GCP BigQuery Tables are anonymously or publicly accessible
Description
This policy flags BigQuery tables whose IAM policy grants a role to the special principal allUsers (anyone on the internet, no authentication required) or allAuthenticatedUsers (any Google account, not only accounts in your organization). Either binding exposes the table's data outside your project; the fix is to remove those principals from the table's IAM policy.
Remediation
**GCP Console**
To change the policy using the GCP Console, follow these steps:
1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to https://console.cloud.google.com/bigquery [BigQuery].
3. On the **Dataset Explorer** details page, expand the dataset that contains your table.
4. Open your target table's kebab (three-dot) menu and select **Open**.
5. Click the **SHARE** button to open the table's IAM policy.
6. To remove a role assignment, click **Delete** next to **allUsers** or **allAuthenticatedUsers**.
**CLI Command**
To remove access for **allUsers** and **allAuthenticatedUsers**, first retrieve the table's existing IAM policy and save it to a local file:
```shell
bq get-iam-policy --format=prettyjson \
  PROJECT-ID:DATASET.TABLE \
  > policy.json
```
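Once the policy is saved locally, the remaining work is to strip the public principals from policy.json and write it back with `bq set-iam-policy PROJECT-ID:DATASET.TABLE policy.json` (keeping the etag from the downloaded policy so the write is rejected if someone changed the policy in the meantime), or to remove each offending binding directly with `bq remove-iam-policy-binding`. The following Python is an added example, not code from the original page or from the Checkov project. It operates on a constructed policy in the shape `bq get-iam-policy --format=prettyjson` emits (the roles, members and etag are made up), reports the bindings that make the table public, produces a scrubbed copy that preserves the etag, and emits the equivalent per-binding bq commands for a hypothetical table identifier `my-project:my_dataset.my_table`.

```python
import json

# Constructed sample in the shape `bq get-iam-policy --format=prettyjson` writes
# to policy.json. The roles, members and etag are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["allUsers", "user:analyst@example.com"],
     "role": "roles/bigquery.dataViewer"},
    {"members": ["allAuthenticatedUsers"],
     "role": "roles/bigquery.dataEditor"},
    {"members": ["group:data-owners@example.com"],
     "role": "roles/bigquery.dataOwner"}
  ],
  "etag": "BwXyz123abc=",
  "version": 1
}
""")

# The two special principals that make a table anonymously or publicly accessible.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """Return (role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def scrub_policy(policy):
    """Return a copy of the policy with the public principals removed.

    Bindings left with no members are dropped entirely. The etag and version
    are kept so `bq set-iam-policy` can detect a concurrent modification.
    """
    scrubbed = {k: v for k, v in policy.items() if k != "bindings"}
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            bindings.append({**binding, "members": members})
    scrubbed["bindings"] = bindings
    return scrubbed


def remove_binding_commands(resource, policy):
    """Per-binding alternative that avoids the policy-file round trip."""
    return [
        f"bq remove-iam-policy-binding --member={member} --role={role} {resource}"
        for role, member in public_bindings(policy)
    ]


if __name__ == "__main__":
    # Hypothetical table identifier; substitute PROJECT-ID:DATASET.TABLE.
    table = "my-project:my_dataset.my_table"
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public binding: {member} has {role}")
    print(json.dumps(scrub_policy(SAMPLE_POLICY), indent=2))
    # Write the scrubbed JSON to policy.json, then:
    #   bq set-iam-policy my-project:my_dataset.my_table policy.json
    for cmd in remove_binding_commands(table, SAMPLE_POLICY):
        print(cmd)
```

Scrubbing the file rather than hand-editing it avoids the common mistake of deleting the member but leaving an empty binding, and checking `public_bindings` on the scrubbed result before running `bq set-iam-policy` confirms the table will no longer trip this rule.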
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0958 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_100 |