IAM & Identity Security
IAM Fundamentals Across Cloud Providers
4 min read
Identity and Access Management (IAM) is the single most critical security domain in cloud computing. Since identity IS the perimeter in the cloud, getting IAM wrong means everything else is exposed.
Why IAM Matters Most
The statistics are clear:
- IAM misconfigurations are the #1 cause of cloud breaches
- Cloud Identity and Access Management leads with 34.8% market share in cloud security software (2024)
- The Capital One breach (100M+ records) stemmed from an overly permissive IAM role
In traditional security, you could have weak authentication if you had strong perimeter defense. In the cloud, there is no perimeter—IAM IS your defense.
Core IAM Concepts
Every cloud provider implements these fundamental concepts differently:
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Identity service | IAM | Microsoft Entra ID | Cloud IAM |
| User identity | IAM User | User | Google Account |
| Service identity | IAM Role | Managed Identity | Service Account |
| Permission grouping | IAM Policy | Role Definition | IAM Role |
| Permission assignment | Role attachment | Role Assignment | IAM Binding |
| Resource-level control | Resource Policy | Scope | IAM Conditions |
AWS IAM Deep Dive
Identity Types
┌─────────────────────────────────────────────────────────┐
│ AWS Account (Root) │
├─────────────────────────────────────────────────────────┤
│ IAM Users │ IAM Roles │ Groups │
│ • Human users │ • EC2 instances │ • Admins │
│ • Service accounts │ • Lambda functions │ • Devs │
│ • With passwords │ • Cross-account │ • Read-only│
│ • With access keys │ • Federation │ │
└─────────────────────────────────────────────────────────┘
Policy Structure
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/8"
}
}
}
]
}
Key elements:
- Effect: Allow or Deny
- Action: API operations permitted
- Resource: What the action applies to
- Condition: When the policy applies
Azure IAM (Entra ID + RBAC)
Azure separates identity (Entra ID) from authorization (RBAC):
Identity Layer (Entra ID)
- Users: Human identities
- Service Principals: Application identities
- Managed Identities: Azure-managed credentials for services
Authorization Layer (RBAC)
┌──────────────────────────────────────────────────────────┐
│ Security Principal → Role Definition → Scope │
│ (Who) (What) (Where) │
├──────────────────────────────────────────────────────────┤
│ User Owner Subscription │
│ Group Contributor Resource Group│
│ Service Principal Reader Resource │
│ Managed Identity Custom Role │
└──────────────────────────────────────────────────────────┘
Built-in Roles
| Role | Permissions |
|---|---|
| Owner | Full access including RBAC |
| Contributor | Full access except RBAC |
| Reader | Read-only access |
| User Access Administrator | Manage RBAC only |
GCP IAM
GCP uses a resource hierarchy model:
Organization
└── Folder (optional)
└── Project
└── Resource
IAM Components
- Member: Identity (user, group, service account, domain)
- Role: Collection of permissions
- Policy: Binds members to roles on a resource
Policy Binding
bindings:
- role: roles/storage.objectViewer
members:
- user:developer@example.com
- serviceAccount:app@project.iam.gserviceaccount.com
- role: roles/storage.admin
members:
- group:admins@example.com
condition:
expression: "request.time < timestamp('2026-01-01T00:00:00Z')"
IAM Best Practices Summary
| Principle | Implementation |
|---|---|
| Least Privilege | Start with no permissions, add only what's needed |
| No Long-term Credentials | Use roles/managed identities, not access keys |
| MFA Everywhere | Require MFA for all human users |
| Regular Review | Audit permissions quarterly |
| Separation of Duties | Different roles for different functions |
Next, we'll examine the most dangerous IAM misconfigurations and how to identify them. :::