Introduction
A few years into my career managing Linux infrastructure, I was handed a production server audit. The task was straightforward: find out who had access to what. I pulled /etc/passwd, checked the sudoers file, reviewed SSH authorized_keys across the fleet.
Three days later, I had a spreadsheet nobody wanted to read.
The problem wasn’t that the access was wrong. Most of it was fine. The problem was that nobody — not the team lead, not the security team, not the engineers who’d been there five years — could tell me why a particular account had access to a particular server. It had accumulated. People joined, got access, changed teams, left. The access stayed.
That was a 40-server fleet in 2012.
Fast-forward to a cloud environment today: you might have 50 engineers, 300 Lambda functions, 20 microservices, CI/CD pipelines, third-party integrations, compliance scanners — all making API calls, all needing access to something. The identity sprawl problem I spent three days auditing manually on 40 servers now exists at a scale where manual auditing isn’t even a conversation.
This is the problem Identity and Access Management exists to solve. Not just in theory — in practice, at the scale cloud infrastructure demands.
How We Got Here — The Evolution of Access Control
To understand why cloud IAM works the way it does, you need to trace how access control evolved. The design decisions in AWS IAM, GCP, and Azure didn’t come out of nowhere — they’re answers to lessons learned the hard way across decades of broken systems.
The Unix Model (1970s–1990s): Simple and Sufficient
Unix got the fundamentals right early. Every resource (file, device, process) has an owner and a group. Every action is one of three: read, write, execute. Every user is either the owner, in the group, or everyone else.
-rw-r--r-- 1 vamshi engineers 4096 Apr 11 09:00 deploy.conf
# owner can read/write | group can read | others can read
For a single machine or a small network, this model is elegant. The permissions are visible in a ls -l. Reasoning about access is straightforward. Auditing means reading a few files.
The cracks started showing when organizations grew. You’d add sudo to give specific commands to specific users. Then sudoers files became 300 lines long. Then you’d have shared accounts because managing individual ones was “too much overhead.” Shared accounts mean no individual accountability. No accountability means no audit trail worth anything.
The Directory Era (1990s–2000s): Centralise or Collapse
As networks grew, every server managing its own /etc/passwd became untenable. Enter LDAP and Active Directory. Instead of distributing identity management across every machine, you centralised it: one directory, one place to add users, one place to disable them when someone left.
This was a significant step forward. Onboarding got faster. Offboarding became reliable. Group membership drove access to resources across the network.
But the permission model was still coarse. You were either in the Domain Admins group or you weren’t. “Read access to the file share” was a group. “Deploy to the staging web server” was a group. Managing fine-grained permissions at scale meant managing hundreds of groups, and the groups themselves became the audit nightmare.
I spent time in environments like this. The group named SG_Prod_App_ReadWrite_v2_FINAL that nobody could explain. The AD group from a project that ended three years ago but was still in twenty user accounts. The contractor whose AD account was disabled but whose service account was still running a nightly job.
The directory model centralised identity. It didn’t solve the permissions sprawl problem.
The Cloud Shift (2006–2014): Everything Changes
AWS launched EC2 in 2006. In 2011, AWS IAM went into general availability. That date matters — for the first five years of AWS, access control was primitive. Root accounts. Access keys. No roles.
Early AWS environments I’ve seen (and had to clean up) reflect this era: a single root account access key shared across a team, rotated manually on a shared spreadsheet. Static credentials in application config files. EC2 instances with AdministratorAccess because “it was easier at the time.”
The AWS team understood what they’d built was dangerous. IAM in 2011 introduced the model that all three major cloud providers now share: deny-by-default, policy-driven, principal-based access control. Not “who is in which group” but “which policy explicitly grants this specific action on this specific resource to this specific identity.”
GCP launched its IAM model with a different flavour in 2012 — hierarchical, additive, binding-based. Azure RBAC came to general availability in 2014, built on top of Active Directory’s identity model.
By 2015, the modern cloud IAM era was established. The primitives existed. The problem shifted from “does IAM exist?” to “are we using it correctly?” — and most teams were not.
The Problem IAM Actually Solves
Here’s the honest version of what IAM is for, based on what I’ve seen go wrong without it.
Without proper IAM, you get one of two outcomes:
The first is what I call the “it works” environment. Everything runs. The developers are happy. Access requests take five minutes because everyone gets the same broad policy. And then a Lambda function’s execution role — which had s3:* on * because someone once needed to debug something — gets its credentials exposed through an SSRF vulnerability in the app it runs. That role can now read every bucket in the account, including the one with the customer database exports.
The second is the “it’s secure” environment. Access is locked down. Every request goes through a ticket. The ticket goes to a security team that approves it in three to five business days. Engineers work around it by storing credentials locally. The workarounds become the real access model. The formal IAM posture and the actual access posture diverge. The audit finds the formal one. Attackers find the real one.
