IT AI Skill
Iam Access Management
Design and implement Identity and Access Management (IAM) including role-based access control, attribute-based access control, single sign-on, multi-factor authentication, and privilege management. Use when configuring IAM policies, implementing SSO, settin...
IAM & Access Management
Design and implement Identity and Access Management (IAM) including RBAC, ABAC, SSO, MFA, and privilege management.
Workflow
1. IAM Architecture
IAM ARCHITECTURE
═══════════════════════════════════════
Identity Provider (IdP): Entra ID / Okta / Keycloak
→ Central identity store
→ User authentication
→ Single sign-on (SSO)
→ Multi-factor authentication (MFA)
Access Models:
═══════════════════════════════════════
RBAC (Role-Based Access Control):
→ Users assigned to roles
→ Roles assigned permissions
→ Simple, widely used
Roles:
→ Viewer: Read-only access
→ Editor: Read + write (non-sensitive)
→ Admin: Full access (limited scope)
→ Super Admin: Full access (all resources)
ABAC (Attribute-Based Access Control):
→ Policies based on attributes
→ More granular, context-aware
Attributes:
→ User: department, clearance level, employment type
→ Resource: classification, owner, sensitivity
→ Environment: time of day, location, device type
→ Action: read, write, delete, execute
Policy example (AWS): allow reads only on objects whose Department tag matches the caller's, and only with MFA
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}
      }
    }
  ]
}
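An added example, not part of this skill page, that evaluates the ABAC policy above offline against constructed request contexts. It assumes the usual ABAC pattern of matching the resource's Department tag to the caller's Department tag; unsupported condition operators and missing context keys fail closed.

```python
# Constructed ABAC policy in the shape of the example above: the resource's
# Department tag must equal the caller's Department tag, and MFA must be present.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}


def resolve(value, ctx):
    """Substitute a ${key} policy variable from the request context."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def condition_met(condition, ctx):
    """Evaluate StringEquals and Bool operators; every key must hold (fail closed)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "Bool"):
            return False  # unsupported operator: do not guess, deny
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "StringEquals" and actual != resolve(expected, ctx):
                return False
            if operator == "Bool" and str(actual).lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, ctx):
    """Allow only if some Allow statement names the action and its conditions hold."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and condition_met(stmt.get("Condition", {}), ctx)):
            return True
    return False
```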
FEDERATION:
═══════════════════════════════════════
IdP (Entra ID/Okta) ←SAML/OIDC→ Cloud Providers (AWS, Azure, GCP)
←SAML/OIDC→ SaaS Apps (Salesforce, Slack, etc.)
←LDAP→ On-Prem Systems
Benefits:
→ Central identity management
→ Single sign-on (one password)
→ Centralized deprovisioning
→ MFA enforcement (one MFA)
2. Role Design & Least Privilege
ROLE DESIGN FRAMEWORK
═══════════════════════════════════════
Role Matrix:
═══════════════════════════════════════
Role                 AWS                       Azure                 GCP                   Apps
───────────────────────────────────────────────────────────────────────────────
Developer            PowerUser                 Contributor           Editor                Dev tools
(no production)      (no prod acct)            (no prod rg)          (no prod proj)
Admin                AdministratorAccess       Owner                 Owner                 Admin tools
(production)                                   (prod only)           (prod only)
Viewer               ReadOnlyAccess            Reader access         Viewer access         Read-only access
Security Analyst     SecurityAudit             SecurityReader        SecurityViewer        Security tools
                     (no modify)               (no modify)           (no modify)
DBA                  Custom (RDS access only)  Custom (SQL only)     Custom (SQL only)     DB tools
SERVICE ROLES (AWS):
═══════════════════════════════════════
→ EC2 instance role: Attached to EC2 instances
→ Lambda execution role: Attached to Lambda functions
→ ECS task role: Attached to ECS tasks
→ K8s service account: Attached to K8s workloads
Principle: Each service gets ONLY the permissions it needs
Example (EC2 instance role):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::app-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/app/*"
    }
  ]
}
PRIVILEGE ESCALATION PREVENTION:
═══════════════════════════════════════
→ No wildcard (*) permissions for humans
→ Regular access reviews (quarterly)
→ Just-in-time privileged access (PAM)
→ Session duration limits
→ MFA required for sensitive operations
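An added example, not from this skill page, of the "no wildcard permissions" check as a policy lint that can run in CI or during an access review. It parses the EC2 instance role policy above (which should pass) and a constructed human policy (which should not); the finding format is an assumption of this example.

```python
import json

# The EC2 instance role policy from this section, expected to pass the check.
EC2_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/app/*"}
  ]
}""")

# Constructed human policy that violates the rule: service wildcard and Resource "*".
HUMAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, rule, value) for every Allow statement that
    grants a wildcard action or an unscoped Resource of "*"."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        for action in _as_list(stmt.get("Action", [])):
            # "*", "service:*" and partial globs such as "s3:Get*" all need scoping
            if "*" in action:
                findings.append((index, "wildcard-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            # A bare "*" covers every resource of every service in the account;
            # an ARN with a wildcard segment (as in the logs ARN above) is still scoped
            if resource == "*":
                findings.append((index, "unscoped-resource", resource))
    return findings
```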
3. SSO & MFA Implementation
SINGLE SIGN-ON (SSO)
═══════════════════════════════════════
Protocols:
═══════════════════════════════════════
Protocol     Use Case            Direction            Complexity
─────────────────────────────────────────────────────────────────────────
SAML 2.0     Enterprise SSO      IdP → SP             MEDIUM
OIDC         Modern SSO          IdP → RP             LOW
OAuth 2.0    Delegated access    Client → Resource    MEDIUM
SSO Integration Matrix:
═══════════════════════════════════════
Application     Protocol    Status          MFA Required
──────────────────────────────────────────────────────────────
AWS Console     SAML 2.0    ✓ Integrated    Yes
Azure Portal    SAML 2.0    ✓ Integrated    Yes
GCP Console     SAML 2.0    ✓ Integrated    Yes
Salesforce      SAML 2.0    ✓ Integrated    Yes
GitHub          SAML 2.0    ✓ Integrated    Yes
Slack           SAML 2.0    ✓ Integrated    Yes
Jira            SAML 2.0    ✓ Integrated    No
Confluence      SAML 2.0    ✓ Integrated    No
ServiceNow      SAML 2.0    ✓ Integrated    Yes
Oracle ERP      OIDC        In Progress     Yes
MULTI-FACTOR AUTHENTICATION (MFA):
═══════════════════════════════════════
MFA Methods:
═══════════════════════════════════════
Method                 Strength   User Experience   Cost        Adoption
───────────────────────────────────────────────────────────────────────
TOTP (Authenticator)   HIGH       GOOD              Free        85%
FIDO2 Security Key     HIGHEST    EXCELLENT         $25/key     15%
SMS                    MEDIUM     GOOD              Low         — (deprecated)
Push Notification      HIGH       EXCELLENT         Free        Growing
Hardware Token         HIGHEST    FAIR              $50/token   —
MFA Policy:
→ Required for ALL users (no exceptions)
→ Required for ALL cloud console access
→ Required for privileged accounts (enforced)
→ Conditional access: Risk-based (location, device, IP)
→ MFA fatigue protection: Request expiration, rate limiting
4. Access Reviews
ACCESS REVIEW PROCESS
═══════════════════════════════════════
Review Schedule:
═══════════════════════════════════════
Review Type          Frequency   Scope           Reviewer
────────────────────────────────────────────────────────────────────
User access          Quarterly   All users       Manager
Privileged access    Monthly     Admin+ roles    Security team
Service accounts     Quarterly   Non-human       App owner
External access      Quarterly   Contractors     Hiring manager
Cross-account        Monthly     Cross-account   Account owner
Automated Access Review (AWS Access Analyzer):
═══════════════════════════════════════
→ Analyze resource sharing
→ Identify unused permissions
→ Flag excessive privileges
→ Generate recommendations
Results:
→ 25 users with unused permissions (recommend reduction)
→ 5 IAM policies with wildcard actions (need scoping)
→ 3 cross-account roles (all valid)
→ 12 service accounts (8 compliant, 4 need review)
ACCESS CERTIFICATION:
═══════════════════════════════════════
Step 1: Generate access report
Step 2: Distribute to reviewers (managers)
Step 3: Reviewers approve/revoke access
Step 4: Automated remediation (revoke denied)
Step 5: Exception handling (escalate)
Step 6: Compliance report generated
5. IAM Security Monitoring
IAM SECURITY MONITORING
═══════════════════════════════════════
CloudTrail Events to Monitor:
═══════════════════════════════════════
Event                         Severity   Action
──────────────────────────────────────────────────────────────
ConsoleLogin (MFA not used)   P2         Alert + disable
CreateUser                    P3         Log + review
DeleteLoginProfile            P3         Log + review
AttachUserPolicy              P2         Alert
CreateAccessKey               P2         Alert
AssumeRole                    P3         Log (check source)
StopLogging                   P1         Page immediately
DeleteTrail                   P1         Page immediately
DisableMFA                    P1         Page + alert
UnauthorizedAccess            P1         Page + block
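An added example, not part of this skill page, that applies the severity table above to newline-delimited CloudTrail records. The sample records are constructed and trimmed to the fields used; the ConsoleLogin check reads the MFAUsed field and, as a caveat, exempts federated sessions, which report MFAUsed "No" because MFA was enforced at the IdP. The severity/action strings are this example's own encoding of the table.

```python
import json

# Severity/action table from this section, keyed by CloudTrail eventName.
# ConsoleLogin is handled separately because its severity depends on MFA use.
EVENT_TRIAGE = {
    "CreateUser": ("P3", "log+review"),
    "DeleteLoginProfile": ("P3", "log+review"),
    "AttachUserPolicy": ("P2", "alert"),
    "CreateAccessKey": ("P2", "alert"),
    "AssumeRole": ("P3", "log"),
    "StopLogging": ("P1", "page"),
    "DeleteTrail": ("P1", "page"),
    "DeactivateMFADevice": ("P1", "page+alert"),  # the IAM API behind the DisableMFA row
}

def triage(event):
    """Map one CloudTrail record to (severity, action), or None if not monitored."""
    name = event.get("eventName")
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed", "No")
        ident = event.get("userIdentity", {}).get("type")
        # Federated (SSO) console sessions report MFAUsed "No" because MFA was
        # enforced at the IdP, so only IAM users logging in without MFA are flagged.
        if mfa != "Yes" and ident == "IAMUser":
            return ("P2", "alert+disable")
        return None
    return EVENT_TRIAGE.get(name)

def triage_log(text):
    """Run triage over newline-delimited CloudTrail JSON records."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = triage(event)
        if hit:
            results.append((event["eventName"], hit[0], hit[1]))
    return results

# Constructed sample records, trimmed to the fields used above.
SAMPLE_LOG = """
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
{"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "carol"}}
"""
```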
GuardDuty Findings (IAM):
═══════════════════════════════════════
→ UnauthorizedAccess:IAMUser
→ PrivilegeEscalation:IAMUser
→ CryptoCurrency:EC2
→ RemoteCmd:IAMUser
→ Anomalies:IAMUser
ALERT CONFIGURATION:
═══════════════════════════════════════
→ SNS topic: iam-security-alerts
→ Lambda: Auto-remediation (disable user, rotate keys)
→ Slack: Security channel notification
→ PagerDuty: On-call page for P1 events
Edge Cases
- Break-glass: Emergency access procedures
- Cross-account: Role assumption security
- Federated users: Session duration limits
- Compliance: SOX, PCI, HIPAA access controls
- Global workforce: Multi-region identity
Integration Points
- IdP: Entra ID, Okta, Keycloak, Auth0
- Cloud IAM: AWS IAM, Azure RBAC, GCP IAM
- MFA: Duo, YubiKey, Authy, Entra MFA
- PAM: CyberArk, BeyondTrust, HashiCorp Vault
- SSO: SAML, OIDC, OAuth 2.0
- Monitoring: CloudTrail, GuardDuty, AlertManager
Output
IAM Status
IAM STATUS — Q4 2024
═══════════════════════════════════════
Users: 2,450 (active), 120 (external)
MFA adoption: 100%
SSO integrated: 10 of 11 apps
Roles: 28 (compliant)
Unused permissions: 25 users flagged
Access reviews: Q4 complete (100%)
Security:
→ 0 critical IAM findings
→ 5 policies need scoping (in progress)
→ All break-glass accounts logged