chore: add gcp/bigquery metadata update to changelog

chore(gcp/bigquery): adapt metadata to new standarized format
2026-02-09 02:30:43 +00:00 · 2025-12-22 16:11:48 +01:00 · 2025-12-22 16:11:43 +01:00
4 changed files with 59 additions and 32 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -14,6 +14,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
+- Update GCP BigQuery service metadata to new format [(#9638)](https://github.com/prowler-cloud/prowler/pull/9638)
+

 ---

--- a/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.metadata.json
+++ b/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.metadata.json
@@ -1,26 +1,32 @@
 {
  "Provider": "gcp",
  "CheckID": "bigquery_dataset_cmk_encryption",
-  "CheckTitle": "Ensure BigQuery datasets are encrypted with Customer-Managed Keys (CMKs).",
+  "CheckTitle": "BigQuery dataset is encrypted with Customer-Managed Keys (CMKs)",
  "CheckType": [],
  "ServiceName": "bigquery",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Dataset",
-  "Description": "Ensure BigQuery datasets are encrypted with Customer-Managed Keys (CMKs) in order to have a more granular control over data encryption/decryption process.",
-  "Risk": "If you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.",
-  "RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/enable-table-encryption-with-cmks.html",
+  "Severity": "medium",
+  "ResourceType": "bigquery.googleapis.com/Dataset",
+  "Description": "**BigQuery datasets** use **Customer-Managed Encryption Keys** (`CMEK`) rather than Google-managed encryption. The evaluation identifies datasets configured to use a customer-managed key for data-at-rest protection.",
+  "Risk": "Without **CMEK**, organizations lose **cryptographic control** of data at rest, weakening **confidentiality** and **access governance**. Lack of custom **key rotation**, **revocation** (kill switch), and location control hinders incident response and may conflict with data-sovereignty requirements.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/enable-table-encryption-with-cmks.html",
+    "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1#terraform",
+    "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11",
+    "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+  ],
  "Remediation": {
    "Code": {
-      "CLI": "",
+      "CLI": "bq update --default_kms_key projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY_NAME> --dataset <DATASET_ID>",
      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11",
-      "Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1#terraform"
+      "Other": "1. In Google Cloud Console, go to BigQuery\n2. In Explorer, select your project and click the dataset <DATASET_ID>\n3. Click Edit details\n4. Under Encryption, select Customer-managed key and choose or paste the key: projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY_NAME>\n5. Click Save",
+      "Terraform": "```hcl\nresource \"google_bigquery_dataset\" \"<example_resource_name>\" {\n  dataset_id = \"<example_resource_id>\"\n  location   = \"<LOCATION>\"\n\n  # Critical: apply CMEK at the dataset level so the check passes\n  default_encryption_configuration {\n    kms_key_name = \"projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY_NAME>\" # Critical: sets CMEK\n  }\n}\n```"
    },
    "Recommendation": {
-      "Text": "Encrypting datasets with Cloud KMS Customer-Managed Keys (CMKs) will allow for a more granular control over data encryption/decryption process.",
-      "Url": "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+      "Text": "Protect datasets with **CMEK** via Cloud KMS:\n- Set a dataset or project default key\n- Align key location with dataset region\n- Enforce **least privilege** and separation of duties on key usage\n- Rotate keys and define revocation procedures\n- Audit key usage and use org policies to require CMEK",
+      "Url": "https://hub.prowler.com/check/bigquery_dataset_cmk_encryption"
    }
  },
  "Categories": [
--- a/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.metadata.json
+++ b/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.metadata.json
@@ -1,29 +1,41 @@
 {
  "Provider": "gcp",
  "CheckID": "bigquery_dataset_public_access",
-  "CheckTitle": "Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible.",
+  "CheckTitle": "BigQuery dataset is not publicly accessible",
  "CheckType": [],
  "ServiceName": "bigquery",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Dataset",
-  "Description": "Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible.",
-  "Risk": "Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.",
+  "Severity": "critical",
+  "ResourceType": "bigquery.googleapis.com/Dataset",
+  "Description": "BigQuery datasets are evaluated for exposure to **public identities**. The finding highlights datasets that grant any role to `allUsers` or `allAuthenticatedUsers`, which makes the dataset publicly accessible beyond intended principals.",
+  "Risk": "Public dataset access erodes **confidentiality** by enabling unrestricted reads and metadata discovery. Attackers can query and copy data for **exfiltration** and use schema details for **lateral movement**. It can also trigger unexpected **costs** from abusive or high-volume queries.",
  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://github.com/forseti-security/forseti-security/issues/3406",
+    "https://support.icompaas.com/support/solutions/articles/62000233051-7-1-ensure-bigquery-datasets-are-not-anonymously-or-publicly-accessible-automated-",
+    "https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/bigquery-publicly-accessible-dataset/",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/publicly-accessible-big-query-datasets.html",
