Ensures that dead lettering is enabled and configured for all the Pub/Sub subscriptions.
Risk Level: Low
Description
This plugin checks that every Google Pub/Sub subscription is configured with a dead-letter topic (also known as a dead-letter queue) to which undelivered messages are forwarded, so that delivery failures are captured and can be handled instead of going unnoticed.
About the Service
Google Cloud Pub/Sub:
Pub/Sub helps applications and services build robust, scalable systems by integrating them asynchronously. It is a real-time messaging service that lets you send and receive messages between independent applications, and it offers numerous benefits, including scalability, load balancing and parallel processing.
Impact
When dead lettering is configured and the Pub/Sub service delivers a message that the subscriber fails to acknowledge, the message is forwarded to the dead-letter topic once the configured number of delivery attempts has been exhausted, rather than being redelivered again and again. To ensure that such failures are handled and that subscriptions keep performing well, SentinelOne CNS recommends enabling the dead-letter topic property on every subscription.
Steps to Reproduce
Using GCP Console:
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the Navigation menu on the left, go to Pub/Sub under the BIG DATA section and select Subscriptions from the list.
- Select the Subscription you wish to examine out of the list of subscriptions present and go to the OVERVIEW tab to check the configuration details.
- Check the status of Dead lettering. If it is set to Disabled, dead lettering has not been set up and configured for the selected subscription.
- Repeat steps 4 and 5 for all the subscriptions you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console.
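The console check above can be scripted against the subscription resources the Pub/Sub API returns. The following is an added example written for this page, not SentinelOne CNS plugin code: it evaluates each subscription's deadLetterPolicy the way the steps above do, and additionally flags a dead-letter topic that equals the source topic and a maxDeliveryAttempts value outside the range Pub/Sub accepts (5 to 100). The sample input is constructed and mimics the JSON shape of `gcloud pubsub subscriptions list --format=json`.

```python
import json

# Pub/Sub enforces this range for deadLetterPolicy.maxDeliveryAttempts.
MIN_DELIVERY_ATTEMPTS = 5
MAX_DELIVERY_ATTEMPTS = 100


def check_dead_lettering(subscription: dict) -> list:
    """Return the findings for one Subscription resource (empty list = compliant).

    `subscription` is a dict in the shape of the Pub/Sub REST Subscription
    resource: it carries `name`, `topic` and an optional `deadLetterPolicy`
    holding `deadLetterTopic` and `maxDeliveryAttempts`.
    """
    findings = []
    policy = subscription.get("deadLetterPolicy")
    if not policy or not policy.get("deadLetterTopic"):
        findings.append("dead lettering is disabled")
        return findings
    # A dead-letter topic equal to the source topic would only feed the same
    # message back to the same failing subscriber.
    if policy["deadLetterTopic"] == subscription.get("topic"):
        findings.append("dead-letter topic is the same as the source topic")
    # Pub/Sub falls back to the default of 5 when the field is absent.
    attempts = policy.get("maxDeliveryAttempts", MIN_DELIVERY_ATTEMPTS)
    if not MIN_DELIVERY_ATTEMPTS <= attempts <= MAX_DELIVERY_ATTEMPTS:
        findings.append(f"maxDeliveryAttempts {attempts} is outside "
                        f"{MIN_DELIVERY_ATTEMPTS}-{MAX_DELIVERY_ATTEMPTS}")
    return findings


def audit(subscriptions_json: str) -> dict:
    """Map every subscription name to its findings; compliant ones map to []."""
    return {s["name"]: check_dead_lettering(s)
            for s in json.loads(subscriptions_json)}


# Constructed sample input (not real project data), in the shape produced by
# `gcloud pubsub subscriptions list --format=json`.
SAMPLE = json.dumps([
    {"name": "projects/demo/subscriptions/orders-sub",
     "topic": "projects/demo/topics/orders",
     "deadLetterPolicy": {"deadLetterTopic": "projects/demo/topics/orders-dlq",
                          "maxDeliveryAttempts": 10}},
    {"name": "projects/demo/subscriptions/audit-sub",
     "topic": "projects/demo/topics/audit"},
    {"name": "projects/demo/subscriptions/loop-sub",
     "topic": "projects/demo/topics/loop",
     "deadLetterPolicy": {"deadLetterTopic": "projects/demo/topics/loop",
                          "maxDeliveryAttempts": 3}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feeding the script real output from `gcloud pubsub subscriptions list --format=json` for each project reproduces the per-project loop in the steps above without clicking through every subscription.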
Steps for Remediation
Determine whether you truly need the dead-letter topic to be disabled. If not, make the necessary changes to enable it using the steps below.
Using GCP Console:
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the Navigation menu on the left, go to Pub/Sub under the BIG DATA section and select Subscriptions from the list.
- If you do not already have a dead-letter topic you wish to use, go to the Topics page and click on CREATE TOPIC.
Note: The dead-letter topic should be different from the source topic.
- In the Create a topic dialog box, enter your desired Topic ID in the textbox provided.
- Check the Use a customer-managed encryption key (CMEK) checkbox and then select your desired CMEK from the drop-down list provided.
- Click on the GRANT button in the warning message displayed and then click the CREATE TOPIC button to re-create the topic.
- Go to the Topic details of the re-created topic and click on CREATE SUBSCRIPTION under the SUBSCRIPTIONS section and create the required subscriptions.
- From the Navigation panel on the left, select Subscriptions from the list.
- Select the subscription you want to reconfigure from the list of subscriptions displayed and click on the EDIT button on the top bar. (In case you aren’t sure which subscription needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- In the Edit subscription page, check the Enable dead lettering checkbox under Dead lettering and choose the created dead-letter topic from the dropdown provided and finally, enter the maximum delivery attempts based on your needs. Then click on Update to apply all the changes.
- Next, go to the DEAD LETTERING tab and click on the GRANT PUBLISHER ROLE button to grant the role.
- Similarly, click on the GRANT SUBSCRIBER ROLE button to assign the subscriber role as well.
- Repeat steps 4 to 10 for all the subscriptions you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 11 for each project in your GCP console.