lacework-global-292
7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS GCP 1.3.0 for details.
Profile Applicability
• Level 1
Description
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Rationale
Granting permissions to allUsers
or allAuthenticatedUsers
allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.
Impact
The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.
Audit
From Console:
- Go to
BigQuery
by visiting: https://console.cloud.google.com/bigquery. - Select a dataset from
Resources
. - Click
SHARING
near the right side of the window and selectPermissions
. - Validate that none of the attached roles contain
allUsers
orallAuthenticatedUsers
.
From Command Line:
List the name of all datasets.
bq ls
Retrieve each dataset details using the following command:
bq show PROJECT_ID:DATASET_NAME
Ensure that allUsers
and allAuthenticatedUsers
have not been granted access to the dataset.
Remediation
From Console:
- Go to
BigQuery
by visiting: https://console.cloud.google.com/bigquery. - Select the dataset from 'Resources'.
- Click
SHARING
near the right side of the window and selectPermissions
. - Review each attached role.
- Click the delete icon for each member
allUsers
orallAuthenticatedUsers
. On the popup clickRemove
.
From Command Line:
List the name of all datasets.
bq ls
Retrieve the data set details:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
In the access section of the JSON file, update the dataset information to remove all roles containing allUsers
or allAuthenticatedUsers
.
Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME
Prevention:
You can prevent Bigquery dataset from becoming publicly accessible by setting up the Domain restricted sharing
organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains .
References
https://cloud.google.com/bigquery/docs/dataset-access-controls