IAM, done right, is the discipline of walking the line between those two outcomes. It’s not a product you buy or a feature you turn on. It’s a practice — a continuous process of defining what access exists, why it exists, and whether it’s still needed.
The Core Concepts — Taught, Not Listed
Let me walk you through the vocabulary you need, grounded in what each concept means in practice.
Identity: Who Is Making This Request?
An identity is any entity that can hold a credential and make requests. In cloud environments, identities split into two types:
Human identities are engineers, operators, and developers. They authenticate via the console, CLI, or SDK. They should ideally authenticate through a central IdP (Okta, Google Workspace, Entra ID) using federation — more on that in EP10.
Machine identities are everything else: Lambda functions, EC2 instances, Kubernetes pods, CI/CD pipelines, monitoring agents, data pipelines. In most production environments, machine identities outnumber human identities by 10:1 or more.
This ratio matters. When your security model is designed primarily for human access, the 90% of identities that are machines become an afterthought. That’s where access keys end up in environment variables, where Lambda functions get broad permissions because nobody thought carefully about what they actually need, where the real attack surface lives.
Principal: The Authenticated Identity Making a Specific Request
A principal is an identity that has been authenticated and is currently making a request. The distinction from “identity” is subtle but important: the principal includes the context of how the identity authenticated.
In AWS, an IAM role assumed by EC2, assumed by a Lambda, and assumed by a developer’s CLI session are three different principals — even if they all assume the same role. The session context, source, and expiration differ.
{
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/DataPipelineRole"
}
}
In GCP, the equivalent term is member. In Azure, it’s security principal — a user, group, service principal, or managed identity.
Resource: What Is Being Accessed?
A resource is whatever is being acted upon. In AWS, every resource has an ARN (Amazon Resource Name) — a globally unique identifier.
arn:aws:s3:::customer-data-prod # S3 bucket
arn:aws:s3:::customer-data-prod/* # everything inside that bucket
arn:aws:ec2:ap-south-1:123456789012:instance/i-0abcdef1234567890
arn:aws:iam::123456789012:role/DataPipelineRole
The ARN structure tells you: service, region, account, resource type, resource name. Once you can read ARNs fluently, IAM policies become much less intimidating.
Action: What Is Being Done?
An action (AWS/Azure) or permission (GCP) is the operation being attempted. Cloud providers express these as service:Operation strings:
# AWS
s3:GetObject # read a specific object
s3:PutObject # write an object
s3:DeleteObject # delete an object — treat differently than read
iam:PassRole # assign a role to a service — one of the most dangerous permissions
ec2:DescribeInstances # list instances — often overlooked, but reveals infrastructure
# GCP
storage.objects.get
storage.objects.create
iam.serviceAccounts.actAs # impersonate a service account — equivalent to iam:PassRole danger
When I audit IAM configurations, I pay special attention to any policy that includes iam:*, iam:PassRole, or wildcards like "Action": "*". These are the permissions that let a compromised identity create new identities, assign itself more power, or impersonate other accounts. They’re the privilege escalation primitives — more on that in EP08.
Policy: The Document That Connects Everything
A policy is a document that says: this principal can perform these actions on these resources, under these conditions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadCustomerDataBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::customer-data-prod",
"arn:aws:s3:::customer-data-prod/*"
]
}
]
}
Notice what’s explicit here: the effect (Allow), the exact actions (not s3:*), and the exact resource (not *). Every word in this document is a deliberate decision. The moment you start using wildcards to save typing, you’re writing technical debt that will come back as a security incident.
How IAM Actually Works — The Decision Flow
When any API call hits a cloud service, an IAM engine evaluates it. Understanding this flow is the foundation of debugging access issues, and more importantly, of understanding why your security posture is what it is.
Request arrives:
Action: s3:PutObject
Resource: arn:aws:s3:::customer-data-prod/exports/2026-04-11.csv
Principal: arn:aws:iam::123456789012:role/DataPipelineRole
Context: { source_ip: "10.0.2.15", mfa: false, time: "02:30 UTC" }
IAM Engine evaluation (AWS):
1. Is there an explicit Deny anywhere? → No
2. Does the SCP (if any) allow this? → Yes
3. Does the identity-based policy allow this? → Yes (via DataPipelinePolicy)
4. Does the resource-based policy (bucket policy) allow or deny? → No explicit rule → implicit allow for same-account
5. Is there a permissions boundary? → No
Decision: ALLOW
The critical insight here: cloud IAM is deny-by-default. There is no implicit allow. If there is no policy that explicitly grants s3:PutObject to this role on this bucket, the request fails. The only way in is through an explicit "Effect": "Allow".
This is the opposite of how most traditional systems work. In a Unix permission model, if your file is world-readable (-r--r--r--), anyone can read it unless you actively restrict them. In cloud IAM, nothing is accessible unless you actively grant it.
