Ensure that your Google Cloud Pub/Sub subscriptions are configured to allow access only to trusted GCP projects in order to protect against unauthorized cross-project access. The list of trusted GCP projects must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.
You can allow a service account from another GCP project the permission to consume messages from a Pub/Sub subscription by updating the IAM policy associated with the subscription. Nonetheless, opening up your Pub/Sub subscription to unknown cross-project access can pose security risks, potentially enabling unauthorized consumers to get access to sensitive data. To mitigate these risks, it's essential to limit access to trusted projects through the implementation of secure access policies.
Audit
To determine if your Google Cloud Pub/Sub subscriptions allow unauthorized cross-project access, perform the following operations:
Remediation / Resolution
To remove the IAM policy bindings of the unknown, untrusted service accounts in order to protect your Pub/Sub subscription against unauthorized cross-project access, perform the following operations:
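As an added example (not part of the Conformity rule page or the console procedure), the following Python script evaluates a subscription IAM policy, shaped like the JSON output of `gcloud pubsub subscriptions get-iam-policy SUBSCRIPTION --format=json`, against a trusted-project list for the Audit step and emits the matching `gcloud pubsub subscriptions remove-iam-policy-binding` commands for the Remediation step. The policy, project IDs and subscription name below are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample policy, shaped like
# `gcloud pubsub subscriptions get-iam-policy SUB --format=json` output.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.subscriber",
         "members": [
             "serviceAccount:consumer@trusted-proj-a.iam.gserviceaccount.com",
             "serviceAccount:etl@unknown-proj-z.iam.gserviceaccount.com",
             "user:alice@example.com",
         ]},
        {"role": "roles/pubsub.viewer", "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "constructedEtag",
}

# User-managed service accounts: NAME@PROJECT_ID.iam.gserviceaccount.com
# (project IDs: 6-30 chars, lowercase, start with a letter, no trailing hyphen).
SA_RE = re.compile(
    r"^serviceAccount:[^@]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")

def member_project(member: str) -> Optional[str]:
    """Return the owning project ID of a user-managed service account member,
    or None for users, groups, deleted principals, public principals and
    Google-managed service agents (gcp-sa-* domains), which have no project."""
    m = SA_RE.match(member)
    if not m or m.group(1).startswith("gcp-sa-"):
        return None
    return m.group(1)

def find_untrusted_bindings(policy: Dict, trusted_projects: List[str]) -> List[Dict]:
    """Flag service accounts from projects outside the trusted list, plus the
    public principals allUsers/allAuthenticatedUsers (never a trusted project)."""
    trusted = set(trusted_projects)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            project = member_project(member)
            if project is not None and project not in trusted:
                findings.append({"role": binding["role"], "member": member, "project": project})
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append({"role": binding["role"], "member": member, "project": None})
    return findings

def remediation_commands(subscription: str, findings: List[Dict]) -> List[str]:
    """One remove-iam-policy-binding command per untrusted binding."""
    return [f"gcloud pubsub subscriptions remove-iam-policy-binding {subscription} "
            f"--member={f['member']} --role={f['role']}" for f in findings]

if __name__ == "__main__":
    for cmd in remediation_commands("my-subscription",
                                    find_untrusted_bindings(SAMPLE_POLICY, ["trusted-proj-a"])):
        print(cmd)
```

Review the flagged members before running the commands; the trusted list should match the one configured in the Conformity rule settings, and service agents or user members outside the regex are deliberately left for manual review.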
References
- Google Cloud Platform (GCP) Documentation
  - IAM overview
  - IAM basic and predefined roles reference
  - Principal identifiers
  - Access control with IAM
  - Create service accounts
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud pubsub subscriptions list
  - gcloud pubsub subscriptions get-iam-policy
  - gcloud pubsub subscriptions remove-iam-policy-binding