Identify any publicly accessible Pub/Sub topics within your Google Cloud account and update their IAM policy to prevent unauthorized access and sensitive data exposure. To achieve this, remove the bindings for "allUsers" and "allAuthenticatedUsers" members from your topic's IAM policy. "allUsers" is a special member identifier representing any user on the internet, including both authenticated and unauthenticated users. Similarly, "allAuthenticatedUsers" represents any user or service account that can sign in to Google Cloud Platform (GCP) with a Google account.
Misconfigured access permissions are a common security weakness in Google Cloud resources. Granting roles to "allUsers" or "allAuthenticatedUsers" on a Pub/Sub topic makes access effectively unrestricted, allowing anyone to publish messages to the topic or view sensitive data. Enforce granular, least-privilege permissions so that only authorized users and service accounts can reach the topic, maintaining data integrity and preventing abuse.
Audit
To determine if there are any publicly accessible Pub/Sub topics available in your Google Cloud account, perform the following operations:
Remediation / Resolution
To remove the "allUsers" and/or "allAuthenticatedUsers" member bindings from the IAM policy of your Pub/Sub topics, and thereby restrict anonymous and/or public access, perform the following operations:
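The audit and remediation steps above both work on the topic IAM policy that `gcloud pubsub topics get-iam-policy TOPIC --format=json` returns. The following script is an added example, not part of the original page: it flags every binding for "allUsers" or "allAuthenticatedUsers" in such a policy and prints the matching `gcloud pubsub topics remove-iam-policy-binding` commands. The policy document, project name and topic name are constructed sample values.

```python
"""Audit a Pub/Sub topic IAM policy for public members and build the
gcloud commands that remove those bindings (added example, not page code)."""
import json

# The two special member identifiers the page describes as public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy):
    """Return (role, member) pairs that grant access to a public member.

    `policy` is the parsed JSON from `gcloud pubsub topics get-iam-policy`.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def remediation_commands(project, topic, findings):
    """One remove-iam-policy-binding command per public (role, member) pair."""
    return [
        f"gcloud pubsub topics remove-iam-policy-binding {topic} "
        f"--project={project} --member={member} --role={role}"
        for role, member in findings
    ]


# Constructed sample policy for a hypothetical misconfigured topic; the
# service account, user and etag values are made up for this example.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/pubsub.publisher", "members": ["allUsers"]},
    {"role": "roles/pubsub.viewer",
     "members": ["allAuthenticatedUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.editor", "members": ["user:admin@example.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}""")

if __name__ == "__main__":
    # In a real audit, loop over `gcloud projects list` and
    # `gcloud pubsub topics list` and fetch each topic's policy.
    found = find_public_bindings(SAMPLE_POLICY)
    for role, member in found:
        print(f"PUBLIC BINDING: {member} -> {role}")
    for cmd in remediation_commands("example-project", "orders-topic", found):
        print(cmd)
```

Bindings that only name specific users or service accounts are left untouched, so the remaining policy still grants the intended access.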
References
- Google Cloud Platform (GCP) Documentation
  - IAM overview
  - IAM basic and predefined roles reference
  - Principal identifiers
  - Access control with IAM
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud pubsub topics list
  - gcloud pubsub topics get-iam-policy
  - gcloud pubsub topics remove-iam-policy-binding