Comprehensive and Detailed In-Depth Explanation:
BigQuery uses IAM for access control, adhering to least privilege by granting only necessary
permissions.
Option A: IAM roles (e.g., roles/bigquery.dataViewer for read-only) restrict query access to
authorized users, aligning with Google’s security best practices.
Option B: BigQuery doesn’t support SQL GRANT for dataset privileges; access is managed via IAM or
authorized views.
Option C: Exporting to Cloud Storage with signed URLs bypasses BigQuery’s native controls and adds
complexity.
Option D: CMEK encrypts data at rest but doesn’t control query access.
Extract from Google Documentation: From "Controlling Access to BigQuery"
(https://cloud.google.com/bigquery/docs/access-control): "Use IAM to manage access to BigQuery
resources. Predefined roles like roles/bigquery.dataViewer allow you to grant query access while
following the principle of least privilege."
Reference: Google Cloud Documentation - "BigQuery IAM"
(https://cloud.google.com/bigquery/docs/access-control).
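
To check an existing dataset against the read-only intent of Option A, the following added example (not taken from Google's documentation or from the original explanation) audits a dataset's access entries for grants that exceed roles/bigquery.dataViewer or that reach public principals. The sample policy, the principal names, and the audit() helper are constructed for illustration; the entry fields follow the shape of a BigQuery dataset resource's "access" list.

```python
# Added example: audit a BigQuery dataset "access" list for least privilege.
# SAMPLE_ACCESS and all e-mail addresses are constructed, not real data.

# Legacy dataset roles and the IAM roles they correspond to.
LEGACY_TO_IAM = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
    "OWNER": "roles/bigquery.dataOwner",
}
READ_ONLY = {"roles/bigquery.dataViewer"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")


def principal_of(entry):
    """Return the principal named by an access entry, or None."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return entry[key]
    return None  # authorized view/routine/dataset entries name no principal


def audit(access, read_only_principals):
    """List (principal, role, reason) for grants that break the read-only intent."""
    findings = []
    for entry in access:
        who = principal_of(entry)
        if who is None:
            continue
        # Normalise legacy role names so both spellings are compared alike.
        role = LEGACY_TO_IAM.get(entry.get("role"), entry.get("role"))
        if who in PUBLIC:
            findings.append((who, role, "public principal"))
        elif who in read_only_principals and role not in READ_ONLY:
            findings.append((who, role, "exceeds read-only"))
    return findings


SAMPLE_ACCESS = [  # constructed sample policy
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "READER", "groupByEmail": "analysts@example.com"},
    {"role": "WRITER", "groupByEmail": "contractors@example.com"},
    {"role": "roles/bigquery.dataViewer", "specialGroup": "allAuthenticatedUsers"},
    {"view": {"projectId": "p", "datasetId": "d", "tableId": "v"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCESS, {"analysts@example.com", "contractors@example.com"}):
        print(finding)
```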