Profile Applicability:
- Level 1
Description:
It is recommended that the IAM policy on BigQuery datasets does not grant permissions to anonymous users or otherwise make the datasets publicly accessible.
Rationale:
Granting permissions to allUsers or allAuthenticatedUsers allows unrestricted access to a dataset, which can lead to unauthorized exposure of sensitive data. To maintain data security and privacy, restrict access and avoid granting permissions to these members.
Impact:
Datasets will no longer be publicly accessible. Any attempt to make them publicly available will require explicit modification of the IAM permissions.
Default Value:
By default, BigQuery datasets are not publicly accessible.
Audit Steps:
Using Google Cloud Console:
Navigate to BigQuery.
Select a dataset under Resources.
Click SHARING on the right side of the window and choose Permissions.
Verify that no roles include allUsers or allAuthenticatedUsers.
Using Google Cloud CLI:
List all datasets:
bq ls
Retrieve the details of each dataset:
bq show PROJECT_ID:DATASET_NAME
Check the access section of the dataset details to ensure that no permissions are granted to allUsers or allAuthenticatedUsers.
Remediation Steps:
Using Google Cloud Console:
Navigate to BigQuery.
Select the dataset from Resources.
Click SHARING and choose Permissions.
Review the attached roles.
Remove any entries for allUsers or allAuthenticatedUsers:
Click the delete icon next to the role.
Confirm by clicking Remove.
Using Google Cloud CLI:
List all datasets:
bq ls
Retrieve the dataset details:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
In the access section of the JSON file, remove any entries that grant a role to allUsers or allAuthenticatedUsers.
Update the dataset with the modified JSON:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME
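The JSON edit in the CLI remediation can be scripted instead of done by hand. The following is an added example, not part of the benchmark text: it assumes the file has the shape written by bq show --format=prettyjson, with a top-level access list whose entries carry the principal in fields such as specialGroup or iamMember. The sample data and the script name strip_public.py are constructed for illustration.

```python
import copy
import json
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `bq show --format=prettyjson` output.
SAMPLE = """{
  "datasetReference": {"projectId": "example-project", "datasetId": "example_ds"},
  "access": [
    {"role": "OWNER", "userByEmail": "owner@example.com"},
    {"role": "READER", "specialGroup": "projectReaders"},
    {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
    {"role": "READER", "iamMember": "allUsers"}
  ]
}"""

def is_public(entry):
    """True if any identity field of an access entry names a public principal."""
    return any(
        isinstance(value, str) and value in PUBLIC_PRINCIPALS
        for key, value in entry.items()
        if key != "role"  # the role name is not an identity
    )

def strip_public_access(dataset):
    """Return (cleaned copy of the dataset JSON, list of removed entries)."""
    cleaned = copy.deepcopy(dataset)
    entries = cleaned.get("access", [])
    removed = [e for e in entries if is_public(e)]
    if "access" in cleaned:  # never add an empty access list that was not there
        cleaned["access"] = [e for e in entries if not is_public(e)]
    return cleaned, removed

if __name__ == "__main__":
    # python strip_public.py PATH_TO_FILE rewrites the file; no argument runs the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as fh:
            data = json.load(fh)
    else:
        data = json.loads(SAMPLE)
    cleaned, removed = strip_public_access(data)
    for entry in removed:
        print("removing:", json.dumps(entry), file=sys.stderr)
    if path and removed:
        with open(path, "w") as fh:
            json.dump(cleaned, fh, indent=2)
    elif not path:
        print(json.dumps(cleaned, indent=2))
```

A run that prints no "removing:" lines doubles as the audit check for that dataset; after a rewrite, apply the file with the bq update --source command above.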
Prevention:
To ensure BigQuery datasets do not become publicly accessible in the future:
Set up a Domain Restricted Sharing organization policy: Restrict Policy Member Domains.
Backout Plan:
Step 1: Revert Configuration
If dataset access needs to be temporarily restored, re-add necessary permissions:
bq update --source dataset_policy.json PROJECT_ID:DATASET_NAME
Modify dataset_policy.json to include the required IAM roles.
Step 2: Notify Stakeholders
If rollback is required, inform data engineers and security teams about temporary access adjustments.
Step 3: Restore from Backup (If Necessary)
If access configuration issues persist, restore the dataset IAM policy from a previous version.
Step 4: Validate Rollback Success
Run the audit steps again to confirm that the intended permissions are restored.
References:
CIS Controls: