How to prevent users from downloading data in GCP (all possible ways)

I have a GCP project in which I can allow users to do anything they want: they can enable new components, they can upload data into BigQuery/Cloud Storage, etc. The only thing they can't do is create VMs.

But I don't want to allow them to download data, because it's sensitive data. They can explore and work with the data inside GCP as they want (this is an analytics project), but they shouldn't be able to download the data.

The problem is: we know that we can block users from downloading data via BigQuery. But they can be creative. They can build Python scripts in AI Notebooks and write.csv, they can create service accounts and connect external platforms, etc.

So, we can restrict them from downloading BQ results, or even prevent them from creating service accounts. But I'm wondering: what else could they do to download data?

Any insights here would be very helpful. Thanks a lot!

There are 1 best solutions below

Since you gave them the Owner role for the project, you can't prevent them from downloading data, creating a service account, etc., but you can monitor what they are doing.

1- Use Cloud Logging to ingest and analyze log data from any source.

2- Use Cloud Data Loss Prevention (DLP) to protect your customer data and give your team access to the output of DLP that is more relevant for analysis.

3- Use Cloud Monitoring dashboard for BigQuery (and others) to see a list of tables, events, and incident reporting that are user-configurable as well as charts of project metrics or dataset metrics.

4- Try to design custom roles in IAM for your team and assign these roles to a group's members.
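
The monitoring approach from the answer above, as an added example that is not part of the original answer: a small triage pass over Cloud Audit Logs entries that flags the egress paths the question lists (service account keys, BigQuery exports, object reads from outside the network). The field names follow the Cloud Audit Logs format; the principals, addresses, bucket name, rule set and finding labels are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges treated as "inside"; adjust to your own VPC ranges (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def entry(method, who, ip, metadata=None):
    """Build a constructed entry shaped like a Cloud Audit Logs LogEntry."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": who},
                             "requestMetadata": {"callerIp": ip},
                             "metadata": metadata or {}}}

# Constructed sample data, not real logs.
EXPORT_JOB = {"jobInsertion": {"job": {"jobConfig": {
    "type": "EXPORT",
    "extractConfig": {"destinationUris": ["gs://personal-bucket/out-*.csv"]}}}}}
SAMPLE = [
    entry("google.iam.admin.v1.CreateServiceAccountKey", "a1@example.com", "203.0.113.7"),
    entry("google.cloud.bigquery.v2.JobService.InsertJob", "a2@example.com", "10.128.0.5", EXPORT_JOB),
    entry("storage.objects.get", "a3@example.com", "198.51.100.20"),
    entry("storage.objects.get", "a4@example.com", "10.128.0.9"),
]

def is_external(ip):
    """True when the caller address is outside INTERNAL; redacted values count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. a redacted, non-numeric callerIp
        return False
    return not any(addr in net for net in INTERNAL)

def find_egress(entries, allowed_buckets=()):
    """Return (principal, reason) pairs for entries that can move data out of the project."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        who, method = p["authenticationInfo"]["principalEmail"], p["methodName"]
        cfg = p.get("metadata", {}).get("jobInsertion", {}).get("job", {}).get("jobConfig", {})
        if method.endswith("CreateServiceAccountKey"):
            findings.append((who, "sa-key-created"))  # a key lets external platforms authenticate
        elif cfg.get("type") == "EXPORT":
            uris = cfg.get("extractConfig", {}).get("destinationUris", [])
            bad = [u for u in uris if u.split("/")[2] not in allowed_buckets]
            if bad:
                findings.append((who, "bq-export:" + ",".join(bad)))
        elif method == "storage.objects.get" and is_external(p["requestMetadata"]["callerIp"]):
            findings.append((who, "gcs-read-from-external-ip"))
    return findings
```

Cloud Storage object reads only show up if Data Access audit logs are enabled for that service, so turn those on before relying on the last rule.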