Skip to main content

πŸ›‘οΈ Google BigQuery Dataset is anonymously or publicly accessible🟒

  • Contextual name: πŸ›‘οΈ Dataset is anonymously or publicly accessible🟒
  • ID: /ce/ca/google/big-query/dataset-anonymously-or-publicly-accessible
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

Rationale​

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.

Impact​

The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.

Audit​

From Google Cloud Console​
  1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
  2. Select a dataset from Resources.
  3. Click SHARING near the right side of the window and select Permissions.
  4. Validate that none of the attached roles contain allUsers or allAuthenticatedUsers.
From Google Cloud CLI​

List the name of all datasets.

        bq ls

Retrieve each dataset details using the following command:

        bq show PROJECT_ID:DATASET_NAME

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
  2. Select the dataset from Resources.
  3. Click SHARING near the right side of the window and select Permissions.
  4. Review each attached role.
  5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup click Remove.

From Google Cloud CLI​

List the name of all datasets.

        bq ls

Retrieve the data set details:

        bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.

Update the dataset:

        bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - Level 1 (Manual)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible - Level 1 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access101no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3768no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)15no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81157no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)15no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)657no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)13no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.8.2.3 Handling of assets5no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.3 Protecting application services transactions1015no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1127no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1431no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1024no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code822no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1044no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions413no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1653no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition8no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2227no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-6: Data is destroyed according to policy5no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-2: Removable media is protected and its use restricted according to policy5no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected1044no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles25no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions13no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk44no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage95no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-2 ACCOUNT MANAGEMENT1336no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15540no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-5 Separation of Duties15no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102350no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό MP-2 Media Access213no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1056no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.47no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.56no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.56no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.756no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.56no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access122no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1327no data