Ensures that Cloud Pub/Sub topics are encrypted using CSEK keys
Risk Level: Low
Description
This plugin ensures that Google Pub/Sub topics are encrypted using CSEK keys. CSEK gives you more control over the key operations compared to the Google-managed encryption keys.
About the Service
Google Cloud Pub/Sub:
Pub/Sub helps applications and services build robust, scalable systems by integrating them asynchronously. It is a real-time messaging service that allows you to send and receive messages between independent applications. It has numerous benefits, including scalability, load balancing, parallel processing, and many others. For more information, click here.
Impact
If a Pub/Sub topic does not have the desired protection level, it makes it vulnerable to security breaches and increases the risk of attacks. This could jeopardize the data and services on the Google Cloud Platform that are managed by the topic.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the Navigation menu on the left, go to Pub/Sub under the BIG DATA section and select Topics from the list.
- Examine the list of topics to see if any of the rows' Encryption key values are marked as Google-managed. If this is the case, the Pub/Sub topics have a low level of encryption.
- If you have multiple projects, repeat steps 2 to 4 for each project in your GCP Console.
Steps for Remediation
Determine whether or not you truly do not require the Pub/Sub topics to be encrypted by Google Managed keys. If not, make the necessary changes to use the desired level of encryption using the steps below.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the Navigation menu on the left, go to Pub/Sub under the BIG DATA section and select Topics from the list.
- Select the topic you want to reconfigure from the list of topics displayed and note down all the necessary configuration settings. (In case you aren’t sure which topic needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- Go back to the Topics page and click on CREATE TOPIC.
Note: The encryption settings cannot be changed once the topic has been created. Thus, to use the desired level of encryption, you must re-create the topic. - In the Create a topic dialog box, enter your desired Topic ID in the textbox provided.
- Check the Use a customer-managed encryption key (CMEK) checkbox and then select your desired CMEK from the drop-down list provided.
- Click on the GRANT button in the warning message displayed and then click the CREATE TOPIC button to re-create the topic.
- Go to the Topic details of the re-created topic and click on CREATE SUBSCRIPTION under the SUBSCRIPTIONS section and create all the subscriptions of the original topic.
- You can delete the previous topic once the newly generated one has been fully configured to match it in order to avoid unnecessary billing charges.
- Repeat steps 4 to 10 for all the topics you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 11 for each project in your GCP console.