PubSub Subscriptions Should Have Dead Letter Queue Topic Set For Failed Messages

More Info:

Ensure that PubSub Subscriptions have set DLQ topic.

Risk Level

Low

Address

Reliability, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration for GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to set up a dead letter topic:

gcloud pubsub topics create [DEAD_LETTER_TOPIC_NAME]

Replace [DEAD_LETTER_TOPIC_NAME] with a name for your dead letter topic.

Run the following command to create a subscription with a dead letter topic:

gcloud pubsub subscriptions create [SUBSCRIPTION_NAME] --topic [TOPIC_NAME] --dead-letter-topic [DEAD_LETTER_TOPIC_NAME]

Replace [SUBSCRIPTION_NAME] with the name of your subscription, [TOPIC_NAME] with the name of your topic, and [DEAD_LETTER_TOPIC_NAME] with the name of your dead letter topic.

Verify that the subscription was created with the dead letter topic by running the following command:

gcloud pubsub subscriptions describe [SUBSCRIPTION_NAME]

This should display information about your subscription, including the dead letter topic.Your PubSub subscription should now have a dead letter queue topic set for failed messages.

Using Python

To remediate the misconfiguration “PubSub Subscriptions Should Have Dead Letter Queue Topic Set For Failed Messages” in GCP using python, you can follow the below steps:

First, you need to create a Dead Letter Queue (DLQ) topic in GCP Pub/Sub. To do this, use the following code:

from google.cloud import pubsub_v1

project_id = "your-project-id"
topic_name = "your-dlq-topic-name"

publisher = pubsub_v1.PublisherClient()
topic_path = publisher.topic_path(project_id, topic_name)

topic = publisher.create_topic(request={"name": topic_path})
print("Created topic: {}".format(topic.name))

Once the DLQ topic is created, you need to update the subscription to use this DLQ topic for failed messages. To do this, use the following code:

subscription_name = "your-subscription-name"
subscription_path = publisher.subscription_path(project_id, subscription_name)

update_mask = {"paths": ["dead_letter_policy.dead_letter_topic"]}

dead_letter_policy = {
    "dead_letter_topic": topic_path,
    "max_delivery_attempts": 5
}

subscription = publisher.update_subscription(
    request={
        "subscription": subscription_path,
        "update_mask": update_mask,
        "dead_letter_policy": dead_letter_policy
    }
)

print("Updated subscription: {}".format(subscription.name))

Finally, you can verify that the DLQ topic is set for the subscription using the following code:

subscription = publisher.get_subscription(request={"subscription": subscription_path})
print("Subscription: {}".format(subscription.name))
print("DLQ topic: {}".format(subscription.dead_letter_policy.dead_letter_topic))

These steps will remediate the misconfiguration “PubSub Subscriptions Should Have Dead Letter Queue Topic Set For Failed Messages” in GCP using python.

Additional Reading:

https://cloud.google.com/pubsub/docs/handling-failures

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PubSub Subscriptions Should Have Dead Letter Queue Topic Set For Failed Messages

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: