v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible

Description

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.

Remediation

From Console

  1. Login to BigQuery.
  2. Select the dataset from Resources.
  3. Click SHARE DATASET near the right side of the window.
  4. Review each attached role.
  5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup click Remove.

From Command Line

  1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

  1. In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.

  2. Update the dataset:

bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v120_7_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v120_7_1 --share

SQL

This control uses a named query:

bigquery_dataset_not_publicly_accessible

Tags

benchmark = cis
category = Compliance
cis_item_id = 7.1
cis_level = 1
cis_section_id = 7
cis_type = automated
cis_version = v1.2.0
plugin = gcp
service = GCP/BigQuery