BigQuery Data Access Identity Architecture

The SANS SEC549 course materials are built around the fictional company, Delos International Management, and its phased journey to the cloud. In course labs, students play the role of Delos Security Architects, tasked with helping the company navigate its transformation into a cloud-first organization.

This diagram incorporates a number of elements, including user sync with SCIM, SAML identity federation, OIDC identity federation and multiple BigQuery access controls. All of these components are combined to integrate the AWS-hosted Delos Destinations Park Tracker site with BigQuery and to enforce strict access control over restricted BigQuery data.

This data access architecture restricts Google service account impersonation to specific Delos Destinations employees, binds a Google IAM role at the table level (rather than at the dataset or project level) in accordance with least privilege, and creates a BigQuery row-level security policy so that even principals who can read the table only see the rows they are entitled to.
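The two BigQuery-side controls named above, a table-level role binding and a row-level security policy, can both be expressed as BigQuery DCL/DDL statements. The following is an added example written for this page, not part of the SANS cheat sheet or its diagram; the project, dataset, table, column, service account and group names are all hypothetical placeholders.

```sql
-- Added example, not from the cheat sheet. Hypothetical names throughout:
-- project "delos-data", dataset "park_tracker", table "visits" with a
-- "data_classification" column, service account
-- "park-tracker-sa@delos-data.iam.gserviceaccount.com" (the identity the
-- AWS-hosted site impersonates), and Google group
-- "delos-data-analysts@example.com".

-- 1. Table-level binding (least privilege): grant read access on the single
--    table the Park Tracker site needs, not on the dataset or the project.
GRANT `roles/bigquery.dataViewer`
ON TABLE `delos-data.park_tracker.visits`
TO "serviceAccount:park-tracker-sa@delos-data.iam.gserviceaccount.com";

-- 2. Row-level security: the service account (and therefore anything that
--    impersonates it) only ever sees rows classified as public, while the
--    analyst group sees every row. A principal with table access but no
--    matching row access policy gets an empty result set, not an error.
CREATE ROW ACCESS POLICY park_tracker_public_rows
ON `delos-data.park_tracker.visits`
GRANT TO ("serviceAccount:park-tracker-sa@delos-data.iam.gserviceaccount.com")
FILTER USING (data_classification = "public");

CREATE ROW ACCESS POLICY analysts_all_rows
ON `delos-data.park_tracker.visits`
GRANT TO ("group:delos-data-analysts@example.com")
FILTER USING (TRUE);

-- 3. Rollback, if the policies ever need to be removed in one step.
-- DROP ALL ROW ACCESS POLICIES ON `delos-data.park_tracker.visits`;
```

Two points worth checking when reviewing such a deployment. First, the row access policy does not replace the table-level grant: the `GRANT` is what lets the principal query the table at all, and the policy then filters what comes back, so both must be present and the `FILTER USING` expression must be a plain boolean predicate over the table's columns (subqueries are not allowed there). Second, the third control in the architecture, restricting who may impersonate the service account, is a Cloud IAM binding on the service account itself (`roles/iam.serviceAccountTokenCreator` granted to the named employees via `gcloud iam service-accounts add-iam-policy-binding`), not a BigQuery statement, and it should be limited to exactly those employees since anyone holding it inherits the service account's table access.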

This cheat sheet was developed by Kat Traxler to support SEC549: Cloud Security Architecture.

September 1, 2023