Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.

Suggest Edits

Risk Level: High
Cloud Entity: BigQuery
CloudGuard Rule ID: D9.GCP.IAM.28
Covered by Spectral: Yes
Category: Data analytics

GSL LOGIC

BigQuery should not have datasetAccess contain [ specialGroup='allAuthenticatedUsers' or iamMember='allUsers' ]

REMEDIATION

From Portal

  1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
  2. Select the dataset from 'Resources'.
  3. Click SHARE DATASET near the right side of the window.
  4. Review each attached role.
  5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup click Remove.

From Command Line

  1. List the name of all datasets.
bq ls
  1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
  1. In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.
  2. Update the dataset using below command:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

From Terraform

  1. Use the resource 'google_bigquery_dataset_access' for providing access to the dataset.
  2. Make sure you DON'T have the following values for the respective arguments
    i) special_group = "allAuthenticatedUsers"
    ii)iam_member = "allUsers"
resource "google_bigquery_dataset_access" "bad_template" {
	...
	iam_member = "allUsers"
	...
}

resource "google_bigquery_dataset_access" "bad_template" {
	...
	special_group = "allAuthenticatedUsers"
	...
}

References

  1. https://workbench.cisecurity.org/sections/507176/recommendations/827594
  2. https://cloud.google.com/bigquery/docs/dataset-access-controls
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset_access

BigQuery

BigQuery is Google's serverless, highly scalable, enterprise data warehouse designed to make all your data analysts productive at an unmatched price-performance. Because there is no infrastructure to manage, you can focus on analyzing data to find meaningful insights using familiar SQL without the need for a database administrator.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5

Updated 7 months ago