Introduction
Identity and Access Management (IAM) is the foundation of cloud security. Managing who can access what resources, under what conditions, and for how long is essential for maintaining secure cloud environments. Poor IAM practices lead to security breaches, compliance violations, and operational disruptions.
Modern cloud IAM goes beyond simple username/password authentication. It encompasses identity lifecycle management, federated access, multi-factor authentication, role-based access control, and continuous validation. Understanding these concepts is crucial for building secure cloud architectures.
This comprehensive guide examines cloud IAM across major providers. We explore identity management, authentication mechanisms, authorization patterns, federation, and operational best practices. Whether establishing IAM from scratch or improving existing implementations, this guide provides the knowledge necessary for success.
Understanding IAM Fundamentals
IAM encompasses the policies and technologies for managing digital identities and their access to resources.
Core Concepts
- Identity: Digital representation of a user, service, or device
- Principal: Entity making a request to access resources
- Resource: Cloud resource being accessed
- Permission: Authorization to perform actions on resources
- Policy: Document defining permissions
Authentication vs Authorization
| Concept | Description |
|---|---|
| Authentication (AuthN) | Verifying identity of principal |
| Authorization (AuthZ) | Determining what an authenticated principal can do |
AWS Identity and Access Management
AWS IAM provides fine-grained access control for AWS resources.
IAM Users and Groups
# Terraform - IAM Users and Groups
resource "aws_iam_user" "developer" {
name = "john.developer"
tags = {
Department = "Engineering"
EmployeeID = "EMP001"
}
}
resource "aws_iam_group" "developers" {
name = "Developers"
}
resource "aws_iam_user_group_membership" "developer" {
user = aws_iam_user.developer.name
groups = [aws_iam_group.developers.name]
}
IAM Roles
# IAM Role for EC2
resource "aws_iam_role" "ec2_role" {
name = "ec2-app-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
})
}
# Instance Profile
resource "aws_iam_instance_profile" "ec2_profile" {
name = "ec2-app-profile"
role = aws_iam_role.ec2_role.name
}
IAM Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::app-bucket",
"arn:aws:s3:::app-bucket/*"
],
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Department": "Engineering"
}
}
},
{
"Effect": "Deny",
"Action": [
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::app-bucket/*",
"Condition": {
"Bool": {
"aws:PrincipalTag/IsAdmin": "false"
}
}
}
]
}
Policy Conditions
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["10.0.0.0/8", "172.16.0.0/12"]
},
"TimeOfDay": {
"aws:EpochTime": {
"gte": 1609459200,
"lt": 1609545600
}
},
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}]
}
Azure Active Directory
Azure AD (now Microsoft Entra ID) provides enterprise identity management.
User and Group Management
# Azure AD users
New-AzureADUser `
-DisplayName "John Developer" `
-PasswordProfile @{Password = "SecurePassword123!"} `
-UserPrincipalName "[email protected]" `
-AccountEnabled $true
# Azure AD group
New-AzureADGroup `
-DisplayName "Developers" `
-MailNickname "Developers" `
-SecurityEnabled $true
# Add user to group
Add-AzureADGroupMember `
-ObjectId (Get-AzureADGroup -Filter "DisplayName eq 'Developers'").ObjectId `
-RefObjectId (Get-AzureADUser -Filter "DisplayName eq 'John Developer'").ObjectId
Role-Based Access Control
# Assign built-in role
New-AzRoleAssignment `
-ResourceGroupName "rg-app" `
-RoleDefinitionName "Contributor" `
-SignInName "[email protected]"
# Custom role definition
$role = @{
Name = "App Operator"
Description = "Can operate application resources"
Actions = @(
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Storage/storageAccounts/read"
)
NotActions = @(
"Microsoft.Compute/virtualMachines/delete"
)
AssignableScopes = @("/subscriptions/sub-id/resourceGroups/rg-app")
}
New-AzRoleDefinition -Role $role
Conditional Access
# Conditional Access policy - Require MFA
$caPolicy = @{
DisplayName = "Require MFA for risky sign-ins"
State = "Enabled"
Conditions = @{
SignInRiskLevels = @("Medium", "High")
UserRiskLevels = @("Medium", "High")
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @("mfa")
}
}
New-AzureADConditionalAccessPolicy @caPolicy
Google Cloud IAM
Google Cloud IAM provides unified access control across GCP services.
