GCP-Pub-Sub-Topic-Customer-Managed-Encryption-Key-UnSet

Severity: High

Description: This control checks that Pub/Sub topics are encrypted with customer-managed encryption keys (CMEK). By default, Pub/Sub messages are encrypted with Google-managed keys. A CMEK gives you additional control over the messages. Before Pub/Sub publishes messages to a subscription, it encrypts them with the configured key, and it decrypts them shortly before they are delivered to subscribers.

Remediation Steps:

Perform the following steps to set a CMEK for a Pub/Sub topic:

  1. Sign in to the GCP Console at https://console.cloud.google.com.

  2. Go to Cloud Pub/Sub.

  3. Select CREATE TOPIC in the Pub/Sub header section.

  4. Enter the topic name in the Topic ID field.

  5. Check the Use a customer-managed encryption key (CMEK) check box.

  6. Select a key from the Select a customer-managed key drop-down.

  7. Click CREATE TOPIC.
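The console steps above remediate one topic at a time. To find every topic in a project that still relies on a Google-managed key, the following added check (example code written for this page, not Blue Hexagon's scanner or Google's client library) evaluates the JSON that `gcloud pubsub topics list --format=json` prints: a CMEK-protected topic carries a `kmsKeyName` holding a Cloud KMS key resource path, and a Google-managed one omits it. The project, topic and key names in the sample are constructed; the script also accepts real `gcloud` output on standard input.

```python
"""Flag Pub/Sub topics that have no customer-managed encryption key.

Added example for this control; not part of the original page.
Input shape: the JSON array printed by `gcloud pubsub topics list --format=json`.
"""
import json
import re
import sys

# Cloud KMS key resource names have this fixed shape. A missing, empty or
# malformed kmsKeyName means the topic is not protected by a CMEK.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Constructed sample standing in for real gcloud output (names are made up).
SAMPLE_TOPICS_JSON = json.dumps([
    {
        "name": "projects/example-project/topics/orders",
        "kmsKeyName": "projects/example-project/locations/us-central1/"
                      "keyRings/pubsub-ring/cryptoKeys/pubsub-key",
    },
    # No kmsKeyName at all: Google-managed encryption.
    {"name": "projects/example-project/topics/audit-events"},
    # Present but empty: treated the same as absent.
    {"name": "projects/example-project/topics/metrics", "kmsKeyName": ""},
])


def topic_uses_cmek(topic: dict) -> bool:
    """Return True only when the topic references a well-formed KMS key."""
    key = topic.get("kmsKeyName", "")
    return bool(key) and KMS_KEY_RE.match(key) is not None


def find_topics_without_cmek(topics_json: str) -> list:
    """Return the sorted names of topics failing this control."""
    topics = json.loads(topics_json)
    return sorted(t["name"] for t in topics if not topic_uses_cmek(t))


def report(topics_json: str) -> list:
    """One finding line per non-compliant topic, tagged with the control severity."""
    return [
        f"HIGH  {name}: no customer-managed encryption key (Google-managed key in use)"
        for name in find_topics_without_cmek(topics_json)
    ]


if __name__ == "__main__":
    # Read real gcloud output when piped in; otherwise run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TOPICS_JSON
    for line in report(data):
        print(line)
```

Run it as `gcloud pubsub topics list --format=json | python3 check_pubsub_cmek.py`. Because the page notes that a topic's encryption setting cannot be changed after creation, each finding means creating a replacement topic with a key selected, which the `gcloud` equivalent of the console steps does in one command: `gcloud pubsub topics create TOPIC_ID --topic-encryption-key=projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY` (placeholders in capitals).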

Important:

The encryption setting of a Pub/Sub topic cannot be changed after the topic is created. You will need to create a new topic.

Reference:

Blue Hexagon Proprietary