Risk Level: High
Cloud Entity: Google Pub/Sub
CloudGuard Rule ID: D9.GCP.CRY.06
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

PubSubTopic should have cryptoKey

REMEDIATION

From Portal

Go to the Pub/Sub topics page in the Cloud Console.
Select the relevant topic and click on delete
in the confirmation box type 'delete' and click delete.

To create new Topic with customer managed encryption key:

Go to the Pub/Sub topics page in the Cloud Console.
Click Create a topic.
In the Topic ID field, provide a unique topic name.
Under Encryption, choose Customer-managed key
Select or create a key and click on create Topic.

From TF

resource "google_pubsub_topic" "example" {
	+ kms_key_name = google_kms_crypto_key.crypto_key.id.example
}

From Command Line

To delete the unencrypted topic, Run below command.

gcloud pubsub topics delete TOPIC_NAME

To create the encrypted topic using Customer-Managed Key, Run below command.

gcloud pubsub topics create TOPIC_NAME --topic-encryption-key = TOPIC_ENCRYPTION_KEY

References

Google Pub/Sub

Pub/Sub enables you to create systems of event producers and consumers, called publishers and subscribers. Publishers communicate with subscribers asynchronously by broadcasting events, rather than by synchronous remote procedure calls (RPCs).

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP Dashboard System Ruleset
GCP GDPR Readiness
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5