📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢

• Contextual name: 📝 Dataset is anonymously or publicly accessible 🟢
• ID: /ce/ca/google/big-query/dataset-anonymously-or-publicly-accessible
• Located in: 📁 Google BigQuery

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Publicly Accessible BigQuery Datasets

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google BigQuery Dataset
  • 🔌 Google BigQuery Dataset - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

Rationale

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.

Impact

The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.

Audit

From Google Cloud Console

1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
2. Select a dataset from Resources.
3. Click SHARING near the right side of the window and select Permissions.
4. Validate that none of the attached roles contain allUsers or allAuthenticatedUsers.

From Google Cloud CLI

List the name of all datasets.

        bq ls

Retrieve each dataset details using the following command:

        bq show PROJECT_ID:DATASET_NAME

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
2. Select the dataset from Resources.
3. Click SHARING near the right side of the window and select Permissions.
4. Review each attached role.
5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup click Remove.

From Google Cloud CLI

List the name of all datasets.

        bq ls

Retrieve the data set details:

        bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.

Update the dataset:

        bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			24