Console
    Contact Us Start free

    Regulatory support in Pub/Sub

    This document describes the features, configurations and APIs in Pub/Sub that align with the controls for supported control packages. This document assumes that you're using Assured Workloads .

    Data Boundary For FedRAMP High

    Supported services

    The following table lists the Pub/Sub APIs and versions that meet the requirements of Data Boundary For FedRAMP High.

    Service Version Status
    pubsub.googleapis.com
    		 v1 SUPPORTED

    Compliance supported regions

    Pub/Sub is available for Data Boundary For FedRAMP High in the following Google Cloud regions:

    • us-central1
    • us-central2
    • us-east1
    • us-east4
    • us-east5
    • us-south1
    • us-west1
    • us-west2
    • us-west3
    • us-west4

    Management tools

    The following table describes how management tools support Data Boundary For FedRAMP High with Pub/Sub.

    Tool Description
    Google Cloud SDK You must use Google Cloud SDK version 403.0.0 or later to help ensure data regionalization for FedRAMP High technical data. To verify your current Google Cloud SDK version, run gcloud --version , and then run gcloud components update to update to the latest version.
    Administrator controls By default, non-compliant APIs are disabled. However, administrators with sufficient permissions can enable a non-compliant API. When non-compliance APIs are enabled, you are notified in the Assured Workloads Monitoring page.

    Affected features

    The following table describes which features are affected by Data Boundary For FedRAMP High:

    Feature Description
    Single Message Transforms (SMTs) This feature is not supported for FedRAMP High compliance and should not be used. It is disabled by default under Assured Workloads folders.

    Applicable settings

    The following table describes the organization policy constraints and product settings that apply to Data Boundary For FedRAMP High. By default, these are set by Assured Workloads. If you change these settings, you must first consider how that change impacts your compliance status. For instructions on configuring organization policies, see Creating and managing organization policies .

    Setting
    Required value
    pubsub.managed.disableTopicMessageTransforms
    • True
    pubsub.managed.disableSubscriptionMessageTransforms
    • True

    API fields for sensitive data

    Resource: No resource

    The following table specifies the API resources and fields that are designed to handle data that is protected under Data Boundary For FedRAMP High.

    API Method
    Protected fields

    Service: pubsub.googleapis.com

    REST API: POST /v1/{project=projects/*}:testMessageTransforms

    RPC methods:

    • google.pubsub.v1.Transform.TestMessageTransforms
    • message.data

    Resource: pubsub.googleapis.com/Topic

    The following table specifies the API resources and fields that are designed to handle data that is protected under Data Boundary For FedRAMP High.

    API Method
    Protected fields

    Service: pubsub.googleapis.com

    REST API: POST /v1/{topic=projects/*/topics/*}:publish

    RPC methods:

    • google.pubsub.v1.Publisher.Publish
    • messages.data

    Fields not intended for Sensitive data

    The following table lists the field categories and specific fields that aren't designed for sensitive information. To maintain compliance, avoid placing protected data in these fields.

    Category
    Fields
    Data ingestion source
    • ingestionDataSourceSettings.awsKinesis.streamArn
    • ingestionDataSourceSettings.awsMsk.clusterArn
    • ingestionDataSourceSettings.awsMsk.gcpServiceAccount
    • ingestionDataSourceSettings.azureEventHubs.eventHub
    • ingestionDataSourceSettings.cloudStorage.bucket
    • ingestionDataSourceSettings.confluentCloud.bootstrapServer
    Message metadata
    • ackIds
    • messages.attributes.key
    • messages.attributes.value
    • messages.messageId
    • messages.orderingKey
    • subscription
    Message transformation
    • messageTransforms.aiInference.endpoint
    • messageTransforms.aiInference.unstructuredInference.parameters.fields.key
    • messageTransforms.aiInference.unstructuredInference.parameters.fields.value.stringValue
    • messageTransforms.schemaEncoding.firstRevisionId
    • messageTransforms.schemaEncoding.lastRevisionId
    • messageTransforms.schemaEncoding.schema
    Pagination and filtering
    • filter
    • pageToken
    Push configuration
    • cloudStorageConfig.filenamePrefix
    • pubsubliteExportConfig.topic
    • pushConfig.attributes.key
    • pushConfig.attributes.value
    • pushConfig.oidcToken.audience
    • pushConfig.pushEndpoint
    Resource identification
    • name
    • parent
    • project
    • schemaId
    • subscription
    • topic
    Schema definition
    • schema.definition
    • schema.name
    • schema.tags.key
    • schema.tags.value
    • tags.key
    • tags.value
    Schema settings
    • schemaSettings.firstRevisionId
    • schemaSettings.lastRevisionId
    • schemaSettings.schema
    Subscription configuration
    • bigqueryConfig.table
    • cloudStorageConfig.bucket
    • cloudStorageConfig.filenameDatetimeFormat
    • cloudStorageConfig.filenameSuffix
    • deadLetterPolicy.deadLetterTopic
    • pubsubExportConfig.topic
    Topic configuration
    • kmsKeyName
    • labels.key
    • labels.value
    • revisionId
    • snapshot
    • updateMask.paths

    References

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: