
Check for Publicly Accessible Pub/Sub Topics

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Identify any publicly accessible Pub/Sub topics within your Google Cloud account and update their IAM policy to prevent unauthorized access and sensitive data exposure. To achieve this, remove the bindings for "allUsers" and "allAuthenticatedUsers" members from your topic's IAM policy. "allUsers" is a special member identifier representing any user on the internet, including both authenticated and unauthenticated users. Similarly, "allAuthenticatedUsers" represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.

Security

Misconfigured access permissions are a common security vulnerability for Google Cloud resources. Using "allUsers" or "allAuthenticatedUsers" with Pub/Sub topics grants unrestricted access, allowing anyone to publish messages or view sensitive data. Enforce granular permissions to restrict access to authorized users and services, maintaining data integrity and preventing abuse.


Audit

To determine if there are any publicly accessible Pub/Sub topics available in your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Pub/Sub console at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Topics to access the Pub/Sub topics created for the selected GCP project.

05 Select the Pub/Sub topic that you want to examine, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the topic permissions.

06 Click inside the Filter box, select Role / Principal, type allUsers, and press Enter. Click again in the Filter box, choose OR, select Role / Principal, type allAuthenticatedUsers, and press Enter. If the Google Cloud console returns one or more results (i.e. principals), the selected Pub/Sub topic is considered publicly accessible.

07 Repeat steps no. 5 and 6 for each Pub/Sub topic available within the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-dataflow-project-123123
cc-bigdata-project-112233

03 Run pubsub topics list command (Windows/macOS/Linux) with custom filtering to describe the fully qualified identifier of each Pub/Sub topic deployed within the selected Google Cloud project:

gcloud pubsub topics list \
  --project cc-dataflow-project-123123 \
  --format="value(name)"

04 The command output should return the requested topic identifier(s):

projects/cc-dataflow-project-123123/topics/cc-dataflow-app-topic
projects/cc-dataflow-project-123123/topics/cc-dataflow-web-topic

05 Run pubsub topics get-iam-policy command (Windows/macOS/Linux) using the ID of the Pub/Sub topic that you want to examine as the identifier parameter, to describe the names of the IAM members (principals) defined in the IAM policy associated with the selected topic:

gcloud pubsub topics get-iam-policy projects/cc-dataflow-project-123123/topics/cc-dataflow-app-topic \
  --format=json | jq '.bindings[].members[]'

06 The command output should return the name of the associated IAM members:

"allUsers"
"allAuthenticatedUsers"
"user:publisher@domain.com"

If the list of IAM member names returned by the pubsub topics get-iam-policy command output includes "allUsers" and/or "allAuthenticatedUsers", as shown in the example above, the selected Google Cloud Pub/Sub topic is considered publicly accessible.

07 Repeat steps no. 5 and 6 for each Pub/Sub topic available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the "allUsers" and/or "allAuthenticatedUsers" IAM member bindings from the associated IAM policy in order to restrict anonymous and/or public access to your Pub/Sub topics, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Pub/Sub console available at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Topics to access the Pub/Sub topics created for the selected GCP project.

05 Select the Pub/Sub topic that you want to configure, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to display the topic permissions.

06 Click inside the Filter box, select Role / Principal, type allUsers, and press Enter. Click again in the Filter box, choose OR, select Role / Principal, type allAuthenticatedUsers, and press Enter. This will return the IAM roles with the allUsers and allAuthenticatedUsers principals.

07 Choose the allUsers/allAuthenticatedUsers principal that you want to remove and click on the delete button (bin icon) available next to the principal name to delete the binding.

08 In the Remove role from principal? confirmation box, choose REMOVE to remove the selected binding. Repeat this step for each "allUsers"/"allAuthenticatedUsers" binding.

09 Repeat steps no. 4 – 8 for each Pub/Sub topic that you want to configure, available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run pubsub topics remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible Pub/Sub topic that you want to configure as the identifier parameter, to remove the allUsers binding from the IAM policy associated with the selected topic. For example, the following command removes the allUsers principal from the roles/editor role:

gcloud pubsub topics remove-iam-policy-binding projects/cc-dataflow-project-123123/topics/cc-dataflow-app-topic \
  --member='allUsers' \
  --role='roles/editor'

02 The command output should return the information available for the modified policy:

Updated IAM policy for topic [cc-dataflow-app-topic].
bindings:
- members:
  - allAuthenticatedUsers
  role: roles/pubsub.admin
- members:
  - user:publisher@domain.com
  role: roles/pubsub.viewer
etag: ABCD1234ABCD
version: 1

03 Run pubsub topics remove-iam-policy-binding command (OSX/Linux/UNIX) using the name of the publicly accessible Pub/Sub topic that you want to configure as the identifier parameter, to remove the allAuthenticatedUsers binding from the IAM policy of the selected topic. For example, the following command removes the allAuthenticatedUsers principal from the roles/pubsub.admin role:

gcloud pubsub topics remove-iam-policy-binding projects/cc-dataflow-project-123123/topics/cc-dataflow-app-topic \
  --member='allAuthenticatedUsers' \
  --role='roles/pubsub.admin'

04 The command output should return the information available for the updated policy:

Updated IAM policy for topic [cc-dataflow-app-topic].
bindings:
- members:
  - user:user@domain.com
  role: roles/pubsub.viewer
etag: 1234ABCD1234
version: 1

05 Repeat steps no. 1 - 4 for each Pub/Sub topic that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.
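The audit (CLI steps 05-06 above) and the remediation (CLI steps 01-03) can be chained: parse the JSON that get-iam-policy prints, list every (role, principal) pair that is public, and emit one remove-iam-policy-binding command per pair, since a public principal bound to several roles needs one removal per role. This is an added example, not code from the Conformity page or from Google; it reuses the page's sample project and topic names, the sample policy is constructed, and scan_topic assumes a locally authenticated gcloud.

```python
"""Find public principals in a Pub/Sub topic IAM policy and build the
matching remove-iam-policy-binding commands (added example, not the
page's or Google's own tooling)."""
import json
import shlex
import subprocess

# The two special members that make a topic publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """Return (role, member) pairs that expose the topic publicly.
    `policy` is the parsed output of `gcloud ... get-iam-policy --format=json`."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def remediation_commands(topic, policy):
    """One removal command per public (role, member) pair; the role must be
    given, because remove-iam-policy-binding only touches one binding."""
    return [
        "gcloud pubsub topics remove-iam-policy-binding "
        f"{shlex.quote(topic)} --member={shlex.quote(member)} --role={shlex.quote(role)}"
        for role, member in public_bindings(policy)
    ]


def scan_topic(topic):
    """Fetch the live policy with gcloud (needs credentials; not exercised offline)."""
    out = subprocess.run(
        ["gcloud", "pubsub", "topics", "get-iam-policy", topic, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return remediation_commands(topic, json.loads(out))


# Constructed sample policy mirroring the audit output in step 06 above.
SAMPLE_TOPIC = "projects/cc-dataflow-project-123123/topics/cc-dataflow-app-topic"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor", "members": ["allUsers"]},
    {"role": "roles/pubsub.admin", "members": ["allAuthenticatedUsers", "allUsers"]},
    {"role": "roles/pubsub.viewer", "members": ["user:publisher@domain.com"]}
  ],
  "etag": "ABCD1234ABCD", "version": 1}""")

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_TOPIC, SAMPLE_POLICY):
        print(cmd)
```

Review the printed commands before running them; the policy's own etag can be checked with get-iam-policy again afterwards to confirm every public binding is gone.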


Publication date May 1, 2024