IAM Policies
# GCP IAM policy
resource "google_project_iam_policy" "project" {
project = "my-project"
policy_data = data.google_iam_policy.admin.policy_data
}
data "google_iam_policy" "admin" {
binding {
role = "roles/owner"
members = [
"user:[email protected]",
"serviceAccount:[email protected]"
]
}
binding {
role = "roles/viewer"
members = [
"user:[email protected]",
"group:[email protected]"
]
}
}
Service Accounts
# Create service account
gcloud iam service-accounts create app-service-account \
--display-name "Application Service Account" \
--description "Service account for application"
# Grant roles
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:[email protected]" \
--role="roles/storage.objectViewer"
# Create service account key
gcloud iam service-accounts keys create key.json \
--iam-account=[email protected]
Workload Identity
# Kubernetes service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-sa
namespace: production
---
# GCP service account
resource "google_service_account" "app_sa" {
account_id = "app-sa"
display_name = "App Service Account"
}
---
# IAM policy binding
resource "google_service_account_iam_member" "workload_identity" {
service_account_id = google_service_account.app_sa.name
role = "roles/iam.workloadIdentityUser"
member = "serviceAccount:production.svc.id.goog[default/app-sa]"
}
Federation and SSO
Federation enables using existing identities across systems.
SAML Federation
<!-- SAML assertion example -->
<saml:Assertion>
<saml:AttributeStatement>
<saml:Attribute Name="email">
<saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="groups">
<saml:AttributeValue>Engineering</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
AWS SAML Configuration
# SAML provider
resource "aws_iam_saml_provider" "main" {
name = "corporate-saml"
saml_metadata_document = file("saml-metadata.xml")
}
# Role for SAML users
resource "aws_iam_role" "saml_role" {
name = "corporate-user-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRoleWithSAML"
Effect = "Allow"
Principal = {
Type = "Federated"
AWS = "arn:aws:iam::123456789012:saml-provider/corporate-saml"
}
Condition = {
StringEquals = {
"SAML:amr": "otp"
}
}
}]
})
}
OAuth 2.0 and OpenID Connect
// OAuth 2.0 Authorization URL
const authUrl = `https://authorization-server.com/authorize?
response_type=code&
client_id=${clientId}&
redirect_uri=${encodeURIComponent(redirectUri)}&
scope=read:profile write:repos&
state=${state}`;
// Token exchange
async function exchangeCode(code) {
const response = await fetch('https://authorization-server.com/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'authorization_code',
code,
client_id: clientId,
client_secret: clientSecret,
redirect_uri: redirectUri
})
});
return response.json();
}
Multi-Factor Authentication
MFA adds additional security beyond passwords.
AWS MFA
# Enable MFA for IAM user
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name "john.developer" \
--outfile qrcode.png \
--bootstrap-method Base32StringSeed
# Associate MFA
aws iam enable-mfa-device \
--user-name john.developer \
--serial-number arn:aws:iam::123456789012:mfa/john.developer \
--authentication-code1 123456 \
--authentication-code2 789012
Enforcing MFA with Policy
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListVirtualMFADevices"
],
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}]
}
Service Identity
Services require identity just as users do.
AWS Service Roles
# Lambda execution role
resource "aws_iam_role" "lambda_exec" {
name = "lambda-exec-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy" "lambda_policy" {
name = "lambda-policy"
role = aws_iam_role.lambda_exec.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"dynamodb:GetItem",
"dynamodb:PutItem"
]
Resource = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
}]
})
}
Azure Managed Identity
# Enable system-assigned managed identity
Update-AzVM `
-ResourceGroupName "rg-app" `
-Name "app-vm" `
-IdentityType SystemAssigned
# Azure AD authentication in code
$token = (Get-AzAccessToken -ResourceUrl "https://storage.azure.com").Token
Password Policies
# AWS password policy
resource "aws_iam_account_password_policy" "strict" {
minimum_password_length = 14
require_numbers = true
require_symbols = true
require_uppercase_characters = true
require_lowercase_characters = true
allow_users_to_change_password = true
password_reuse_prevention = 24
max_password_age = 90
}
Access Review and Audit
# AWS Access Advisor - Find unused permissions
aws iam get-service-last-accessed-details \
--arn arn:aws:iam::123456789012:role/DeveloperRole
# Azure AD access reviews
New-AzureADMSAccessReviewScheduleDefinition `
-DisplayName "Quarterly access review" `
-ReviewScope @{
IncludedGroups = @("group-id")
} `
-Reviewers @(
@{PrincipalId = "reviewer-id"; Type = "manager")
) `
-Settings @{
AutoReviewEnabled = $false
DurationDays = 30
}
Conclusion
Identity and Access Management forms the foundation of cloud security. Understanding IAM fundamentals—authentication, authorization, federation, and continuous validation—enables building secure cloud architectures.
Key practices include implementing least-privilege access through IAM policies, enforcing MFA for all users, using federation for enterprise identity management, regularly reviewing access permissions, and implementing strong password policies.
As cloud environments grow in complexity, IAM becomes increasingly critical. Investing in IAM fundamentals pays dividends through improved security, compliance, and operational efficiency.
Comments