GCP Pub/Sub Topics are anonymously or publicly accessible
Description
Pub/Sub is commonly used for asynchronous communication between applications in GCP. Messages are published to a Pub/Sub Topic, and the ability to publish a message is controlled via IAM policies. It is possible to make Pub/Sub Topics publicly or anonymously accessible by granting a role to the special principals allUsers or allAuthenticatedUsers. Public notification topics can expose sensitive data and are a target for data exfiltration. We recommend you ensure that neither anonymous nor public access to Pub/Sub Topics is allowed.
Code Example
```shell
gcloud pubsub topics get-iam-policy \
  projects/PROJECT/topics/TOPIC \
  --format json > topic_policy.json
```
Remediation
**GCP Console**
To remove anonymous or public access to your Pub/Sub Topic:
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to https://console.cloud.google.com/cloudpubsub/topic/list (Topics).
3. Select the Pub/Sub Topic checkbox next to your **Topic ID**.
4. Select the **INFO PANEL** tab to view the topic's permissions.
5. To remove a specific role assignment, select **allUsers** or **allAuthenticatedUsers**, and then click **Delete**.
**CLI Command**
To remove access for **allUsers** and **allAuthenticatedUsers**, you first need to get the **Pub/Sub Topic's** existing IAM policy. To retrieve the existing policy and copy it to a local file, run the `gcloud pubsub topics get-iam-policy` command shown under Code Example above; it writes the policy to `topic_policy.json`, from which the public bindings can be removed before the policy is applied again.
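The following is an added example, not code from the original rule page or from Checkov. It works on the JSON that the `gcloud pubsub topics get-iam-policy --format json` command above writes: it reports every binding that names allUsers or allAuthenticatedUsers (the condition this rule flags) and produces a cleaned copy of the policy with those principals removed, keeping the etag so the rewrite is checked against the version you read. The sample policy, the service account, group and etag values in it, and the output file name are all constructed for the demonstration.

```python
"""Detect and strip public principals from a Pub/Sub topic IAM policy.

Added example, not part of the original rule page. Input is the JSON
written by `gcloud pubsub topics get-iam-policy ... --format json`.
"""
import json
from typing import List, Tuple

# Principals that grant access to everyone (allUsers) or to anyone holding a
# Google account (allAuthenticatedUsers). Either one makes the topic public.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample of what topic_policy.json might contain for a topic that
# has been made publicly publishable and world-readable. Names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["allUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/pubsub.editor",
     "members": ["group:pubsub-admins@example.com"]}
  ],
  "etag": "BwXyZEXAMPLE=",
  "version": 1
}
""")


def find_public_bindings(policy: dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that expose the topic to the public."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def is_public(policy: dict) -> bool:
    """True if any binding grants a role to allUsers or allAuthenticatedUsers."""
    return bool(find_public_bindings(policy))


def remove_public_access(policy: dict) -> dict:
    """Return a new policy with public principals removed from every binding.

    The input is not modified. Bindings left with no members are dropped,
    since they grant nothing. Other keys (etag, version, any binding
    condition) are copied through unchanged so the cleaned policy can be
    applied with set-iam-policy against the etag that was read.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    new_bindings = []
    for binding in policy.get("bindings", []):
        kept = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if kept:
            new_binding = dict(binding)
            new_binding["members"] = kept
            new_bindings.append(new_binding)
    cleaned["bindings"] = new_bindings
    return cleaned


if __name__ == "__main__":
    # Demonstration on the constructed sample; on a real topic, load
    # topic_policy.json here instead.
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"public access: {member} holds {role}")
    fixed = remove_public_access(SAMPLE_POLICY)
    with open("topic_policy_fixed.json", "w") as fh:  # constructed file name
        json.dump(fixed, fh, indent=2)
    print("cleaned policy written to topic_policy_fixed.json")
```

Once the cleaned file has been reviewed, it is applied with `gcloud pubsub topics set-iam-policy TOPIC topic_policy_fixed.json`; because the etag from the original read is preserved, the update fails safely if someone else changed the policy in the meantime, and the procedure can simply be repeated from the get-iam-policy step.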
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0957 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_99 |