When I’m debugging an AccessDenied error — and every engineer who works with cloud IAM spends significant time doing this — the mental model is always: “what is the chain of explicit Allows that should be granting this access, and at which layer is it missing?”
Why This Is Harder Than It Looks
Understanding the concepts is the easy part. The hard part is everything that happens at organisational scale over time.
Scale. A real AWS account in a growing company might have 600+ IAM roles, 300+ policies, and 40+ cross-account trust relationships. None of these were designed together. They evolved incrementally, each change made by someone who understood the context at the time and may have left the organisation since. The cumulative effect is an IAM configuration that no single person fully understands.
Drift. IAM configs don’t stay clean. An engineer needs to debug a production issue at 2 AM and grants themselves broad access temporarily. The temporary access never gets revoked. Multiply that by a team of 20 over three years. I’ve audited environments where 60% of the permissions in a role had never been used — not once — in the 90-day CloudTrail window. That unused 60% is pure attack surface.
The machine identity blind spot. Most IAM governance practices were built for human users. Service accounts, Lambda roles, and CI/CD pipeline identities get created rapidly and reviewed rarely. In my experience, these are the identities most likely to have excess permissions, least likely to be in the access review process, and most likely to be the initial foothold in a cloud breach.
The gap between granted and used. This one surprised me most when I first started doing cloud security work. AWS data from real customer accounts shows the average IAM entity uses less than 5% of its granted permissions. That 95% excess isn’t just waste — it’s attack surface. Every permission that exists but isn’t needed is a permission an attacker can use if they compromise that identity.
IAM Across AWS, GCP, and Azure — The Conceptual Map
The three major providers implement IAM differently in syntax, but the same model underlies all of them. Once you understand one deeply, the others become a translation exercise.
| Concept | AWS | GCP | Azure |
|---|---|---|---|
| Identity store | IAM users / roles | Google accounts, Workspace | Entra ID |
| Machine identity | IAM Role (via instance profile or AssumeRole) | Service Account | Managed Identity |
| Access grant mechanism | Policy document attached to identity or resource | IAM binding on resource (member + role + condition) | Role Assignment (principal + role + scope) |
| Hierarchy | Account is the boundary; Org via SCPs | Org → Folder → Project → Resource | Tenant → Management Group → Subscription → Resource Group → Resource |
| Default stance | Deny | Deny | Deny |
| Wildcard risk | "Action": "*" on "Resource": "*" |
Primitive roles (viewer/editor/owner) | Owner or Contributor assigned broadly |
The hierarchy point is worth pausing on. AWS is relatively flat — the account is the primary security boundary. GCP’s hierarchy means a binding at the Organisation level propagates down to every project. Azure’s hierarchy means a role assignment at the Management Group level flows through every subscription beneath it. The blast radius of a misconfiguration scales with how high in the hierarchy it sits.
This will matter in EP05 and EP06 when we go deep on GCP and Azure specifically. For now, the takeaway is: understand where in the hierarchy a permission is granted, because the same permission granted at the wrong level has a very different security implication.
Framework Alignment
If you’re mapping this episode to a control framework — for a compliance audit, a certification study, or building a security program — here’s where it lands:
| Framework | Reference | What It Covers Here |
|---|---|---|
| CISSP | Domain 1 — Security & Risk Management | IAM as a risk reduction control; blast radius is a risk variable |
| CISSP | Domain 5 — Identity and Access Management | Direct implementation: who can do what, to which resources, under what conditions |
| ISO 27001:2022 | 5.15 Access control | Policy requirements for restricting access to information and systems |
| ISO 27001:2022 | 5.16 Identity management | Managing the full lifecycle of identities in the organization |
| ISO 27001:2022 | 5.18 Access rights | Provisioning, review, and removal of access rights |
| SOC 2 | CC6.1 | Logical access security controls to protect against unauthorized access |
| SOC 2 | CC6.3 | Access removal and review processes to limit unauthorized access |
Key Takeaways
- IAM evolved from Unix file permissions → directory services → cloud policy engines, driven by scale and the failure modes of each prior model
- Cloud IAM is deny-by-default: every access requires an explicit Allow somewhere in the policy chain
- Identities are human or machine; in production, machines dominate — and they’re the under-governed majority
- A policy binds a principal to actions on resources; every word is a deliberate security decision
- The hardest IAM problems aren’t technical — they’re organisational: drift, unused permissions, machine identities nobody owns, and access reviews that never happen
- The gap between granted and used permissions is where attackers find room to move
What’s Next
Now that you understand what IAM is and why it exists, the next question is the one that trips up even experienced engineers: what’s the difference between authentication and authorization, and why does conflating them cause security failures?
EP02 works through both — how cloud providers implement each, where the boundary sits, and why getting this boundary wrong creates exploitable gaps.
Next: EP02 — Authentication vs Authorization: The Two Pillars of IAM