Best practice rules for GCP Eventarc Service
- Configure Dead Lettering for Topics Associated with Eventarc Triggers
  Ensure that Dead-Letter Topics (DLTs) are configured for Pub/Sub topics associated with Eventarc triggers.
- Enable Data Access Audit Logs for Eventarc Resources
  Ensure that Data Access audit logs are enabled for Google Cloud Eventarc resources.
- Implement Least Privilege Access for Eventarc Resources
  Ensure that IAM roles with administrative permissions are not used for Google Cloud Eventarc resources.
- Implement Least Privilege for Eventarc Trigger Service Accounts
  Ensure that Eventarc trigger service accounts are granted least privilege access.
- Use Customer-Managed Encryption Keys for Eventarc Bus Encryption
  Use Customer-Managed Encryption Keys (CMEKs) to encrypt Eventarc bus event messages.
- Use Customer-Managed Encryption Keys for Eventarc Channel Encryption
  Use Customer-Managed Encryption Keys (CMEKs) to encrypt data related to Eventarc triggers.
- Use Customer-Managed Encryption Keys for Eventarc GoogleApiSources
  Use Customer-Managed Encryption Keys (CMEKs) to encrypt GoogleApiSource resources.
- Use Customer-Managed Encryption Keys for Eventarc Pipeline Encryption
  Use Customer-Managed Encryption Keys (CMEKs) to encrypt data sent through Eventarc pipelines.
- Use IAM Policy Conditions
  Ensure that Google Cloud Eventarc resources are protected with IAM policy conditions.
- Use Labels for Resource Management
  Ensure that all Google Cloud Eventarc triggers are labeled for better resource management.
- Use VPC Service Controls for Eventarc
  Ensure that VPC Service Controls perimeters are used to protect your Eventarc resources from data exfiltration.