Ensure GCP Pub/Sub Topic is not anonymously or publicly accessible

Error: GCP Pub/Sub Topic is anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_21
Checkov Check ID: CKV_GCP_99
Severity: MEDIUM

Pub/Sub Topic is anonymously or publicly accessible

Description

Pub/Sub is commonly used for asynchronous communication between applications in GCP. Messages are published to a Pub/Sub Topic, and the ability to publish to or subscribe from a topic is controlled by the topic's IAM policy. Granting any role to the special principals allUsers (anyone on the internet, no authentication required) or allAuthenticatedUsers (anyone with a Google account) makes the topic publicly or anonymously accessible. Public topics can expose sensitive data, are a target for data exfiltration, and, where the binding grants roles/pubsub.publisher, let anyone inject messages into your pipeline.

We recommend you ensure that neither anonymous nor public access to Pub/Sub Topics is allowed.

Fix - Runtime

GCP Console

To remove anonymous or public access to your Pub/Sub Topic:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Topics.
  3. Select the Pub/Sub Topic checkbox next to your Topic ID.
  4. Select the INFO PANEL tab to view the topic's permissions.
  5. To remove a specific role assignment, select allUsers or allAuthenticatedUsers, and then click Delete.

CLI Command

To remove access for allUsers and allAuthenticatedUsers, you need to first get the Pub/Sub Topic's existing IAM policy. To retrieve the existing policy and copy it to a local file:

gcloud pubsub topics get-iam-policy \
   projects/PROJECT/topics/TOPIC \
   --format json > topic_policy.json

Replace PROJECT with the project ID where your Pub/Sub Topic is located. Replace TOPIC with the Pub/Sub Topic ID.

Next, locate and remove the IAM bindings with either allUsers or allAuthenticatedUsers, depending on your Checkov error. Remove only the public member, not the whole binding, if other principals share the same role, and leave the etag field in place: set-iam-policy uses it to reject the update if the policy changed after you read it. After modifying the topic_policy.json file, update the Pub/Sub Topic with the following command:

gcloud pubsub topics set-iam-policy \
   projects/PROJECT/topics/TOPIC \
   topic_policy.json

Replace PROJECT with the project ID where your Pub/Sub Topic is located. Replace TOPIC with the Pub/Sub Topic ID.
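The "locate and remove" step above is easy to get wrong by hand (dropping a whole binding that also held legitimate members, or losing the etag). The following added example, which is not part of the Checkov/Bridgecrew page or of gcloud, does the edit mechanically: it loads a policy in the shape produced by get-iam-policy --format json, reports which bindings expose the topic (the same condition CKV_GCP_99 flags), strips only the public principals while keeping other members, conditions and the etag, and writes the result for set-iam-policy. The policy document, project and topic names and the service-account and group addresses in it are constructed sample data.

```python
import json
import sys

# Principals that make a topic public: allUsers needs no authentication at all,
# allAuthenticatedUsers accepts any Google account. Both are what CKV_GCP_99 flags.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like the output of
# `gcloud pubsub topics get-iam-policy projects/PROJECT/topics/TOPIC --format json`.
# Names and the etag are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["allUsers",
                 "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.subscriber",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/pubsub.viewer",
     "members": ["group:sre@example.com"]}
  ],
  "etag": "BwXyZExampleEtag="
}
"""


def load_policy(text):
    """Parse a policy document as written by get-iam-policy --format json."""
    return json.loads(text)


def find_public_bindings(policy):
    """Return (role, member) pairs that expose the topic anonymously or publicly.

    An empty list means the policy would pass the check.
    """
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def strip_public_members(policy):
    """Return a copy of the policy with allUsers/allAuthenticatedUsers removed.

    Only the public principals are dropped; other members of the same binding
    keep their role. A binding left with no members grants nothing and is
    omitted. Every other key (including any "condition" on a binding and the
    top-level "etag") is preserved so set-iam-policy can detect a concurrent
    change to the policy instead of silently overwriting it.
    """
    cleaned = {key: value for key, value in policy.items() if key != "bindings"}
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            new_bindings.append({**binding, "members": members})
    cleaned["bindings"] = new_bindings
    return cleaned


def main(argv):
    # Usage: python fix_topic_policy.py [topic_policy.json] [fixed_policy.json]
    # With no arguments the constructed sample is used and the result is printed.
    source = open(argv[1]).read() if len(argv) > 1 else SAMPLE_POLICY_JSON
    policy = load_policy(source)

    for role, member in find_public_bindings(policy):
        print(f"public access: {member} has {role}", file=sys.stderr)

    fixed = strip_public_members(policy)
    if len(argv) > 2:
        with open(argv[2], "w") as out:
            json.dump(fixed, out, indent=2)
        print(f"wrote {argv[2]}; apply with: gcloud pubsub topics set-iam-policy "
              f"projects/PROJECT/topics/TOPIC {argv[2]}", file=sys.stderr)
    else:
        print(json.dumps(fixed, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the file you saved from get-iam-policy and pass the written output to set-iam-policy; if the command is rejected because the etag no longer matches, re-run get-iam-policy and repeat rather than removing the etag. Note that the script only edits the topic's own policy: a public binding inherited from the project or folder level also makes the topic public and has to be removed there.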

Fix - Buildtime

Terraform

  • Resource: google_pubsub_topic_iam_binding

  • Field: members

  • Resource: google_pubsub_topic_iam_member

  • Field: member

# Lines marked "-" are the public principals to remove. Keep any other
# members in the same binding; they are not affected by this check.
resource "google_pubsub_topic_iam_binding" "public_binding" {
  topic = google_pubsub_topic.example.name
  role  = "roles/pubsub.publisher"

  members = [
-    "allUsers",
-    "allAuthenticatedUsers",
  ]
}

# Remove whichever of the two public principals the member resource grants.
resource "google_pubsub_topic_iam_member" "public_member" {
  topic = google_pubsub_topic.example.name
  role  = "roles/pubsub.publisher"

-  member = "allUsers"
-  member = "allAuthenticatedUsers"
}