+    "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/bc_gcp_general_3#terraform",
+    "https://cloud.google.com/blog/products/identity-security/automatic-dlp-for-bigquery",
+    "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+  ],
  "Remediation": {
    "Code": {
      "CLI": "",
      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/publicly-accessible-big-query-datasets.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/bc_gcp_general_3#terraform"
+      "Other": "1. Open Google Cloud Console and go to BigQuery\n2. In Explorer, select the dataset\n3. Click SHARING > Permissions\n4. Remove principals named AllUsers and AllAuthenticatedUsers\n5. Click Save",
+      "Terraform": "```hcl\n# Ensure the dataset is not public by removing public principals from IAM (authoritative for this role)\nresource \"google_bigquery_dataset_iam_binding\" \"<example_resource_name>\" {\n  dataset_id = \"<example_resource_id>\"\n  role       = \"roles/bigquery.dataViewer\"\n  members    = [\n    \"user:<example_user_email>\" # CRITICAL: exclude allUsers/allAuthenticatedUsers to remove public access\n  ]\n}\n```"
    },
    "Recommendation": {
-      "Text": "It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.",
-      "Url": "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+      "Text": "Apply **least privilege** on datasets:\n- Remove `allUsers` and `allAuthenticatedUsers`\n- Grant access only to required groups or service accounts\n- Use **authorized views** or controlled listings for sharing\n- Review access regularly and enforce org policies that block public identities for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/bigquery_dataset_public_access"
    }
  },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed",
+    "identity-access"
+  ],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
--- a/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.metadata.json
+++ b/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.metadata.json
@@ -1,29 +1,36 @@
 {
  "Provider": "gcp",
  "CheckID": "bigquery_table_cmk_encryption",
-  "CheckTitle": "Ensure BigQuery tables are encrypted with Customer-Managed Keys (CMKs).",
+  "CheckTitle": "BigQuery table is encrypted with a Customer-Managed Key (CMK)",
  "CheckType": [],
  "ServiceName": "bigquery",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Table",
-  "Description": "Ensure BigQuery tables are encrypted with Customer-Managed Keys (CMKs) in order to have a more granular control over data encryption/decryption process.",
-  "Risk": "If you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Tables.",
+  "Severity": "medium",
+  "ResourceType": "bigquery.googleapis.com/Table",
+  "Description": "**BigQuery tables** use **customer-managed encryption keys** (`CMEK`) for at-rest encryption. The evaluation identifies tables lacking a configured **Cloud KMS key**, indicating use of default Google-managed encryption instead.",
+  "Risk": "Without `CMEK`, encryption keys are not under your control, reducing **key custody** and auditability. You can't enforce **region-bound keys**, custom **rotation**, or revoke access by disabling a key, weakening **confidentiality** and **compliance**. A compromised account may retain data access without an external KMS gate.",
  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/enable-table-encryption-with-cmks.html",
+    "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek#terraform",
+    "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+  ],
  "Remediation": {
    "Code": {
-      "CLI": "",
+      "CLI": "bq cp -f --destination_kms_key projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY> <DATASET_ID>.<TABLE_ID> <DATASET_ID>.<TABLE_ID>",
      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/BigQuery/enable-table-encryption-with-cmks.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek#terraform"
+      "Other": "1. In Google Cloud Console, go to BigQuery and open the Query editor\n2. Run:\n   ```sql\n   ALTER TABLE <DATASET_ID>.<TABLE_ID>\n   SET OPTIONS (kms_key_name = 'projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY>');\n   ```\n3. Click Run\n4. Open the table Details and verify Customer-managed key shows the specified key",
+      "Terraform": "```hcl\nresource \"google_bigquery_table\" \"<example_resource_name>\" {\n  dataset_id = \"<DATASET_ID>\"\n  table_id   = \"<TABLE_ID>\"\n\n  schema = jsonencode([\n    { name = \"id\", type = \"INT64\", mode = \"NULLABLE\" }\n  ])\n\n  # Critical: enforce CMEK on the table using the specified KMS key\n  encryption_configuration {\n    kms_key_name = \"projects/<KMS_PROJECT_ID>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY>\"  # Enables CMK encryption\n  }\n}\n```"
    },
    "Recommendation": {
-      "Text": "Encrypting tables with Cloud KMS Customer-Managed Keys (CMKs) will allow for a more granular control over data encryption/decryption process.",
-      "Url": "https://cloud.google.com/bigquery/docs/customer-managed-encryption"
+      "Text": "Protect BigQuery tables with **Cloud KMS CMEK** to retain key ownership and control.\n- Set dataset/project default keys\n- Match key location to dataset region\n- Enforce least-privilege on KMS and monitor usage\n- Rotate keys and define revocation procedures\n- Apply org policies to require CMEK and restrict permissible key projects",
+      "Url": "https://hub.prowler.com/check/bigquery_table_cmk_encryption"
    }
  },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
Author	SHA1	Message	Date
Rubén De la Torre Vico	71151dcc99	chore: add gcp/bigquery metadata update to changelog	2025-12-22 16:11:48 +01:00
Rubén De la Torre Vico	b46a08a751	chore(gcp/bigquery): adapt metadata to new standarized format	2025-12-22 16:11:43 +01:00