Ensure PubSub service is encrypted, with customer managed encryption keys.

Pub/Sub uses the envelope encryption pattern with CMEK. In this approach, the messages are not encrypted by Cloud KMS. Instead Cloud KMS is used to encrypt Data Encryption Keys (DEKs) created by Pub/Sub for each topic.

Risk Level: High
Cloud Entity: Google Pub/Sub
CloudGuard Rule ID: D9.GCP.CRY.06
Covered by Spectral: Yes
Category: Networking & Content Delivery


PubSubTopic should have cryptoKey


From Portal

  1. Go to the Pub/Sub topics page in the Cloud Console.
  2. Select the relevant topic and click on delete
  3. in the confirmation box type 'delete' and click delete.

To create new Topic with customer managed encryption key:

  1. Go to the Pub/Sub topics page in the Cloud Console.
  2. Click Create a topic.
  3. In the Topic ID field, provide a unique topic name.
  4. Under Encryption, choose Customer-managed key
  5. Select or create a key and click on create Topic.

From TF

resource "google_pubsub_topic" "example" {
	+ kms_key_name = google_kms_crypto_key.crypto_key.id.example

From Command Line

  1. To delete the unencrypted topic, Run below command.
gcloud pubsub topics delete TOPIC_NAME
  1. To create the encrypted topic using Customer-Managed Key, Run below command.
gcloud pubsub topics create TOPIC_NAME --topic-encryption-key = TOPIC_ENCRYPTION_KEY


  1. https://cloud.google.com/pubsub/docs/encryption#using-cmek
  2. https://cloud.google.com/pubsub/docs/create-topic#pubsub_create_topic-Console
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic
  4. https://cloud.google.com/sdk/gcloud/reference/pubsub/topics/create
  5. https://cloud.google.com/sdk/gcloud/reference/pubsub/topics/delete

Google Pub/Sub

Pub/Sub enables you to create systems of event producers and consumers, called publishers and subscribers. Publishers communicate with subscribers asynchronously by broadcasting events, rather than by synchronous remote procedure calls (RPCs).

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP Dashboard System Ruleset
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5