
I have a GCP project in which I can allow users to do anything they want: they can enable new components, they can upload data into BigQuery/Cloud Storage, etc. The only thing they can't do is create VMs.

But I don't want to allow them to download data, because it's sensitive data. They can explore and work with the data inside GCP as they want (this is an analytics project), but they shouldn't be able to download the data.

The problem is: we know that we can block users from downloading data via BigQuery. But they can be creative. They can build Python scripts in AI Notebooks and write.csv, they can create service accounts and connect external platforms, etc.

So, we can restrict them from downloading BQ results, or even prevent them from creating service accounts. But I'm wondering: what else could they do to download data?

Any insights here would be very helpful. Thanks a lot!

Nyan Maru
  • 1
    They can take photographs and type the data somewhere else. If your users are sophisticated enough to create Python scripts, they're sophisticated enough to get the data no matter what you do. – Gilbert Le Blanc May 06 '21 at 21:25
  • 1
    If the users can create service accounts and assign roles, they can do almost anything including creating new VMs. Reading data is a basic permission included in most roles. – John Hanley May 06 '21 at 21:49
  • Have you explored custom roles? What roles do your users currently have? – PlainH2O May 07 '21 at 00:12
  • Thanks, everyone, for sharing your thoughts. Today everyone is under a user group configured as "Editor". But I think I will start with more restricted access and as they "complain" about something they can't do, I will manage each scenario. – Nyan Maru May 07 '21 at 12:12

1 Answer


Since you gave them the Owner role for the project, you can't prevent them from downloading data, creating a service account, etc., but you can monitor what they are doing.

1- Use Cloud Logging to ingest and analyze log data from any source.

2- Use Cloud Data Loss Prevention (DLP) to protect your customer data and give your team access to the output of DLP that is more relevant for analysis.

3- Use Cloud Monitoring dashboard for BigQuery (and others) to see a list of tables, events, and incident reporting that are user-configurable as well as charts of project metrics or dataset metrics.

4- Try to design custom roles in IAM for your team and assign these roles to a group's members.

Adam
  • Hello Adam, thanks for sharing your thoughts! I think I will work better on my user group roles and study the monitoring options you shared. I will probably start with more restricted access and heavy monitoring, sounds like the safest option right now. – Nyan Maru May 07 '21 at 12:19
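
As an added example (not part of the original posts), here is one way to apply the Cloud Logging suggestion to the paths named in the question: it scans exported audit log entries for service account creation, service account key creation, and BigQuery export jobs that write to a bucket outside an allowlist. The log entries are constructed and trimmed, `APPROVED_BUCKETS` and the e-mail addresses are hypothetical, and the field paths assume Cloud Audit Logs entries with BigQuery's `BigQueryAuditMetadata` payload.

```python
import json

# Constructed, trimmed audit log entries (one JSON object per line); not real log data.
SAMPLE_LOG = """\
{"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "analyst1@example.com"}}}
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "authenticationInfo": {"principalEmail": "analyst2@example.com"}, "metadata": {"jobInsertion": {"job": {"jobConfig": {"type": "EXPORT", "extractConfig": {"destinationUris": ["gs://personal-bucket/out-*.csv"]}}}}}}}
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "authenticationInfo": {"principalEmail": "analyst3@example.com"}, "metadata": {"jobInsertion": {"job": {"jobConfig": {"type": "QUERY"}}}}}}
{"protoPayload": {"methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "authenticationInfo": {"principalEmail": "analyst3@example.com"}, "metadata": {"jobInsertion": {"job": {"jobConfig": {"type": "EXPORT", "extractConfig": {"destinationUris": ["gs://analytics-scratch/tmp.csv"]}}}}}}}
"""

APPROVED_BUCKETS = {"analytics-scratch"}  # hypothetical allowlist of in-project buckets

IAM_METHODS = {
    "google.iam.admin.v1.CreateServiceAccount": "service account created",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
}

def bucket_of(uri):
    """Return the bucket name from a gs://bucket/path URI."""
    return uri[len("gs://"):].split("/", 1)[0] if uri.startswith("gs://") else uri

def classify(entry):
    """Return (principal, reason) for an exfiltration-relevant entry, else None."""
    payload = entry.get("protoPayload", {})
    who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    method = payload.get("methodName", "")
    if method in IAM_METHODS:
        return who, IAM_METHODS[method]
    cfg = (payload.get("metadata", {}).get("jobInsertion", {})
           .get("job", {}).get("jobConfig", {}))
    if cfg.get("type") == "EXPORT":
        uris = cfg.get("extractConfig", {}).get("destinationUris", [])
        outside = sorted({bucket_of(u) for u in uris} - APPROVED_BUCKETS)
        if outside:
            return who, "BigQuery export to unapproved bucket(s): " + ", ".join(outside)
    return None

def scan(text):
    """Classify every non-empty JSON line and collect the findings in order."""
    entries = (json.loads(line) for line in text.splitlines() if line.strip())
    return [hit for hit in map(classify, entries) if hit]

if __name__ == "__main__":
    for who, reason in scan(SAMPLE_LOG):
        print(f"{who}: {reason}")
```

This only covers actions that leave an audit record; a notebook that reads a table and writes a local file, as described in the question, would appear as ordinary data reads.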