Event Information

  • The google.pubsub.v1.Subscriber.DeleteSubscription event in GCP for Pubsub indicates that a subscription has been deleted in the Google Cloud Pub/Sub service.
  • This event is triggered when a user or an automated process initiates the deletion of a subscription.
  • It signifies that the subscription and its associated resources, such as message delivery and acknowledgment, have been permanently removed from the Pub/Sub system.

Examples

  1. Unauthorized deletion: If security is impacted with google.pubsub.v1.Subscriber.DeleteSubscription in GCP for Pubsub, it could potentially allow unauthorized individuals to delete subscriptions. This could lead to data loss or disruption of critical business processes.

  2. Access control misconfiguration: If security is impacted with google.pubsub.v1.Subscriber.DeleteSubscription in GCP for Pubsub, it could indicate a misconfiguration in access control policies. This might allow users with lower privileges to delete subscriptions, bypassing the intended security measures.

  3. Lack of audit trail: If security is impacted with google.pubsub.v1.Subscriber.DeleteSubscription in GCP for Pubsub, it could result in a lack of proper audit trail. Without proper logging and monitoring, it becomes difficult to track and investigate any unauthorized or malicious deletion activities, hindering incident response and forensic analysis.

Remediation

Using Console

  1. Enable audit logging for GCP Pub/Sub:

    • Go to the GCP Console and navigate to the Pub/Sub section.
    • Select the specific Pub/Sub topic or subscription that you want to enable audit logging for.
    • Click on the “Edit” button to modify the settings.
    • Under the “Logging” section, enable the “Audit logs” option.
    • Choose the appropriate log sink destination, such as Cloud Storage or BigQuery, to store the audit logs.
    • Save the changes.

  2. Implement VPC Service Controls for GCP Pub/Sub:

    • Go to the GCP Console and navigate to the VPC Service Controls section.
    • Create a new VPC Service Perimeter or select an existing one that includes the Pub/Sub resources.
    • Configure the allowed APIs and services within the perimeter to only include the necessary ones for Pub/Sub.
    • Specify the authorized networks that can access the Pub/Sub resources.
    • Save the changes and apply the VPC Service Perimeter.

  3. Implement IAM roles and permissions for GCP Pub/Sub:

    • Go to the GCP Console and navigate to the IAM & Admin section.
    • Select the specific project that contains the Pub/Sub resources.
    • Click on the “IAM” tab to manage IAM roles and permissions.
    • Assign appropriate roles to users, groups, or service accounts based on their responsibilities and access requirements.
    • Ensure that the principle of least privilege is followed, granting only the necessary permissions for Pub/Sub operations.
    • Regularly review and update the IAM roles and permissions as needed to maintain security and compliance.

Note: The above steps are high-level instructions and may vary depending on the specific GCP Console interface and version. It is recommended to refer to the official GCP documentation for detailed and up-to-date instructions.

Using CLI

To remediate the issues mentioned in the previous response for GCP Pub/Sub using GCP CLI, you can follow these steps:

  1. Enable audit logging for Pub/Sub:

    • Use the following command to enable audit logging for Pub/Sub: 
      gcloud pubsub topics set-iam-policy <TOPIC_NAME> policy.json
    • Replace <TOPIC_NAME> with the name of the Pub/Sub topic you want to enable audit logging for.
    • Create a policy.json file with the following content: 
      {
  "auditConfigs": [
    {
      "auditLogConfigs": [
        {
          "logType": "DATA_READ",
          "exemptedMembers": []
        },
        {
          "logType": "DATA_WRITE",
          "exemptedMembers": []
        }
      ],
      "service": "pubsub.googleapis.com"
    }
  ],
  "bindings": [
    {
      "role": "roles/pubsub.publisher",
      "members": [
        "user:<USER_EMAIL>"
      ]
    }
  ]
}
    • Replace <USER_EMAIL> with the email address of the user who should have the pubsub.publisher role.

  2. Implement VPC Service Controls for Pub/Sub:

    • Use the following command to create a VPC Service Controls perimeter for Pub/Sub: 
      gcloud access-context-manager perimeters create <PERIMETER_NAME> --resources=pubsub.googleapis.com/projects/<PROJECT_ID>/locations/-/topics/*
    • Replace <PERIMETER_NAME> with a name for the perimeter and <PROJECT_ID> with your GCP project ID.

