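package bigquery

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/google/bigquery"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicAccess is the AVD-GCP-0046 rule: it reports every BigQuery
// dataset access grant whose special group is allAuthenticatedUsers, since
// that grant admits any authenticated GCP identity, including ones outside
// the organisation. Grants with any other special group are recorded as
// passed. The rule is registered with the scanner at package init time via
// rules.Register.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:     "AVD-GCP-0046",
		Provider:  providers.GoogleProvider,
		Service:   "bigquery",
		ShortCode: "no-public-access",
		Summary:   "BigQuery datasets should only be accessible within the organisation",
		// "iniernet" -> "internet": this text is surfaced to users in scan output.
		Impact:      "Exposure of sensitive data to the public internet",
		Resolution:  "Configure access permissions with higher granularity",
		Explanation: `Using 'allAuthenticatedUsers' provides any GCP user - even those outside of your organisation - access to your BigQuery dataset.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluates the rule against the parsed state. The walk is
	// dataset -> access grant; each grant yields exactly one result
	// (failed or passed), so the result count equals the grant count.
	func(s *state.State) (results scan.Results) {
		for _, dataset := range s.Google.BigQuery.Datasets {
			for _, grant := range dataset.AccessGrants {
				// NOTE(review): only the allAuthenticatedUsers special group is
				// inspected here; other ways a grant could reach outside the
				// organisation are outside this rule's scope — confirm against
				// the provider model if wider coverage is expected.
				if grant.SpecialGroup.EqualTo(bigquery.SpecialGroupAllAuthenticatedUsers) {
					results.Add(
						"Dataset grants access to all authenticated GCP users.",
						grant.SpecialGroup,
					)
				} else {
					results.AddPassed(&grant)
				}
			}
		}
		return
	},
)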