Event Information

  • The google.cloud.bigquery.v2.TableService.UpdateTable event in GCP for BigQuery is the Admin Activity audit log entry (the protoPayload.methodName value in Cloud Logging) written when a table's definition is replaced through the BigQuery API.
  • It is triggered when the schema, expiration, description, labels, encryption configuration, view query, or other properties of a table in BigQuery are changed. It is not written for queries or data loads, and IAM policy changes on the table are logged under a separate method name. Partial updates made through tables.patch are logged as PatchTable, so monitoring should cover both methods.
  • The entry identifies the affected table through protoPayload.resourceName (projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID), the caller through protoPayload.authenticationInfo.principalEmail, and the table's new state under protoPayload.metadata.tableChange.

Examples

  1. Unauthorized modification: any principal holding bigquery.tables.update on the table (for example through roles/bigquery.dataEditor or roles/bigquery.dataOwner granted too broadly) can rewrite the schema, set an expiration that silently deletes the table, or change the SQL behind a view so that it returns different data. A successful UpdateTable from a principal outside the expected users and service accounts should be treated as a possible compromise of that identity.

  2. Data leakage: UpdateTable does not change who may read a table (that is an IAM policy change, logged separately), but it can widen what a reader sees. Column-level security in BigQuery is enforced through policy tags attached to fields in the table schema, so an update that strips the policy tags from sensitive columns removes that control, and an update to an authorized view's query can expose columns or rows the view was meant to hide.

  3. Compliance violations: UpdateTable cannot remove audit logs, but it can set or shorten the table's expiration time so that data under a retention obligation is deleted automatically, or swap the table's Cloud KMS key for one outside the approved key ring. Either change can put the dataset out of compliance with regimes such as GDPR or HIPAA without any data being read.

Remediation

Using Console

  1. Confirm audit logging and alert on UpdateTable:

    • Admin Activity audit logs, which record UpdateTable, are always written for every project and cannot be disabled; there is no BigQuery-side switch for them. BigQuery Data Access audit logs are enabled by default.
    • To confirm the Data Access configuration, go to IAM & Admin > Audit Logs in the GCP Console, locate BigQuery in the service list, and check that the log types you need (Data Read, Data Write, Admin Read) are enabled.
    • Go to Logging > Logs Explorer and run the query protoPayload.methodName="google.cloud.bigquery.v2.TableService.UpdateTable" to review recent table changes, including the principalEmail and resourceName of each.
    • From that query, create a log-based alert (or a sink to your SIEM) so that updates by unexpected principals or on sensitive datasets are surfaced rather than only recorded.
  2. Implement VPC Service Controls for BigQuery:

    • Go to the GCP Console and navigate to Security > VPC Service Controls; select (or create) the access policy for your organization.
    • Create a new perimeter and provide a name and description. Start it in dry-run mode so that you can see what would be blocked before enforcing.
    • Add the projects that hold the BigQuery datasets to the perimeter.
    • Under restricted services, add the BigQuery API (bigquery.googleapis.com).
    • Attach access levels (Access Context Manager) and ingress/egress rules for the identities, networks, or devices that legitimately need to reach BigQuery from outside the perimeter.
    • Create the perimeter, review the dry-run violations in the audit logs, then switch it to enforced.
    • A perimeter limits where data can be read to or copied from; it does not stop a principal inside the perimeter who holds bigquery.tables.update, so it complements rather than replaces the IAM controls in the next step.
  3. Restrict who can update tables and classify sensitive columns:

    • Go to the GCP Console and navigate to the BigQuery section, select the dataset or table, and open its sharing/permissions view to see every principal with access.
    • Remove roles/bigquery.dataEditor and roles/bigquery.dataOwner from human users and broad groups; grant bigquery.tables.update only to the service accounts that actually load or maintain the table, and give analysts roles/bigquery.dataViewer or access through authorized views instead.
    • For sensitive columns, use BigQuery column-level security: create a policy tag taxonomy (Data Catalog), assign tags such as “Confidential” to fields in the table schema, and grant the Fine-Grained Reader role only to the groups that may read them.
    • Review the table's expiration and encryption settings under its details, and confirm that the dataset's default expiration and default Cloud KMS key match policy.
    • Click “Save” after each change, then re-run the UpdateTable query in Logs Explorer: every entry should now come from an expected principal.

Using CLI

  1. Review audit logs for UpdateTable:

    • There is no bq flag that enables audit logging; Admin Activity logs are always written. Read recent UpdateTable entries with gcloud:
      gcloud logging read 'protoPayload.methodName="google.cloud.bigquery.v2.TableService.UpdateTable"' --project=<project_id> --limit=50 --format=json
      
    • Confirm the Data Access audit configuration for the project:
      gcloud projects get-iam-policy <project_id> --format="yaml(auditConfigs)"
      
  2. Implement access controls for BigQuery:

    • List who can read or update a table, then grant least-privilege access with an IAM binding rather than an editor role:
      bq get-iam-policy <project_id>:<dataset_id>.<table_id>
      bq add-iam-policy-binding --member='group:<group_email>' --role='roles/bigquery.dataViewer' <project_id>:<dataset_id>.<table_id>
      
    • Revoke bindings that are no longer needed (here, a human holding the Data Editor role, which includes bigquery.tables.update):
      bq remove-iam-policy-binding --member='user:<user_email>' --role='roles/bigquery.dataEditor' <project_id>:<dataset_id>.<table_id>
      
    • Authorized views are not added with a bq flag; export the dataset definition, edit its access list, and write it back:
      bq show --format=prettyjson <project_id>:<dataset_id> > dataset.json
      (add or remove {"view": {"projectId": "<project_id>", "datasetId": "<view_dataset_id>", "tableId": "<view_id>"}} in the "access" array)
      bq update --source dataset.json <project_id>:<dataset_id>
      
  3. Enable customer-managed encryption for BigQuery:

    • BigQuery always encrypts data at rest; what bq lets you set is a customer-managed Cloud KMS key. Set the default key for new tables in a dataset:
      bq update --default_kms_key projects/<project_id>/locations/<location>/keyRings/<key_ring>/cryptoKeys/<key_name> <project_id>:<dataset_id>
      
    • The dataset default does not re-encrypt existing tables. To change the key on a table that is already CMEK-protected:
      bq update --destination_kms_key projects/<project_id>/locations/<location>/keyRings/<key_ring>/cryptoKeys/<key_name> <project_id>:<dataset_id>.<table_id>
      
    • Replace the placeholders with the Cloud KMS key to be used. The key's location must match the dataset's location, and the project's BigQuery service account needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key before either command succeeds. Changing a table's key is itself a table update, so expect it to appear in the audit log.

Using Python

None
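Since the page gives no Python steps, the following is an added example (not code from the original page or from Google) of detection logic a practitioner could run over exported audit log entries. It parses constructed sample LogEntry lines shaped like BigQuery Admin Activity logs and flags UpdateTable/PatchTable events made by an untrusted principal, setting an expiration on a table that must be retained, or leaving the table on a Cloud KMS key outside the approved key ring. The policy values, identities, key names and resource names are assumptions chosen for the example.

```python
"""Flag risky google.cloud.bigquery.v2.TableService.UpdateTable events.

Added example, not code from the original page or from Google. It runs
offline over constructed Cloud Logging entries shaped like BigQuery Admin
Activity audit logs (protoPayload.methodName, authenticationInfo,
resourceName, and metadata.tableChange.table in BigQueryAuditMetadata form).
The policy values below (trusted principals, required key ring, datasets
that must not expire) are assumptions chosen for this example.
"""
import json
from typing import Any

UPDATE_METHODS = {
    "google.cloud.bigquery.v2.TableService.UpdateTable",
    "google.cloud.bigquery.v2.TableService.PatchTable",  # partial updates
}

# Assumed organisational policy (example values, not from the page).
POLICY: dict[str, Any] = {
    "trusted_principals": {"etl-runner@example-prod.iam.gserviceaccount.com"},
    "trusted_domain": "example.com",
    "required_key_ring": "projects/example-prod/locations/us/keyRings/bq-cmek/",
    "retained_datasets": {"projects/example-prod/datasets/finance"},
}

# Constructed sample log (one LogEntry per line); all values are invented.
SAMPLE_LOG = r'''
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.TableService.UpdateTable", "authenticationInfo": {"principalEmail": "etl-runner@example-prod.iam.gserviceaccount.com"}, "resourceName": "projects/example-prod/datasets/analytics/tables/events", "metadata": {"tableChange": {"table": {"tableName": "projects/example-prod/datasets/analytics/tables/events", "encryptionInfo": {"kmsKeyName": "projects/example-prod/locations/us/keyRings/bq-cmek/cryptoKeys/k1"}}}}}}
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.TableService.UpdateTable", "authenticationInfo": {"principalEmail": "mallory@gmail.com"}, "resourceName": "projects/example-prod/datasets/finance/tables/ledger", "metadata": {"tableChange": {"table": {"tableName": "projects/example-prod/datasets/finance/tables/ledger", "expireTime": "2024-01-02T00:00:00Z", "encryptionInfo": {"kmsKeyName": "projects/attacker-proj/locations/us/keyRings/x/cryptoKeys/y"}}}}}}
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.TableService.InsertTable", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/example-prod/datasets/finance/tables/new"}}
'''


def parse_entries(text: str) -> list[dict[str, Any]]:
    """Parse newline-delimited JSON LogEntry objects, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dataset_of(resource_name: str) -> str:
    """projects/P/datasets/D/tables/T -> projects/P/datasets/D."""
    return "/".join(resource_name.split("/")[:4])


def is_trusted(principal: str, policy: dict[str, Any]) -> bool:
    """Known automation identities, or any account in the corporate domain."""
    return (principal in policy["trusted_principals"]
            or principal.endswith("@" + policy["trusted_domain"]))


def evaluate(entry: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one entry (empty if benign)."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in UPDATE_METHODS:
        return []
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    resource = payload.get("resourceName", "")
    table = payload.get("metadata", {}).get("tableChange", {}).get("table", {})
    findings: list[str] = []

    # 1. Who made the change? An update from an unknown identity is the
    #    strongest single signal on this event.
    if not is_trusted(principal, policy):
        findings.append(f"untrusted principal {principal!r} updated {resource}")

    # 2. Retention: an expireTime on a table that must be kept means the
    #    data is deleted automatically once that time passes.
    if "expireTime" in table and dataset_of(resource) in policy["retained_datasets"]:
        findings.append(f"expiration {table['expireTime']} set on retained table {resource}")

    # 3. Encryption: the new state must still use a key from the approved ring.
    #    A missing encryptionInfo is treated as Google-managed (default) encryption.
    key = table.get("encryptionInfo", {}).get("kmsKeyName")
    if not key or not key.startswith(policy["required_key_ring"]):
        findings.append(f"CMEK key {key!r} outside required key ring on {resource}")
    return findings


def scan(entries: list[dict[str, Any]], policy: dict[str, Any]) -> list[tuple[str, list[str]]]:
    """Evaluate every entry; return (resourceName, findings) for flagged ones only."""
    flagged: list[tuple[str, list[str]]] = []
    for entry in entries:
        findings = evaluate(entry, policy)
        if findings:
            flagged.append((entry["protoPayload"].get("resourceName", ""), findings))
    return flagged


if __name__ == "__main__":
    for resource, findings in scan(parse_entries(SAMPLE_LOG), POLICY):
        print(resource)
        for finding in findings:
            print("  -", finding)
```

Real entries can be exported with the gcloud logging read command from the CLI section; with --format=json that output is a JSON array rather than one object per line, so adapt parse_entries accordingly. The audit entry records the table's new state only, so before acting on a finding, read the live table back with tables.get to confirm the current expiration and key.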