Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible

From Console

1. Go to BigQuery by visiting: https://console.cloud.google.com/bigquery.
2. Select the dataset from 'Resources'.
3. Click SHARING near the right side of the window and select Permissions.
4. Review each attached role.
5. Click the delete icon for each member allUsers or allAuthenticatedUsers. On the popup click Remove.

From Command Line

List the name of all datasets.

bq ls

Retrieve the data set details:

bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE

In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.

Update the dataset:

bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME

Prevention

You can prevent Bigquery dataset from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains.

Default Value

By default, BigQuery datasets are not publicly accessible.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.