IAM
Also known as: Identity and Access Management
IAM (Identity and Access Management) is the framework for managing digital identities and controlling user access to resources. In cloud platforms, IAM defines who can do what on which resources, enforced via roles, policies, and groups.
IAM (Identity and Access Management)
IAM (Identity and Access Management) is the framework for managing digital identities and controlling user access to resources. In cloud platforms, IAM defines who (users, services, or workloads) can do what (specific actions like read, write, delete) on which resources (specific files, databases, virtual machines, or entire accounts), enforced through roles and policies.
Why IAM matters
IAM is the foundation of cloud security. A misconfigured IAM setup is the single most common source of cloud breaches. Most data leaks from S3 buckets, Azure storage accounts, or GCP buckets trace back to IAM permissions that were broader than intended.
Beyond security, IAM enables three essential capabilities:
- Audit trails: every access decision is logged with the identity, resource, and outcome.
- Compliance: regulations like SOC 2, ISO 27001, and HIPAA require documented access control - IAM is how you prove it.
- Operational scale: without IAM, every user needs a separate password for every system. With IAM, identity flows from a single source of truth.
How IAM works in the major clouds
The three major cloud platforms use the same conceptual model with different naming:
- AWS IAM: users, groups, roles, and policies. JSON-based policy documents attached to identities. Resource-based policies on certain services (S3, Lambda, KMS). The principle of least privilege drives all policy design.
- Azure RBAC + Microsoft Entra ID: Entra ID (formerly Azure AD) is the identity provider. RBAC roles assigned at scope (management group, subscription, resource group, resource). Built-in roles like Reader, Contributor, Owner, plus custom roles.
- Google Cloud IAM: members (users, groups, service accounts), roles (basic, predefined, custom), and policies bound to resources at any level of the resource hierarchy.
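The "who can do what on which resources" model above is easiest to see by evaluating a request against a set of policy documents. The following is an added example, not code from the page or from any cloud provider's SDK; it models the documented AWS evaluation order for identity-based policies in a single account (an explicit Deny anywhere wins, otherwise any matching Allow grants, otherwise the request is implicitly denied) using shell-style wildcard matching. Conditions, resource-based policies, NotAction/NotResource and permission boundaries are deliberately left out, and the bucket name and account id are constructed placeholders.

```python
"""Simplified evaluation of AWS-style identity-based policy documents.

Added example, not from the page. Assumes the single-account evaluation order:
explicit Deny > explicit Allow > implicit deny. Actions match case-insensitively,
resource ARNs case-sensitively; both accept '*' and '?' wildcards as in IAM.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """True if any wildcard pattern matches the value."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Every statement in every policy is inspected: a matching Deny ends the
    evaluation immediately; a matching Allow is remembered but can still be
    overridden by a later Deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # deny always wins over any allow
            decision = "Allow"
    return decision


# Constructed sample policies (placeholder bucket name and account id).
READ_ONLY_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-logs",
                     "arn:aws:s3:::example-app-logs/*"],
    }],
}

# A guardrail: no identity holding this policy may delete objects anywhere.
NO_DELETE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
}

# The "just to get it working" policy: full administrator access.
ADMIN_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


if __name__ == "__main__":
    reader = [READ_ONLY_LOGS, NO_DELETE_GUARDRAIL]
    obj = "arn:aws:s3:::example-app-logs/2024/app.log"
    print("reader GetObject own bucket  :", evaluate(reader, "s3:GetObject", obj))
    print("reader PutObject own bucket  :", evaluate(reader, "s3:PutObject", obj))
    print("reader GetObject other bucket:",
          evaluate(reader, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
    print("admin+guardrail DeleteObject :",
          evaluate([ADMIN_ALL, NO_DELETE_GUARDRAIL], "s3:DeleteObject", obj))
```

The deny-overrides behaviour is why a narrow Deny statement is a useful guardrail even for identities that otherwise hold broad permissions: as the last call shows, an explicit Deny still blocks a request that the `"*"/"*"` Allow would otherwise grant.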
IAM exam topics
IAM appears on every major cloud certification:
- AZ-900 / AZ-104: Microsoft Entra ID basics, RBAC scopes, conditional access, multi-factor authentication.
- AWS Cloud Practitioner / Solutions Architect Associate: IAM users vs roles, policy types, trust relationships, cross-account access, instance profiles.
- CompTIA Security+: the broader concepts - authentication factors, federated identity, SSO, privileged access management.
- CCNA / CCNP Security: AAA (Authentication, Authorization, Accounting) framework, RADIUS, TACACS+.
Common IAM mistakes
The patterns that show up in security incident reports:
- Granting full administrator access "just to get it working" and never revoking it.
- Using long-lived access keys instead of short-lived role-based credentials.
- Permissive resource-based policies ("Principal": "*" on S3 buckets).
- Not enabling MFA on root or break-glass accounts.
- Reusing the same role across production and development environments.
The principle of least privilege - grant only the minimum permissions required to perform a task - is the single most important rule in IAM design.
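Two of the mistakes listed above, an anonymous "Principal": "*" on a resource-based policy and a blanket administrator grant, can be caught by a static check before a policy is applied. The following is an added example, not code from the page or from any provider's tooling; it scans AWS-style policy JSON for those two patterns and shows a public bucket policy beside a least-privilege version that names a single role. The bucket name, account id and role name are constructed placeholders, and the check treats both "Principal": "*" and {"AWS": "*"} as public, which is how AWS documents them.

```python
"""Static checks for two IAM mistakes: public principals and "*"/"*" grants.

Added example, not from the page. Flags (1) an Allow statement in a
resource-based policy whose Principal is '*' or {'AWS': '*'} and that carries
no Condition block, and (2) any Allow statement granting Action '*' on
Resource '*'. A statement with a Condition is not flagged here and still needs
human review, since only some condition keys actually restrict the audience.
"""


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for the anonymous forms '*' and {'AWS': '*'} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_issues(policy, *, resource_policy):
    """Return a list of human-readable findings for one policy document."""
    issues = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            issues.append(f"statement {i}: full administrator grant (Action '*' on Resource '*')")
        if (resource_policy and _is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            issues.append(f"statement {i}: anonymous principal '*' with no Condition")
    return issues


# Constructed samples. The weak bucket policy: anyone on the internet can read.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

# The corrected version: one named role in one account, same action and object set.
LEAST_PRIVILEGE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

# Identity policy attached "just to get it working".
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


if __name__ == "__main__":
    for name, policy, is_resource in [
        ("public bucket policy", PUBLIC_BUCKET_POLICY, True),
        ("least-privilege bucket policy", LEAST_PRIVILEGE_BUCKET_POLICY, True),
        ("admin identity policy", ADMIN_IDENTITY_POLICY, False),
    ]:
        print(f"{name}: {find_issues(policy, resource_policy=is_resource) or 'no findings'}")
```

Running the script reports one finding for the public bucket policy, none for the least-privilege version, and the administrator grant for the identity policy. A check like this belongs in the pipeline that deploys infrastructure definitions, so that the policy is rejected before it reaches the account rather than discovered later in an access log.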