
Pub/Sub Topic Cross-Project Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that your Google Cloud Pub/Sub topics are configured to allow access only to trusted GCP projects in order to protect against unauthorized cross-project access. The list with the trusted GCP projects must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.

Security

You can grant a service account from another GCP project permission to publish messages to a Pub/Sub topic in your project. This is done by updating the IAM policy of the topic to include the service account with the "Pub/Sub Publisher" role (i.e. roles/pubsub.publisher). Nonetheless, opening up your Pub/Sub topic to unknown cross-project access can pose security risks, potentially enabling unauthorized GCP projects to publish messages and compromising data integrity. To mitigate these risks, it's essential to limit access to trusted projects through the implementation of secure access policies.


Audit

To determine if your Google Cloud Pub/Sub topics allow unauthorized cross-project access, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that manages your Pub/Sub topic from the console top navigation bar.

03 Navigate to Pub/Sub console available at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Topics to access the Pub/Sub topics created for the selected GCP project.

05 Select the Pub/Sub topic that you want to examine, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to show the topic permissions.

06 Click inside the Filter box, select Role / Principal, type Pub/Sub Publisher, and press Enter. If the Google Cloud console returns one or more results, check each member/principal to determine if the principal is a valid service account. A valid service account has the following format: \<service-account-name\>@\<project-id\>.iam.gserviceaccount.com. If at least one valid service account is returned as a principal and the \<project-id\> of this service account is the ID of another GCP project, continue the Audit process with the next step.

07 Sign in to your Trend Cloud One™ – Conformity account, access Pub/Sub Topic Cross-Project Access conformity rule settings, and compare the \<project-id\> of each cross-project service account identified at the previous step against each GCP project ID defined in the rule configuration. If one or more service account project IDs are not included in the list of trusted GCP projects listed in the rule settings, the cross-project access configuration available for the selected Pub/Sub topic is not compliant.

08 Repeat steps no. 5 - 7 for each Pub/Sub topic available within the selected GCP project.

09 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-dataflow-project
cc-bigdata-project
cc-developer-project

03 Run pubsub topics list command (Windows/macOS/Linux) with custom filtering to describe the fully qualified identifier of each Pub/Sub topic deployed within the selected Google Cloud project:

gcloud pubsub topics list \
  --project cc-dataflow-project \
  --format="value(name)"

04 The command output should return the requested topic identifier(s):

projects/cc-dataflow-project/topics/cc-dataflow-app-topic
projects/cc-dataflow-project/topics/cc-dataflow-host-topic

05 Run pubsub topics get-iam-policy command (Windows/macOS/Linux) with the ID of the Pub/Sub topic that you want to examine as the identifier parameter, to describe the name and role of each IAM member/principal assigned to the selected topic:

gcloud pubsub topics get-iam-policy projects/cc-dataflow-project/topics/cc-dataflow-app-topic \
  --format=json | jq '.bindings[]'

06 The command output should return the requested information for the associated IAM members:

{
	"members": [
		"user:publisher@domain.com"
	],
	"role": "roles/pubsub.admin"
},
{
	"members": [
		"serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com"
	],
	"role": "roles/pubsub.publisher"
},
{
	"members": [
		"serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com"
	],
	"role": "roles/pubsub.publisher"
}

If the pubsub topics get-iam-policy command output returns one or more valid cross-project service accounts as members/principals, continue the Audit process with the next step. A valid cross-project service account is a service account associated with the "roles/pubsub.publisher" role, which has the following format: \<service-account-name\>@\<project-id\>.iam.gserviceaccount.com, where \<project-id\> is the ID of another GCP project.

07 Sign in to your Trend Cloud One™ – Conformity account, access Pub/Sub Topic Cross-Project Access conformity rule settings, and compare the \<project-id\> of each cross-project service account identified at the previous step against each GCP project ID defined in the rule configuration. If one or more service account project IDs are not included in the list of trusted GCP projects listed in the rule settings, the cross-project access configuration available for the selected Pub/Sub topic is not compliant.

08 Repeat steps no. 5 - 7 for each Pub/Sub topic available in the selected GCP project.

09 Repeat steps no. 3 – 8 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the IAM policy bindings of the unknown, untrusted service accounts in order to protect your Pub/Sub topics against unauthorized cross-project access, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Pub/Sub console at https://console.cloud.google.com/cloudpubsub.

04 In the navigation panel, select Topics to access the Pub/Sub topics created for the selected GCP project.

05 Select the Pub/Sub topic that you want to configure, choose SHOW INFO PANEL from the top-right menu, and select the PERMISSIONS tab to display the topic permissions.

06 Click inside the Filter box, select Role / Principal, type Pub/Sub Publisher, and press Enter. This will return the IAM members/principals with the Pub/Sub Publisher role.

07 Choose the untrusted cross-project service account that you want to remove and click on the delete button (bin icon) available next to the principal name to delete the binding.

08 In the Remove role from principal? confirmation box, choose REMOVE to remove the selected binding. Repeat this step for each non-compliant binding configured for your Pub/Sub topic.

09 Repeat steps no. 5 – 8 for each Pub/Sub topic that you want to configure, available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run pubsub topics remove-iam-policy-binding command (OSX/Linux/UNIX) with the name of the Pub/Sub topic that you want to configure as the identifier parameter, to remove the binding for the untrusted cross-project service account, from the IAM policy associated with the selected topic. Repeat this step for each non-compliant binding configured for the selected Pub/Sub topic:

gcloud pubsub topics remove-iam-policy-binding projects/cc-dataflow-project/topics/cc-dataflow-app-topic \
  --member='serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com' \
  --role='roles/pubsub.publisher'

02 The command output should return the information available for the modified policy:

Updated IAM policy for topic [cc-dataflow-app-topic].
	bindings:
		- members:
			- user:publisher@domain.com
			role: roles/pubsub.admin
		- members:
			- serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com
			role: roles/pubsub.publisher
	etag: ABCD1234ABCD
	version: 1

03 Repeat steps no. 1 and 2 for each Pub/Sub topic that you want to configure, available in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
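The Audit (CLI) steps 5 – 7 and the Remediation (CLI) step 1 above can be automated over the JSON that `gcloud pubsub topics get-iam-policy --format=json` prints. The script below is an added example written for this page; it is not Conformity's own rule implementation and does not call gcloud itself. It embeds a constructed copy of the policy shown in the Audit section, extracts every service account bound to roles/pubsub.publisher whose project differs from the topic's own project, compares those project IDs against a constructed trusted-projects list (standing in for the rule settings), and prints the matching `remove-iam-policy-binding` command for each non-compliant binding so an operator can review it before running it.

```python
import json
import re

# Constructed sample: the output of
#   gcloud pubsub topics get-iam-policy <topic> --format=json
# for the topic examined in the Audit section (same bindings as shown there).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:publisher@domain.com"],
     "role": "roles/pubsub.admin"},
    {"members": ["serviceAccount:cc-app-service-account@cc-dataflow-project.iam.gserviceaccount.com"],
     "role": "roles/pubsub.publisher"},
    {"members": ["serviceAccount:cc-app-service-account@cc-developer-project.iam.gserviceaccount.com"],
     "role": "roles/pubsub.publisher"}
  ],
  "etag": "ABCD1234ABCD",
  "version": 1
}
"""

# Fully qualified topic name, as returned by `gcloud pubsub topics list --format="value(name)"`.
TOPIC = "projects/cc-dataflow-project/topics/cc-dataflow-app-topic"

# Constructed stand-in for the "trusted GCP projects" list in the rule settings.
TRUSTED_PROJECTS = {"cc-bigdata-project"}

# Valid service-account principal per the page: <name>@<project-id>.iam.gserviceaccount.com
# (project IDs are lowercase letters, digits and hyphens, starting with a letter).
SA_RE = re.compile(r"^serviceAccount:([^@\s]+)@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")


def parse_policy(text):
    """Parse the JSON policy document into a dict."""
    return json.loads(text)


def topic_project(topic_name):
    """Extract <project-id> from 'projects/<project-id>/topics/<topic>'."""
    parts = topic_name.split("/")
    if len(parts) != 4 or parts[0] != "projects" or parts[2] != "topics":
        raise ValueError(f"unexpected topic name: {topic_name}")
    return parts[1]


def cross_project_publishers(policy, topic_name):
    """Return (member, project_id) for each valid service account bound to
    roles/pubsub.publisher whose project is not the topic's own project."""
    own_project = topic_project(topic_name)
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/pubsub.publisher":
            continue
        for member in binding.get("members", []):
            match = SA_RE.match(member)
            if match and match.group(2) != own_project:
                found.append((member, match.group(2)))
    return found


def untrusted_publishers(policy, topic_name, trusted_projects):
    """Cross-project publishers whose project ID is not in the trusted list
    (these are the non-compliant bindings in the page's terms)."""
    return [(member, project)
            for member, project in cross_project_publishers(policy, topic_name)
            if project not in trusted_projects]


def remediation_commands(policy, topic_name, trusted_projects):
    """Build the Remediation (CLI) step 1 command for each non-compliant binding."""
    return [
        f"gcloud pubsub topics remove-iam-policy-binding {topic_name} "
        f"--member='{member}' --role='roles/pubsub.publisher'"
        for member, _ in untrusted_publishers(policy, topic_name, trusted_projects)
    ]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_JSON)
    bad = untrusted_publishers(policy, TOPIC, TRUSTED_PROJECTS)
    print(f"{TOPIC}: {'NOT COMPLIANT' if bad else 'compliant'}")
    for member, project in bad:
        print(f"  untrusted project {project}: {member}")
    for cmd in remediation_commands(policy, TOPIC, TRUSTED_PROJECTS):
        print("  " + cmd)
```

The regex follows the service-account format the page defines, so principals under other domains (for example the Compute Engine default service account, `<project-number>-compute@developer.gserviceaccount.com`) are not flagged; Google-managed service agents under `*.iam.gserviceaccount.com` do match and belong on the trusted list if they are expected. To use this against live data, pipe the `get-iam-policy --format=json` output into `parse_policy` for each topic name returned by `pubsub topics list`.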


Publication date May 2, 2024