Ensure that your Google Cloud Pub/Sub topics are configured to allow access only to trusted GCP projects in order to protect against unauthorized cross-project access. The list with the trusted GCP projects must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.
You can grant a service account from another GCP project permission to publish messages to a Pub/Sub topic in your project by adding it to the topic's IAM policy with the "Pub/Sub Publisher" role (i.e. roles/pubsub.publisher). However, opening a Pub/Sub topic to unknown cross-project principals is a security risk: any service account in an untrusted project could publish messages and compromise the integrity of the data your subscribers consume. To mitigate this risk, limit topic access to service accounts from trusted projects and review topic-level IAM bindings regularly. Note that a topic's effective access also includes roles inherited from the project, folder and organization levels, so those bindings must be reviewed as well.
Audit
To determine if your Google Cloud Pub/Sub topics allow unauthorized cross-project access, perform the following operations:
Remediation / Resolution
To remove the IAM policy bindings of unknown, untrusted service accounts in order to protect your Pub/Sub topics against unauthorized cross-project access, perform the following operations:
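The following script is an added example covering both the Audit and the Remediation steps above; it is not Conformity's or Google's code. It works on the JSON that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints, derives the owning project of every service account in the topic policy, reports the ones outside the trusted list, and builds the matching `gcloud pubsub topics remove-iam-policy-binding` commands. The trusted project list, the topic name `orders` and the sample policy are constructed assumptions standing in for the rule settings and a real topic; in practice you would loop over `gcloud pubsub topics list --format=json` and feed each topic's policy to `audit_topic`.

```python
"""Audit and remediate cross-project service-account bindings on Pub/Sub topics.

Added example (not Conformity's or Google's code). Operates offline on the JSON
that `gcloud pubsub topics get-iam-policy TOPIC --format=json` returns.
"""
import json
import re
import shlex

# Assumed: the trusted GCP project IDs configured in the Conformity rule settings.
TRUSTED_PROJECTS = {"my-own-project", "partner-project"}

# Constructed sample output of `gcloud pubsub topics get-iam-policy orders --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/pubsub.publisher",
      "members": [
        "serviceAccount:ingest@my-own-project.iam.gserviceaccount.com",
        "serviceAccount:feed@partner-project.iam.gserviceaccount.com",
        "serviceAccount:unknown-bot@rogue-project.iam.gserviceaccount.com",
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/pubsub.viewer",
      "members": ["user:alice@example.com"]
    }
  ],
  "etag": "BwXyZ1234="
}
"""

# Service account e-mail forms and the project component they carry:
#   NAME@PROJECT_ID.iam.gserviceaccount.com               user-managed service account
#   PROJECT_ID@appspot.gserviceaccount.com                App Engine default service account
#   PROJECT_NUMBER-compute@developer.gserviceaccount.com  Compute Engine default service account
_USER_MANAGED = re.compile(r"^[^@]+@(.+)\.iam\.gserviceaccount\.com$")
_APPSPOT = re.compile(r"^([a-z][a-z0-9-]*)@appspot\.gserviceaccount\.com$")
_COMPUTE = re.compile(r"^(\d+)-compute@developer\.gserviceaccount\.com$")


def project_of_service_account(email):
    """Return the project owning a service account, or None if it cannot be derived.

    The Compute Engine default account exposes only the project *number*, so that
    number is returned and must be allowlisted explicitly. Google-managed service
    agents also use the *.iam.gserviceaccount.com form but live in Google-owned
    projects, so they are reported like any other foreign project unless allowlisted.
    """
    for pattern in (_USER_MANAGED, _APPSPOT, _COMPUTE):
        m = pattern.match(email)
        if m:
            return m.group(1)
    return None


def find_untrusted_bindings(policy, trusted_projects):
    """Return (role, member, owning_project) for service accounts outside trusted_projects."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # users and groups are outside the scope of this rule
            project = project_of_service_account(member[len("serviceAccount:"):])
            if project is None or project not in trusted_projects:
                findings.append((role, member, project))
    return findings


def remediation_commands(topic, findings):
    """Build the gcloud commands that remove each untrusted binding from the topic."""
    return [
        "gcloud pubsub topics remove-iam-policy-binding {} --member={} --role={}".format(
            shlex.quote(topic), shlex.quote(member), shlex.quote(role))
        for role, member, _ in findings
    ]


def audit_topic(topic, policy_json, trusted_projects):
    """Parse one topic's IAM policy and return (findings, remediation commands)."""
    findings = find_untrusted_bindings(json.loads(policy_json), trusted_projects)
    return findings, remediation_commands(topic, findings)


if __name__ == "__main__":
    findings, commands = audit_topic("orders", SAMPLE_POLICY_JSON, TRUSTED_PROJECTS)
    for role, member, project in findings:
        print("UNTRUSTED  {:<24} {}  (project: {})".format(role, member, project or "unknown"))
    print("\n".join(commands))
```

The script flags every role bound to a foreign service account, not only roles/pubsub.publisher, because a subscriber or editor role granted cross-project is just as much an unreviewed trust relationship. Review the generated commands before running them: a Google-managed service agent (for example a Dataflow or Cloud Functions agent publishing on your behalf) will show up as untrusted until its project is added to the allowlist.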
References
- Google Cloud Platform (GCP) Documentation
- IAM overview
- IAM basic and predefined roles reference
- Principal identifiers
- Access control with IAM
- Create service accounts
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud pubsub topics list
- gcloud pubsub topics get-iam-policy
- gcloud pubsub topics remove-iam-policy-binding