---
name: iam-access-management
description: Design and implement Identity and Access Management (IAM) including role-based access control, attribute-based access control, single sign-on, multi-factor authentication, and privilege management. Use when configuring IAM policies, implementing SSO, setting up MFA, managing cloud IAM, or designing access control models. Triggers on phrases like "IAM", "identity and access management", "RBAC", "ABAC", "role-based access", "attribute-based access", "least privilege", "single sign-on", "SSO", "SAML", "OIDC", "OAuth", "multi-factor authentication", "MFA", "federation", "identity provider", "IdP", "privilege escalation", "access control".
---

# IAM & Access Management

Design and implement Identity and Access Management (IAM) including RBAC, ABAC, SSO, MFA, and privilege management.

## Workflow

### 1. IAM Architecture

```
IAM ARCHITECTURE
═══════════════════════════════════════

Identity Provider (IdP): Entra ID / Okta / Keycloak
  → Central identity store
  → User authentication
  → Single sign-on (SSO)
  → Multi-factor authentication (MFA)

Access Models:
═══════════════════════════════════════

RBAC (Role-Based Access Control):
  → Users assigned to roles
  → Roles assigned permissions
  → Simple, widely used

  Roles:
    → Viewer: Read-only access
    → Editor: Read + write (non-sensitive)
    → Admin: Full access (limited scope)
    → Super Admin: Full access (all resources)

ABAC (Attribute-Based Access Control):
  → Policies based on attributes
  → More granular, context-aware

  Attributes:
    → User: department, clearance level, employment type
    → Resource: classification, owner, sensitivity
    → Environment: time of day, location, device type
    → Action: read, write, delete, execute

  Policy example (AWS): allow reading only objects whose Department tag
  matches the caller's own Department tag, and only from an MFA session.
  The policy variable belongs on the right-hand side; comparing the
  principal tag to itself is always true and would allow every object.
  If the principal has no Department tag, the variable cannot resolve and
  the statement does not match (fails closed).
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::app-bucket/*",
        "Condition": {
          "StringEquals": {"s3:ExistingObjectTag/Department": "${aws:PrincipalTag/Department}"},
          "Bool": {"aws:MultiFactorAuthPresent": "true"}
        }
      }]
    }

FEDERATION:
═══════════════════════════════════════

  IdP (Entra ID/Okta) ←SAML/OIDC→ Cloud Providers (AWS, Azure, GCP)
                      ←SAML/OIDC→ SaaS Apps (Salesforce, Slack, etc.)
                      ←LDAP/Kerberos→ On-Prem Systems (directory integration, not federation)

  Benefits:
    → Central identity management
    → Single sign-on (one password)
    → Centralized deprovisioning
    → MFA enforcement (one MFA)
```
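The ABAC evaluation described above (object tag compared against the principal's tag, plus an MFA condition) as an added example that is not part of the original page: a minimal evaluator that implements just the pieces that policy shape needs (StringEquals with `${aws:PrincipalTag/...}` substitution, Bool, `*` in action and resource patterns, and the AWS rule that a condition key absent from the request context makes an Allow statement's condition fail). The principal, tags, object ARN and request contexts are constructed sample data.

```python
"""Added example (not from the page): a minimal evaluator for the ABAC policy
shape used above. It implements only what that policy needs: StringEquals with
${aws:PrincipalTag/...} substitution, Bool, '*' in action/resource patterns,
and the AWS rule that a condition key absent from the request context makes an
Allow statement's condition fail. All principals, tags and requests below are
constructed sample data."""
import re

# Read objects whose Department tag equals the caller's Department tag,
# and only from an MFA-authenticated session.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::app-bucket/*",
        "Condition": {
            "StringEquals": {
                "s3:ExistingObjectTag/Department": "${aws:PrincipalTag/Department}"
            },
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _resolve(value, ctx):
    """Substitute ${key} policy variables from the request context.
    If any referenced key is missing, return None so the comparison fails closed."""
    if any(k not in ctx for k in _VAR.findall(value)):
        return None
    return _VAR.sub(lambda m: str(ctx[m.group(1)]), value)


def _glob(pattern, value, ignore_case=False):
    """IAM-style matching: '*' is any run of characters (including ':' and '/'),
    '?' is one character, and the whole value must match."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_ok(cond, ctx):
    """Every operator and every key must hold (AND). A key absent from the
    context never matches, which is the safe direction for an Allow."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            if op == "StringEquals":
                want = _resolve(expected, ctx)
                if want is None or actual != want:
                    return False
            elif op == "Bool":
                if actual.lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {op} is not implemented in this example")
    return True


def is_allowed(policy, action, resource, ctx):
    """True iff some Allow statement matches the action and resource and its
    condition holds. Deny statements are not modelled (the policy has none)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_glob(r, resource) for r in resources):
            continue
        if _condition_ok(stmt.get("Condition", {}), ctx):
            return True
    return False


OBJ = "arn:aws:s3:::app-bucket/reports/q4.csv"   # constructed object ARN


def demo():
    """Constructed request contexts (what AWS derives from the session and the
    object's tags). Only the first case should be allowed."""
    base = {"aws:PrincipalTag/Department": "finance", "aws:MultiFactorAuthPresent": "true"}
    tagged = {**base, "s3:ExistingObjectTag/Department": "finance"}
    return {
        "same_dept_mfa":      is_allowed(POLICY, "s3:GetObject", OBJ, tagged),
        "other_dept":         is_allowed(POLICY, "s3:GetObject", OBJ, {**base, "s3:ExistingObjectTag/Department": "hr"}),
        "no_mfa":             is_allowed(POLICY, "s3:GetObject", OBJ, {**tagged, "aws:MultiFactorAuthPresent": "false"}),
        "untagged_object":    is_allowed(POLICY, "s3:GetObject", OBJ, base),
        "untagged_principal": is_allowed(POLICY, "s3:GetObject", OBJ, {k: v for k, v in tagged.items() if "PrincipalTag" not in k}),
        "other_bucket":       is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x", tagged),
        "write":              is_allowed(POLICY, "s3:PutObject", OBJ, tagged),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'ALLOW' if allowed else 'DENY'}")
```

The `untagged_object` and `untagged_principal` cases are the ones worth remembering: an ABAC policy silently denies access to anything that lacks the tag, so tag enforcement (tag-on-create policies, SCPs) is part of the access model, not an afterthought.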

### 2. Role Design & Least Privilege

```
ROLE DESIGN FRAMEWORK
═══════════════════════════════════════

Role Matrix:
═══════════════════════════════════════

Role               AWS                       Azure                     GCP                          Apps
───────────────────────────────────────────────────────────────────────────────────────────────────────────
Developer          PowerUserAccess           Contributor               Editor                       Dev tools
  (no production)  (non-prod accounts only)  (non-prod RGs only)       (non-prod projects only)
Admin              AdministratorAccess       Owner                     Owner                        Admin tools
  (production)     (prod account only)       (prod subscription only)  (prod project only)
Viewer             ReadOnlyAccess            Reader                    Viewer                       Read-only
Security Analyst   SecurityAudit             Security Reader           Security Reviewer            Security tools
                   (no modify)               (no modify)               (roles/iam.securityReviewer)
DBA                Custom (RDS only)         Custom (Azure SQL only)   Custom (Cloud SQL only)      DB tools

Managed/basic roles (PowerUserAccess, Contributor, Editor, Owner) are starting
points, not least privilege: PowerUserAccess still allows every non-IAM service,
and GCP basic roles span the whole project. Narrow with custom roles and scope
by account, subscription/resource group, or project.

WORKLOAD IDENTITIES (service roles):
═══════════════════════════════════════

  → EC2 instance role: attached via instance profile (require IMDSv2)
  → Lambda execution role: attached to Lambda functions
  → ECS task role: attached to ECS tasks (not the instance role)
  → K8s service account: attached to pods (IRSA on EKS, Workload Identity on GKE)

  Principle: Each workload gets ONLY the permissions it needs, on ONLY the
  resources it touches. No long-lived access keys on workloads.

  Example (EC2 instance role):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::app-bucket/*"
        },
        {
          "Effect": "Allow",
          "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
          "Resource": "arn:aws:logs:*:*:log-group:/app/*"
        }
      ]
    }
  (PutLogEvents needs CreateLogStream as well; without it the first write fails.)

PRIVILEGE ESCALATION PREVENTION:
═══════════════════════════════════════

  → No wildcard (*) actions or resources for humans
  → No unscoped iam:PassRole, iam:Attach*Policy, iam:Put*Policy,
    iam:CreatePolicyVersion or sts:AssumeRole (classic self-escalation paths)
  → Permissions boundaries and SCPs cap what delegated admins can grant
  → Regular access reviews (quarterly)
  → Just-in-time privileged access (PAM), no standing admin
  → Session duration limits
  → MFA required for sensitive operations
```
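The privilege escalation prevention rules above are easy to state and easy to violate in a policy document. As an added example (not code from the original page), here is a small linter that flags the patterns behind them: wildcard actions, `NotAction`/`NotResource` in an Allow, actions that let a principal grant itself more access (well-documented IAM self-escalation primitives such as `iam:CreatePolicyVersion`, `iam:AttachUserPolicy`, `iam:PassRole`), mutating actions on `Resource: "*"`, and, for human policies, the absence of an `aws:MultiFactorAuthPresent` condition. The EC2 policy from this section passes; the second policy is a constructed "developer convenience" policy of the kind that gets requested.

```python
"""Added example (not from the page): a linter for IAM policy documents that
flags the patterns behind the privilege-escalation prevention rules above.
The policies below are constructed samples; ESCALATION_ACTIONS lists well-known
IAM self-escalation primitives and is illustrative, not exhaustive."""
from fnmatch import fnmatchcase

# Actions that let a principal grant itself more access. A wildcard action
# that covers any of these is flagged even if the literal name never appears.
ESCALATION_ACTIONS = {
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile",
    "iam:updateassumerolepolicy", "iam:addusertogroup", "iam:passrole",
    "sts:assumerole",
}
READ_ONLY_PREFIXES = ("get", "list", "describe")


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _covers(pattern, action):
    """Does an action pattern from the policy (e.g. 'iam:*') match a concrete action?"""
    return fnmatchcase(action, pattern)


def lint_policy(policy, name, for_human=False):
    """Return findings as (policy name, statement index, rule, detail)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((name, i, "negation", "NotAction/NotResource in an Allow grants everything not listed"))
        actions = [a.lower() for a in _aslist(stmt.get("Action", []))]
        star_resource = "*" in _aslist(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((name, i, "wildcard-action", a))
            hits = sorted(e for e in ESCALATION_ACTIONS if _covers(a, e))
            if hits:
                scope = "on Resource '*'" if star_resource else "resource-scoped"
                findings.append((name, i, "escalation-capable", f"{a} covers {', '.join(hits)} {scope}"))
        # Anything that is not a Get/List/Describe is treated as mutating.
        mutating = [a for a in actions if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if star_resource and mutating:
            findings.append((name, i, "unscoped-resource", f"Resource '*' with {', '.join(mutating)}"))
        has_mfa = any("aws:MultiFactorAuthPresent" in keys for keys in stmt.get("Condition", {}).values())
        if for_human and not has_mfa:
            findings.append((name, i, "no-mfa-condition", "human policy without aws:MultiFactorAuthPresent"))
    return findings


# The EC2 instance-role policy from this section: scoped actions and resources.
EC2_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/app/*"},
]}

# Constructed 'convenience' policy of the kind a developer asks for.
DEV_CONVENIENCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
]}


def demo():
    return {
        "ec2_role": lint_policy(EC2_ROLE, "ec2-app-role"),
        "dev": lint_policy(DEV_CONVENIENCE, "dev-convenience", for_human=True),
    }


if __name__ == "__main__":
    for policy_name, findings in demo().items():
        print(f"{policy_name}: {len(findings)} finding(s)")
        for _, idx, rule, detail in findings:
            print(f"  statement[{idx}] {rule}: {detail}")
```

The read-only heuristic is deliberately crude (a `Resource: "*"` on `ec2:Describe*` is accepted, which matches how most read-only policies are written), so treat the linter as a gate in CI that forces a conversation, not as a proof of least privilege.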

### 3. SSO & MFA Implementation

```
SINGLE SIGN-ON (SSO)
═══════════════════════════════════════

Protocols:
═══════════════════════════════════════

Protocol    Use Case                    Direction          Complexity
─────────────────────────────────────────────────────────────────────────
SAML 2.0    Enterprise SSO (login)      IdP → SP           MEDIUM
OIDC        Modern SSO (login)          IdP → RP           LOW
OAuth 2.0   Delegated API access        Client → Resource  MEDIUM
            (authorization only; an access token is not proof of who the
             user is, so authenticate users with OIDC, not bare OAuth)

SSO Integration Matrix:
═══════════════════════════════════════

Application           Protocol    Status        MFA Required
──────────────────────────────────────────────────────────────
AWS Console           SAML 2.0    ✓ Integrated   Yes
Azure Portal          SAML 2.0    ✓ Integrated   Yes
GCP Console           SAML 2.0    ✓ Integrated   Yes
Salesforce            SAML 2.0    ✓ Integrated   Yes
GitHub                SAML 2.0    ✓ Integrated   Yes
Slack                 SAML 2.0    ✓ Integrated   Yes
Jira                  SAML 2.0    ✓ Integrated   No
Confluence            SAML 2.0    ✓ Integrated   No
ServiceNow            SAML 2.0    ✓ Integrated   Yes
Oracle ERP            OIDC        In Progress    Yes

MULTI-FACTOR AUTHENTICATION (MFA):
═══════════════════════════════════════

MFA Methods:
═══════════════════════════════════════

Method                  Strength                     User Experience    Cost       Adoption
──────────────────────────────────────────────────────────────────────────────────────────────
TOTP (Authenticator)    HIGH (phishable)             GOOD               Free       85%
FIDO2 Security Key      HIGHEST (phishing-resistant) EXCELLENT          $25/key    15%
SMS                     LOW (SIM swap, SS7, relay)   GOOD               Low        n/a (deprecated)
Push Notification       HIGH with number matching,   EXCELLENT          Free       Growing
                        MEDIUM without (MFA fatigue)
Hardware OTP Token      HIGH (phishable, like TOTP)  FAIR               $50/token  n/a

MFA Policy:
  → Required for ALL users and ALL cloud console access (no exceptions)
  → Privileged accounts: phishing-resistant method only (FIDO2), enforced
  → Conditional access: risk-based (location, device, IP, impossible travel)
  → MFA fatigue protection: number matching, prompt expiry, rate limiting,
    lock the account and alert after repeated unapproved prompts
  → Break-glass accounts: hardware keys held offline, every use alerted
```
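The TOTP row above and the fatigue/rate-limiting policy point become concrete in the verifier an IdP runs. As an added example (not code from the original page or from any named IdP), here is an RFC 6238 TOTP verifier with the three controls a policy usually forgets to specify: a bounded clock-skew window, single use of every accepted code (any code at or below the last accepted time step is rejected as a replay), and a per-user attempt limit with lockout so the 6-digit space cannot be searched. The secret is the RFC 4226/6238 test vector so the codes can be checked against the RFC tables; users, times and lockout numbers are constructed.

```python
"""Added example (not from the page): an RFC 6238 TOTP verifier with clock-skew
window, replay rejection and per-user attempt limiting. The secret is the
RFC 4226/6238 test vector (never use it for real); users, times and the
lockout parameters are constructed for the demo."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    def __init__(self, step=30, window=1, max_attempts=5, lockout_seconds=300):
        self.step, self.window = step, window
        self.max_attempts, self.lockout = max_attempts, lockout_seconds
        self.last_step = {}   # user -> highest time step already accepted
        self.failures = {}    # user -> (consecutive failures, time of first failure)

    def verify(self, user: str, secret: bytes, code: str, now: float = None) -> str:
        """Returns 'ok', 'bad', 'replay' or 'locked'."""
        now = time.time() if now is None else now
        count, since = self.failures.get(user, (0, now))
        if count >= self.max_attempts:
            if now - since < self.lockout:
                return "locked"           # do not even evaluate the code
            self.failures.pop(user, None)  # lockout expired
        current = int(now) // self.step
        # Accept the current step plus/minus `window` steps of clock skew.
        for step_no in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, step_no), str(code)):
                # Anything at or below the highest accepted step has either
                # been used or is older than a code already used: replay.
                if step_no <= self.last_step.get(user, -1):
                    return "replay"
                self.last_step[user] = step_no
                self.failures.pop(user, None)
                return "ok"
        count, since = self.failures.get(user, (0, now))
        self.failures[user] = (count + 1, since)
        return "bad"


def demo():
    secret = b"12345678901234567890"   # RFC test secret
    t = 1111111109                     # RFC 6238 test time (SHA1 TOTP 081804)
    v = TotpVerifier()
    out = [
        v.verify("alice", secret, totp(secret, t), now=t),           # ok
        v.verify("alice", secret, totp(secret, t), now=t + 5),       # replay: same code again
        v.verify("alice", secret, totp(secret, t + 60), now=t + 5),  # ok: client clock one step ahead
        v.verify("alice", secret, totp(secret, t + 30), now=t + 5),  # replay: older than last accepted
    ]
    out += [v.verify("bob", secret, "000000", now=t) for _ in range(5)]      # bad x5
    out.append(v.verify("bob", secret, totp(secret, t), now=t + 10))        # locked, valid code or not
    out.append(v.verify("bob", secret, totp(secret, t + 600), now=t + 600))  # lockout expired: ok
    return out


if __name__ == "__main__":
    print(demo())
```

With a window of 1 and 6 digits an attacker gets 3 chances in a million per guess; the attempt limit is what keeps that number meaningful, and it has to be keyed by user, not by source IP, because a spraying attacker has plenty of IPs.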

### 4. Access Reviews

```
ACCESS REVIEW PROCESS
═══════════════════════════════════════

Review Schedule:
═══════════════════════════════════════

Review Type           Frequency    Scope              Reviewer
────────────────────────────────────────────────────────────────────
User access           Quarterly    All users          Manager
Privileged access     Monthly      Admin+ roles       Security team
Service accounts      Quarterly    Non-human          App owner
External access       Quarterly    Contractors        Hiring manager
Cross-account         Monthly      Cross-account      Account owner

Automated Access Review (IAM Access Analyzer):
═══════════════════════════════════════

  → External access findings: resources shared outside the zone of trust
  → Unused access findings: roles, access keys, passwords and permissions
    unused for the configured window (last-accessed data)
  → Flag excessive privileges (wildcards, unscoped resources)
  → Generate least-privilege policy recommendations

  Results (illustrative):
    → 25 users with unused permissions (recommend reduction)
    → 5 IAM policies with wildcard actions (need scoping)
    → 3 cross-account roles (all valid)
    → 12 service accounts (8 compliant, 4 need review)

ACCESS CERTIFICATION:
═══════════════════════════════════════

  Step 1: Generate access report
  Step 2: Distribute to reviewers (managers)
  Step 3: Reviewers approve/revoke access
  Step 4: Automated remediation (revoke denied)
  Step 5: Exception handling (escalate)
  Step 6: Compliance report generated
```
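The "Results" list above is the output of a review pass; as an added example (not code from the original page), here is one written against the CSV that `aws iam get-credential-report` returns, run offline over a constructed report. It applies the checks a quarterly user/service-account review needs: console users without MFA, active access keys unused or unrotated for 90 days, identities with no activity at all, and an active root access key, which is a separate P1 rather than a review item. The report rows, account `111122223333` (the AWS documentation placeholder) and the fixed `NOW` are constructed; the unused `cert_*` columns are omitted from the sample.

```python
"""Added example (not from the page): an offline access-review pass over an
IAM credential report (`aws iam get-credential-report`, decoded to CSV). The
report below is constructed sample data with the cert_* columns omitted;
NOW is fixed so the run is reproducible."""
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,true,2024-11-20T09:00:00+00:00,not_supported,not_supported,true,true,2021-03-03T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-10T00:00:00+00:00,true,2024-12-01T08:12:00+00:00,2024-09-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-05-10T00:00:00+00:00,true,2024-11-28T10:00:00+00:00,2024-06-01T00:00:00+00:00,N/A,false,true,2024-01-15T00:00:00+00:00,2024-11-30T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-11-01T00:00:00+00:00,2024-12-01T06:00:00+00:00,eu-west-1,ecr,true,2023-02-01T00:00:00+00:00,2023-08-01T00:00:00+00:00,eu-west-1,ecr
carol,arn:aws:iam::111122223333:user/carol,2021-09-09T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-09-09T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

NOW = datetime(2024, 12, 2, tzinfo=timezone.utc)   # constructed review date
MAX_AGE = timedelta(days=90)
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _ts(value):
    """Report timestamps are ISO 8601 with a UTC offset, or a placeholder string."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def _older_than(ts, now, max_age):
    """A missing timestamp counts as 'never', i.e. older than any window."""
    return ts is None or now - ts > max_age


def review(report_csv: str, now=NOW, max_age=MAX_AGE):
    """Return findings as (user, rule, severity, detail)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if active_keys:
                findings.append((user, "root-access-key", "P1", "root has an active access key; delete it"))
            continue   # root is reviewed on its own, not against the user rules
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-no-mfa", "P2", "console password enabled without MFA"))
        recent = not _older_than(_ts(row["password_last_used"]), now, max_age)
        for n in active_keys:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if _older_than(rotated, now, max_age):
                findings.append((user, "key-not-rotated", "P3", f"access key {n} last rotated {rotated}"))
            if _older_than(used, now, max_age):
                findings.append((user, "key-unused", "P3", f"access key {n} last used {used}"))
            else:
                recent = True
        if not recent:
            findings.append((user, "inactive-identity", "P3", f"no password or key use in {max_age.days} days"))
    return findings


if __name__ == "__main__":
    for user, rule, severity, detail in review(REPORT):
        print(f"{severity} {user:16s} {rule:18s} {detail}")
```

Two things the script does on purpose: a key whose last-used date is `N/A` is reported as unused rather than skipped (a never-used key is the easiest one to revoke), and a service user such as `ci-deploy` is judged on key activity because it has no console password, which is the shape the "Service accounts" review row above expects.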

### 5. IAM Security Monitoring

```
IAM SECURITY MONITORING
═══════════════════════════════════════

CloudTrail Events to Monitor:
═══════════════════════════════════════

Event                                          Severity   Action
──────────────────────────────────────────────────────────────────────────────
ConsoleLogin (additionalEventData.MFAUsed=No)  P2         Alert + disable
Root credential use (userIdentity.type=Root)   P1         Page immediately
CreateUser                                     P3         Log + review
DeleteLoginProfile                             P3         Log + review
AttachUserPolicy / PutUserPolicy               P2         Alert
CreatePolicyVersion / SetDefaultPolicyVersion  P2         Alert
CreateAccessKey / CreateLoginProfile           P2         Alert
AssumeRole                                     P3         Log (check source)
StopLogging / UpdateTrail                      P1         Page immediately
DeleteTrail                                    P1         Page immediately
DeactivateMFADevice / DeleteVirtualMFADevice   P1         Page + alert
AccessDenied / UnauthorizedOperation           P3         Log; burst from one
  (an errorCode, not an event name)                       principal: P1 + block

GuardDuty Findings (IAM):
═══════════════════════════════════════

  → UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
  → UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
  → PrivilegeEscalation:IAMUser/AnomalousBehavior
  → Persistence:IAMUser/AnomalousBehavior
  → CredentialAccess:IAMUser/AnomalousBehavior
  → Stealth:IAMUser/CloudTrailLoggingDisabled
  → Policy:IAMUser/RootCredentialUsage

ALERT CONFIGURATION:
═══════════════════════════════════════

  → SNS topic: iam-security-alerts
  → Lambda: Auto-remediation (disable user, rotate keys)
  → Slack: Security channel notification
  → PagerDuty: On-call page for P1 events
```
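The CloudTrail table above is a detection rule set in prose; as an added example (not code from the original page), here is that logic run over constructed CloudTrail-shaped records. It covers the two cases an event-name match alone gets wrong: `ConsoleLogin` matters only when `additionalEventData.MFAUsed` is `No` and the identity is an IAM user (federated SAML/OIDC logins arrive as `AssumedRole` and always show `MFAUsed: No`, because MFA happened at the IdP), and "unauthorized access" is an `errorCode` where a single denial is noise but a burst from one principal is an enumeration signal. Account `111122223333`, the ARNs, IPs and user names are placeholders.

```python
"""Added example (not from the page): detection logic for the CloudTrail table
above, run over constructed CloudTrail-shaped records (not real logs). Account
111122223333 and all ARNs, IPs and names are placeholders."""
import json
from collections import Counter

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
MFA_TAMPER = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
CREDENTIAL_OR_POLICY = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                        "CreatePolicyVersion", "SetDefaultPolicyVersion",
                        "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy"}
LOG_AND_REVIEW = {"CreateUser", "DeleteLoginProfile", "AssumeRole"}
DENIED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
BURST_THRESHOLD = 5   # denials from one principal within the batch


def principal(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def classify(ev):
    """Return (severity, reason) for one record, or None if it is routine."""
    name = ev.get("eventName")
    ident_type = ev.get("userIdentity", {}).get("type")
    if ident_type == "Root":
        return "P1", "root credentials used"
    if name in LOGGING_TAMPER:
        return "P1", "CloudTrail logging tampered with"
    if name in MFA_TAMPER:
        return "P1", "MFA device removed"
    if name == "ConsoleLogin":
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            return "P3", "failed console login"
        # Federated logins (SAML/OIDC) arrive as AssumedRole and always carry
        # MFAUsed "No" because MFA happened at the IdP; judge IAM users only.
        if ident_type == "IAMUser" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            return "P2", "console login without MFA"
        return None
    if name in CREDENTIAL_OR_POLICY:
        return "P2", "credential or policy change"
    if ev.get("errorCode") in DENIED:
        return "P3", "access denied"
    if name in LOG_AND_REVIEW:
        return "P3", "log and review"
    return None


def detect(records):
    """Per-record alerts, plus one P1 per principal with >= BURST_THRESHOLD denials."""
    alerts, denials = [], Counter()
    for ev in records:
        hit = classify(ev)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1], "event": ev.get("eventName"),
                           "principal": principal(ev), "time": ev.get("eventTime")})
        if ev.get("errorCode") in DENIED:
            denials[principal(ev)] += 1
    for who, n in denials.items():
        if n >= BURST_THRESHOLD:
            alerts.append({"severity": "P1", "event": "AccessDenied", "principal": who, "time": None,
                           "reason": f"{n} access-denied errors from one principal (possible enumeration)"})
    return alerts


# Constructed records in CloudTrail's shape (trimmed to the fields used above).
FIXED_LINES = [
    '{"eventTime":"2024-12-02T08:00:01Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"203.0.113.10"}',
    '{"eventTime":"2024-12-02T08:00:45Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob","userName":"bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10"}',
    '{"eventTime":"2024-12-02T08:01:10Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/okta-admin/dana@example.com"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"203.0.113.11"}',
    '{"eventTime":"2024-12-02T08:05:00Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/mallory","userName":"mallory"},"requestParameters":{"name":"org-trail"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-12-02T08:05:30Z","eventName":"DeactivateMFADevice","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/mallory","userName":"mallory"},"requestParameters":{"userName":"mallory","serialNumber":"arn:aws:iam::111122223333:mfa/mallory"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-12-02T08:06:00Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/mallory","userName":"mallory"},"requestParameters":{"userName":"mallory"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2024-12-02T08:15:00Z","eventName":"AssumeRole","eventSource":"sts.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol","userName":"carol"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/deploy"},"sourceIPAddress":"203.0.113.20"}',
    '{"eventTime":"2024-12-02T08:20:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.12"}',
]
DENIED_TEMPLATE = '{"eventTime":"2024-12-02T08:10:%02dZ","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/dev/eve"},"errorCode":"Client.UnauthorizedOperation","errorMessage":"You are not authorized to perform this operation.","sourceIPAddress":"198.51.100.7"}'
SAMPLE = [json.loads(line) for line in FIXED_LINES] + [json.loads(DENIED_TEMPLATE % i) for i in range(5)]


def demo():
    return detect(SAMPLE)


if __name__ == "__main__":
    for a in sorted(demo(), key=lambda x: x["severity"]):
        print(f"{a['severity']} {a['event']:22s} {a['principal']:60s} {a['reason']}")
```

In production the burst counter runs over a sliding time window rather than a batch, and the per-denial P3 alerts are usually suppressed once the burst fires, but the ordering of checks is the part to keep: root use and log tampering are decided before anything else, because those are the events an attacker generates to make the rest invisible.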

## Edge Cases

- **Break-glass**: Emergency access procedures
- **Cross-account**: Role assumption security
- **Federated users**: Session duration limits
- **Compliance**: SOX, PCI, HIPAA access controls
- **Global workforce**: Multi-region identity

## Integration Points

- **IdP**: Entra ID, Okta, Keycloak, Auth0
- **Cloud IAM**: AWS IAM, Azure RBAC, GCP IAM
- **MFA**: Duo, YubiKey, Authy, Entra MFA
- **PAM**: CyberArk, BeyondTrust, HashiCorp Vault
- **SSO**: SAML, OIDC, OAuth 2.0
- **Monitoring**: CloudTrail, GuardDuty, AlertManager

## Output

### IAM Status

```
IAM STATUS — Q4 2024
═══════════════════════════════════════

Users: 2,450 (active), 120 (external)
MFA adoption: 100%
SSO integrated: 10 of 11 apps
Roles: 28 (compliant)
Unused permissions: 25 users flagged
Access reviews: Q4 complete (100%)

Security:
  → 0 critical IAM findings
  → 5 policies need scoping (in progress)
  → All break-glass accounts logged
```
