More Info:

Ensure that PubSub Subscriptions retain acknowledged messages

Risk Level

Low

Address

Operational Excellence, Reliability

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” for GCP using GCP console, follow these steps:
  1. Open the Google Cloud Console and navigate to the Pub/Sub page.
  2. Select the subscription that you want to configure.
  3. Click on the “Edit” button at the top of the page.
  4. In the “Message retention duration” section, select “Custom”.
  5. Enter the number of days that you want to retain acknowledged messages.
  6. Click on the “Save” button to apply the changes.
By following these steps, you will remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” for GCP using GCP console.

To remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” in GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to list all the subscriptions in the project:
gcloud pubsub subscriptions list
  1. Identify the subscription that needs to be remediated.
  2. Run the following command to update the subscription to retain acknowledged messages for 7 days:
gcloud pubsub subscriptions update <subscription-name> --ack-deadline=604800
Note: Replace <subscription-name> with the name of the subscription that needs to be remediated. 5. Verify the subscription has been updated by running the following command:
gcloud pubsub subscriptions describe <subscription-name>
  1. Check the “ackDeadlineSeconds” field in the output of the above command. It should be set to 604800 (7 days).
By following the above steps, you can remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” in GCP using GCP CLI.
To remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” for GCP using Python, you can follow the below steps:
  1. First, you need to enable the retention policy for the subscription. You can do this by setting the expiration_policy property of the subscription object to a value greater than zero. This will ensure that the messages that have been acknowledged are retained for a certain period of time.
from google.cloud import pubsub_v1

# Initialize PubSub client
client = pubsub_v1.SubscriberClient()

# Set the subscription path
subscription_path = client.subscription_path(project_id, subscription_name)

# Set the retention policy for the subscription
expiration_policy = {"ttl": {"seconds": 604800}}  # 7 days in seconds
update_mask = {"paths": ["expiration_policy"]}
subscription = client.update_subscription(request={"subscription": subscription_path, "expiration_policy": expiration_policy, "update_mask": update_mask})
  1. Next, you need to modify your code to handle the retained messages. You can do this by setting the return_immediately parameter of the pull method to False. This will ensure that the method waits for the server to return any retained messages before returning.
# Pull messages from the subscription
response = client.pull(request={"subscription": subscription_path, "max_messages": max_messages, "return_immediately": False})
  1. Finally, you need to acknowledge the retained messages after processing them. You can do this by calling the acknowledge method of the SubscriberClient object and passing in the message IDs of the retained messages.
# Acknowledge the messages
ack_ids = [msg.ack_id for msg in response.received_messages]
client.acknowledge(request={"subscription": subscription_path, "ack_ids": ack_ids})
By following these steps, you can remediate the misconfiguration “PubSub Subscriptions Should Retain Acknowledged Messages For Record Keeping” for GCP using Python.

Additional Reading: