More Info:

Ensure that PubSub Subscriptions are not detached from topics

Risk Level

Low

Address

Operational Excellence

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the PubSub subscription detachment from topics misconfiguration in GCP using GCP console, follow the below steps:
  1. Open the Google Cloud Console and select your project.
  2. Navigate to the Pub/Sub section from the left-hand side menu.
  3. Select the Subscription tab from the top menu.
  4. Identify the detached subscription(s) and select the checkbox beside them.
  5. Click on the Delete button above the list of subscriptions.
  6. Confirm the deletion by clicking on the Delete button in the confirmation dialog box.
  7. Next, navigate to the Topics tab from the top menu.
  8. Select the topic that the subscription was previously attached to.
  9. Click on the Add Subscription button above the list of subscriptions.
  10. In the Add Subscription dialog box, select the subscription(s) that you want to attach to the topic.
  11. Click on the Create button to attach the subscription(s) to the topic.
  12. Verify that the subscription(s) are now attached to the topic.
By following these steps, you can remediate the PubSub subscription detachment from topics misconfiguration in GCP using GCP console.

To remediate the misconfiguration “PubSub Subscriptions Should Not Be Detached From Topics” for GCP using GCP CLI, follow the steps below:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to list all the subscriptions that are detached from topics: 
    gcloud pubsub subscriptions list --filter="topic:projects/*/topics/* AND NOT topic:projects/*/topics/*"
  3. Identify the subscription that is detached from a topic and note down its subscription name.
  4. Run the following command to delete the subscription: 
    gcloud pubsub subscriptions delete [SUBSCRIPTION_NAME]
    Replace [SUBSCRIPTION_NAME] with the name of the subscription that you want to delete.
  5. Repeat steps 3 and 4 for all the subscriptions that are detached from topics.
  6. Finally, run the following command to verify that all the subscriptions are attached to a topic: 
    gcloud pubsub subscriptions list --filter="topic:projects/*/topics/*"
    This command will list all the subscriptions that are attached to a topic.
By following these steps, you can remediate the misconfiguration “PubSub Subscriptions Should Not Be Detached From Topics” for GCP using GCP CLI.
To remediate the misconfiguration “PubSub Subscriptions Should Not Be Detached From Topics” for GCP using python, follow these steps:
  1. First, you need to identify the detached subscriptions in GCP. You can use the following code to get the list of all detached subscriptions:
from google.cloud import pubsub_v1

project_id = "your-project-id"
client = pubsub_v1.SubscriberClient()
project_path = f"projects/{project_id}"
response = client.list_subscriptions(project_path)
for subscription in response:
    if not subscription.topic:
        print(f"Detached subscription: {subscription.name}")
  1. Once you have identified the detached subscriptions, you can re-attach them to their respective topics using the following code:
from google.cloud import pubsub_v1

project_id = "your-project-id"
client = pubsub_v1.SubscriberClient()
project_path = f"projects/{project_id}"
response = client.list_subscriptions(project_path)
for subscription in response:
    if not subscription.topic:
        print(f"Re-attaching subscription {subscription.name} to topic {subscription.topic}")
        topic_path = f"projects/{project_id}/topics/{subscription.topic.split('/')[-1]}"
        client.modify_push_config(subscription.name, topic_path=topic_path)
This code will loop through all the subscriptions in your project and re-attach the detached subscriptions to their respective topics.

Additional Reading: