This page describes the detective policies that are included in the v1.0 version of the predefined posture for BigQuery, essentials. This posture includes a policy set that defines the Security Health Analytics detectors that apply to BigQuery workloads.
You can use this predefined posture to configure a security posture that helps protect BigQuery resources. You can deploy this predefined posture without making any changes.
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in this posture.
| Detector name | Description |
|---|---|
| BIGQUERY_TABLE_CMEK_DISABLED | This detector checks whether a BigQuery table isn't configured to use a customer-managed encryption key (CMEK). For more information, see Dataset vulnerability findings. |
| PUBLIC_DATASET | This detector checks whether a dataset is configured to be open to public access. For more information, see Dataset vulnerability findings. |
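
The two conditions in the table can also be checked locally against exported resource metadata. The following is an added example, not part of the original page and not Security Health Analytics' own implementation. It assumes metadata shaped like BigQuery REST API dataset and table resources (`access[]` entries and `encryptionConfiguration.kmsKeyName`); all project, dataset, table and key names are constructed.

```python
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample metadata (all names are made up), shaped like
# BigQuery REST API dataset and table resources.
DATASETS = [
    {"id": "example-proj:sales", "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"}]},
    {"id": "example-proj:open_data", "access": [
        {"role": "READER", "iamMember": "allUsers"}]},
    {"id": "example-proj:hr", "access": [
        {"role": "OWNER", "userByEmail": "admin@example.com"}]},
]
TABLES = [
    {"id": "example-proj:hr.payroll", "encryptionConfiguration": {
        "kmsKeyName": "projects/example-proj/locations/us/keyRings/kr/cryptoKeys/k"}},
    {"id": "example-proj:hr.badges"},  # no encryptionConfiguration at all
    {"id": "example-proj:sales.orders", "encryptionConfiguration": {"kmsKeyName": ""}},
]


def public_grants(dataset):
    """Return (role, principal) pairs that grant access to a public principal."""
    hits = []
    for entry in dataset.get("access", []):
        for field in ("specialGroup", "iamMember"):
            if entry.get(field) in PUBLIC_PRINCIPALS:
                hits.append((entry.get("role"), entry[field]))
    return hits


def lacks_cmek(table):
    """True when no customer-managed key name is set on the table."""
    return not (table.get("encryptionConfiguration") or {}).get("kmsKeyName")


def audit(datasets, tables):
    """Return (category, resource id, detail) tuples, using the detector names as categories."""
    findings = []
    for ds in datasets:
        for role, principal in public_grants(ds):
            findings.append(("PUBLIC_DATASET", ds["id"], f"{role} -> {principal}"))
    for tbl in tables:
        if lacks_cmek(tbl):
            findings.append(("BIGQUERY_TABLE_CMEK_DISABLED", tbl["id"], "kmsKeyName empty"))
    return findings


if __name__ == "__main__":
    for category, resource, detail in audit(DATASETS, TABLES):
        print(f"{category}\t{resource}\t{detail}")
```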
YAML definition
The following is the YAML definition for the predefined posture for BigQuery.
```yaml
name: organizations/123/locations/global/postureTemplates/big_query_essential
description: Posture Template to make your BigQuery workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: BigQuery detective policy set
  description: 2 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: BigQuery table CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BIGQUERY_TABLE_CMEK_DISABLED
  - policy_id: Public dataset
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_DATASET
```