Metadata

Id: e576ce44-dd03-4022-a8c0-3906acca2ab4

Cloud Provider: gcp

Framework: Terraform

Severity: High

Category: Access Control

Description

This check identifies BigQuery datasets configured to allow public or anonymous access, which can expose sensitive data to unauthorized users and increase the risk of data breaches. The issue arises when an access block in the dataset grants a role to one of the special groups allAuthenticatedUsers (anyone with a Google account) or allUsers (anyone on the internet, with no authentication at all). To secure your BigQuery dataset, restrict access to specific users, groups, or domains instead of using these public access groups, as shown in the example below:

access {
  role          = "OWNER"
  user_by_email = google_service_account.bqowner.email
}

access {
  role   = "READER"
  domain = "hashicorp.com"
}

Compliant Code Examples

# negative sample: no access block grants a role to allUsers or allAuthenticatedUsers
resource "google_bigquery_dataset" "negative1" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  labels = {
    env = "default"
  }

  # Ownership is granted to a named service account
  # (google_service_account.bqowner is assumed to be declared elsewhere in the configuration).
  access {
    role          = "OWNER"
    user_by_email = google_service_account.bqowner.email
  }

  # Read access is limited to members of a single domain
  access {
    role   = "READER"
    domain = "hashicorp.com"
  }
}

Non-Compliant Code Examples

# positive sample: the OWNER role is granted to the public special group allAuthenticatedUsers
resource "google_bigquery_dataset" "positive1" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  labels = {
    env = "default"
  }

  # Any Google account holder becomes an OWNER of this dataset; this is what the check flags
  access {
    role          = "OWNER"
    special_group = "allAuthenticatedUsers"
  }
}
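The following script is an added example, not part of the original page or of Datadog's own scanner, showing how the check described above can be applied to Terraform source: it locates every google_bigquery_dataset resource, walks its access blocks, and reports any block whose special_group is allUsers or allAuthenticatedUsers. The two Terraform samples embedded below are copied from this page (the compliant negative1 and the non-compliant positive1); the lightweight brace-matching and attribute parsing are assumptions of this example and cover the simple block layout used here rather than the full HCL grammar.

```python
import re

# Special groups that make a BigQuery dataset publicly or anonymously reachable.
PUBLIC_SPECIAL_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# Matches the opening of a google_bigquery_dataset resource and captures its name.
_RESOURCE_RE = re.compile(
    r'resource\s+"google_bigquery_dataset"\s+"(?P<name>[^"]+)"\s*\{', re.MULTILINE
)
# Matches a flat access { ... } block (access blocks contain no nested braces).
_ACCESS_RE = re.compile(r"\baccess\s*\{(?P<body>[^{}]*)\}", re.MULTILINE)
# Matches one "key = value" line inside a block.
_ATTR_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$", re.MULTILINE)


def _block_body(text, open_index):
    """Return the text between the brace at text[open_index] and its matching close brace."""
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_index + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_public_datasets(hcl):
    """Return one finding per access block that grants a role to a public special group."""
    findings = []
    for res in _RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, res.end() - 1)  # res.end() - 1 is the index of the '{'
        for acc in _ACCESS_RE.finditer(body):
            attrs = {
                m.group("key"): m.group("value").strip('"')
                for m in _ATTR_RE.finditer(acc.group("body"))
            }
            group = attrs.get("special_group")
            if group in PUBLIC_SPECIAL_GROUPS:
                findings.append(
                    {
                        "resource": res.group("name"),
                        "role": attrs.get("role"),
                        "special_group": group,
                    }
                )
    return findings


# Compliant sample from the page: access is restricted to a named account and a domain.
COMPLIANT = '''
resource "google_bigquery_dataset" "negative1" {
  dataset_id = "example_dataset"
  location   = "EU"

  labels = {
    env = "default"
  }

  access {
    role          = "OWNER"
    user_by_email = google_service_account.bqowner.email
  }

  access {
    role   = "READER"
    domain = "hashicorp.com"
  }
}
'''

# Non-compliant sample from the page: OWNER is granted to allAuthenticatedUsers.
NON_COMPLIANT = '''
resource "google_bigquery_dataset" "positive1" {
  dataset_id = "example_dataset"
  location   = "EU"

  labels = {
    env = "default"
  }

  access {
    role          = "OWNER"
    special_group = "allAuthenticatedUsers"
  }
}
'''

if __name__ == "__main__":
    for label, source in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, find_public_datasets(source))
```

Running the script prints an empty list for the compliant sample and a single finding for positive1 naming the OWNER role and the allAuthenticatedUsers group. The labels block is skipped because only blocks introduced by the access keyword are inspected, which is why the brace matcher only needs to isolate the resource body.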