Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Detect Google Cloud Pub/Sub Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CloudPubSub-001

Trend Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected Google Cloud Pub/Sub configuration changes within your GCP account.
Pub/Sub is a secure, highly available, scalable messaging service that allows supported GCP cloud services to communicate asynchronously. Pub/Sub is used for streaming analytic events and data integration pipelines to ingest and distribute data. The Pub/Sub messaging service lets you to create systems of event producers and consumers, called publishers and subscribers. In Pub/Sub, producers (publishers) communicate with consumers (subscribers) asynchronously by broadcasting events.
Google Cloud Pub/Sub write audit logs for resources such as topics and subscriptions to help you find who used your resources, where and when. Trend Cloud One™ – Conformity RTMA uses the audit information collected by Pub/Sub to process and send notifications about the configurations changes made at the Pub/Sub service level.
The activity detected by the Conformity RTMA feature can be a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operational events:

  • "CreateTopic" - Creates a topic with the given configuration. A Pub/Sub topic is a named entity that represents a feed of messages.
  • "UpdateTopic" - Updates an existing Pub/Sub topic.
  • "CreateSubscription" - Creates a subscription for a given topic. A Pub/Sub subscription is a named entity that represents an interest in receiving messages on a certain topic.
  • "UpdateSubscription" - Updates an existing Pub/Sub subscription.
  • "SetIamPolicy" - Sets an access control policy for the specified Pub/Sub resource. This operation replaces any existing policy associated with the topic.

To follow industry best practices and meet compliance requirements, Trend Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide GCP users (except administrators or dedicated, authorized personnel) the permission to perform Pub/Sub configuration changes within your GCP account.
For example, if a Pub/Sub resource is created and/or modified by an inexperienced user, it can allow attackers to perform malicious activities such as intercepting and publishing messages without permission. To prevent data leaks, data loss, and avoid unexpected costs on your GCP bill, ensure that Pub/Sub configuration changes are monitored in real time using Conformity RTMA.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for Pub/Sub configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.

Security

Monitoring your Google Cloud Platform (GCP) account for operational events such as "CreateTopic", "UpdateSubscription", and "SetIamPolicy" can provide insight into the configuration changes made at the Pub/Sub service level and can help you to reduce the time it takes to detect suspicious activity such as unsolicited or unauthorized updates made for topics and subscriptions. Monitoring Pub/Sub configuration changes is vital for keeping your "publish/subscribe" environment reliable and secure in Google Cloud.


References

Publication date Dec 14, 2022