Detect Google Cloud Pub/Sub Configuration Changes

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected Google Cloud Pub/Sub configuration changes within your GCP account.
Pub/Sub is a secure, highly available, scalable messaging service that allows supported GCP cloud services to communicate asynchronously. Pub/Sub is used for streaming analytic events and data integration pipelines to ingest and distribute data. The Pub/Sub messaging service lets you to create systems of event producers and consumers, called publishers and subscribers. In Pub/Sub, producers (publishers) communicate with consumers (subscribers) asynchronously by broadcasting events.
Google Cloud Pub/Sub write audit logs for resources such as topics and subscriptions to help you find who used your resources, where and when. Trend Micro Cloud One™ – Conformity RTMA uses the audit information collected by Pub/Sub to process and send notifications about the configurations changes made at the Pub/Sub service level.
The activity detected by the Conformity RTMA feature can be a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operational events:

• "CreateTopic" - Creates a topic with the given configuration. A Pub/Sub topic is a named entity that represents a feed of messages.
• "UpdateTopic" - Updates an existing Pub/Sub topic.
• "CreateSubscription" - Creates a subscription for a given topic. A Pub/Sub subscription is a named entity that represents an interest in receiving messages on a certain topic.
• "UpdateSubscription" - Updates an existing Pub/Sub subscription.
• "SetIamPolicy" - Sets an access control policy for the specified Pub/Sub resource. This operation replaces any existing policy associated with the topic.

To follow industry best practices and meet compliance requirements, Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide GCP users (except administrators or dedicated, authorized personnel) the permission to perform Pub/Sub configuration changes within your GCP account.
For example, if a Pub/Sub resource is created and/or modified by an inexperienced user, it can allow attackers to perform malicious activities such as intercepting and publishing messages without permission. To prevent data leaks, data loss, and avoid unexpected costs on your GCP bill, ensure that Pub/Sub configuration changes are monitored in real time using Conformity RTMA.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for Pub/Sub configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.