Control: BigQuery dataset policies should prohibit public access
Description
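This control checks whether BigQuery dataset access settings allow public access through allUsers or allAuthenticatedUsers. The query below evaluates only the dataset-level access entries of each dataset; access granted at other levels (for example on individual tables, or inherited from project-level IAM bindings) is outside what it inspects.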
Usage
Run the control in your terminal:
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access --share
Steampipe Tables
SQL
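-- Flags BigQuery datasets whose dataset-level access list grants a role to a
-- public principal (allUsers or allAuthenticatedUsers).
-- Emits one row per dataset: status 'alarm' when at least one public access
-- entry exists, otherwise 'ok'. Only the dataset's own access entries are read.
with public_access as (
  -- One row per dataset that has public entries, with the number of such entries.
  select
    d.self_link,
    count(*) as access_count
  from
    gcp_bigquery_dataset as d
    cross join lateral jsonb_array_elements(d.access) as a
  where
    -- A BigQuery access entry names its principal in exactly one field.
    -- allAuthenticatedUsers is a documented specialGroup value, while other
    -- IAM principals such as allUsers arrive in iamMember. Checking iamMember
    -- alone reports a dataset shared through specialGroup as 'ok', so both
    -- fields are tested against both public principals.
    -- Assumes the access column keeps the API's camelCase keys, as the
    -- iamMember lookup already does; confirm against the plugin output.
    a ->> 'iamMember' in ('allUsers', 'allAuthenticatedUsers')
    or a ->> 'specialGroup' in ('allUsers', 'allAuthenticatedUsers')
  group by
    d.self_link
)
select
  d.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then d.title || ' does not allow public access.'
    else d.title || ' allows public access through ' || p.access_count || ' access entries.'
  end as reason,
  -- Dimension columns, qualified so they cannot become ambiguous if the CTE grows.
  d.location,
  d.project
from
  gcp_bigquery_dataset as d
  -- Left join keeps datasets with no public entries so they report 'ok'.
  left join public_access as p on p.self_link = d.self_link;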