
Cloud IAM


Cloud IAM presents unique challenges compared to traditional on-premises identity management. Cloud providers offer native IAM capabilities that must be integrated with enterprise IAM platforms to provide consistent governance across hybrid and multi-cloud environments.

Cloud IAM Comparison

Capability | AWS IAM | Azure RBAC / Entra ID | GCP IAM
--- | --- | --- | ---
Identity provider | IAM (AWS-native), IAM Identity Center (SSO) | Entra ID (formerly Azure AD) | Cloud Identity, Google Workspace
User type | IAM users, federated users, workload identities (roles) | Users, groups, service principals, managed identities | Google accounts, Google groups, service accounts
Role type | IAM roles (service-linked, customer-managed, AWS-managed) | Azure RBAC roles (built-in, custom), Entra ID directory roles | IAM roles (basic, formerly "primitive"; predefined; custom)
Policy language | JSON policy documents (identity, resource, SCP) | JSON role definitions (Azure RBAC); Azure Policy JSON for guardrails | IAM policy bindings (JSON/YAML) of members to roles at a resource
Federation | SAML 2.0, OIDC, custom identity broker | SAML 2.0, OIDC, WS-Fed | SAML 2.0, OIDC
Conditional access | IAM policy conditions, SCPs | Conditional Access policies | Context-aware access, VPC Service Controls
Resource hierarchy | Organisation → OU → Account → Resource | Management group → Subscription → Resource group → Resource | Organisation → Folder → Project → Resource
Privileged access | IAM Identity Center permission sets (time-bound sessions); IAM Access Analyzer and last-accessed data for right-sizing | PIM (Privileged Identity Management) | Privileged Access Manager (PAM)
Audit logging | CloudTrail | Azure Monitor (Activity Log, Diagnostic Settings), Entra ID sign-in and audit logs | Cloud Audit Logs

Workload Identity

Workload identity is how applications and services authenticate to cloud resources without using human credentials.

Cloud Workload Identity Methods

Cloud | Workload identity type | Use case | Credential lifecycle
--- | --- | --- | ---
AWS | IAM roles (EC2 instance profiles, Lambda execution roles, ECS task roles) | Identity for compute running inside AWS | Temporary STS credentials issued and rotated automatically by AWS
AWS | IAM Roles Anywhere | Workloads outside AWS that hold an X.509 certificate from a trusted CA | Certificate exchanged for short-lived STS credentials
Azure | Managed Identities (system-assigned, user-assigned) | Identity for Azure resources | Tokens issued by Entra ID; underlying credentials managed and rotated by Azure
Azure | Service principals (certificate or client secret) | Application identity, including outside Azure | Manual or automated rotation; a client secret is long-lived unless you rotate it
GCP | Service accounts | Identity attached to GCP resources | Google-managed keys rotate automatically; user-managed (downloaded JSON) keys are long-lived and must be rotated or, better, avoided
GCP | Workload Identity Federation | External workloads (AWS, Azure, on-prem, CI systems) | OIDC/SAML token exchange for short-lived access tokens; no service account key is created

Workload Identity Best Practices

Practice | Rationale | Implementation
--- | --- | ---
Prefer cloud-managed identities | Automatic credential rotation removes the secret you would otherwise have to protect | IAM roles, managed identities and service accounts instead of long-lived keys
Use short-lived credentials | Limits the blast radius and the window of a credential compromise | STS temporary credentials, OAuth tokens with short TTLs
Avoid long-lived access keys | Static keys leak through source control, images and logs and are a primary attack vector | Workload identity federation or managed identities; where a key is unavoidable, inventory it and rotate it
Restrict service account permissions | Least privilege applies to workloads too | Custom roles or scoped policies with only the permissions the workload needs
Monitor workload credential usage | Detects anomalous access patterns and unused credentials | CloudTrail / Activity Log / Cloud Audit Logs monitoring; credential and key last-used reports
Rotate secrets automatically | Regular rotation limits the exposure window | AWS Secrets Manager, Azure Key Vault, GCP Secret Manager rotation
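The "avoid long-lived access keys" and "monitor workload credential usage" rows reduce to one recurring check. The following is an added example, not code from the original page: it reads an AWS IAM credential report and flags active access keys that are older than a rotation threshold or have gone unused, and notes which of them belong to password-less (pure workload) users that should move to role-based identity instead of keys. The CSV is a constructed sample in the column layout of `aws iam get-credential-report` (real reports carry more columns), and the 90-day and 45-day thresholds are assumed policy values.

```python
"""Audit long-lived and unused IAM access keys from an AWS credential report.

Added example for this page, not code from the original. The CSV is a
constructed sample that follows the column names of
`aws iam get-credential-report` (real reports carry more columns than shown).
The 90-day and 45-day thresholds are assumed policy values.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-15T10:00:00+00:00,true,true,false,N/A,N/A,N/A,false,N/A,N/A,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-03-01T09:00:00+00:00,false,false,true,2021-03-01T09:05:00+00:00,2024-06-01T12:00:00+00:00,s3,false,N/A,N/A,N/A
legacy-batch,arn:aws:iam::123456789012:user/legacy-batch,2022-08-10T08:00:00+00:00,false,false,true,2022-08-10T08:01:00+00:00,N/A,N/A,true,2024-05-20T08:00:00+00:00,2024-06-02T03:00:00+00:00,dynamodb
alice,arn:aws:iam::123456789012:user/alice,2023-11-05T14:00:00+00:00,true,true,true,2024-05-25T14:00:00+00:00,2024-06-03T09:30:00+00:00,sts,false,N/A,N/A,N/A
"""

# Fixed clock so the sample gives reproducible results; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 4, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=45)      # assumed idle threshold before a key counts as unused


def _parse_ts(value):
    """Credential report timestamps are ISO 8601; 'N/A' and 'no_information' mean no data."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_access_keys(report_csv, now=NOW):
    """Return one finding per (user, key slot, rule) for active keys that break policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # A user with no console password exists only to hold keys: a workload that
        # should be moved to an IAM role, Roles Anywhere or a federated identity.
        workload_user = row["password_enabled"] != "true"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            rules = []
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                rules.append("older_than_90d")
            if last_used is None:
                rules.append("never_used")
            elif now - last_used > MAX_IDLE:
                rules.append("idle_over_45d")
            for rule in rules:
                findings.append({
                    "user": row["user"],
                    "key_slot": slot,
                    "rule": rule,
                    "recommendation": ("replace with role-based workload identity"
                                       if workload_user else "rotate or delete key"),
                })
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_REPORT):
        print(f"{f['user']:<14} key{f['key_slot']}  {f['rule']:<15} {f['recommendation']}")
```

On the sample this reports ci-deployer's three-year-old key and legacy-batch's never-used key, both on password-less users, so the recommendation is to retire the keys in favour of a role rather than just rotate them. Generating the report itself (`aws iam generate-credential-report`) and scheduling the check is the only part left to wire into your own tooling.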

Cloud IAM Federation

Federating Enterprise Identity to Cloud

Enterprise IdP ───SAML / OIDC───> Cloud IdP ───role mapping───> Cloud resources
(Okta, Ping,                      (AWS IAM Identity             (EC2, S3, RDS)
 One Identity)                     Center / IAM)
       │                                 │                             │
 user attributes                 attributes mapped to            access granted
 in the assertion                roles / permission sets         based on role policy

Federation Architecture

Component | AWS | Azure | GCP
--- | --- | --- | ---
External IdP trust | IAM identity provider (SAML/OIDC) or external IdP for IAM Identity Center | Entra ID External Identities / federation with an external IdP | Workforce Identity Federation
Attribute mapping | SAML assertion attributes → IAM role, session name and session tags | Claims → user attributes and group membership | SAML/OIDC attributes → principal and group mappings in the workforce pool
Provisioning | SCIM to IAM Identity Center | SCIM to Entra ID | SCIM to Cloud Identity
Role assignment | IAM roles assumed by federated users; permission sets in IAM Identity Center | Azure RBAC role assignments to users and groups | IAM policy bindings to principals and groups
Session duration | Configurable per role (default 1 hour, up to 12 hours via the role's MaxSessionDuration) | Token lifetime and Conditional Access sign-in frequency policies | Session length policy
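The AWS attribute-mapping row is concrete enough to show end to end. This is an added example, not code from the original page: it parses the AWS-specific attributes an IdP places in a SAML assertion (Role, RoleSessionName, SessionDuration, PrincipalTag:*) and derives what an AssumeRoleWithSAML call would need for a chosen role. The assertion is a constructed, unsigned sample; signature verification is done by STS against the registered saml-provider and is deliberately not reimplemented here, so the code illustrates the mapping and must not be used as an authorization check on its own.

```python
"""Map SAML assertion attributes to an AWS role session, as the federation
table above describes. Added example; not the page's code. The assertion is a
constructed, unsigned sample: on the real path the IdP signs it and STS
verifies that signature against the registered saml-provider, which this code
does not attempt, so it must never be used to make an access decision itself.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
ROLE_ATTR = AWS_ATTR + "Role"
SESSION_NAME_ATTR = AWS_ATTR + "RoleSessionName"
DURATION_ATTR = AWS_ATTR + "SessionDuration"
TAG_PREFIX = AWS_ATTR + "PrincipalTag:"

# Constructed sample; note the second Role value lists the ARNs in the reverse order.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/Okta,arn:aws:iam::123456789012:role/SecurityAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Department">
      <saml:AttributeValue>security</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Collect every <saml:Attribute> as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def offered_roles(attrs):
    """Return {role_arn: provider_arn}. Each Role value is 'role-arn,provider-arn';
    STS accepts the two ARNs in either order, so sort them out by type."""
    roles = {}
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role is None or provider is None:
            raise ValueError(f"Role value must pair a role ARN with a saml-provider ARN: {value!r}")
        roles[role] = provider
    return roles


def session_parameters(attrs, chosen_role_arn):
    """Build what AssumeRoleWithSAML needs for the chosen role (RoleArn, PrincipalArn,
    DurationSeconds) plus the session name and principal tags STS itself reads
    from the same assertion."""
    roles = offered_roles(attrs)
    if chosen_role_arn not in roles:
        raise PermissionError(f"{chosen_role_arn} is not among the roles the IdP asserted")
    duration = int(attrs.get(DURATION_ATTR, ["3600"])[0])
    if not 900 <= duration <= 43200:   # STS bounds; the role's MaxSessionDuration caps it further
        raise ValueError(f"SessionDuration {duration} outside 900..43200 seconds")
    tags = {name[len(TAG_PREFIX):]: values[0]
            for name, values in attrs.items() if name.startswith(TAG_PREFIX) and values}
    return {
        "RoleArn": chosen_role_arn,
        "PrincipalArn": roles[chosen_role_arn],
        "DurationSeconds": duration,
        "RoleSessionName": attrs.get(SESSION_NAME_ATTR, ["unknown"])[0],
        "PrincipalTags": tags,
    }


if __name__ == "__main__":
    a = parse_attributes(SAMPLE_ASSERTION)
    print(sorted(offered_roles(a)))
    print(session_parameters(a, "arn:aws:iam::123456789012:role/SecurityAdmin"))
```

Two points the table glosses over are visible here: the IdP, not the user, decides which roles appear in the assertion, so role selection is an IdP-side authorization decision; and the PrincipalTag values become session tags that the role's trust and permission policies can match with `aws:PrincipalTag`, which is how attribute-based access control is carried across the federation boundary.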

Multi-Cloud IAM

Managing IAM across multiple cloud providers requires abstraction and consistent governance:

Multi-Cloud IAM Architecture

┌──────────────────────────────────────────────────────────────┐
│               ENTERPRISE IdP (Okta / Entra ID)               │
│   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐     │
│   │ AWS IAM      │   │ Azure Entra  │   │ GCP Cloud    │     │
│   │ Identity Ctr │   │ ID           │   │ Identity     │     │
│   └──────┬───────┘   └──────┬───────┘   └──────┬───────┘     │
│          │                  │                  │             │
└──────────┼──────────────────┼──────────────────┼─────────────┘
           │                  │                  │
     ┌─────┴─────┐      ┌─────┴─────┐      ┌─────┴─────┐
     │    AWS    │      │   Azure   │      │    GCP    │
     │ Workload  │      │ Workload  │      │ Workload  │
     └───────────┘      └───────────┘      └───────────┘

Multi-Cloud IAM Challenges

Challenge | Impact | Mitigation
--- | --- | ---
Inconsistent policy languages | Different syntax and semantics for each cloud, so the same intent is written and reviewed three different ways | Policy-as-code abstraction layer (OPA, Crossplane) that normalises and checks policies before deployment
Identity silos | Separate user directories per cloud | Centralised enterprise IdP with federation to each cloud
Audit fragmentation | Logs in different formats and locations | Centralised SIEM with cloud log ingestion
Permission complexity | Different RBAC models and inheritance rules | Governance platform with cross-cloud entitlement visibility
Cost management | Over-permissioned identities can provision resources and create unexpected spend | Guardrails that constrain resource creation (SCPs, Azure Policy, GCP organisation policies) alongside IAM least privilege
Compliance consistency | Different compliance certifications per cloud | Unified compliance framework with cloud-specific control mapping

Cloud-Native PAM

Cloud Privileged Access Challenges

Challenge | Traditional PAM | Cloud-native approach
--- | --- | ---
Console access | PAM gateway proxies SSH/RDP | Cloud IdP with PIM/PAM and JIT elevation
API access | Poorly covered by a session-proxy PAM model | OAuth client credentials, mTLS, short-lived tokens
Service accounts | Manual management in a vault | Managed identities, automatic credential rotation
Infrastructure as Code | No IaC integration | Policy-as-code, GitOps for IAM policies
Multi-cloud | Single-cloud PAM focus | Cloud-agnostic PAM with federation

Cloud PAM Implementation Patterns

Pattern | Description | Example
--- | --- | ---
JIT elevation through cloud IdP | Cloud-native privilege elevation (Azure PIM, AWS IAM Identity Center) | User requests the "Security Admin" role, approved for 4 hours
Cloud credential vaulting | Cloud secret management with rotation | AWS Secrets Manager, Azure Key Vault
Session recording via cloud-native tools | API and console activity is logged as events rather than recorded as a session; interactive shell sessions can be logged separately | AWS CloudTrail and Azure Activity Log for API activity; AWS Systems Manager Session Manager session logging for shells
Policy-as-code enforcement | IAM policies validated in CI/CD pipelines before deployment | OPA Gatekeeper, AWS Config rules, Azure Policy
Just-enough-access via temporary credentials | Short-lived tokens scoped to specific actions | AWS STS AssumeRole with a session policy, Azure managed identity tokens
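The "inconsistent policy languages" challenge in the multi-cloud section and the "policy-as-code enforcement" pattern here are the same problem from two sides: normalise each cloud's policy format into one grant model and lint all of them with one rule set before deployment. The block below is an added example, written in Python as a stand-in for a Rego/OPA layer, and is not code from the page or from any of the listed tools. The AWS identity policy, Azure custom role definition and GCP IAM policy are constructed samples, and the rule set (wildcard actions, wildcard resources, iam:PassRole on any role, root-level assignable scope, GCP basic roles, public principals) is an assumption about what a team would choose to enforce.

```python
"""Normalise AWS, Azure and GCP policy documents into one grant model and lint
them with one rule set, the way a policy-as-code layer does before deployment.
Added example in Python rather than Rego; not code from the page. All three
documents are constructed samples and the rules are an assumed baseline.
"""
import json

AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

AZURE_ROLE_DEFINITION = {
    "Name": "deployer-custom",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

GCP_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}

GCP_BASIC_ROLES = {"roles/owner", "roles/editor"}
GCP_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants_from_aws(policy):
    """One grant per Allow statement; Deny statements only narrow access, so they are skipped."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        yield {"cloud": "aws", "principal": "<attached identity>",
               "actions": _as_list(stmt.get("Action", [])),
               "scopes": _as_list(stmt.get("Resource", []))}


def grants_from_azure(role_def):
    """A custom role definition is a grant template; exact NotActions entries are carved out."""
    not_actions = set(role_def.get("NotActions", []))
    yield {"cloud": "azure", "principal": role_def["Name"],
           "actions": [a for a in role_def.get("Actions", []) if a not in not_actions],
           "scopes": role_def.get("AssignableScopes", [])}


def grants_from_gcp(policy):
    """A binding grants one role to each member at the resource the policy is attached to."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield {"cloud": "gcp", "principal": member,
                   "actions": [binding["role"]], "scopes": ["<attached resource>"]}


def lint(grants):
    """Return (cloud, rule, detail) tuples for every grant that breaks the baseline."""
    findings = []
    for g in grants:
        cloud, actions, scopes = g["cloud"], g["actions"], g["scopes"]
        # Full wildcards: "*" anywhere, "service:*" (AWS), "Provider/*" (Azure)
        if any(a == "*" or a.endswith(":*") or a.endswith("/*") for a in actions):
            findings.append((cloud, "wildcard_action", g["principal"]))
        if cloud == "aws" and "*" in scopes:
            findings.append((cloud, "wildcard_resource", ",".join(actions)))
        if cloud == "aws" and "iam:PassRole" in actions and "*" in scopes:
            findings.append((cloud, "passrole_on_any_role", ",".join(actions)))
        if cloud == "azure" and "/" in scopes:
            findings.append((cloud, "assignable_at_root", g["principal"]))
        if cloud == "gcp" and any(a in GCP_BASIC_ROLES for a in actions):
            findings.append((cloud, "basic_role", g["principal"]))
        if cloud == "gcp" and g["principal"] in GCP_PUBLIC_MEMBERS:
            findings.append((cloud, "public_principal", ",".join(actions)))
    return findings


def lint_all():
    grants = [*grants_from_aws(AWS_POLICY),
              *grants_from_azure(AZURE_ROLE_DEFINITION),
              *grants_from_gcp(GCP_POLICY)]
    return lint(grants)


if __name__ == "__main__":
    print(json.dumps(lint_all(), indent=1))
```

Run against the rendered policies in a pull request and fail the pipeline on any finding; the value of the normalisation step is that a reviewer reads one finding format ("basic_role", "public_principal", "wildcard_resource") regardless of which cloud the policy targets, which is the abstraction the multi-cloud table asks for.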

Cloud Identity Governance

Governance activity | AWS | Azure | GCP
--- | --- | --- | ---
Entitlement visibility | IAM Access Analyzer, IAM Policy Simulator | Entra ID access reviews, Entra ID entitlement management | Policy Analyzer, Policy Troubleshooter
Access certification | IAM Access Analyzer external access findings | Entra ID access reviews (automated campaigns) | IAM Recommender, policy analysis
SoD analysis | IAM Access Analyzer custom policy checks | Entra ID entitlement management with access packages | Custom analysis through Cloud Asset Inventory
Privilege monitoring | IAM last accessed, unused keys report | PIM alerts, sign-in logs | Service account key last used, OAuth consent
Compliance validation | AWS Config, Security Hub | Microsoft Defender for Cloud | Security Command Center

Key Takeaways

  • Each cloud provider has a unique IAM model — AWS (policy-based), Azure (role-based with Entra ID), GCP (policy bindings) — but all support federation with enterprise IdPs via SAML 2.0 and OIDC
  • Workload identity (IAM Roles, Managed Identities, Service Accounts) should be preferred over long-lived access keys — cloud-managed identities with automatic rotation significantly reduce credential compromise risk
  • Cloud federation requires attribute mapping from enterprise IdP to cloud roles — SAML assertions carry user attributes that are mapped to IAM roles/policies at the cloud provider
  • Multi-cloud IAM challenges include inconsistent policy languages, identity silos, fragmented audit, permission complexity, and compliance inconsistency — centralised enterprise IdP federation and policy-as-code abstraction are key mitigations
  • Cloud-native PAM replaces traditional PAM gateway approaches — JIT elevation through cloud PIM/PAM, credential vaulting in cloud secret managers, and temporary credentials through STS are the cloud-native patterns
  • Cloud IAM governance is evolving — each provider offers entitlement visibility, access certification, privilege monitoring, and compliance validation tools that integrate with enterprise IGA platforms