turbot/steampipe-mod-gcp-perimeter

Control: BigQuery dataset policies should prohibit public access

Description

This control checks whether BigQuery dataset access settings allow public access through allUsers or allAuthenticatedUsers.

Usage

Run the control in your terminal:

powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access --share

Steampipe Tables

gcp_bigquery_dataset

SQL

with public_access as (
  select
    self_link,
    count(*) as access_count
  from
    gcp_bigquery_dataset,
    jsonb_array_elements(access) as a
  where
    a ->> 'iamMember' in ('allUsers', 'allAuthenticatedUsers')
  group by
    self_link
)
select
  d.self_link as resource,
  case
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.self_link is null then d.title || ' does not allow public access.'
    else d.title || ' allows public access through ' || p.access_count || ' access entries.'
  end as reason,
  location,
  project
from
  gcp_bigquery_dataset as d
  left join public_access as p on p.self_link = d.self_link;

Tags