google.pubsub.v1.Publisher.CreateTopic

​

Event Information

1. The google.pubsub.v1.Publisher.CreateTopic event in GCP for Pubsub indicates that a new topic has been created by a publisher in the Google Cloud Pub/Sub service.
2. This event signifies the successful creation of a topic, which is a named resource to which messages can be sent and from which messages can be received by subscribers.
3. The event provides information about the publisher, the topic name, and any additional metadata associated with the topic creation.

​

Examples

1. Unauthorized access: If security is impacted with google.pubsub.v1.Publisher.CreateTopic in GCP Pub/Sub, it could mean that unauthorized users or entities are able to create topics. This can lead to potential data breaches or unauthorized access to sensitive information.

2. Data leakage: If security is impacted with google.pubsub.v1.Publisher.CreateTopic in GCP Pub/Sub, it could result in the creation of topics that are not properly secured. This can lead to data leakage, where sensitive data is exposed to unauthorized parties, potentially compromising the confidentiality and integrity of the data.

3. Malicious activity: If security is impacted with google.pubsub.v1.Publisher.CreateTopic in GCP Pub/Sub, it could allow malicious actors to create topics with malicious intent. This can lead to the propagation of harmful messages or the execution of unauthorized actions within the Pub/Sub system, potentially disrupting normal operations or causing harm to other components or systems connected to Pub/Sub.

​

Remediation

​

Using Console

1. Enable audit logging for GCP Pub/Sub:

   • Go to the GCP Console and navigate to the Pub/Sub section.
   • Select the specific Pub/Sub topic or subscription that you want to enable audit logging for.
   • Click on the “Edit” button to modify the settings.
   • Under the “Logging” section, enable the “Audit logs” option.
   • Choose the appropriate log sink destination, such as Cloud Storage or BigQuery, to store the audit logs.
   • Save the changes.

2. Implement VPC Service Controls for GCP Pub/Sub:

   • Go to the GCP Console and navigate to the VPC Service Controls section.
   • Create a new VPC Service Perimeter or select an existing one that includes the Pub/Sub resources.
   • Configure the allowed APIs and services within the perimeter to only include the necessary ones for Pub/Sub.
   • Specify the authorized networks that can access the Pub/Sub resources.
   • Save the changes and apply the VPC Service Perimeter.

3. Implement IAM roles and permissions for GCP Pub/Sub:

   • Go to the GCP Console and navigate to the IAM & Admin section.
   • Select the specific project that contains the Pub/Sub resources.
   • Click on the “IAM” tab to manage IAM roles and permissions.
   • Assign appropriate roles to users, groups, or service accounts based on their responsibilities and access requirements.
   • Ensure that the principle of least privilege is followed, granting only the necessary permissions for Pub/Sub operations.
   • Regularly review and update the IAM roles and permissions as needed to maintain security and compliance.

Note: The above steps are high-level instructions and may vary based on the specific GCP Console interface and version. It is recommended to refer to the official GCP documentation for detailed and up-to-date instructions.

​

Using CLI

1. Enable audit logging for GCP Pub/Sub:

   • Use the following command to enable audit logging for Pub/Sub:

     gcloud pubsub topics set-iam-policy [TOPIC_NAME] --audit-log-config=LOGS_READ
     

2. Restrict access to Pub/Sub topics:

   • Use the following command to update the IAM policy for a Pub/Sub topic and restrict access:

     gcloud pubsub topics set-iam-policy [TOPIC_NAME] [POLICY_FILE]
     

3. Enable VPC Service Controls for Pub/Sub:

   • Use the following command to enable VPC Service Controls for Pub/Sub:

     gcloud services vpc-peerings add-iam-policy-binding \
     --service=servicenetworking.googleapis.com \
     --member=[MEMBER] \
     --role=roles/servicenetworking.networksViewer
     

​

Using Python

To remediate the issues mentioned in the previous response for GCP Pub/Sub using Python, you can follow these steps:

1. Enable VPC Service Controls:

   • Use the google-cloud-securitycenter library to enable VPC Service Controls for your project.
   • You can use the following Python script as an example:

   from google.cloud import securitycenter
   
   client = securitycenter.SecurityCenterClient()
   
   # Set the project ID and organization ID
   project_id = 'your-project-id'
   organization_id = 'your-organization-id'
   
   # Set the VPC Service Controls configuration
   vpc_service_controls = {
       'project': f'projects/{project_id}',
       'servicePerimeters': [
           {
               'name': f'projects/{project_id}/servicePerimeters/your-perimeter',
               'resources': [
                   'pubsub.googleapis.com'
               ]
           }
       ]
   }
   
   # Enable VPC Service Controls
   response = client.update_organization_settings(
       organization_id=organization_id,
       organization_settings={'vpc_service_controls': vpc_service_controls}
   )
   
   print('VPC Service Controls enabled successfully.')
   

2. Implement Access Control Policies:

   • Use the google-cloud-iam library to implement access control policies for your Pub/Sub topics and subscriptions.
   • You can use the following Python script as an example:

   from google.cloud import pubsub_v1
   from google.cloud.pubsub_v1 import types
   
   publisher_client = pubsub_v1.PublisherClient()
   subscriber_client = pubsub_v1.SubscriberClient()
   
   # Set the project ID and topic/subscription name
   project_id = 'your-project-id'
   topic_name = 'your-topic-name'
   subscription_name = 'your-subscription-name'
   
   # Set the IAM policy for the topic
   topic_path = publisher_client.topic_path(project_id, topic_name)
   policy = {
       'bindings': [
           {
               'role': 'roles/pubsub.publisher',
               'members': ['serviceAccount:[email protected]']
           }
       ]
   }
   publisher_client.set_iam_policy(request={'resource': topic_path, 'policy': policy})
   
   # Set the IAM policy for the subscription
   subscription_path = subscriber_client.subscription_path(project_id, subscription_name)
   policy = {
       'bindings': [
           {
               'role': 'roles/pubsub.subscriber',
               'members': ['serviceAccount:[email protected]']
           }
       ]
   }
   subscriber_client.set_iam_policy(request={'resource': subscription_path, 'policy': policy})
   
   print('Access control policies implemented successfully.')
   

3. Implement Pub/Sub Message Validation:

   • Use the google-cloud-pubsub library to implement message validation for your Pub/Sub topics and subscriptions.
   • You can use the following Python script as an example:

   from google.cloud import pubsub_v1
   
   subscriber_client = pubsub_v1.SubscriberClient()
   
   # Set the project ID and subscription name
   project_id = 'your-project-id'
   subscription_name = 'your-subscription-name'
   
   # Set the message validation schema
   schema = {
       'type': 'object',
       'properties': {
           'message': {'type': 'string'}
       },
       'required': ['message']
   }
   
   # Set the message validation policy for the subscription
   subscription_path = subscriber_client.subscription_path(project_id, subscription_name)
   policy = {
       'schemaSettings': {
           'schema': schema
       }
   }
   subscriber_client.update_subscription(request={'subscription': subscription_path, 'update_mask': {'paths': ['schema_settings']}, 'subscription': policy})
   
   print('Message validation implemented successfully.')
   

Please note that you need to replace the placeholders (your-project-id, your-organization-id, your-perimeter, your-service-account, your-topic-name, your-subscription-name) with the actual values specific to your GCP environment.