pubsub/WARN/2024_003

Pub/Sub service account has the Encrypter and Decrypter Role if CMEK exists.

Product: Cloud Pub/Sub
Rule class: WARN - Something that is possibly wrong

Description

As long as the Pub/Sub service account has the CryptoKey Encrypter/Decrypter role, the service can encrypt and decrypt its data. If you revoke this role, or if you disable or destroy the CMEK key, that data can't be accessed.

Remediation

Assign the roles/cloudkms.cryptoKeyEncrypterDecrypter role to the Pub/Sub service account; this grants it the CryptoKey Encrypter/Decrypter permissions.
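The following Python check is an added illustration, not part of this rule page or its tooling. It mirrors what the rule verifies: for every topic that carries a `kmsKeyName`, confirm that the key's IAM policy has an unconditional `roles/cloudkms.cryptoKeyEncrypterDecrypter` binding for the Pub/Sub service agent (`service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com`), and build the `gcloud` command that applies the remediation. The topics and key policies are constructed sample data shaped like `gcloud ... --format=json` output; the project number, key and topic names are assumptions.

```python
import re

# Pub/Sub's service agent performs the KMS encrypt/decrypt calls for CMEK-protected topics
PUBSUB_SA_DOMAIN = "gcp-sa-pubsub.iam.gserviceaccount.com"
REQUIRED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KEY_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")

def pubsub_service_agent(project_number):
    return f"service-{project_number}@{PUBSUB_SA_DOMAIN}"

def has_encrypter_decrypter(policy, service_agent):
    """True if an unconditional binding on the key grants REQUIRED_ROLE to the agent."""
    for binding in policy.get("bindings", []):
        if binding.get("role") != REQUIRED_ROLE or binding.get("condition"):
            continue  # wrong role, or a conditional grant that may not hold at call time
        if f"serviceAccount:{service_agent}" in binding.get("members", []):
            return True
    return False

def topics_missing_binding(project_number, topics, key_policies):
    """(topic, key) pairs whose CMEK lacks the binding; topics without kmsKeyName are skipped."""
    agent = pubsub_service_agent(project_number)
    return [(t["name"], t["kmsKeyName"]) for t in topics if t.get("kmsKeyName")
            and not has_encrypter_decrypter(key_policies.get(t["kmsKeyName"], {}), agent)]

def remediation_command(key_name, project_number):
    """Build the gcloud command that grants the role on one CryptoKey."""
    m = KEY_RE.match(key_name)
    if not m:
        raise ValueError(f"unexpected CryptoKey resource name: {key_name}")
    project, location, keyring, key = m.groups()
    return (f"gcloud kms keys add-iam-policy-binding {key} --project={project} "
            f"--location={location} --keyring={keyring} "
            f"--member=serviceAccount:{pubsub_service_agent(project_number)} --role={REQUIRED_ROLE}")

# Constructed sample data shaped like `gcloud ... --format=json` output (not real resources)
SAMPLE_PROJECT_NUMBER = "123456789012"
ORDERS_KEY = "projects/demo-proj/locations/us/keyRings/pubsub-ring/cryptoKeys/orders-key"
BILLING_KEY = "projects/demo-proj/locations/us/keyRings/pubsub-ring/cryptoKeys/billing-key"
SAMPLE_TOPICS = [
    {"name": "projects/demo-proj/topics/orders", "kmsKeyName": ORDERS_KEY},
    {"name": "projects/demo-proj/topics/logs"},  # no CMEK, rule does not apply
    {"name": "projects/demo-proj/topics/billing", "kmsKeyName": BILLING_KEY},
]
SAMPLE_KEY_POLICIES = {
    ORDERS_KEY: {"bindings": [{"role": REQUIRED_ROLE, "members": [
        f"serviceAccount:{pubsub_service_agent(SAMPLE_PROJECT_NUMBER)}"]}]},
    BILLING_KEY: {"bindings": [{"role": "roles/cloudkms.viewer", "members": ["user:alice@example.com"]}]},
}
```

Running `topics_missing_binding(SAMPLE_PROJECT_NUMBER, SAMPLE_TOPICS, SAMPLE_KEY_POLICIES)` on the sample data flags only the billing topic, and `remediation_command(BILLING_KEY, SAMPLE_PROJECT_NUMBER)` yields the binding command for its key.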

Further information

See below for more information about the role permissions.