BigQuery datasets should not be anonymously or publicly accessible

Description

BigQuery datasets should not grant permissions to ‘allUsers’ or ‘allAuthenticatedUsers’, because doing so allows anyone to access the dataset and any sensitive data stored in it.

Remediation Steps

Google Cloud Console

  • Navigate to BigQuery Explorer.

  • Select a dataset under one of the projects.

  • Click Share Dataset on the upper right.

  • Under Dataset Permissions look for any permission where allUsers or allAuthenticatedUsers is a member.

  • Click the trash can icon, then click Remove to confirm removal of this member’s permission.

  • Click Done.

bq CLI

  • Write the existing dataset (including access controls) to a JSON file:

    • bq show --format=prettyjson PROJECT_ID:DATASET > PATH_TO_FILE

  • Remove ‘allUsers’ or ‘allAuthenticatedUsers’ from the JSON file.

  • Update permissions for dataset:

    • bq update --source PATH_TO_FILE PROJECT_ID:DATASET
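
The middle step of the bq CLI procedure can be scripted instead of edited by hand. The following is an added example, not part of the original page: it drops every entry in the dataset's `access` array that names allUsers or allAuthenticatedUsers and rewrites PATH_TO_FILE in place. It assumes these members appear as string values of fields such as `specialGroup` or `iamMember`; the sample dataset and the function names are constructed for illustration.

```python
import json
import sys

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def is_public(entry):
    """True if any string field of an access entry names a public member."""
    return any(isinstance(v, str) and v in PUBLIC_MEMBERS for v in entry.values())


def strip_public_access(dataset):
    """Return (cleaned_dataset, removed_entries); the input is not modified."""
    access = dataset.get("access", [])
    removed = [e for e in access if is_public(e)]
    cleaned = dict(dataset)
    cleaned["access"] = [e for e in access if not is_public(e)]
    return cleaned, removed


# Constructed sample shaped like `bq show --format=prettyjson` output.
# Field names for the public entries are an assumption; check your own file.
SAMPLE = {
    "datasetReference": {"projectId": "example-project", "datasetId": "example_ds"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
        {"role": "READER", "iamMember": "allUsers"},
        {"role": "WRITER", "userByEmail": "analyst@example.com"},
    ],
}

if __name__ == "__main__":
    # With an argument, clean that file in place; otherwise use the sample.
    path = sys.argv[1] if len(sys.argv) == 2 else None
    dataset = SAMPLE
    if path:
        with open(path) as fh:
            dataset = json.load(fh)
    cleaned, removed = strip_public_access(dataset)
    for entry in removed:
        print("removing:", json.dumps(entry), file=sys.stderr)
    if path:
        with open(path, "w") as fh:
            json.dump(cleaned, fh, indent=2)
    else:
        print(json.dumps(cleaned["access"], indent=2))
```

Review the entries printed to stderr before running `bq update --source PATH_TO_FILE PROJECT_ID:DATASET`, so that only the intended public grants are removed.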