BigQuery Dataset should not be publicly accessible

WARNING: This rule is being deprecated on 17 June 2024.

Description

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous or public access.

Rationale

Granting permissions to allUsers or allAuthenticatedUsers allows any user access to the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous or public access to a dataset is not allowed.

Impact

The dataset is publicly accessible. Explicit modification of IAM privileges would be necessary to make it publicly accessible.

Remediation

From Google Cloud Console

  1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
  2. Select the dataset from Resources.
  3. Click Sharing near the right side of the window and select Permissions.
  4. Review each attached role.
  5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup, click Remove.

From Google Cloud CLI

List the names of all datasets.

bq ls

Retrieve each dataset's details using the following command:

bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.

bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME
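
The manual edit of the access section can be scripted. The following is an added example, not part of the original rule text: it removes every access entry whose principal is allUsers or allAuthenticatedUsers from the file saved at PATH_TO_FILE. The field names (specialGroup, iamMember, userByEmail, view) and the sample dataset are assumptions about the JSON layout and are constructed for illustration.

```python
import json
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of a dataset's JSON; names and field layout are assumptions.
SAMPLE = {
    "datasetReference": {"projectId": "example-project", "datasetId": "example_dataset"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "WRITER", "userByEmail": "analyst@example.com"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
        {"role": "READER", "iamMember": "allUsers"},
        {"view": {"projectId": "example-project", "datasetId": "d", "tableId": "v"}},
    ],
}


def is_public(entry):
    """True if any principal field of an access entry names a public principal.

    Only string values are compared, so nested entries (authorized views) and
    the role name itself are never mistaken for a principal."""
    return any(isinstance(v, str) and v in PUBLIC_PRINCIPALS
               for k, v in entry.items() if k != "role")


def strip_public_access(dataset):
    """Return (cleaned copy, removed entries); the input is not modified."""
    access = dataset.get("access", [])
    removed = [e for e in access if is_public(e)]
    kept = [e for e in access if not is_public(e)]
    return dict(dataset, access=kept), removed


def clean_file(path):
    """Rewrite the file in place only if public entries were found."""
    with open(path) as f:
        dataset = json.load(f)
    cleaned, removed = strip_public_access(dataset)
    if removed:
        with open(path, "w") as f:
            json.dump(cleaned, f, indent=2)
    return removed


if __name__ == "__main__":
    for entry in clean_file(sys.argv[1]):
        print("removed:", json.dumps(entry))
```

Run it on PATH_TO_FILE between the bq show and bq update commands, and review the printed entries before applying the update.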

References

  1. https://cloud.google.com/bigquery/docs/control-access-to-resources-iam