Cloud — Identity and Access Management (IAM) for the beginner

The different components of IAM for the major public cloud service providers — AWS, Azure, GCP, and OCI.

Monowar Mukul

Author: Monowar Mukul (AWS Certified Solutions Architect Professional, Azure Solutions Architect Expert, GCP Professional Cloud Architect, OCI Architect Professional)

Identity and Access Management (IAM) covers the practices and controls an organization uses to authenticate a user and to authorize what that user may do in its systems and applications.

In the past, organizations secured access by allowing users to reach company resources only from company-managed devices on premises. As remote work became the norm, that perimeter model stopped being viable, and IAM became the primary control for securing access to resources in the cloud.

Identity refers to the principals (people, and increasingly applications and services) that can authenticate (sign in) to a cloud account. Before any access to cloud resources is granted, it is crucial to establish that the principal attempting to authenticate is who it claims to be. Single Sign-On (SSO) and Multi-Factor Authentication (MFA) should be implemented to strengthen this step; MFA in particular should be enforced for every privileged account.

Once a user has authenticated, access management takes over. Successful authentication does not by itself grant access to anything: authorization policies must be defined so that each user receives only the access their work requires within the cloud environment.

A practical way to manage access at scale is to assign permissions to groups rather than to individual users, with each group's privileges defined at the appropriate level of granularity (for example an account or subscription, a project or resource group, or a single resource). Adding a user to a group or removing them from it then changes their access without touching any individual permission.

In Azure, every user who needs access to Azure resources requires a user account in Azure AD (now Microsoft Entra ID). The account holds the information used to authenticate the user at sign-in. Upon authentication, Azure AD issues an access token; Azure then uses the identity in that token, together with the user's role assignments, to decide which resources the user may access and what they may do with them.

External collaborators can be invited as guest users in the organization's directory (Azure AD B2B collaboration). The invitation is sent by email and contains a redemption link or a link to a shared application. Guest accounts should be reviewed periodically and removed when the collaboration ends.

Groups in Azure AD work much like groups in AWS IAM: users are added to a group, and the rights the group needs are assigned to the group rather than to each user.

Azure AD supports two types of groups. Security groups are used to manage user and device access to shared resources: permissions granted to the group apply to all of its members at once, instead of being added to each member individually. Microsoft 365 groups are collaboration groups that give members access to a shared mailbox, calendar, files, SharePoint site and similar resources; they can also include people from outside the organization.

Unlike AWS, Azure has no IAM role that a workload assumes in order to obtain temporary credentials. The equivalent building blocks are application registrations and service principals. An application is registered in Azure AD to obtain an identity, whether it is custom-developed or an off-the-shelf application that integrates with Azure AD (for example Office 365 or Salesforce); the service principal is the local representation of that application, and it is the object that receives role assignments and so gains access to Azure resources. To authenticate as its service principal, an application must present a client secret or a certificate. Certificates are preferable to secrets, and for workloads running inside Azure a managed identity removes the need to store either, because Azure issues the credential on the workload's behalf.

Azure uses Role-Based Access Control (RBAC) to grant permissions on resources. Role assignments can be made at management-group, subscription, resource-group or resource scope, and an assignment is inherited by every scope beneath the one where it was made, which allows for granular control. Assignments are additive: a principal's effective permissions are the union of everything granted to it directly and through its groups. Custom roles can be created when the built-in roles do not meet a specific requirement.
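To make the RBAC model above concrete, the following Python script is an added example (not code from the original post) that evaluates Azure-style role assignments the way the platform does: a role definition is a list of Actions minus NotActions with `*` wildcards, an assignment at a scope covers every child scope, and a principal's effective access is the union of its own and its groups' assignments. The subscription id, resource names, the "VM Operator" custom role and the principals are all made up; the built-in Reader and Contributor definitions are abbreviated from Azure's real ones.

```python
import fnmatch
from dataclasses import dataclass

# Role definitions modelled as Azure expresses them: Actions minus NotActions.
# Reader and Contributor are abbreviated from the real built-in roles
# (Contributor's NotActions list is longer); "VM Operator" is a hypothetical
# custom role. DataActions and deny assignments are omitted for brevity.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "VM Operator": {  # hypothetical: start/restart/read VMs, never delete them
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "not_actions": [],
    },
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group or service principal
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # management group, subscription, resource group or resource id


def action_matches(pattern: str, action: str) -> bool:
    """Azure operation patterns use '*' as a wildcard that may span '/'
    segments, which is exactly how fnmatch treats '*'. Names are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: str, action: str) -> bool:
    """A role grants an action when it matches Actions and not NotActions.
    NotActions only narrows this role; it is not a deny against other roles."""
    rd = ROLE_DEFINITIONS[role]
    return any(action_matches(p, action) for p in rd["actions"]) and not any(
        action_matches(p, action) for p in rd["not_actions"]
    )


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment at a scope applies to that scope and every scope beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_allowed(principal, action, resource_id, assignments, group_members):
    """Effective permission is the union over every assignment held directly or
    via group membership whose scope covers the resource and whose role allows
    the action. No matching assignment means implicit deny."""
    identities = {principal} | {g for g, members in group_members.items() if principal in members}
    return any(
        a.principal in identities
        and scope_covers(a.scope, resource_id)
        and role_allows(a.role, action)
        for a in assignments
    )


# Constructed sample tenant: subscription id, names and principals are made up.
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web-01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/test-01"
PROD_SA = PROD_RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs"

GROUP_MEMBERS = {"vm-operators": {"alice@example.com"}}
ASSIGNMENTS = [
    Assignment("alice@example.com", "Reader", SUB),        # read everything in the subscription
    Assignment("vm-operators", "VM Operator", PROD_RG),    # alice inherits this via the group
    Assignment("bob@example.com", "Contributor", DEV_RG),  # dev resource group only
]


def check(principal: str, action: str, resource_id: str) -> bool:
    return is_allowed(principal, action, resource_id, ASSIGNMENTS, GROUP_MEMBERS)


if __name__ == "__main__":
    for who, act, res in [
        ("alice@example.com", "Microsoft.Storage/storageAccounts/read", PROD_SA),
        ("alice@example.com", "Microsoft.Compute/virtualMachines/start/action", PROD_VM),
        ("alice@example.com", "Microsoft.Compute/virtualMachines/delete", PROD_VM),
        ("bob@example.com", "Microsoft.Compute/virtualMachines/delete", DEV_VM),
        ("bob@example.com", "Microsoft.Compute/virtualMachines/delete", PROD_VM),
        ("bob@example.com", "Microsoft.Authorization/roleAssignments/write", DEV_VM),
    ]:
        print(f"{who:18} {act:50} {'ALLOW' if check(who, act, res) else 'DENY'}")
```

Two points worth noticing in the output: Bob holds Contributor, yet cannot write role assignments in his own resource group, because Contributor's NotActions carve out Microsoft.Authorization; and Alice can start a production VM only through her group membership, so removing her from vm-operators is all that is needed to revoke that right.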

Policies are central to IAM in Google Cloud. A policy (the IAM allow policy) is attached to a resource and consists of bindings, each of which grants one role to a list of members (users, groups, service accounts or domains). Every resource has exactly one allow policy, and because policies are inherited down the resource hierarchy, the effective permissions on a resource are the union of its own policy and the policies of its parent project, folders and organization.

In Google Cloud (GCP), the organization is the root node of the resource hierarchy, with folders and projects beneath it. IAM in GCP includes organization-level roles such as Organization Admin and Project Creator. The Organization Admin defines the higher-level policies and assigns roles, while holders of the Project Creator role can create new projects within the organization. The Google Workspace (or Cloud Identity) super admin is the one who grants the Organization Admin role to selected users.
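The two GCP paragraphs above describe the allow-policy format and its inheritance down the hierarchy. The following Python script is an added example (not the post's code and not Google's tooling) that takes policies in the JSON shape `gcloud ... get-iam-policy --format=json` returns, merges an organization policy and a project policy into the effective bindings a project would see, and audits the bindings for the least-privilege problems a reviewer looks for first: public principals (`allUsers`, `allAuthenticatedUsers`), basic roles (`roles/owner`, `roles/editor`, `roles/viewer`) instead of predefined or custom roles, and roles granted to individual users rather than groups. The policies, identities and etags are constructed sample data.

```python
import json

# Constructed sample allow policies in the JSON shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json` and
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Identities and etags are made up.
ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:org-admins@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["group:platform-team@example.com"]}
  ],
  "etag": "BwXorg001",
  "version": 1
}
""")

PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-runner@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/viewer", "members": ["group:devs@example.com"]}
  ],
  "etag": "BwXproj001",
  "version": 1
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def effective_bindings(*levels):
    """Merge allow policies from the root of the hierarchy down to a resource.

    `levels` are (name, policy) pairs ordered organization -> folder ->
    project -> resource. GCP policies are additive and inherited, so a role
    granted at the organization is effective on every project beneath it.
    Returns {member: {(role, level_granted_at), ...}}.
    """
    merged = {}
    for level_name, policy in levels:
        for binding in policy.get("bindings", []):
            for member in binding["members"]:
                merged.setdefault(member, set()).add((binding["role"], level_name))
    return merged


def audit_policy(policy, level_name):
    """Flag bindings that work against least privilege.
    Returns a list of (level, role, member, finding) tuples."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append((level_name, role, member, "public-principal"))
            if role in BASIC_ROLES:
                findings.append((level_name, role, member, "basic-role"))
            if member.startswith("user:"):
                findings.append((level_name, role, member, "direct-user-grant"))
    return findings


if __name__ == "__main__":
    effective = effective_bindings(("organization", ORG_POLICY), ("project", PROJECT_POLICY))
    for member, grants in sorted(effective.items()):
        print(f"{member:60} {sorted(grants)}")
    for finding in audit_policy(ORG_POLICY, "organization") + audit_policy(PROJECT_POLICY, "project"):
        print("FINDING", finding)
```

The organization policy produces no findings, because it grants predefined roles to groups; the project policy produces five, and the `allUsers` binding on a bucket-viewer role is the one to fix first, since it makes the project's objects readable to the whole internet.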

Oracle Cloud IAM is the identity and access management service of Oracle Cloud Infrastructure (OCI). It manages user identities, controls access to resources and enforces security policies within an OCI tenancy, so that only authorized users and services can reach cloud resources. Its main building blocks are users, groups, dynamic groups (for compute instances and other resources that need to act as principals), policies, federation with external identity providers, and Multi-Factor Authentication (MFA). A distinctive OCI feature is the compartment, a logical container used to organize and isolate cloud resources. IAM lets you create and manage compartments and attach policies to them. An OCI policy is a human-readable statement of the form "Allow group <group> to <verb> <resource-type> in compartment <compartment>", where the verb (inspect, read, use or manage, each including the ones before it) sets the level of access; a policy written for a compartment also applies to the compartments nested inside it, and anything not explicitly allowed is denied.
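Because OCI expresses authorization as sentences rather than JSON, the useful thing to see is how those sentences are evaluated. The following Python script is an added example (not the post's code and not Oracle's implementation) that parses the common `Allow group ... to <verb> <resource-type> in compartment|tenancy ...` form, applies the verb hierarchy (manage includes use, read and inspect), lets a policy on a parent compartment cover its sub-compartments (written as `Parent:Child` paths), and treats any statement with a `where` condition conservatively as not matching, since evaluating conditions needs request context the script does not have. The group and compartment names are made up, and the family-to-resource table is a small illustrative subset of OCI's real aggregate types.

```python
import re

# Each verb includes every verb to its left: manage > use > read > inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Illustrative, partial mapping of OCI aggregate resource types ("families")
# to individual resource types; the real lists are longer.
FAMILIES = {
    "instance-family": {"instances", "instance-images", "volume-attachments", "console-histories"},
    "database-family": {"db-systems", "databases", "db-homes", "db-backups"},
}

# Supports the "Allow group ..." form only; dynamic groups, any-user and
# service subjects use the same shape and could be added to the alternation.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> dict:
    """Parse one policy statement; raise on anything the grammar above does not cover."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        # None means "in tenancy"; otherwise a path like ["Dev", "Databases"]
        "compartment": None if m["tenancy"] else m["compartment"].split(":"),
        "condition": m["condition"],
    }


def resource_covered(stmt_resource: str, requested: str) -> bool:
    return (
        stmt_resource == "all-resources"
        or stmt_resource == requested
        or requested in FAMILIES.get(stmt_resource, ())
    )


def compartment_covered(stmt_path, requested_path) -> bool:
    """Tenancy-level statements cover everything; a compartment statement covers
    that compartment and every compartment nested beneath it."""
    if stmt_path is None:
        return True
    return requested_path[: len(stmt_path)] == stmt_path


def is_allowed(group: str, verb: str, resource: str, compartment: str, statements) -> bool:
    """OCI has no deny statements: access is granted if any statement matches,
    otherwise implicitly denied."""
    requested_path = compartment.split(":")
    for s in statements:
        if s["condition"]:
            continue  # conditional statement: needs request context, treated as no match
        if (
            s["group"] == group
            and VERB_RANK[s["verb"]] >= VERB_RANK[verb]
            and resource_covered(s["resource"], resource.lower())
            and compartment_covered(s["compartment"], requested_path)
        ):
            return True
    return False


# Constructed sample policy; group and compartment names are made up.
POLICY_TEXT = """
Allow group Developers to use instance-family in compartment Dev
Allow group Developers to inspect all-resources in tenancy
Allow group DBAdmins to manage database-family in compartment Dev:Databases
Allow group SecOps to read all-resources in tenancy
Allow group Developers to manage buckets in compartment Dev where target.bucket.name = 'dev-scratch'
"""
POLICY = [parse_statement(line) for line in POLICY_TEXT.strip().splitlines()]


def can(group: str, verb: str, resource: str, compartment: str) -> bool:
    return is_allowed(group, verb, resource, compartment, POLICY)


if __name__ == "__main__":
    for req in [("Developers", "use", "instances", "Dev:Team-A"),
                ("Developers", "manage", "instances", "Dev"),
                ("DBAdmins", "manage", "databases", "Dev"),
                ("DBAdmins", "read", "databases", "Dev:Databases"),
                ("SecOps", "use", "instances", "Dev")]:
        print(f"{req!s:55} {'ALLOW' if can(*req) else 'DENY'}")
```

Note the asymmetry in the DBAdmins results: a policy scoped to `Dev:Databases` does not let the group manage databases that live directly in `Dev`, while the Developers policy on `Dev` does reach the `Dev:Team-A` sub-compartment. Scoping policies to the narrowest compartment that holds the resources is how least privilege is expressed in OCI.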

In conclusion, this post has given an overview of the essential IAM components of the major public cloud providers. IAM makes it possible to grant granular access to specific cloud resources in line with the principle of least privilege: every identity holds only the permissions it needs, and only for as long as it needs them.

Author's Bio

Monowar Mukul is currently working as a Solution Designer in the Cloud domain. He has over two decades of experience in IT management and hands-on work with various technologies (infrastructure, database, applications, DevOps). He has worked on large-scale IT transformation projects focused on business goals, such as next-gen platform migrations and cloud adoption through XaaS programs, across diverse business sectors in Australia, including tertiary education, energy, government, mining, transport, and finance. Additionally, Monowar Mukul holds certifications from all four major cloud vendors, namely AWS (Amazon Web Services) Solutions Architect Professional, Azure Solutions Architect Expert (Microsoft Azure), Google Professional Cloud Architect (Google Cloud Platform) and Oracle Cloud Infrastructure Architect Professional.


Monowar Mukul is a Cloud Solution Architect Professional. /*The statements and opinions expressed here are my own & nothing with my present or past employer*/