
Pub/Sub Subscription Cross-Project Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that your Google Cloud Pub/Sub subscriptions are configured to allow access only to trusted GCP projects in order to protect against unauthorized cross-project access. The list of trusted GCP projects must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.

Security

You can allow a service account from another GCP project to consume messages from a Pub/Sub subscription by adding it to the IAM policy associated with the subscription. However, opening a Pub/Sub subscription to unknown cross-project principals is a security risk: any consumer in the foreign project that can impersonate the service account can pull, acknowledge, and potentially drop messages that may contain sensitive data. To mitigate this risk, limit cross-project access to an explicit list of trusted projects and remove every other binding. Note that the subscription's own IAM policy is only part of the picture: a service account granted Pub/Sub roles at the project, folder, or organization level inherits access to every subscription beneath that node without appearing in the subscription-level policy, so review those inherited bindings as well.


Audit

To determine if your Google Cloud Pub/Sub subscriptions allow unauthorized cross-project access, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that manages your Pub/Sub subscription from the console top navigation bar.

03 Navigate to Pub/Sub console available at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Subscriptions to access the Pub/Sub subscriptions created for the selected GCP project.

05 Select the Pub/Sub subscription that you want to examine, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the subscription permissions.

06 Click inside the Filter box, select Role / Principal, type Pub/Sub Subscriber, choose OR, select Role / Principal, type Pub/Sub Editor, choose OR, select Role / Principal, type Pub/Sub Admin, and press Enter. If the Google Cloud console returns one or more results, check each member/principal to determine if the principal is a valid service account. A valid service account has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com. If at least one valid service account is returned as a principal and the <project-id> of this service account is the ID of another GCP project, continue the Audit process with the next step.

07 Sign in to your Trend Cloud One™ – Conformity account, access Pub/Sub Subscription Cross-Project Access conformity rule settings, and compare the <project-id> of each cross-project service account identified at the previous step against each GCP project ID defined in the rule configuration. If one or more service account project IDs are not included in the list of trusted GCP projects listed in the conformity rule settings, the cross-project access configuration available for the selected Pub/Sub subscription is not compliant.

08 Repeat steps no. 5 - 7 for each Pub/Sub subscription available within the selected GCP project.

09 Repeat steps no. 2 - 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-dataflow-project
cc-bigdata-project
cc-developer-project

03 Run pubsub subscriptions list command (Windows/macOS/Linux) with custom filtering to list the fully qualified name of each Pub/Sub subscription available within the selected Google Cloud project:

gcloud pubsub subscriptions list \
  --project cc-dataflow-project \
  --format="value(name)"

04 The command output should return the requested subscription identifier(s):

projects/cc-dataflow-project/subscriptions/cc-dataflow-app-subscription
projects/cc-dataflow-project/subscriptions/cc-dataflow-test-subscription

05 Run pubsub subscriptions get-iam-policy command (Windows/macOS/Linux) with the ID of the Pub/Sub subscription that you want to examine as the identifier parameter, to describe the name and role of each IAM member/principal assigned to the selected subscription:

gcloud pubsub subscriptions get-iam-policy projects/cc-dataflow-project/subscriptions/cc-dataflow-app-subscription \
  --format=json | jq '.bindings[]'

06 The command output should return the requested information for the associated IAM members:

{
	"members": [
		"serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com",
		"user:publisher@domain.com"
	],
	"role": "roles/pubsub.admin"
},
{
	"members": [
		"serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com"
	],
	"role": "roles/pubsub.editor"
},
{
	"members": [
		"serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com"
	],
	"role": "roles/pubsub.subscriber"
}

If the pubsub subscriptions get-iam-policy command output returns one or more valid cross-project service accounts as members/principals, continue the Audit process with the next step. A valid cross-project service account is a service account associated with one of the following roles: "roles/pubsub.subscriber", "roles/pubsub.editor", or "roles/pubsub.admin", which has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com, where <project-id> is the ID of another GCP project.

07 Sign in to your Trend Cloud One™ – Conformity account, access Pub/Sub Subscription Cross-Project Access conformity rule settings, and compare the <project-id> of each cross-project service account identified at the previous step against each GCP project ID defined in the rule configuration. If one or more service account project IDs are not included in the list of trusted GCP projects listed in the conformity rule settings, the cross-project access configuration available for the selected Pub/Sub subscription is not compliant.

08 Repeat steps no. 5 - 7 for each Pub/Sub subscription available in the selected GCP project.

09 Repeat steps no. 3 – 8 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the IAM policy bindings of the unknown, untrusted service accounts in order to protect your Pub/Sub subscription against unauthorized cross-project access, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Pub/Sub console available at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Subscriptions to access the Pub/Sub subscriptions created for the selected GCP project.

05 Select the Pub/Sub subscription that you want to examine, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the subscription permissions.

06 Click inside the Filter box, select Role / Principal, type Pub/Sub Subscriber, choose OR, select Role / Principal, type Pub/Sub Editor, choose OR, select Role / Principal, type Pub/Sub Admin, and press Enter.

07 Choose the untrusted cross-project service account that you want to remove and click on the delete button (bin icon) available next to the principal name to delete the binding.

08 In the Remove role from principal? confirmation box, choose REMOVE to remove the selected binding. Repeat this step for each non-compliant binding configured for your Pub/Sub subscription.

09 Repeat steps no. 5 – 8 for each Pub/Sub subscription that you want to configure, available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run pubsub subscriptions remove-iam-policy-binding command (Windows/macOS/Linux) with the name of the Pub/Sub subscription that you want to configure as the identifier parameter, to remove the binding for the untrusted cross-project service account from the IAM policy associated with the selected subscription. The --member and --role values must match the existing binding exactly; a service account that holds several roles needs one command per role. Repeat this step for each non-compliant binding configured for the selected Pub/Sub subscription:

gcloud pubsub subscriptions remove-iam-policy-binding projects/cc-dataflow-project/subscriptions/cc-dataflow-app-subscription \
  --member='serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com' \
  --role='roles/pubsub.subscriber'

02 The command output should return the information available for the modified IAM policy. In the example below the subscriber binding is gone, but the same cross-project service account still holds roles/pubsub.editor, so step no. 1 must be run again for that role before the subscription is compliant:

Updated IAM policy for subscription [cc-dataflow-app-subscription].
bindings:
- members:
  - serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com
  - user:publisher@domain.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com
  role: roles/pubsub.editor
etag: abcdabcdabcd
version: 1

03 Repeat steps no. 1 and 2 for each Pub/Sub subscription that you want to configure, available in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
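The CLI audit (steps 3 to 8) and the CLI remediation above are easy to get wrong by hand when a project has many subscriptions, so the following script automates both. It is an added example for this page, not Conformity's or Google's code: it drives the same gcloud commands shown above, reads their --format=json output, applies the rule's definition of a cross-project service account (the <name>@<project-id>.iam.gserviceaccount.com form holding Subscriber, Editor or Admin), and emits the matching remove-iam-policy-binding commands instead of running them. The sample policy is the one from audit step 6 with one extra subscriber from a trusted project, and TRUSTED_PROJECTS stands in for the list you would copy from the rule settings; both are constructed.

```python
"""Find untrusted cross-project service accounts on Pub/Sub subscriptions and
print the gcloud commands that remove them (added example, not Conformity code)."""
import json
import re
import subprocess

# Roles the rule treats as granting cross-project consumer access.
SENSITIVE_ROLES = {"roles/pubsub.subscriber", "roles/pubsub.editor", "roles/pubsub.admin"}

# User-managed service accounts: <name>@<project-id>.iam.gserviceaccount.com.
# Google-managed service agents and the default Compute/App Engine accounts use
# other domains and are deliberately not matched, mirroring the rule's definition.
SA_MEMBER = re.compile(
    r"^serviceAccount:(?P<name>[^@]+)@(?P<project>[a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$"
)


def untrusted_cross_project_bindings(policy, subscription_project, trusted_projects):
    """Return (role, member) pairs for service accounts from a project that is
    neither the subscription's own nor listed in trusted_projects."""
    trusted = set(trusted_projects) | {subscription_project}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in SENSITIVE_ROLES:
            continue
        for member in binding.get("members", []):
            match = SA_MEMBER.match(member)  # users, groups, domains are out of scope here
            if match and match.group("project") not in trusted:
                findings.append((role, member))
    return findings


def remediation_commands(subscription_name, findings):
    """One remove-iam-policy-binding command per non-compliant (role, member) pair."""
    return [
        "gcloud pubsub subscriptions remove-iam-policy-binding "
        f"{subscription_name} --member='{member}' --role='{role}'"
        for role, member in findings
    ]


def gcloud_json(*args):
    """Run a gcloud command and parse its JSON output (needs an authenticated gcloud)."""
    completed = subprocess.run(
        ["gcloud", *args, "--format=json"], check=True, capture_output=True, text=True
    )
    return json.loads(completed.stdout)


def audit_project(project_id, trusted_projects):
    """CLI audit steps 3-8 for one project: subscription name -> findings."""
    report = {}
    for sub in gcloud_json("pubsub", "subscriptions", "list", "--project", project_id):
        policy = gcloud_json("pubsub", "subscriptions", "get-iam-policy", sub["name"])
        findings = untrusted_cross_project_bindings(policy, project_id, trusted_projects)
        if findings:
            report[sub["name"]] = findings
    return report


# Constructed sample: the policy from audit step 6, plus a subscriber from a
# project that the (assumed) rule settings list as trusted.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com",
                     "user:publisher@domain.com"],
         "role": "roles/pubsub.admin"},
        {"members": ["serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com"],
         "role": "roles/pubsub.editor"},
        {"members": ["serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com",
                     "serviceAccount:cc-etl@cc-bigdata-project.iam.gserviceaccount.com"],
         "role": "roles/pubsub.subscriber"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}
SAMPLE_SUBSCRIPTION = "projects/cc-dataflow-project/subscriptions/cc-dataflow-app-subscription"
TRUSTED_PROJECTS = ["cc-bigdata-project"]  # assumed value of the rule setting


if __name__ == "__main__":
    findings = untrusted_cross_project_bindings(SAMPLE_POLICY, "cc-dataflow-project", TRUSTED_PROJECTS)
    for cmd in remediation_commands(SAMPLE_SUBSCRIPTION, findings):
        print(cmd)
    # Against a live project (requires gcloud auth and pubsub.subscriptions.getIamPolicy):
    # print(audit_project("cc-dataflow-project", TRUSTED_PROJECTS))
```

Run against the sample, the script prints two commands for cc-developer-project (one per role it holds) and none for the trusted cc-bigdata-project account. Review the printed commands before executing them; the script intentionally does not modify policies itself, and it only inspects subscription-level bindings, so project- or folder-level grants must still be checked separately.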


Publication date May 1, 2024