Regulatory support in Pub/Sub

This document describes the features, configurations and APIs in Pub/Sub that align with the controls for supported control packages. This document assumes that you're using Assured Workloads.

Data Boundary For FedRAMP High

Supported services

The following table lists the Pub/Sub APIs and versions that meet the requirements of Data Boundary For FedRAMP High.

Service: pubsub.googleapis.com
Version: v1
Status: SUPPORTED

Compliance supported regions

Pub/Sub is available for Data Boundary For FedRAMP High in the following Google Cloud regions:

  • us-central1
  • us-central2
  • us-east1
  • us-east4
  • us-east5
  • us-south1
  • us-west1
  • us-west2
  • us-west3
  • us-west4

Management tools

The following table describes how management tools support Data Boundary For FedRAMP High with Pub/Sub.

Google Cloud SDK: You must use Google Cloud SDK version 403.0.0 or later to help ensure data regionalization for FedRAMP High technical data. To verify your current Google Cloud SDK version, run gcloud --version, and then run gcloud components update to update to the latest version.

Administrator controls: By default, non-compliant APIs are disabled. However, administrators with sufficient permissions can enable a non-compliant API. When non-compliant APIs are enabled, you are notified in the Assured Workloads Monitoring page.

Affected features

The following table describes which features are affected by Data Boundary For FedRAMP High:

Single Message Transforms (SMTs): This feature is not supported for FedRAMP High compliance and should not be used. It is disabled by default under Assured Workloads folders.

Applicable settings

The following table describes the organization policy constraints and product settings that apply to Data Boundary For FedRAMP High. By default, these are set by Assured Workloads. If you change these settings, you must first consider how that change impacts your compliance status. For instructions on configuring organization policies, see Creating and managing organization policies.

pubsub.managed.disableTopicMessageTransforms
  • Required value: True
pubsub.managed.disableSubscriptionMessageTransforms
  • Required value: True
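The region list and the two organization policy constraints above are the checkable controls on this page. The following audit script is an added example, not Google's code: it takes topic and subscription resources in the JSON shape returned by gcloud pubsub topics describe TOPIC --format=json and gcloud pubsub subscriptions describe SUBSCRIPTION --format=json, and flags any topic whose messageStoragePolicy.allowedPersistenceRegions includes a region outside the list, and any topic or subscription with messageTransforms configured. Treating an unset storage policy as a finding is this example's own choice, and the sample resources and project name are constructed.

```python
# Added example (not Google's code): audit Pub/Sub topic and subscription
# resources against the two Data Boundary For FedRAMP High requirements
# stated on this page:
#   1. messages may only persist in the listed US regions
#      (messageStoragePolicy.allowedPersistenceRegions on the topic), and
#   2. Single Message Transforms must not be configured
#      (messageTransforms on the topic or subscription).
# Input dicts are in the shape of `gcloud pubsub topics describe TOPIC
# --format=json` / `gcloud pubsub subscriptions describe SUB --format=json`.

# Regions listed on this page for Data Boundary For FedRAMP High.
FEDRAMP_HIGH_REGIONS = frozenset({
    "us-central1", "us-central2", "us-east1", "us-east4", "us-east5",
    "us-south1", "us-west1", "us-west2", "us-west3", "us-west4",
})

SMT_FINDING = "messageTransforms is set; SMTs are not supported under FedRAMP High"


def audit_topic(topic: dict) -> list[str]:
    """Return findings for one topic resource (an empty list means compliant)."""
    findings = []
    name = topic.get("name", "<unnamed topic>")
    regions = topic.get("messageStoragePolicy", {}).get("allowedPersistenceRegions", [])
    if not regions:
        # Assumption of this audit: a topic with no region restriction is flagged,
        # because nothing pins its message storage to the compliant regions.
        findings.append(f"{name}: messageStoragePolicy.allowedPersistenceRegions is unset")
    for region in regions:
        if region not in FEDRAMP_HIGH_REGIONS:
            findings.append(f"{name}: allowedPersistenceRegions contains non-compliant region {region}")
    if topic.get("messageTransforms"):
        findings.append(f"{name}: {SMT_FINDING}")
    return findings


def audit_subscription(subscription: dict) -> list[str]:
    """Return findings for one subscription; SMTs are the only control this page states for it."""
    name = subscription.get("name", "<unnamed subscription>")
    if subscription.get("messageTransforms"):
        return [f"{name}: {SMT_FINDING}"]
    return []


# Constructed sample resources (not real project data).
SAMPLE_TOPICS = [
    {"name": "projects/example-project/topics/orders",
     "messageStoragePolicy": {"allowedPersistenceRegions": ["us-central1", "us-east4"]}},
    {"name": "projects/example-project/topics/audit-log",
     "messageStoragePolicy": {"allowedPersistenceRegions": ["us-west1", "europe-west1"]},
     "messageTransforms": [{"javascriptUdf": {"functionName": "redact",
                                              "code": "function redact(m) { return m; }"}}]},
    {"name": "projects/example-project/topics/unpinned"},
]
SAMPLE_SUBSCRIPTIONS = [
    {"name": "projects/example-project/subscriptions/orders-pull",
     "topic": "projects/example-project/topics/orders"},
    {"name": "projects/example-project/subscriptions/audit-bq",
     "topic": "projects/example-project/topics/audit-log",
     "messageTransforms": [{"jsonRedaction": {"fieldPaths": ["card_number"]}}]},
]


def audit_all(topics=SAMPLE_TOPICS, subscriptions=SAMPLE_SUBSCRIPTIONS) -> list[str]:
    """Audit every resource and return all findings in order."""
    findings = []
    for topic in topics:
        findings.extend(audit_topic(topic))
    for subscription in subscriptions:
        findings.extend(audit_subscription(subscription))
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Run against real output by loading the describe JSON into the same dict shape; the audit only reads the field names this page lists, so it does not need any other part of the resource.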

API fields for sensitive data

Resource: No resource

The following table specifies the API resources and fields that are designed to handle data that is protected under Data Boundary For FedRAMP High.

Service: pubsub.googleapis.com

REST API: POST /v1/{project=projects/*}:testMessageTransforms

RPC method: google.pubsub.v1.Transform.TestMessageTransforms

Protected fields:

  • message.data
  • messageTransforms.messageTransforms.aiInference.serviceAccountEmail
  • messageTransforms.messageTransforms.javascriptUdf.code
  • messageTransforms.messageTransforms.javascriptUdf.functionName
  • messageTransforms.messageTransforms.jsonRedaction.fieldPaths

Service: pubsub.googleapis.com

REST API: POST /v1/{project=projects/*}:validateMessageTransform

RPC method: google.pubsub.v1.Transform.ValidateMessageTransform

Protected fields:

  • messageTransform.aiInference.serviceAccountEmail
  • messageTransform.javascriptUdf.code
  • messageTransform.javascriptUdf.functionName
  • messageTransform.jsonRedaction.fieldPaths

Resource: pubsub.googleapis.com/Subscription

The following table specifies the API resources and fields that are designed to handle data that is protected under Data Boundary For FedRAMP High.

Service: pubsub.googleapis.com

REST API: PATCH /v1/{subscription.name=projects/*/subscriptions/*}

RPC method: google.pubsub.v1.Subscriber.UpdateSubscription

Protected fields:

  • subscription.bigqueryConfig.serviceAccountEmail
  • subscription.cloudStorageConfig.serviceAccountEmail
  • subscription.messageTransforms.aiInference.serviceAccountEmail
  • subscription.messageTransforms.javascriptUdf.code
  • subscription.messageTransforms.javascriptUdf.functionName
  • subscription.messageTransforms.jsonRedaction.fieldPaths
  • subscription.pubsubExportConfig.region
  • subscription.pubsubExportConfig.serviceAccountEmail
  • subscription.pubsubliteExportConfig.serviceAccountEmail
  • subscription.pushConfig.oidcToken.serviceAccountEmail

Service: pubsub.googleapis.com

REST API: POST /v1/{subscription=projects/*/subscriptions/*}:modifyPushConfig

RPC method: google.pubsub.v1.Subscriber.ModifyPushConfig

Protected fields:

  • pushConfig.oidcToken.serviceAccountEmail

Service: pubsub.googleapis.com

REST API: PUT /v1/{name=projects/*/subscriptions/*}

RPC method: google.pubsub.v1.Subscriber.CreateSubscription

Protected fields:

  • bigqueryConfig.serviceAccountEmail
  • cloudStorageConfig.serviceAccountEmail
  • messageTransforms.aiInference.serviceAccountEmail
  • messageTransforms.javascriptUdf.code
  • messageTransforms.javascriptUdf.functionName
  • messageTransforms.jsonRedaction.fieldPaths
  • pubsubExportConfig.region
  • pubsubExportConfig.serviceAccountEmail
  • pubsubliteExportConfig.serviceAccountEmail
  • pushConfig.oidcToken.serviceAccountEmail

Resource: pubsub.googleapis.com/Topic

The following table specifies the API resources and fields that are designed to handle data that is protected under Data Boundary For FedRAMP High.

Service: pubsub.googleapis.com

REST API: PATCH /v1/{topic.name=projects/*/topics/*}

RPC method: google.pubsub.v1.Publisher.UpdateTopic

Protected fields:

  • topic.messageStoragePolicy.allowedPersistenceRegions
  • topic.messageTransforms.aiInference.serviceAccountEmail
  • topic.messageTransforms.javascriptUdf.code
  • topic.messageTransforms.javascriptUdf.functionName
  • topic.messageTransforms.jsonRedaction.fieldPaths

Service: pubsub.googleapis.com

REST API: POST /v1/{topic=projects/*/topics/*}:publish

RPC method: google.pubsub.v1.Publisher.Publish

Protected fields:

  • messages.data

Service: pubsub.googleapis.com

REST API: PUT /v1/{name=projects/*/topics/*}

RPC method: google.pubsub.v1.Publisher.CreateTopic

Protected fields:

  • messageStoragePolicy.allowedPersistenceRegions
  • messageTransforms.aiInference.serviceAccountEmail
  • messageTransforms.javascriptUdf.code
  • messageTransforms.javascriptUdf.functionName
  • messageTransforms.jsonRedaction.fieldPaths

Fields not intended for sensitive data

The following table lists the field categories and specific fields that aren't designed for sensitive information. To maintain compliance, avoid placing protected data in these fields.

Category Fields
Data ingestion source
  • ingestionDataSourceSettings.awsKinesis.streamArn
  • ingestionDataSourceSettings.awsMsk.clusterArn
  • ingestionDataSourceSettings.awsMsk.gcpServiceAccount
  • ingestionDataSourceSettings.azureEventHubs.eventHub
  • ingestionDataSourceSettings.cloudStorage.bucket
  • ingestionDataSourceSettings.confluentCloud.bootstrapServer
Message metadata
  • ackIds
  • messages.attributes.key
  • messages.attributes.value
  • messages.messageId
  • messages.orderingKey
  • subscription
Message transformation
  • messageTransforms.aiInference.endpoint
  • messageTransforms.aiInference.unstructuredInference.parameters.fields.key
  • messageTransforms.aiInference.unstructuredInference.parameters.fields.value.stringValue
  • messageTransforms.schemaEncoding.firstRevisionId
  • messageTransforms.schemaEncoding.lastRevisionId
  • messageTransforms.schemaEncoding.schema
Pagination and filtering
  • filter
  • pageToken
Push configuration
  • cloudStorageConfig.filenamePrefix
  • pubsubliteExportConfig.topic
  • pushConfig.attributes.key
  • pushConfig.attributes.value
  • pushConfig.oidcToken.audience
  • pushConfig.pushEndpoint
Resource identification
  • name
  • parent
  • project
  • schemaId
  • subscription
  • topic
Schema definition
  • schema.definition
  • schema.name
  • schema.tags.key
  • schema.tags.value
  • tags.key
  • tags.value
Schema settings
  • schemaSettings.firstRevisionId
  • schemaSettings.lastRevisionId
  • schemaSettings.schema
Subscription configuration
  • bigqueryConfig.table
  • cloudStorageConfig.bucket
  • cloudStorageConfig.filenameDatetimeFormat
  • cloudStorageConfig.filenameSuffix
  • deadLetterPolicy.deadLetterTopic
  • pubsubExportConfig.topic
Topic configuration
  • kmsKeyName
  • labels.key
  • labels.value
  • revisionId
  • snapshot
  • updateMask.paths
