For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-gcp-pubsub-topic-is-public.md. A documentation index is available at /llms.txt.

Metadata

Id: terraform-gcp-pubsub-topic-is-public

Provider: GCP

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Description

Google Cloud Pub/Sub topics should not be made public by granting IAM roles on the topic to the special principals allUsers (anyone on the internet, no authentication required) or allAuthenticatedUsers (any account signed in to Google, not only accounts in your own organization). A grant of roles/pubsub.publisher to either principal lets arbitrary parties inject messages into the topic and therefore into every downstream subscriber; a grant of roles/pubsub.subscriber lets them attach their own subscriptions and read the data flowing through the topic. The rule flags both the google_pubsub_topic_iam_member resource (a single member attribute) and the google_pubsub_topic_iam_binding resource (a members list) when either contains one of these principals. For example:

resource "google_pubsub_topic_iam_member" "bad_example" {
  topic  = "example-topic"
  member = "allUsers"
  role   = "roles/pubsub.publisher"
}

To prevent this, grant the role only to specific principals, such as user:, group:, or serviceAccount: identities, and keep the grant to the narrowest role the consumer actually needs, as shown below:

resource "google_pubsub_topic_iam_member" "good_example" {
  topic  = "example-topic"
  member = "user:someone@example.com"
  role   = "roles/pubsub.publisher"
}
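The same check can be run against a Terraform plan in CI before anything is applied. The script below is an added example written for this page; it is not part of the Datadog scanner or of any Terraform provider. It reads the JSON produced by "terraform show -json tfplan", walks the root module and every child module in planned_values, and reports each grant of allUsers or allAuthenticatedUsers on a Pub/Sub topic. It covers the member and binding resources the rule describes and, as a generalization, also inspects google_pubsub_topic_iam_policy, whose policy_data attribute is the JSON string emitted by the google_iam_policy data source. The embedded SAMPLE_PLAN is constructed for the example, not captured from a real plan; the ".tf" names in it mirror the examples on this page.

```python
"""Flag public principals on Pub/Sub topic IAM resources in a Terraform plan.

Usage: terraform show -json tfplan > plan.json && python pubsub_public_check.py plan.json
Run with no argument to scan the constructed SAMPLE_PLAN below.
"""
import json
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

MEMBER_TYPE = "google_pubsub_topic_iam_member"    # single `member` attribute
BINDING_TYPE = "google_pubsub_topic_iam_binding"  # `members` list for one role
POLICY_TYPE = "google_pubsub_topic_iam_policy"    # whole policy as JSON in `policy_data`


def public_grants(resource):
    """Return (role, principal) pairs for every public grant in one planned resource.

    `resource` is one entry of planned_values.*.resources in `terraform show -json`
    output; `values` holds the resolved attributes (missing when known only after apply).
    """
    values = resource.get("values") or {}
    rtype = resource.get("type")
    if rtype == MEMBER_TYPE:
        member = values.get("member")
        return [(values.get("role"), member)] if member in PUBLIC_PRINCIPALS else []
    if rtype == BINDING_TYPE:
        return [(values.get("role"), m) for m in values.get("members") or []
                if m in PUBLIC_PRINCIPALS]
    if rtype == POLICY_TYPE:
        raw = values.get("policy_data")
        if not isinstance(raw, str):      # unknown until apply: nothing to inspect
            return []
        try:
            policy = json.loads(raw)
        except json.JSONDecodeError:
            return []
        return [(b.get("role"), m) for b in policy.get("bindings", [])
                for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]
    return []


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def scan_plan(plan):
    """Return (address, role, principal) for each public Pub/Sub topic grant."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [(res["address"], role, principal)
            for res in iter_resources(root)
            for role, principal in public_grants(res)]


def _policy(role, members):
    # Shape of google_iam_policy.policy_data (constructed sample, not real output).
    return json.dumps({"bindings": [{"role": role, "members": members}]})


# Constructed sample plan: one compliant member, one public member, one public
# binding, and a public policy inside a child module.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "google_pubsub_topic_iam_member.good_example_member", "type": MEMBER_TYPE,
             "values": {"topic": "example-topic", "member": "user:someone@example.com",
                        "role": "roles/pubsub.publisher"}},
            {"address": "google_pubsub_topic_iam_member.bad_example_member", "type": MEMBER_TYPE,
             "values": {"topic": "example-topic", "member": "allUsers",
                        "role": "roles/pubsub.publisher"}},
            {"address": "google_pubsub_topic_iam_binding.bad_example_binding", "type": BINDING_TYPE,
             "values": {"topic": "example-topic", "role": "roles/pubsub.subscriber",
                        "members": ["allAuthenticatedUsers", "user:someone@example.com"]}},
        ],
        "child_modules": [{"address": "module.events", "resources": [
            {"address": "module.events.google_pubsub_topic_iam_policy.topic", "type": POLICY_TYPE,
             "values": {"topic": "events",
                        "policy_data": _policy("roles/pubsub.viewer",
                                               ["allUsers", "group:ops@example.com"])}},
        ]}],
    }},
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = scan_plan(plan)
    for address, role, principal in findings:
        print(f"PUBLIC: {address} grants {role} to {principal}")
    sys.exit(1 if findings else 0)
```

Exit status 1 on any finding makes the script usable as a blocking step in a pipeline. Because it works on the resolved plan rather than on raw HCL, it also catches principals that arrive through variables or module inputs, which a text search for the literal string allUsers would miss; the trade-off is that a policy_data value only known after apply cannot be inspected, so the check should run on the final plan, not on an early one.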

Compliant Code Examples

# IAM Member compliant
resource "google_pubsub_topic_iam_member" "good_example_member" {
  topic  = "example-topic"
  member = "user:someone@example.com" # ✅ Non-public principal
  role   = "roles/pubsub.publisher"
}
# IAM Binding compliant
resource "google_pubsub_topic_iam_binding" "good_example_binding" {
  topic   = "example-topic"
  members = ["user:someone@example.com", "group:admins@example.com"] # ✅ No public principals
  role    = "roles/pubsub.subscriber"
}

Non-Compliant Code Examples

# IAM Member violation
resource "google_pubsub_topic_iam_member" "bad_example_member" {
  topic  = "example-topic"
  member = "allUsers" # ❌ Public principal
  role   = "roles/pubsub.publisher"
}

# IAM Binding violation
resource "google_pubsub_topic_iam_binding" "bad_example_binding" {
  topic   = "example-topic"
  members = ["allAuthenticatedUsers", "user:someone@example.com"] # ❌ Contains public principal
  role    = "roles/pubsub.subscriber"
}