Detections
Analytics

Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible

HIGH

Description

Description:

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

Rationale:

Granting permissions to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.

The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.

Remediation

From Google Cloud Console

  1. Go to 'BigQuery' by visiting: https://console.cloud.google.com/bigquery.
  2. Select the dataset from 'Resources'.
  3. Click 'SHARING' near the right side of the window and select 'Permissions'.
  4. Review each attached role.
  5. Click the delete icon for each member 'allUsers' or 'allAuthenticatedUsers'. On the popup click 'Remove'.

From Google Cloud CLI

List the name of all datasets.

bq ls

Retrieve the data set details:

bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

In the access section of the JSON file, update the dataset information to remove all roles containing 'allUsers' or 'allAuthenticatedUsers'.

Update the dataset:

bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

Prevention:

You can prevent Bigquery dataset from becoming publicly accessible by setting up the 'Domain restricted sharing' organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains .

Policy Details

Rule Reference ID: AC_GCP_0230
CSP: GCP
Remediation Available: Yes
Domain: Identity and Access Management
Resource: google_bigquery_dataset
Resource Category: Database
Resource Type: BigQuery

Frameworks