Google CloudOverview
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Rationale
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.
Impact
The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.
Remediation guidance
From Console
- Go to
BigQueryby visiting: https://console.cloud.google.com/bigquery. - Select the dataset from 'Resources'.
- Click
SHARINGnear the right side of the window and selectPermissions. - Review each attached role.
- Click the delete icon for each member
allUsersorallAuthenticatedUsers. On the popup clickRemove.
From Command Line
List the name of all datasets.
bq ls
Retrieve the data set details:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
In the access section of the JSON file, update the dataset information to remove all roles containing allUsers or allAuthenticatedUsers.
Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME
Prevention
You can prevent Bigquery dataset from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains.
Default Value
By default, BigQuery datasets are not publicly accessible.
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}
