gcp-bq-anon-or-public

Ensure that BigQuery datasets are not anonymously or publicly accessible

When creating a BigQuery Dataset resource (google_bigquery_dataset), you should only grant access to authorized users. In the context of the access attribute, it is possible use special_group to specify allUsers (grants anonymous access to anyone on the Internet) or allAuthenticatedUsers (grants access to anyone authenticated with any Google account). Those special groups should be avoided and you should always prefer to create your own groups, specific users by e-mail or at least restrict to your organization using the domain attribute.

Examples

Insecure Example

resource "google_bigquery_dataset" "dataset" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  access {
    role   = "READER"
    special_group = "allUsers"
  }
  access {
    role   = "WRITER"
    special_group = "allAuthenticatedUsers"
  }
}

Secure Example

resource "google_bigquery_dataset" "dataset" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  default_table_expiration_ms = 3600000

  access {
    role   = "READER"
    domain = "bigcorp.com"
  }
  access {
    role   = "WRITER"
    user_by_email = "johndoe@bigcorp.com"
  }
}

More information

• GCP Docs
• Terraform Docs