gcp-bq-anon-or-public¶
Ensure that BigQuery datasets are not anonymously or publicly accessible
When creating a BigQuery dataset resource (`google_bigquery_dataset`), you should only grant access to authorized principals. Within an `access` block, the `special_group` attribute can be set to `allUsers` (which grants anonymous access to anyone on the Internet) or `allAuthenticatedUsers` (which grants access to anyone signed in with any Google account, not just accounts in your organization). Both of these special groups should be avoided. Prefer to grant access to your own groups (`group_by_email`), to specific users (`user_by_email`) or, at the very least, to everyone in your organization's Google Workspace or Cloud Identity domain using the `domain` attribute. The same grants can also be made through the separate `google_bigquery_dataset_access` resource, which accepts the same `special_group` values and needs the same scrutiny.
Examples¶
Insecure Example

```hcl
resource "google_bigquery_dataset" "dataset" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  # Anyone on the Internet, unauthenticated, can read every table in the dataset
  access {
    role          = "READER"
    special_group = "allUsers"
  }

  # Any Google account holder, inside or outside the organization, can write to it
  access {
    role          = "WRITER"
    special_group = "allAuthenticatedUsers"
  }
}
```
Secure Example

```hcl
resource "google_bigquery_dataset" "dataset" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  # Read access limited to accounts in the organization's domain
  access {
    role   = "READER"
    domain = "bigcorp.com"
  }

  # Write access limited to a single named user
  access {
    role          = "WRITER"
    user_by_email = "johndoe@bigcorp.com"
  }
}
```
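To catch these grants before `terraform apply`, the following added script (it is not part of tfsec, Trivy or the Google provider) walks the JSON produced by `terraform show -json tfplan` and reports every access entry that names `allUsers` or `allAuthenticatedUsers`. It goes slightly beyond the examples above: it also inspects standalone `google_bigquery_dataset_access` resources and ignores datasets that the plan is destroying. The embedded plan is a constructed sample trimmed to the fields the check reads, and the resource addresses in it are assumptions.

```python
"""Flag BigQuery datasets that grant access to allUsers or allAuthenticatedUsers.

Added example, not tfsec/Trivy code: walks the output of
`terraform show -json tfplan` and reports public or anonymous access entries,
both in google_bigquery_dataset access blocks and on standalone
google_bigquery_dataset_access resources.
"""
import json
import sys

# Special groups that expose the dataset beyond the organization.
# projectOwners / projectReaders / projectWriters are scoped to the project
# and are deliberately not flagged.
PUBLIC_SPECIAL_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample plan (trimmed to the fields this check reads); the
# resource addresses are made up for the example.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "google_bigquery_dataset.public",
            "type": "google_bigquery_dataset",
            "change": {
                "actions": ["create"],
                "after": {
                    "dataset_id": "example_dataset",
                    "access": [
                        {"role": "READER", "special_group": "allUsers", "domain": "", "user_by_email": ""},
                        {"role": "WRITER", "special_group": "allAuthenticatedUsers", "domain": "", "user_by_email": ""},
                    ],
                },
            },
        },
        {
            "address": "google_bigquery_dataset.private",
            "type": "google_bigquery_dataset",
            "change": {
                "actions": ["create"],
                "after": {
                    "dataset_id": "example_dataset",
                    "access": [
                        {"role": "READER", "special_group": "", "domain": "bigcorp.com", "user_by_email": ""},
                        {"role": "WRITER", "special_group": "projectWriters", "domain": "", "user_by_email": ""},
                    ],
                },
            },
        },
        {
            "address": "google_bigquery_dataset_access.legacy",
            "type": "google_bigquery_dataset_access",
            "change": {
                "actions": ["create"],
                "after": {"dataset_id": "example_dataset", "role": "READER", "special_group": "allAuthenticatedUsers"},
            },
        },
        {
            # A dataset being destroyed: its old allUsers grant disappears, so no finding.
            "address": "google_bigquery_dataset.removed",
            "type": "google_bigquery_dataset",
            "change": {
                "actions": ["delete"],
                "before": {"dataset_id": "old_dataset", "access": [{"role": "READER", "special_group": "allUsers"}]},
                "after": None,
            },
        },
    ],
}


def find_public_access(plan):
    """Return one finding per access entry that uses a public special group."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if not after:
            continue  # destroyed resource: nothing exists after apply
        rtype = rc.get("type")
        if rtype == "google_bigquery_dataset":
            entries = after.get("access") or []  # inline access blocks
        elif rtype == "google_bigquery_dataset_access":
            entries = [after]  # the resource itself is a single access entry
        else:
            continue
        for entry in entries:
            group = entry.get("special_group")
            if group in PUBLIC_SPECIAL_GROUPS:
                findings.append({
                    "address": rc["address"],
                    "dataset_id": after.get("dataset_id"),
                    "role": entry.get("role"),
                    "special_group": group,
                })
    return findings


def main(argv):
    """Usage: python check_bq_public.py [plan.json]; exits non-zero on findings."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_public_access(plan)
    for f in findings:
        print(f"{f['address']}: {f['role']} granted to {f['special_group']} on dataset {f['dataset_id']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform show -json tfplan > plan.json && python check_bq_public.py plan.json` in CI; a non-zero exit blocks the apply. Against the constructed sample it reports three entries: the two inline grants on `google_bigquery_dataset.public` and the `allAuthenticatedUsers` grant on `google_bigquery_dataset_access.legacy`, while the `domain`, `projectWriters` and destroyed-dataset entries pass.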