Ensure GCP BigQuery Tables are not anonymously or publicly accessible

Error: GCP BigQuery Tables are anonymously or publicly accessible
Bridgecrew Policy ID: BC_GCP_GENERAL_12
Checkov Check ID: CKV_GCP_100
Severity: HIGH

GCP BigQuery Tables are anonymously or publicly accessible

Description

GCP BigQuery tables are the resources in BigQuery that contain your data records, and each BigQuery table belongs to a dataset. Every BigQuery table inherits the IAM policies attached to its dataset, but each table can also have its own IAM policies directly applied. These table-level IAM policies can grant public access via the allUsers and allAuthenticatedUsers IAM principals, which can inadvertently expose your data to the public.

We recommend you ensure anonymous and public access to BigQuery tables is not allowed.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to BigQuery.
  3. On the Dataset Explorer details page, expand the dataset that contains your table.
  4. Select your target table's kebab menu and then select open.
  5. Click the SHARE button to open the table's IAM policies.
  6. To remove a specific role assignment, click Delete next to the allUsers and allAuthenticatedUsers entries.

CLI Command

To remove access for allUsers and allAuthenticatedUsers, you first need to get the BigQuery table's existing IAM policy. To retrieve the existing policy and copy it to a local file:

bq get-iam-policy --format=prettyjson \
 PROJECT-ID:DATASET.TABLE \
 > policy.json

Replace PROJECT-ID with the project ID where the BigQuery table lives. Replace DATASET with the name of the BigQuery dataset that contains the table. Replace TABLE with the table name.

Next, locate and remove the IAM bindings that contain either allUsers or allAuthenticatedUsers, depending on your Checkov error. After modifying the policy.json file, update the BigQuery table with the following command:

bq set-iam-policy \
 PROJECT-ID:DATASET.TABLE \
 policy.json

Replace PROJECT-ID with the project ID where the BigQuery table lives. Replace DATASET with the name of the BigQuery dataset that contains the table. Replace TABLE with the table name.
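The editing step between get-iam-policy and set-iam-policy is where mistakes happen: deleting a whole binding can also remove legitimate principals that share the role, and leaving a binding with an empty member list makes the update fail. The following Python helper, added here as an illustration and not part of the Bridgecrew or Checkov documentation, strips only the two public principals from a policy in the JSON shape bq get-iam-policy emits, drops bindings that end up empty, preserves the etag so the concurrent-update check still works, and reports what it removed. The sample policy, the role names and the file names are constructed for the example.

```python
import json
from pathlib import Path

# The two IAM principals that make a table anonymously (allUsers) or
# Google-account-wide (allAuthenticatedUsers) accessible.
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample in the shape produced by
# `bq get-iam-policy --format=prettyjson PROJECT-ID:DATASET.TABLE`.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/bigquery.dataOwner",
            "members": ["user:owner@example.com", "allUsers"],
        },
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["allAuthenticatedUsers"],
        },
        {
            "role": "roles/bigquery.dataEditor",
            "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"],
        },
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
}


def is_publicly_accessible(policy):
    """True if any binding grants a role to allUsers or allAuthenticatedUsers."""
    return any(
        member in PUBLIC_PRINCIPALS
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
    )


def remove_public_members(policy):
    """Return (cleaned_policy, removed) where removed is a list of
    (role, principal) pairs that were taken out of the policy.

    Only the public principals are removed; other members sharing the same
    role keep it. Bindings left with no members are dropped because
    `bq set-iam-policy` rejects empty bindings. Top-level fields such as
    etag and version are copied through unchanged."""
    removed = []
    kept_bindings = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        for member in members:
            if member in PUBLIC_PRINCIPALS:
                removed.append((binding["role"], member))
        remaining = [m for m in members if m not in PUBLIC_PRINCIPALS]
        if remaining:
            kept_bindings.append({**binding, "members": remaining})
    cleaned = {**policy, "bindings": kept_bindings}
    return cleaned, removed


def rewrite_policy_file(src, dst):
    """Read the policy written by `bq get-iam-policy`, clean it, and write the
    file to hand to `bq set-iam-policy`. Returns the removed (role, principal)
    pairs so the caller can log them."""
    policy = json.loads(Path(src).read_text())
    cleaned, removed = remove_public_members(policy)
    Path(dst).write_text(json.dumps(cleaned, indent=2) + "\n")
    return removed


if __name__ == "__main__":
    # Demonstrate on the constructed sample without touching real files.
    cleaned, removed = remove_public_members(SAMPLE_POLICY)
    for role, principal in removed:
        print(f"removed {principal} from {role}")
    print(json.dumps(cleaned, indent=2))
```

In practice you would run rewrite_policy_file("policy.json", "policy.json") between the two bq commands above; the returned list is worth keeping in the change record, since it documents exactly which public grants were revoked.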

Fix - Buildtime

Terraform

  • Resource: google_bigquery_table_iam_member

  • Field: member

  • Resource: google_bigquery_table_iam_binding

  • Field: members

//Option 1
resource "google_bigquery_table_iam_member" "member" {
  dataset_id = google_bigquery_table.default.dataset_id
  table_id = google_bigquery_table.default.table_id
  role = "roles/bigquery.dataOwner"
-  member        = "allUsers"
-  member        = "allAuthenticatedUsers"
}

//Option 2
resource "google_bigquery_table_iam_binding" "binding" {
  dataset_id = google_bigquery_table.default.dataset_id
  table_id = google_bigquery_table.default.table_id
  role = "roles/bigquery.dataOwner"
  members = [
-    "allUsers",
-    "allAuthenticatedUsers"
  ]
}
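To see how a buildtime check catches the two resources above before they are applied, here is a small scanner, added here as an example and not Checkov's own implementation of CKV_GCP_100, that walks google_bigquery_table_iam_member and google_bigquery_table_iam_binding resources in an HCL string and reports any member or members value containing allUsers or allAuthenticatedUsers. It uses regular expressions rather than a full HCL parser, so it assumes the flat attribute layout shown in the page's Terraform snippet; the sample HCL and resource names are constructed.

```python
import re

PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")

# Matches a top-level resource block of the two table-level IAM types and
# captures its type, name and body. Assumes the closing brace is at column 0,
# as in the page's snippet; nested blocks are not handled.
RESOURCE_RE = re.compile(
    r'resource\s+"(google_bigquery_table_iam_(?:member|binding))"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S,
)

# Matches `member = "..."` or `members = [ ... ]` inside a resource body.
MEMBER_RE = re.compile(r'\bmembers?\s*=\s*(\[[^\]]*\]|"[^"]*")', re.S)

# Constructed sample: one compliant resource and the two patterns the page
# shows as the 'before' state of the fix.
SAMPLE_HCL = '''
resource "google_bigquery_table_iam_member" "owner" {
  dataset_id = google_bigquery_table.default.dataset_id
  table_id   = google_bigquery_table.default.table_id
  role       = "roles/bigquery.dataOwner"
  member     = "user:owner@example.com"
}

resource "google_bigquery_table_iam_member" "public_member" {
  dataset_id = google_bigquery_table.default.dataset_id
  table_id   = google_bigquery_table.default.table_id
  role       = "roles/bigquery.dataViewer"
  member     = "allAuthenticatedUsers"
}

resource "google_bigquery_table_iam_binding" "binding" {
  dataset_id = google_bigquery_table.default.dataset_id
  table_id   = google_bigquery_table.default.table_id
  role       = "roles/bigquery.dataOwner"
  members = [
    "allUsers",
    "serviceAccount:etl@example-project.iam.gserviceaccount.com"
  ]
}
'''


def find_public_table_bindings(hcl):
    """Return a list of (resource_address, principal) for every public
    principal found in a table-level IAM member/binding resource."""
    findings = []
    for match in RESOURCE_RE.finditer(hcl):
        rtype, name, body = match.groups()
        for attr in MEMBER_RE.finditer(body):
            # Pull every quoted string out of the value, whether it is a
            # single string or a list literal.
            for principal in re.findall(r'"([^"]+)"', attr.group(1)):
                if principal in PUBLIC_PRINCIPALS:
                    findings.append((f"{rtype}.{name}", principal))
    return findings


def is_compliant(hcl):
    """True when no table-level IAM resource grants access to a public principal."""
    return not find_public_table_bindings(hcl)


if __name__ == "__main__":
    for address, principal in find_public_table_bindings(SAMPLE_HCL):
        print(f"FAILED CKV_GCP_100-style check: {address} grants {principal}")
```

Removing the two public principals from SAMPLE_HCL, as the page's diff shows, makes is_compliant return True; the compliant "owner" resource never appears in the findings because its member is a named user.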