Control: BigQuery dataset policies should prohibit public access
Description
This control checks whether a BigQuery dataset's access entries grant a role to the IAM member allUsers (anyone on the internet) or allAuthenticatedUsers (anyone with a Google account). Both principals make the dataset effectively public, regardless of the role granted, so any dataset with such an entry is reported in alarm.
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access --share
Steampipe Tables
gcp_bigquery_dataset
SQL
with public_access as (
  select
    self_link,
    count(*) as access_count
  from
    gcp_bigquery_dataset,
    jsonb_array_elements(access) as a
  where
    a ->> 'iamMember' in ('allUsers', 'allAuthenticatedUsers')
  group by
    self_link
)
select
  d.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then d.title || ' does not allow public access.'
    else d.title || ' allows public access through ' || p.access_count || ' access entries.'
  end as reason,
  d.location,
  d.project
from
  gcp_bigquery_dataset as d
  left join public_access as p on p.self_link = d.self_link;
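The control above reports only a count of public entries per dataset. When triaging an alarm, the first questions are which role each public grant confers (a READER grant leaks data; a WRITER or OWNER grant lets anyone modify or delete it) and whether any grants exist in the older form that the control does not inspect. BigQuery datasets can carry the legacy entry specialGroup = allAuthenticatedUsers in addition to the iamMember form the control matches on. The following query, added here as a worked example and not part of the gcp_perimeter mod, lists every public grant with its role and catches both forms; it uses the same gcp_bigquery_dataset table and access column as the control.

```sql
-- Added example, not the control's own query.
-- One row per public access entry, with the role it grants.
-- Covers the iamMember form checked by the control and the legacy
-- specialGroup form for allAuthenticatedUsers, which the control misses.
select
  d.project,
  d.location,
  d.title as dataset,
  a ->> 'role' as role,
  coalesce(a ->> 'iamMember', a ->> 'specialGroup') as public_principal,
  case
    when a ->> 'iamMember' is not null then 'iamMember'
    else 'specialGroup'
  end as entry_form
from
  gcp_bigquery_dataset as d,
  jsonb_array_elements(d.access) as a
where
  a ->> 'iamMember' in ('allUsers', 'allAuthenticatedUsers')
  or a ->> 'specialGroup' = 'allAuthenticatedUsers'
order by
  d.project,
  d.title,
  role;
```

Run it in the Steampipe console (steampipe query) against the same connection the control uses. An empty result means no dataset grants either public principal in either form; any row with role WRITER or OWNER should be treated as the most urgent finding, since it permits modification rather than just reads.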