Ensure that BigQuery datasets are not anonymously or publicly accessible
More Info:
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Risk Level: Medium
Address: Security
Compliance Standards: CISGCP, CBP, HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate this misconfiguration in GCP using the GCP console, you can follow these steps:
- Open the GCP console and navigate to the BigQuery section.
- Click on the dataset that you want to remediate.
- In the dataset details page, click on the “Share dataset” button.
- In the “Share dataset” dialog box, review the current access controls.
- If the dataset is publicly accessible, click on the “X” next to the “allUsers” entry to remove it.
- If the dataset is anonymously accessible, click on the “X” next to the “allAuthenticatedUsers” entry to remove it.
- If you want to grant access to specific users or groups, click on the “Add item” button and enter their email addresses.
- Choose the appropriate access level for the users or groups, such as “Viewer” or “Editor”.
- Click on the “Save” button to apply the changes.
- Finally, verify that the dataset is no longer publicly or anonymously accessible by reviewing the access controls again.
To remediate the misconfiguration of BigQuery datasets being anonymously or publicly accessible in GCP using the GCP CLI, follow these steps:
1. Open the Cloud Shell from the GCP console.
2. Run the following command to list all the datasets in your project:
   bq ls
3. For each dataset that is publicly accessible, run the following command to revoke the public access:
   bq update --default_table_expiration <dataset_id>
   Note: Replace <dataset_id> with the ID of the dataset that you want to remediate.
4. After running the above command, you will see the following prompt:
   This update will modify table(s) <dataset_id>:*. Do you want to continue? (y/N):
5. Type y and press Enter to confirm the update.
6. Repeat steps 3-5 for all the datasets that are publicly accessible.
7. Run the following command to verify that the datasets are no longer publicly accessible:
   bq show <dataset_id>
   Note: Replace <dataset_id> with the ID of the dataset that you want to verify.
8. Verify that the defaultTableExpirationMs field is set to -1 in the output. This indicates that the dataset is not publicly accessible.
9. Repeat step 8 for all the datasets that you have remediated.
By following these steps, you can remediate the misconfiguration of BigQuery datasets being anonymously or publicly accessible in GCP using the GCP CLI.
To remediate the misconfiguration of BigQuery datasets being publicly accessible, you can use the following Python code:
- First, you need to authenticate and authorize your Python script to access the Google Cloud Platform. For this, you can use the google-auth and google-auth-oauthlib libraries. Here is an example of how to authenticate and authorize:

from google.oauth2 import service_account
from google.auth.transport.requests import AuthorizedSession

# Load the service account credentials from the key file
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json'
)

# Create an authorized session using the credentials
session = AuthorizedSession(credentials)
- Once you have authenticated and authorized your script, you can use the google-cloud-bigquery library to access the BigQuery API. Here is an example of how to check if a dataset is publicly accessible:

from google.cloud import bigquery

# Principals that make a dataset public: allUsers (anyone on the internet)
# and allAuthenticatedUsers (any Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Create a BigQuery client
client = bigquery.Client()

# Get the dataset metadata (accepts "my_dataset" or "my-project.my_dataset")
dataset = client.get_dataset("my_dataset")

# Public grants appear in the dataset ACL as iamMember:allUsers or
# specialGroup:allAuthenticatedUsers; the client exposes them as access_entries
for entry in dataset.access_entries:
    if entry.entity_id in PUBLIC_PRINCIPALS:
        print(f"Dataset is publicly accessible: {entry.role} granted to {entry.entity_id}")
- If the dataset is publicly accessible, you can revoke the public access by removing the READER role for the anonymous user. Here is an example of how to do this:

from google.cloud import bigquery

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Create a BigQuery client
client = bigquery.Client()

# Get the dataset metadata
dataset = client.get_dataset("my_dataset")

# access_entries returns a copy, so calling remove() on it changes nothing;
# build the filtered list, assign it back, and send only that field
current = dataset.access_entries
kept = [entry for entry in current if entry.entity_id not in PUBLIC_PRINCIPALS]
if len(kept) != len(current):
    dataset.access_entries = kept
    client.update_dataset(dataset, ["access_entries"])
    print("Public access revoked")
By following these steps, you can remediate the misconfiguration of BigQuery datasets being publicly accessible in GCP using Python.
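The CLI and Python steps above both come down to one operation: find every entry in the dataset's access list whose principal is allUsers or allAuthenticatedUsers and drop it. Note that the bq flag --default_table_expiration controls when tables expire and does not touch the access list; the bq tool's documented route for editing dataset access is to export the dataset with bq show --format=prettyjson, edit the "access" array, and load it back with bq update --source <file>. The following is an added example, not code from the original page: it performs that edit step offline against a constructed access list in the same JSON shape the API and bq use. The project id my-project, dataset my_dataset, the analyst@example.com grant and the authorized view entry are all constructed sample values. It also handles the edge case the page's check misses: authorized view/routine/dataset entries carry no role or principal and must be kept, not treated as public.

```python
import json

# Principals that make a dataset reachable by anyone on the internet
# (allUsers) or by any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Keys under which a BigQuery dataset "access" entry names its principal.
PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")


def principal_of(entry):
    """Return the principal string of an access entry, or None for
    authorized view/routine/dataset entries, which carry no principal."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return entry[key]
    return None


def find_public_grants(access):
    """Return [(role, principal)] for every grant to a public principal."""
    return [
        (entry.get("role"), principal_of(entry))
        for entry in access
        if principal_of(entry) in PUBLIC_PRINCIPALS
    ]


def strip_public_grants(access):
    """Return a new access list with every public grant removed and all
    other entries, including role-less authorized views, kept unchanged."""
    return [entry for entry in access if principal_of(entry) not in PUBLIC_PRINCIPALS]


def remediated_dataset_json(dataset_json):
    """Take the prettyjson output of `bq show` for a dataset and return the
    same document with public grants removed, ready for `bq update --source`."""
    dataset = json.loads(dataset_json)
    dataset["access"] = strip_public_grants(dataset.get("access", []))
    return json.dumps(dataset, indent=2)


# Constructed sample access list: the three default project groups, one
# public grant of each kind, a named user, and an authorized view.
SAMPLE_ACCESS = [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "READER", "specialGroup": "projectReaders"},
    {"role": "READER", "iamMember": "allUsers"},
    {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
    {"role": "READER", "userByEmail": "analyst@example.com"},
    {"view": {"projectId": "my-project", "datasetId": "other", "tableId": "v"}},
]

# Constructed sample shaped like `bq show --format=prettyjson my-project:my_dataset`,
# trimmed to the fields that matter here.
SAMPLE_DATASET_JSON = json.dumps({
    "datasetReference": {"projectId": "my-project", "datasetId": "my_dataset"},
    "access": SAMPLE_ACCESS,
})

if __name__ == "__main__":
    for role, principal in find_public_grants(SAMPLE_ACCESS):
        print(f"public grant: {role} -> {principal}")
    # Write this to a file and apply it with: bq update --source <file> my-project:my_dataset
    print(remediated_dataset_json(SAMPLE_DATASET_JSON))
```

Running the script lists the two public grants and prints the cleaned dataset document with five access entries left, the authorized view among them. Because matching is done on the principal value rather than on a single key, the same filter catches allUsers whether the export spells it as iamMember or, in older exports, under another principal key.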