Identity & Access (IAM)
IAM roles/policies, Managed Identities, service accounts, least-privilege
Identity and Access Management (IAM) controls which identity (principal) may perform which action on which resource, and under which conditions. AWS IAM uses JSON-based policies attached to users, groups, or roles; Azure uses Entra ID with RBAC role assignments scoped to management groups, subscriptions, resource groups, or individual resources; GCP uses IAM policy bindings that attach roles to principals on resources. The principle of least privilege — granting only the minimum permissions needed — is the foundational security control.
Key Points
- AWS IAM Policy evaluation order: explicit Deny > explicit Allow > implicit Deny — a single Deny in any attached policy overrides any Allow.
- IAM Roles (not users) should be used for service-to-service authentication: EC2 instance profiles, ECS task roles, Lambda execution roles eliminate long-lived static credentials.
- AWS Service Control Policies (SCPs) in AWS Organizations are guardrails — they restrict what IAM policies in member accounts can grant, even for the root user.
- Azure Managed Identities (system-assigned or user-assigned) provide automatic credential rotation for Azure resources without storing secrets in code.
- GCP Workload Identity Federation allows Kubernetes service accounts (e.g., in GKE) to impersonate GCP service accounts via OIDC token exchange — no key files needed.
- Permission boundaries in AWS set the maximum permissions a user or role can have, even if attached policies grant more — used to safely delegate IAM administration.
- OIDC-based GitHub Actions integration (AWS OIDC provider, Azure Federated Credentials) allows CI/CD pipelines to assume cloud roles without storing cloud credentials as secrets.
- AWS IAM Access Analyzer identifies resources shared with external principals and validates policies against security best practices — run continuously in Security Hub.
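The evaluation order, permission boundaries and SCPs described above interact in one decision, so here is a small evaluator that models them together. This is an added example, not code from the page or from AWS; the policies are constructed samples, and the evaluator is a deliberate simplification (single account, same-account principal, no resource-based policies, no NotAction/NotResource/Condition, one SCP per OU level).

```python
import fnmatch

# Constructed sample policies (not from the page): an identity policy, a permission
# boundary and one SCP, so the evaluation layers can be seen interacting.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
PERMISSION_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "*"},
    ],
}
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive, ARNs are not."""
    for pat in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pat):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pat.lower()):
            return True
    return False


def effects(policy, action, resource):
    """Effects ('Allow'/'Deny') of every statement matching the request.
    Simplification: only Action and Resource are evaluated."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if (_match(stmt.get("Action", []), action, False)
                and _match(stmt.get("Resource", []), resource, True)):
            found.add(stmt["Effect"])
    return found


def evaluate(action, resource, identity_policies, boundary=None, scps=()):
    """Order: explicit Deny (in any layer) > explicit Allow > implicit Deny.
    An Allow must exist in the identity policies AND in the boundary (if set)
    AND in each SCP (one SCP per OU level; every level must allow)."""
    layers = [list(identity_policies)]
    if boundary is not None:
        layers.append([boundary])
    for scp in scps:
        layers.append([scp])
    # 1. An explicit Deny in any layer ends evaluation.
    for layer in layers:
        if any("Deny" in effects(p, action, resource) for p in layer):
            return "Deny (explicit)"
    # 2. Otherwise every layer present must contain an explicit Allow.
    for layer in layers:
        if not any("Allow" in effects(p, action, resource) for p in layer):
            return "Deny (implicit)"
    return "Allow"


def walkthrough():
    """Evaluate four requests against the constructed policies."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    bucket = "arn:aws:s3:::example-bucket"
    args = ([IDENTITY_POLICY], PERMISSION_BOUNDARY, [SCP])
    return {
        "GetObject": evaluate("s3:GetObject", obj, *args),        # allowed by every layer
        "DeleteBucket": evaluate("s3:DeleteBucket", bucket, *args),  # identity policy Deny wins
        "CreateBucket": evaluate("s3:CreateBucket", bucket, *args),  # boundary never allows it
        "PutObject": evaluate("s3:PutObject", obj, *args),        # SCP Deny wins over identity Allow
    }


if __name__ == "__main__":
    for request, decision in walkthrough().items():
        print(f"s3:{request:<12} -> {decision}")
```

The walkthrough shows the two failure modes a reviewer most often has to explain: `CreateBucket` is denied even though the identity policy says `s3:*`, because the boundary caps the maximum, and `PutObject` is denied even though both the identity policy and the boundary allow it, because an SCP Deny applies to every principal in the member account.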
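The GitHub Actions OIDC integration above works only as well as the role's trust policy: the role is assumable by whatever the `sub` and `aud` conditions admit. The following added check (not code from the page, AWS or GitHub) lints a trust policy for the two conditions a reviewer should expect; the account id, organisation and repository are constructed placeholders, and the `repo:<org>/<repo>:...` subject format is GitHub's documented claim layout.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"
# Constructed values: account id, organisation and repository are placeholders.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"

# A trust policy that pins the audience and a single repository/branch.
PINNED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"},
        },
    }],
}

# The same role with a bare wildcard subject and no audience check.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_KEY: "repo:*"}},
    }],
}

# sub must name one concrete org and one concrete repo before the next ':' separator.
_PINNED_SUB = re.compile(r"^repo:[^/:*?]+/[^/:*?]+:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_github_oidc_trust(policy):
    """Return findings for GitHub OIDC assume-role statements; an empty list means they passed."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") != "Allow"
                or "token.actions.githubusercontent.com" not in str(federated)
                or "sts:assumerolewithwebidentity" not in actions):
            continue  # not a GitHub OIDC assume-role statement
        cond = stmt.get("Condition", {})
        # The audience must be pinned, otherwise a token minted for another audience is accepted.
        aud = cond.get("StringEquals", {}).get(AUD_KEY)
        if _as_list(aud) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        # The subject must restrict which repository (and ideally branch/environment) may assume.
        subs = []
        for operator in ("StringEquals", "StringLike"):
            subs.extend(_as_list(cond.get(operator, {}).get(SUB_KEY, [])))
        if not subs:
            findings.append("no sub condition: any repository's workflow could assume this role")
        for sub in subs:
            if not _PINNED_SUB.match(sub):
                findings.append(f"sub '{sub}' does not pin a single organisation/repository")
    return findings


if __name__ == "__main__":
    for name, policy in (("pinned", PINNED_TRUST_POLICY), ("open", OPEN_TRUST_POLICY)):
        print(name, check_github_oidc_trust(policy) or "OK")
```

A subject such as `repo:example-org/*` also fails the check, since the repository segment is a wildcard; the check accepts wildcards only after the repository, e.g. `repo:example-org/example-repo:*`, which is where branch and environment scoping belongs.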
Real-World Example
Stripe uses IAM roles with permission boundaries to allow engineering teams to self-service IAM within guardrails, preventing accidental privilege escalation without requiring a central IAM team for every change.