Control: Ensure that BigQuery datasets are not anonymously or publicly accessible
Description
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Usage
Run the control in your terminal:
    powerpipe control run terraform_gcp_compliance.control.bigquery_dataset_not_publicly_accessible
Snapshot and share results via Turbot Pipes:
    powerpipe login
    powerpipe control run terraform_gcp_compliance.control.bigquery_dataset_not_publicly_accessible --share
SQL
This control uses a named query:
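    select
      address as resource,
      case
        -- No access block declared in the resource: nothing to flag.
        when (attributes_std -> 'access') is null then 'ok'
        when exists(
          select
            1
          from
            -- access may be a single object or an array; wrap a lone object so it can be iterated.
            jsonb_array_elements(
              case
                when jsonb_typeof(attributes_std -> 'access') = 'array' then attributes_std -> 'access'
                else jsonb_build_array(attributes_std -> 'access')
              end
            ) as access
          where
            -- Entry grants access to a public or any-authenticated principal ...
            (access ->> 'special_group' is not null and access ->> 'special_group' in ('allAuthenticatedUsers', 'allUsers'))
            or
            -- ... or carries none of the keys that name a specific identity or authorized resource.
            not(access ?| ARRAY['user_by_email', 'group_by_email', 'domain', 'view', 'routine', 'dataset'])
        ) then 'alarm'
        else 'ok'
      end status,
      -- Same test as above, rendered as a readable reason (with the same object/array guard).
      split_part(address, '.', 2) || case
        when (attributes_std -> 'access') is null then ' is not publicly accessible'
        when exists(
          select
            1
          from
            jsonb_array_elements(
              case
                when jsonb_typeof(attributes_std -> 'access') = 'array' then attributes_std -> 'access'
                else jsonb_build_array(attributes_std -> 'access')
              end
            ) as access
          where
            (access ->> 'special_group' is not null and access ->> 'special_group' in ('allAuthenticatedUsers', 'allUsers'))
            or
            not(access ?| ARRAY['user_by_email', 'group_by_email', 'domain', 'view', 'routine', 'dataset'])
        ) then ' is publicly accessible'
        else ' is not publicly accessible'
      end || '.' reason
      , path || ':' || start_line
    from
      terraform_resource
    where
      type = 'google_bigquery_dataset';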
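Terraform resources of the kind this query evaluates, with the status each would receive. This is an added example, not part of the mod or the original page; all resource names, dataset IDs and e-mail addresses are constructed placeholders.

```hcl
# Constructed example resources; names and addresses are placeholders.

# alarm: special_group grants access to any signed-in Google account.
resource "google_bigquery_dataset" "public_example" {
  dataset_id = "public_example"
  location   = "US"

  access {
    role          = "READER"
    special_group = "allAuthenticatedUsers"
  }
}

# ok: every access block names a specific identity.
resource "google_bigquery_dataset" "restricted_example" {
  dataset_id = "restricted_example"
  location   = "US"

  access {
    role          = "OWNER"
    user_by_email = "owner@example.com"
  }

  access {
    role           = "READER"
    group_by_email = "analysts@example.com"
  }
}

# alarm, by the query as written: this block has none of the keys
# user_by_email, group_by_email, domain, view, routine or dataset,
# so the second condition in the WHERE clause matches even though
# projectOwners is not a public group.
resource "google_bigquery_dataset" "project_owners_example" {
  dataset_id = "project_owners_example"
  location   = "US"

  access {
    role          = "OWNER"
    special_group = "projectOwners"
  }
}
```

A dataset that declares no access block at all is reported as ok, because the query returns ok when attributes_std -> 'access' is null.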