Cloud IAM: From Zero to Master

Reading Time: 2 minutes

A 12-episode series on identity and access management across AWS, GCP, and Azure — from the foundational deny-by-default model to privilege escalation paths to zero trust architecture.

Written for: Security engineers, cloud architects, and DevOps practitioners who design, audit, or defend cloud access control at production scale. No vendor content. No marketing. Production-grade depth.

Format: Each episode is a standalone deep dive with ASCII diagrams, CLI examples, production gotchas, and compliance framework alignment (CISSP, ISO 27001, SOC 2). Read in order or jump to what you need.


Episode Guide

Ep.  Title                                                                            Status
 1   What Is Cloud IAM — and Why Every API Call Depends on It                         ✓ Published
 2   Authentication vs Authorization: AWS AccessDenied Explained                      ✓ Published
 3   IAM Roles vs Policies: How Cloud Authorization Actually Works                    ✓ Published
 4   AWS IAM Deep Dive: Users, Groups, Roles, and Policies Explained                  ✓ Published
 5   GCP IAM Policy Inheritance: How the Resource Hierarchy Controls Access           ✓ Published
 6   Azure RBAC Explained: Management Groups, Subscriptions, and Scope                ✓ Published
 7   OIDC Workload Identity: Eliminate Cloud Access Keys Entirely                     ✓ Published
 8   AWS IAM Privilege Escalation: How iam:PassRole Leads to Full Compromise          ✓ Published
 9   AWS Least Privilege Audit: From Wildcard Permissions to Scoped Policies          Coming Apr 19
10   SAML vs OIDC: Which Federation Protocol Belongs in Your Cloud?                   Coming Apr 20
11   Kubernetes RBAC and AWS IAM: The Two-Layer Access Model for EKS                  Coming Apr 21
12   Zero Trust Access in the Cloud: How the Evaluation Loop Actually Works           Coming Apr 22

Total reading time: ~4 hours across all 12 episodes.


What You’ll Be Able to Do

After completing this series you’ll be able to:

  • Explain the deny-by-default evaluation model and why cloud IAM is structurally different from traditional access control
  • Debug AWS AccessDenied errors systematically — identify whether the issue is the credential, the policy, or the trust chain
  • Design IAM architectures across AWS, GCP, and Azure that are auditable and maintainable at scale
  • Replace static service credentials with workload identity federation (IRSA, GKE Workload Identity, AKS Workload Identity)
  • Identify and block the IAM privilege escalation paths attackers use to move from limited access to full account compromise
  • Audit existing IAM configurations for over-permission using cloud-native tooling
  • Map IAM controls to CISSP Domain 5, ISO 27001, and SOC 2 CC6 requirements

Start Here

New to cloud IAM? Start with Episode 1, What Is Cloud IAM — the foundational model that everything else builds on.

Already know the basics? Jump to OIDC Workload Identity (EP07) if you’re dealing with static credential sprawl, or AWS IAM Privilege Escalation (EP08) if you’re doing a security review.

Get new episodes in your inbox → linuxcent.com/subscribe