
IAM - Identity and Access Management


IAM (Identity and Access Management) is a mechanism for centrally managing "who" can perform "what kind of operations" on "which resources." By integrally controlling authentication (identity verification) and authorization (granting of permissions), it ensures appropriate access to an organization's resources. With the spread of cloud environments, IAM has evolved from a mere user management tool into a security foundation at the core of zero trust architecture. IAM misconfiguration is one of the leading causes of data breaches and system compromises, making it a top-priority item on any security checklist.

The Difference Between Authentication and Authorization

The most important concept for understanding IAM is the distinction between authentication and authorization. These two are closely related but are entirely different processes.

Authentication
  • Verifies "who are you?"
  • Password, biometrics, MFA
  • Performed at login
  • Issues an ID token
Authorization
  • Determines "what are you allowed to do?"
  • Roles, policies, scopes
  • Performed at resource access
  • Validates the access token

A common misconception is to assume that "being able to log in means all operations are permitted." It is easier to understand if you think of authentication as the gatekeeper at the entrance and authorization as the key to each room. OAuth is a representative protocol for authorization, and SSO for authentication.

Comparison of Access Control Models

There are several models for implementing authorization in IAM, chosen according to an organization's scale and requirements. Designing access control is an area where the balance between security and operational efficiency is put to the test.

| Model | Decision criterion | Example | Challenge |
|-------|--------------------|---------|-----------|
| RBAC | Role | Administrator, editor, viewer | Role explosion (combinatorial growth) |
| ABAC | Attributes (department, time of day, IP) | The Condition element in AWS IAM policies | Increasing policy complexity |
| PBAC | Policy (rule engine) | OPA (Open Policy Agent) | High introduction and operating costs |

In practice, the mainstream approach is a hybrid one that uses RBAC as the foundation while combining ABAC where fine-grained control is needed. AWS IAM adopts exactly this hybrid model, allowing attribute-based conditions to be added to a role-based core structure via the Condition element.

The Principle of Least Privilege

The principle of least privilege is a concept that forms the foundation of IAM design. Users and services are granted only the minimum permissions necessary to carry out their tasks, and no unnecessary permissions whatsoever. In practice, however, it is easy to give in to the temptation to "just grant broad permissions to get things working." Just like a corporate password policy, IAM policies also require regular review and removal of unnecessary permissions.
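The hybrid model described above (a role-based Allow narrowed by ABAC conditions, with explicit Deny carve-outs that support least privilege) can be seen in a small policy evaluator. This is an added example, not code from the original article or from AWS: the policy document is constructed, and the evaluator models only the well-known IAM decision rules (default deny, explicit Deny wins over any Allow) and two condition operators, StringEquals and IpAddress.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policy (not from the page): a role-based Allow on one bucket,
# narrowed with ABAC-style Condition keys, plus an explicit Deny on a sub-prefix.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {
       "StringEquals": {"aws:PrincipalTag/department": "finance"},
       "IpAddress":    {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/restricted/*"}
  ]}""")

def _matches(pattern, value):
    # IAM-style wildcard match: '*' and '?' in Action/Resource patterns.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(cond, ctx):
    # Only StringEquals and IpAddress are modelled (assumption). A missing
    # context key or an unknown operator fails closed, i.e. the statement
    # does not apply.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "StringEquals":
                if actual != expected:
                    return False
            elif op == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            else:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified IAM decision: default deny; an explicit Deny beats any Allow."""
    decision = "deny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision
```

Changing the department tag or the source IP in the request context flips the result to "deny", which is the attribute-based narrowing the table attributes to the Condition element.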

Incidents Caused by IAM Misconfiguration

IAM misconfiguration is the leading cause of security incidents in cloud environments. The patterns of misconfiguration are wide-ranging, including public access permissions on S3 buckets, excessive IAM role permissions, and hard-coded access keys. In the 2019 Capital One incident, the combination of a WAF misconfiguration and excessive IAM role permissions led to the leak of the personal information of more than 100 million people.

To prevent such incidents, it is effective to introduce automated IAM policy auditing tools (such as AWS IAM Access Analyzer and Azure AD Privileged Identity Management) and to version-control configurations through Infrastructure as Code (IaC). When implementing zero trust security as well, IAM is the foundation that should be established first.