  3. Enable Pub/Sub encryption at rest:

    • Use the following command to enable encryption at rest for Pub/Sub: 
      gcloud pubsub topics update <TOPIC_NAME> --message-storage-policy-encryption-key=projects/<PROJECT_ID>/locations/global/keyRings/<KEY_RING_NAME>/cryptoKeys/<CRYPTO_KEY_NAME>
    • Replace <TOPIC_NAME> with the name of the Pub/Sub topic you want to enable encryption for, <PROJECT_ID> with your GCP project ID, <KEY_RING_NAME> with the name of the key ring, and <CRYPTO_KEY_NAME> with the name of the crypto key.

Please note that the above commands assume you have the necessary permissions to perform these actions in your GCP project.

Using Python

To remediate the issues mentioned in the previous response for GCP Pub/Sub using Python, you can follow these steps:

  1. Enable VPC Service Controls:

    • Use the google-cloud-securitycenter library to enable VPC Service Controls for your project.
    • Here’s an example Python script to enable VPC Service Controls:
    from google.cloud import securitycenter

client = securitycenter.SecurityCenterClient()

# Set the project ID and organization ID
project_id = 'your-project-id'
organization_id = 'your-organization-id'

# Set the VPC Service Controls configuration
vpc_service_controls = {
    'project': f'projects/{project_id}',
    'servicePerimeters': [
        {
            'name': f'projects/{project_id}/servicePerimeters/default',
            'resources': [
                'pubsub.googleapis.com'
            ],
            'status': 'ACTIVE'
        }
    ]
}

# Enable VPC Service Controls
response = client.update_organization_settings(
    organization_id=organization_id,
    organization_settings={'vpc_service_controls': vpc_service_controls}
)

print('VPC Service Controls enabled successfully.')

  2. Implement Pub/Sub access controls:

    • Use the google-cloud-pubsub library to implement access controls for your Pub/Sub topics and subscriptions.
    • Here’s an example Python script to create a new topic with access controls:
    from google.cloud import pubsub_v1

publisher = pubsub_v1.PublisherClient()

# Set the project ID and topic name
project_id = 'your-project-id'
topic_name = 'your-topic-name'

# Set the IAM policy for the topic
policy = {
    'bindings': [
        {
            'role': 'roles/pubsub.publisher',
            'members': ['serviceAccount:[email protected]']
        }
    ]
}

# Create the topic with access controls
topic_path = publisher.topic_path(project_id, topic_name)
topic = publisher.create_topic(request={'name': topic_path, 'policy': policy})

print(f'Topic {topic.name} created successfully with access controls.')

  3. Monitor Pub/Sub activity using Cloud Monitoring:

    • Use the google-cloud-monitoring library to monitor Pub/Sub activity and set up alerts for any suspicious or unauthorized events.
    • Here’s an example Python script to create a new alert policy for Pub/Sub:
    from google.cloud import monitoring_v3

client = monitoring_v3.AlertPolicyServiceClient()

# Set the project ID and topic name
project_id = 'your-project-id'
topic_name = 'your-topic-name'

# Set the condition for the alert policy
condition = {
    'condition_threshold': {
        'filter': f'resource.type="pubsub_topic" AND resource.labels.project_id="{project_id}" AND resource.labels.topic_id="{topic_name}"',
        'comparison': 'COMPARISON_GT',
        'threshold_value': 0,
        'duration': {'seconds': 60}
    }
}

# Create the alert policy
policy = {
    'display_name': 'Pub/Sub Activity Alert',
    'conditions': [condition],
    'notification_channels': ['projects/your-project-id/notificationChannels/your-notification-channel']
}

# Create the alert policy
response = client.create_alert_policy(
    name=f'projects/{project_id}', alert_policy=policy)

print(f'Alert policy {response.name} created successfully.')

Please note that you need to replace the placeholders (your-project-id, your-organization-id, your-service-account, your-topic-name, your-notification-channel) with the actual values specific to your GCP environment.