BigQuery Data Access Identity Architecture

BigQuery Data Access Identity Architecture (PDF, 0.74MB)Published: 01 Sep, 2023

Created by:

Kat Traxler

The SANS SEC549 course materials are built around the fictional company, Delos International Management and its phased journey to the cloud. In course labs, students play the role of Delos Security Architects, tasked with helping them navigate their transformation into a cloud-first organization.

This diagram incorporates a number of elements including user sync with SCIM, SAML Identity Federation, OIDC Identity Federation and multiple BigQuery access controls. All components are leveraged to integrate the AWS-hosted Delos Destinations Park Tracker site with BigQuery and enforce strict access control to restricted BigQuery data.

This architecture for data access restricts Google Service Account impersonation to specific Delos Destinations employees, binds a Google IAM Role at the Table-Level, in accordance with least privilege and creates a BigQuery row-level security policy to restrict access to sensitive data.

This cheat sheet was developed by Kat Traxler to support SEC549: Cloud Security Architecture.

Author

Kat Traxler

Kat Traxler is the Principal Security Researcher at Vectra AI focusing on threat detection in the public cloud. Prior to her current role, she worked in various stages in the SDLC performing web application penetration testing and security architecture design for Web, IAM, Payment Technologies and Cloud Native Technologies. She is the lead author of SEC549: Cloud Security Architecture.

Resources

Secure Service Configuration in AWS, Azure, and GCP

Poster & Cheat SheetsCloud Security

28 Oct 2025

Prevent Real Cloud Attacks with Terraform

Poster & Cheat SheetsCloud Security

28 Oct 2025

Key Metrics: Cloud and Enterprise

Poster & Cheat SheetsCybersecurity Leadership, Cloud Security

24 Oct 2025

Kubernetes Cheat Sheet

Poster & Cheat SheetsCloud Security

3 Mar 2025

Cloud Native Security Tool

Poster & Cheat SheetsCloud Security

29 Mar 2024

Multicloud Cheat Sheet

Poster & Cheat SheetsCloud Security

29 Feb 2024

Related Courses

Slide 1 of 8
SEC540: Cloud Native Security and DevSecOps Automation
Advanced
SEC540Cloud Security
GIAC Cloud Security Automation (GCSA)
5 Days (Instructor-Led)
38 CPEs / 38 Hours (Self-Paced)
Labs: 35 Hands-On Labs
View course details Register
Slide 2 of 8
SEC522: Application Security: Securing Web Applications, APIs, and Microservices
Advanced
SEC522Cloud Security
GIAC Certified Web Application Defender (GWEB)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 21 Hands-On Labs
View course details Register
Slide 3 of 8
SEC545: GenAI and LLM Application Security
newAI-FOCUSEDAdvanced
SEC545Cloud Security, Artificial Intelligence
3 Days (Instructor-Led)
18 CPEs / 18 Hours (Self-Paced)
Labs: 11 Hands-On Labs
View course details Register
Slide 4 of 8
SEC502: Cloud Security Tactical Defense
Intermediate
SEC502Cloud Security
GIAC Cloud Security Essentials (GCLD)
5 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 41 Hands-On Labs
View course details Register
Slide 5 of 8
SEC549: Cloud Security Architecture
updatedAdvanced
SEC549Cloud Security
GIAC Cloud Security Architecture and Design (GCAD)
5 Days (Instructor-Led)
30 CPEs / 30 Hours (Self-Paced)
Labs: 35 Hands-On Labs
View course details Register
Slide 6 of 8
SEC510: Cloud Security Engineering and Controls
Advanced
SEC510Cloud Security
GIAC Public Cloud Security (GPCS)
5 Days (Instructor-Led)
38 CPEs / 38 Hours (Self-Paced)
Labs: 52 Hands-On Labs
View course details Register
Slide 7 of 8
SEC541: Cloud Security Threat Detection
Advanced
SEC541Cloud Security
GIAC Cloud Threat Detection (GCTD)
5 Days (Instructor-Led)
30 CPEs / 30 Hours (Self-Paced)
Labs: 22 Hands-On Labs
View course details Register
Slide 8 of 8
SEC480: AWS Secure Builder
Essentials
SEC480Cloud Security
GIAC AWS Secure Builder Micro-Credential
12 CPEs / 12 Hours (Self-Paced)
Labs: 8 Hands-On Labs
View course details Register