Event Information

  1. The google.pubsub.v1.Publisher.DeleteTopic event in GCP for Pubsub indicates that a topic has been deleted by a publisher.
  2. This event is triggered when a publisher sends a request to delete a specific topic in Google Cloud Pub/Sub.
  3. It is important to note that deleting a topic will also delete all the associated subscriptions and any pending messages in those subscriptions.

Examples

  1. Unauthorized deletion: If security is impacted with google.pubsub.v1.Publisher.DeleteTopic in GCP for Pubsub, it could mean that an unauthorized user or entity has gained access to the necessary permissions to delete topics. This could result in the accidental or intentional deletion of critical topics, leading to data loss or disruption of services.
  2. Data exposure: Another security impact could be the exposure of sensitive information related to the deleted topics. If the topics contain confidential or personally identifiable information (PII), their deletion could result in unauthorized access to this data, potentially leading to privacy breaches or compliance violations.
  3. Service disruption: Deleting topics in GCP Pubsub can have a cascading effect on dependent services and applications. If critical topics are deleted, it could disrupt the flow of messages and communication between different components of an application or system. This can lead to service outages, loss of data integrity, and impact business operations.

Remediation

Using Console

  1. Enable audit logging for GCP Pub/Sub:
    • Go to the GCP Console and navigate to the Pub/Sub section.
    • Select the specific Pub/Sub topic or subscription that you want to enable audit logging for.
    • Click on the “Edit” button to modify the settings.
    • Under the “Logging” section, enable the “Audit logs” option.
    • Choose the appropriate log sink destination, such as Cloud Storage or BigQuery, to store the audit logs.
    • Save the changes.
  2. Implement VPC Service Controls for GCP Pub/Sub:
    • Go to the GCP Console and navigate to the VPC Service Controls section.
    • Create a new VPC Service Perimeter or select an existing one that includes the Pub/Sub resources.
    • Configure the allowed APIs and services within the perimeter to only include the necessary ones for Pub/Sub.
    • Specify the authorized networks that can access the Pub/Sub resources.
    • Save the changes and apply the VPC Service Perimeter.
  3. Implement IAM roles and permissions for GCP Pub/Sub:
    • Go to the GCP Console and navigate to the IAM & Admin section.
    • Select the specific project that contains the Pub/Sub resources.
    • Click on the “IAM” tab to manage IAM roles and permissions.
    • Assign the appropriate roles to users, groups, or service accounts based on their required level of access to Pub/Sub.
    • Use the predefined roles like “Pub/Sub Editor” or create custom roles with specific permissions.
    • Regularly review and update the IAM roles to ensure least privilege access.
Note: The above steps are high-level instructions and may vary based on the specific GCP Console interface and version. It is recommended to refer to the official GCP documentation for detailed and up-to-date instructions.

Using CLI

To remediate the issues mentioned in the previous response for GCP Pub/Sub using GCP CLI, you can follow these steps:
  1. Enable audit logging for Pub/Sub:
    • Use the following command to enable audit logging for Pub/Sub: 
      gcloud pubsub topics set-iam-policy <TOPIC_NAME> policy.json
    • Replace <TOPIC_NAME> with the name of the Pub/Sub topic you want to enable audit logging for.
    • Create a policy.json file with the following content: 
      {
  "auditConfigs": [
    {
      "service": "pubsub.googleapis.com",
      "auditLogConfigs": [
        {
          "logType": "ADMIN_READ"
        },
        {
          "logType": "DATA_READ"
        },
        {
          "logType": "DATA_WRITE"
        }
      ]
    }
  ]
}
  2. Implement VPC Service Controls for Pub/Sub:
    • Use the following command to create a VPC Service Control perimeter: 
      gcloud access-context-manager perimeters create <PERIMETER_NAME> --resources=projects/<PROJECT_ID> --restricted-services=pubsub.googleapis.com
    • Replace <PERIMETER_NAME> with a name for the VPC Service Control perimeter.
    • Replace <PROJECT_ID> with your GCP project ID.
  3. Enable Pub/Sub encryption at rest:
    • Use the following command to enable encryption at rest for Pub/Sub: 
      gcloud pubsub topics update <TOPIC_NAME> --message-storage-policy-encryption-key=projects/<PROJECT_ID>/locations/global/keyRings/<KEY_RING_NAME>/cryptoKeys/<CRYPTO_KEY_NAME>
    • Replace <TOPIC_NAME> with the name of the Pub/Sub topic you want to enable encryption for.
    • Replace <PROJECT_ID> with your GCP project ID.
    • Replace <KEY_RING_NAME> and <CRYPTO_KEY_NAME> with the name of the key ring and crypto key you want to use for encryption.

Using Python

To remediate the issues mentioned in the previous response for GCP Pub/Sub using Python, you can follow these steps:
  1. Enable VPC Service Controls:
    • Use the google-cloud-securitycenter library to enable VPC Service Controls for your project.
    • Here’s an example Python script to enable VPC Service Controls:
    from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()

# Set the project ID and organization ID
project_id = 'your-project-id'
organization_id = 'your-organization-id'

# Set the VPC Service Controls configuration
vpc_service_controls = {
    'project': f'projects/{project_id}',
    'servicePerimeters': [
        {
            'name': f'projects/{project_id}/servicePerimeters/default',
            'status': 'ACTIVE',
            'resources': [
                'pubsub.googleapis.com'
            ],
            'restrictedServices': [
                'pubsub.googleapis.com'
            ]
        }
    ]
}

# Enable VPC Service Controls
response = client.update_organization_settings(
    organization_settings={
        'name': f'organizations/{organization_id}/organizationSettings',
        'enableVpcServiceControls': True,
        'vpcServiceControls': vpc_service_controls
    }
)

print('VPC Service Controls enabled successfully.')
  2. Implement Pub/Sub access controls:
    • Use the google-cloud-pubsub library to implement access controls for your Pub/Sub topics and subscriptions.
    • Here’s an example Python script to create a new topic with access controls:
    from google.cloud import pubsub_v1

publisher = pubsub_v1.PublisherClient()

# Set the project ID and topic name
project_id = 'your-project-id'
topic_name = 'your-topic-name'

# Set the IAM policy for the topic
policy = {
    'bindings': [
        {
            'role': 'roles/pubsub.publisher',
            'members': [
                'serviceAccount:[email protected]'
            ]
        }
    ]
}

# Create the topic with access controls
topic_path = publisher.topic_path(project_id, topic_name)
topic = publisher.create_topic(request={'name': topic_path, 'labels': {'access': 'restricted'}})
publisher.set_iam_policy(request={'resource': topic.name, 'policy': policy})

print('Topic created successfully with access controls.')
  3. Implement Pub/Sub message encryption:
    • Use the google-cloud-kms library to encrypt and decrypt Pub/Sub messages using Cloud KMS.
    • Here’s an example Python script to encrypt and decrypt Pub/Sub messages:
    from google.cloud import kms_v1

kms_client = kms_v1.KeyManagementServiceClient()

# Set the project ID and location
project_id = 'your-project-id'
location = 'global'

# Set the key ring and key name
key_ring_id = 'your-key-ring-id'
key_id = 'your-key-id'

# Encrypt a message
plaintext_message = 'your-message'
key_name = kms_client.crypto_key_path_path(project_id, location, key_ring_id, key_id)
response = kms_client.encrypt(request={'name': key_name, 'plaintext': plaintext_message})
ciphertext_message = response.ciphertext

# Decrypt a message
response = kms_client.decrypt(request={'name': key_name, 'ciphertext': ciphertext_message})
decrypted_message = response.plaintext

print(f'Encrypted message: {ciphertext_message}')
print(f'Decrypted message: {decrypted_message}')
Please note that you need to replace the placeholders (your-project-id, your-organization-id, [email protected], your-topic-name, your-key-ring-id, your-key-id, your-message) with your actual values in the above scripts.