PubSub Subscriptions Should Have Dead Letter Queue Enabled
More Info:
Ensure that PubSub Subscriptions have enabled DLQRisk Level
LowAddress
Reliability, Operational Maturity, SecurityCompliance Standards
HIPAA, SOC2, PCIDSS, NISTTriage and Remediation
Remediation
Using Console
Using Console
Sure, here are the step-by-step instructions to remediate the misconfiguration “PubSub Subscriptions Should Have Dead Letter Queue Enabled” in GCP using the GCP console:
- Open the GCP console and navigate to the Pub/Sub page.
- Select the subscription that needs to be remediated.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Delivery” section and click on “Add Dead-letter topic”.
- In the “Dead-letter topic” field, enter the name of the topic where dead-letter messages should be sent.
- Click on the “Create” button to create the dead-letter topic.
- Set the maximum delivery attempts for the subscription by entering a value in the “Maximum delivery attempts” field.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration of PubSub Subscriptions not having a Dead Letter Queue enabled in GCP using GCP CLI, follow the below steps:
- Open the Google Cloud Console and navigate to the Pub/Sub section.
- Select the subscription that needs to be remediated.
- Click on the “Edit” button at the top of the page.
- Under the “Delivery retry policy” section, enable the “Dead-letter topic” option.
- Select the topic that will be used as the Dead Letter Queue.
- Click on the “Save” button.
- Open the terminal and authenticate to your GCP account using the command:
gcloud auth login. - Set the project that contains the Pub/Sub subscription using the command:
gcloud config set project [PROJECT_ID]. - Enable the Dead Letter Queue for the subscription using the command:
gcloud pubsub subscriptions update [SUBSCRIPTION_NAME] --dead-letter-topic=[DEAD_LETTER_TOPIC_NAME] --dead-letter-ack-deadline=[ACK_DEADLINE].
- [SUBSCRIPTION_NAME]: Name of the subscription that needs to be remediated.
- [DEAD_LETTER_TOPIC_NAME]: Name of the topic that will be used as the Dead Letter Queue.
- [ACK_DEADLINE]: Acknowledgement deadline for the Dead Letter Queue in seconds.
Using Python
Using Python
To remediate the misconfiguration of PubSub Subscriptions not having Dead Letter Queue enabled in GCP using Python, follow these steps:Putting it all together, here’s the complete code:Note: Replace the placeholders “your-project-id”, “your-subscription-name”, and “your-dead-letter-topic-name” with your actual project ID, subscription name, and dead letter topic name, respectively.
- Import the necessary libraries:
- Set the project ID and subscription name:
- Create the PubSub client and subscription object:
- Check if the subscription already has a dead letter policy:
- If the subscription does not have a dead letter policy, create one:
- Update the subscription with the new dead letter policy:
- Handle any errors that may occur during the update process: