Identity and Access Management
Every cloud security program starts with one question: who gets access to what? Identity and Access Management — IAM — answers that question. It controls which users, services, and applications can read, write, or delete resources in your cloud environment.
Why IAM Is Your First Line of Defense
If an attacker gets valid credentials, firewalls and encryption become less effective. They walk in through the front door. Strong IAM practices stop unauthorized users before they ever reach your data. Weak IAM is like handing your house key to a stranger and hoping they do not use it.
The Three Pillars of IAM
1. Authentication – Proving Who You Are
Authentication confirms that a user is who they claim to be. The most basic form is a username and password. Stronger forms include multi-factor authentication (covered in the next topic), biometrics, and hardware security keys.
2. Authorization – Deciding What You Can Do
Authorization happens after authentication. Even after you prove your identity, the system checks what you are allowed to do. A marketing employee might authenticate successfully but only have permission to read customer reports — not delete them or access financial systems.
3. Accounting – Recording What You Did
Accounting tracks every action a user takes. Logs record who logged in, what they accessed, and when. This helps you detect unusual behavior and investigate incidents after the fact.
IAM Flow:
--------------------------------------------------
User tries to access a resource
|
▼
[ Authentication ] → "Is this really you?" → Password + MFA
|
▼
[ Authorization ] → "What can you do?" → Role: Read-Only
|
▼
[ Accounting ] → "Log the action" → 10:42 AM: User read file X
The Principle of Least Privilege
The single most important IAM rule is least privilege: give every user and service the minimum permissions they need to do their job — nothing more. A developer who only writes code does not need database admin rights. A monitoring service that only reads logs does not need permission to delete resources.
Think of it like a hospital. A receptionist can see the appointment schedule. A nurse can see patient records. A surgeon can access the operating room. No one gets access to every part of the hospital just because they work there.
IAM in Practice: Roles and Policies
Cloud providers use roles and policies to manage access. A policy is a written rule that says what actions are allowed or denied on which resources. A role is a collection of policies assigned to a user, group, or service.
Example IAM Policy (plain language version): -------------------------------------------- Policy: "ReadOnlyStorage" Allow: Read files from the Backup storage bucket Deny: Write, delete, or modify files in any bucket Who gets this role: Junior Developers, QA Team
Service Accounts and Non-Human Access
In the cloud, applications and automated scripts also need identities. A service account is an identity for a non-human process. Your backup script needs permission to copy files — you give that script its own service account with only the permissions it needs. If that script is ever compromised, the attacker only gains the limited access that script had.
Common IAM Mistakes to Avoid
- Root account used daily: The root or master account has unlimited power. Lock it down. Use it only for rare administrative tasks.
- Shared credentials: Multiple people sharing one login makes it impossible to track who did what.
- Stale accounts: Former employees whose accounts were never deleted are a significant risk. Audit accounts regularly.
- Overly permissive roles: Assigning "admin" to everyone because it is easier than configuring specific permissions creates massive exposure.
IAM Tools by Provider
| Provider | IAM Service Name |
|---|---|
| Amazon Web Services | AWS Identity and Access Management (IAM) |
| Microsoft Azure | Azure Active Directory (Entra ID) |
| Google Cloud | Cloud Identity and Access Management (Cloud IAM) |
Key Terms to Know
- IAM Policy: A document that defines what actions are allowed or denied for a specific resource.
- Role: A collection of permissions assigned to a user or service.
- Service Account: A non-human identity used by applications and automated processes.
- Least Privilege: The practice of granting only the minimum permissions required to perform a task.
What You Learned
IAM controls who accesses your cloud resources and what they can do. It works through authentication, authorization, and accounting. The principle of least privilege limits access to only what each user or service actually needs. Both human users and automated services need properly scoped identities. Common IAM mistakes — like using root accounts daily or never cleaning up old accounts — create serious security gaps.
