Policy Packs

guardrails-samples

This section addresses Google CloudPlatform BigQuery. BigQuery is a serverless, highly-scalable, and cost-effective cloud data warehouse with an in-memory BI Engine and machine learning built in.

GCP CIS v2.0.0 - Section 7 - BigQuery

main

gcp_bigquery_dataset_encryption_at_rest

Define the minimum level of encryption required for GCP BigQuery dataset.

datasetEncryptionAtRest

GCP > BigQuery > Dataset > Encryption at Rest

gcp_bigquery_dataset_encryption_at_rest_customer_managed_key

This template is used to generate the Google Cloud KMS symmetric key to use for dataset encryption at rest.

datasetEncryptionAtRestCustomerManagedKey

GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key

gcp_bigquery_dataset_publicly_accessible

Ensure the BigQuery dataset is not publicly accessible.

datasetPubliclyAccessible

GCP > BigQuery > Dataset > Publicly Accessible

gcp_bigquery_table_approved

Determine the action to take when a GCP BigQuery table is not approved based on `GCP &gt; BigQuery &gt; Table &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) for more information.&#92;n

tableApproved

GCP > BigQuery > Table > Approved

gcp_bigquery_table_approved_encryption_at_rest

Define the minimum level of encryption required for GCP &gt; BigQuery &gt; Table.&#92;n&#92;nThis policy will be evaluated by the Approved control. If a GCP BigQuery table does not meet the minimum encryption level specified, it will be subject to the action specified in the `GCP &gt; BigQuery &gt; Table &gt; Approved` policy.&#92;n&#92;nSee [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) for more information.&#92;n

tableApprovedEncryptionAtRest

GCP > BigQuery > Table > Approved > Encryption at Rest

gcp_bigquery_table_approved_encryption_at_rest_customer_managed_key

The ID of a GCP KMS symmetric key that must be used as the encryption key for a GCP &gt; BigQuery &gt; Table.&#92;n&#92;nThis policy will be evaluated by the Approved control. If a GCP BigQuery table is not encrypted with the specified key, it will be subject to the action specified in the `GCP &gt; BigQuery &gt; Table &gt; Approved` policy.&#92;n&#92;nSee [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) for more information.&#92;n

tableApprovedEncryptionAtRestCustomerManagedKey

GCP > BigQuery > Table > Approved > Encryption at Rest > Customer Managed Key

turbot_policy_setting.gcp_bigquery_dataset_encryption_at_rest

turbot_policy_setting.gcp_bigquery_dataset_encryption_at_rest_customer_managed_key

turbot_policy_setting.gcp_bigquery_dataset_publicly_accessible

turbot_policy_setting.gcp_bigquery_table_approved

turbot_policy_setting.gcp_bigquery_table_approved_encryption_at_rest

turbot_policy_setting.gcp_bigquery_table_approved_encryption_at_rest_customer_managed_key

Policy	Setting	Note
GCP > BigQuery > Dataset > Encryption at Rest	Check: Customer managed key	GCP CIS v2.0.0 - Control: 7.3
GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key	projects/my-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key	GCP CIS v2.0.0 - Control: 7.3
GCP > BigQuery > Dataset > Publicly Accessible	Check: Dataset is not publicly accessible	GCP CIS v2.0.0 - Control: 7.1
GCP > BigQuery > Table > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 7.2
GCP > BigQuery > Table > Approved > Encryption at Rest	Customer managed key	GCP CIS v2.0.0 - Control: 7.2
GCP > BigQuery > Table > Approved > Encryption at Rest > Customer Managed Key	projects/my-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key	GCP CIS v2.0.0 - Control: 7.2

Policy Settings