Secure BigQuery Omni with VPC Service Controls

This document describes how to set up a VPC Service Controls perimeter for your BigQuery Omni resources.

Overview

You can use VPC Service Controls perimeters to restrict access from BigQuery Omni to external clouds.

VPC Service Controls is a Google Cloud feature that allows you to set up a secure perimeter to guard against data exfiltration. VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). This guide shows you how to set up an egress policy that restricts access to only specified external cloud resources from within a VPC Service Controls perimeter. For example, you can limit exports from your BigQuery Omni tables to a specific S3 bucket.

To learn more about VPC Service Controls, see Overview of VPC Service Controls.

Permissions

For permissions to configure service perimeters, see IAM roles for administering VPC Service Controls.

Before you begin

Before creating the perimeter policy, you must set a default access policy and create an input file that defines the egress policy you want to add.

Set default access policy

Before running the create command, set the default access policy. An access policy is an organization-wide container for access levels and service perimeters.

For information about setting a default access policy or getting an access policy name, see Managing an access policy.

Create the egress policy input file

An egress rule block defines the allowed access from within a perimeter to resources outside of that perimeter. For external resources, the externalResources property defines the external resource paths allowed access from within your VPC Service Controls perimeter.

Egress rules can be configured using either a JSON file or a YAML file. The following sample uses the .yaml format:

  - egressTo:
      operations:
      - serviceName: bigquery.googleapis.com
        methodSelectors:
        - method: "*"
        OR
        - permission: "*"
      externalResources:
        - External_Resource_Path
    egressFrom:
      identityType: IDENTITY_TYPE
      OR
      identities:
      - serviceAccount:SERVICE_ACCOUNT

  • - egressTo: - (Required) Starts the to block which lists allowed service operations on Google Cloud resources in specified projects outside the perimeter.

  • operations: - (Required) Marks the beginning of the list of accessible services and actions/methods that a client satisfying the from block conditions is allowed to access.

  • - serviceName: - (Required) For BigQuery Omni, this should be set to bigquery.googleapis.com.

  • methodSelectors: - (Required) The beginning of a list of methods that a client satisfying the from block conditions is allowed to access. For a list of restrictable methods and permissions for services, see Supported service method restrictions.

  • - method: - (This attribute or the permission attribute must be used). This field can be a valid service method, or can be set to "*" to allow access to all methods of the specified service.

  • - permission: - (This attribute or the method attribute must be used) This field must be a valid service permission. The access to the specified resources outside the perimeter is allowed for the operations that require this permission.

  • externalResources: - (Required) This attribute is a list of external resources that clients inside a perimeter can access. This field can be set to either a valid AWS S3 bucket, such as s3://bucket_name, or an Azure storage path, such as azure://myaccount.blob.core.windows.net/container_name.

  • egressFrom: - (Required) Starts the from block which lists allowed service operations on Google Cloud resources in specified projects within the perimeter.

  • identityType: - (This attribute or the identities attribute must be used) This attribute defines the types of identities that can be used to access the specified resources outside the perimeter. Acceptable values: ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT. ANY_IDENTITY allows all identities. ANY_USER_ACCOUNT allows all human users. ANY_SERVICE_ACCOUNT allows all service accounts.

  • identities: - (This attribute or the identityType attribute must be used) This attribute starts a list of service accounts that can access the specified resources outside the perimeter.

  • serviceAccount - A service account that can access the specified resources outside the perimeter.

Examples

The following example is a policy that allows egress operations from inside the perimeter to the s3://mybucket S3 location in AWS.

  - egressTo:
      operations:
      - serviceName: bigquery.googleapis.com
        methodSelectors:
        - method: "*"
      externalResources:
        - s3://mybucket
        - s3://mybucket2
    egressFrom:
      identityType: ANY_IDENTITY

The following example allows egress operations to an Azure storage bucket.

  - egressTo:
      operations:
      - serviceName: bigquery.googleapis.com
        methodSelectors:
        - method: "*"
      externalResources:
        - azure://myaccount.blob.core.windows.net/mycontainer
    egressFrom:
      identityType: ANY_IDENTITY

For more information about writing egress policies, see the Egress rules reference.
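The field rules listed above and the two example policies can be checked before a file is handed to gcloud. The following added example (not part of this page or of Google's tooling) lints an egress policy in its JSON form, which is equivalent to the YAML the page shows, and flags the widest rule shape the format allows (ANY_IDENTITY together with method "*") so it can be reviewed deliberately; the S3 and Azure path patterns and the sample rules are constructed assumptions.

```python
import json
import re

ALLOWED_IDENTITY_TYPES = {"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"}
# Resource forms named on this page (S3 bucket, Azure Blob container); the character rules are simplified assumptions.
S3_RE = re.compile(r"^s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
AZURE_RE = re.compile(r"^azure://[a-z0-9]{3,24}\.blob\.core\.windows\.net/[a-z0-9][a-z0-9-]*$")

# Constructed sample: JSON form of the page's first YAML example (rule 0) plus a
# deliberately malformed rule (rule 1) so the checks have something to report.
SAMPLE_POLICY = json.loads("""
[
  {"egressTo": {"operations": [{"serviceName": "bigquery.googleapis.com",
                                "methodSelectors": [{"method": "*"}]}],
                "externalResources": ["s3://mybucket", "s3://mybucket2"]},
   "egressFrom": {"identityType": "ANY_IDENTITY"}},
  {"egressTo": {"operations": [{"serviceName": "storage.googleapis.com",
                                "methodSelectors": [{"method": "*", "permission": "*"}]}],
                "externalResources": ["gs://not-an-external-resource"]},
   "egressFrom": {"identities": ["user:someone@example.com"]}}
]
""")

def lint_rule(rule):
    """Return the defects found in one egress rule; an empty list means it is well formed."""
    findings = []
    to, frm = rule.get("egressTo", {}), rule.get("egressFrom", {})
    for op in to.get("operations", []):
        if op.get("serviceName") != "bigquery.googleapis.com":
            findings.append(f"serviceName must be bigquery.googleapis.com, got {op.get('serviceName')!r}")
        for sel in op.get("methodSelectors", []):
            if ("method" in sel) == ("permission" in sel):  # exactly one of the two is required
                findings.append("each methodSelector needs exactly one of method/permission")
    for res in to.get("externalResources", []):
        if not (S3_RE.match(res) or AZURE_RE.match(res)):
            findings.append(f"externalResources entry is neither an S3 bucket nor an Azure path: {res!r}")
    if ("identityType" in frm) == ("identities" in frm):
        findings.append("egressFrom needs exactly one of identityType/identities")
    itype = frm.get("identityType")
    if itype is not None and itype not in ALLOWED_IDENTITY_TYPES:
        findings.append(f"unknown identityType {itype!r}")
    bad = [i for i in frm.get("identities", []) if not i.startswith("serviceAccount:")]
    if bad:
        findings.append(f"identities entries must be serviceAccount:..., got {bad}")
    return findings

def broad_rules(policy):
    """Indices of rules letting any identity call any BigQuery method: the widest egress this format allows."""
    return [i for i, r in enumerate(policy) if r.get("egressFrom", {}).get("identityType") == "ANY_IDENTITY"
            and any(sel.get("method") == "*" for op in r.get("egressTo", {}).get("operations", [])
                    for sel in op.get("methodSelectors", []))]
```

Running lint_rule over each rule of a real egress.json before the gcloud create or update step catches the structural mistakes the page's field list describes; broad_rules only points at rules worth a second look, it does not reject them.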

Add the egress policy to a service perimeter

You can create a service perimeter using the Google Cloud Console, the gcloud command-line tool, or the API. However, you must use the gcloud command-line tool to add external resources to the egress rules.

The create perimeter command is the same for BigQuery Omni as for any other product. For more information on the options, see the gcloud tab in Creating a service perimeter.

Create a new service perimeter

The following command creates a new perimeter named omniPerimeter that includes the project with project number 12345, restricts the BigQuery API, and adds an egress policy defined in the egress.yaml file.

gcloud

gcloud alpha access-context-manager perimeters create omniPerimeter \
  --title="Omni Perimeter" \
  --resources=projects/12345 \
  --restricted-services=bigquery.googleapis.com \
  --egress-policies=egress.yaml

Add to an existing service perimeter

The following command adds an egress policy defined in the egress.yaml file to an existing service perimeter named omniPerimeter.

gcloud

gcloud alpha access-context-manager perimeters update omniPerimeter \
  --set-egress-policies=egress.yaml

Verify your perimeter

You can use the describe command to verify the perimeter you just created.

gcloud

Use the following command to describe a perimeter.

gcloud alpha access-context-manager perimeters describe PERIMETER-NAME

  • PERIMETER-NAME is the name of the perimeter.

For example, the following describes the perimeter omniPerimeter.

gcloud alpha access-context-manager perimeters describe omniPerimeter

For more information about the describe command, see Managing service perimeters.

What's next