Introduction
Ever wondered how companies control who can access what in their systems? That's IAM (Identity and Access Management): the backbone of secure authentication and authorization in cloud environments and enterprise networks.
The History of IAM
IAM started as simple username-password authentication, but modern IT environments required scalability, role-based access, and multi-factor authentication (MFA).
Key IAM Milestones
Year | Development | Notes
---|---|---
1960s | Unix Permissions | Simple file-based authentication
1990s | LDAP & Active Directory | Centralized user management
2000s | SAML, OAuth, OpenID | Web authentication standards
2010s | AWS IAM, Zero Trust | Cloud-based access control
2020s | Passwordless IAM | Biometrics, FIDO2, and hardware keys
Verdict: IAM evolved from simple logins to multi-layered security for cloud and enterprise systems.
How IAM Works
IAM systems ensure only authorized users can access specific applications, resources, or data.
IAM Components
- Identity Providers (IdP): Store and verify user identities (e.g., Azure AD, Okta).
- Authentication Mechanisms: Validate users via passwords, MFA, biometrics.
- Authorization Policies: Define who can access what (RBAC, ABAC, Zero Trust).
- Audit Logs & Compliance: Track access and prevent unauthorized activities.
Step-by-Step IAM Flow
- User logs in: IAM system verifies identity (password, SSO, MFA).
- IAM grants an access token: Based on permissions and roles.
- User accesses a resource: System checks authorization rules.
- Audit logs track activity: Ensures security and compliance.
This ensures least privilege access, reducing the risk of data breaches and insider threats.
IAM vs. Other Security Models
Feature | IAM | OAuth | RBAC | Kerberos
---|---|---|---|---
User Authentication | Yes | Yes | No | Yes
Access Control | Yes | No | Yes | No
Role-Based Permissions | Yes | No | Yes | No
Single Sign-On (SSO) | Yes | Yes | No | Yes
Cloud & API Access | Yes | Yes | No | No
Verdict: IAM combines multiple security principles, while OAuth, RBAC, and Kerberos focus on specific tasks.
10 IAM Code Examples
1. Creating an AWS IAM User via CLI
```bash
# Create a new IAM user named dev_user; it has no permissions until a policy is attached
aws iam create-user --user-name dev_user
```
2. Assigning a Policy to an IAM User (AWS CLI)
```bash
# Attach the AWS-managed read-only S3 policy to dev_user
aws iam attach-user-policy --user-name dev_user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```
3. Creating an IAM Role with JSON Policy (AWS CLI)
The permissions policy below grants every S3 action on every resource. That is convenient for a demo but far broader than least privilege; in practice, narrow both Action and Resource to what the role actually needs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
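To see what a policy document like the one above actually permits, here is an added example (not code from the original post) of a minimal evaluator for AWS-style policy documents. It implements the rule practitioners rely on when reviewing policies: requests are implicitly denied, a matching Allow grants access, and a matching explicit Deny overrides every Allow. The sample policy is constructed for this example and adds a Deny on a made-up `prod-logs` bucket prefix; NotAction, NotResource and Condition blocks are deliberately not modelled.

```python
import fnmatch
import json

# Constructed sample policy: the broad Allow from the post, plus an explicit
# Deny that protects one bucket prefix from deletion.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::prod-logs*"}
  ]
}
"""

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case):
    # '*' and '?' wildcards; action names are case-insensitive, ARNs are not.
    patterns = _as_list(patterns)
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for a single (action, resource) request.

    Implicit deny by default; a matching Allow grants access; a matching
    explicit Deny wins over every Allow, regardless of statement order.
    """
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Parsed once at import so callers can evaluate requests against it directly.
policy = json.loads(POLICY_JSON)
```

Running `evaluate(policy, "s3:DeleteObject", "arn:aws:s3:::prod-logs/app.log")` returns "Deny" even though the first statement allows `s3:*`, which is exactly the behaviour a policy review should confirm.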
4. Creating an IAM Role in Python (Boto3)
```python
import json
import boto3

iam = boto3.client("iam")

# Trust policy: only the EC2 service may assume this role.
trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

response = iam.create_role(
    RoleName="DeveloperRole",
    AssumeRolePolicyDocument=json.dumps(trust_policy),
)
# The response contains the new role's ARN and metadata; permissions are
# attached separately (see examples 2 and 3).
print(response["Role"]["Arn"])
```
5. Checking IAM Policies in AWS CLI
```bash
# List the AWS-managed policies available in the account (use --scope Local for customer-managed ones)
aws iam list-policies --scope AWS
```
6. Authenticating with OAuth (Python Flask Example)
```python
from flask import Flask
from authlib.integrations.flask_client import OAuth

app = Flask(__name__)
oauth = OAuth(app)

# Register Google as an OAuth 2.0 provider. Replace the placeholder
# credentials with values loaded from configuration, not from source control.
oauth.register(
    "google",
    client_id="GOOGLE_CLIENT_ID",
    client_secret="GOOGLE_CLIENT_SECRET",
    authorize_url="https://accounts.google.com/o/oauth2/auth",
    access_token_url="https://oauth2.googleapis.com/token",
)

@app.route("/login")
def login():
    # Redirect the user to Google; the redirect URI must match the one
    # registered with the provider and the /callback route below.
    return oauth.google.authorize_redirect("http://localhost/callback")

@app.route("/callback")
def callback():
    # Exchange the returned authorization code for an access token.
    token = oauth.google.authorize_access_token()
    return "Authenticated" if token else ("Login failed", 401)
```
7. Implementing Role-Based Access Control (RBAC) in Python
```python
# Map each role to the actions it is allowed to perform.
roles = {
    "admin": ["read", "write", "delete"],
    "user": ["read"],
}

def has_permission(role, action):
    # Unknown roles get an empty permission list, so they are denied everything.
    return action in roles.get(role, [])

print(has_permission("admin", "delete"))  # True
print(has_permission("user", "delete"))   # False
```
8. Setting Up SSH Key-Based Authentication
```bash
# Generate a 2048-bit RSA key pair tagged with a comment; the public key goes into
# ~/.ssh/authorized_keys on the server. (-t ed25519 is the modern alternative.)
ssh-keygen -t rsa -b 2048 -C "user@example.com"
```
9. Listing a User's IAM Access Keys (AWS CLI)
```bash
# Show the access key IDs, status and creation dates for dev_user,
# a quick check for stale or unexpected credentials
aws iam list-access-keys --user-name dev_user
```
10. Enforcing Multi-Factor Authentication (MFA) in AWS IAM
```bash
# Bind a virtual MFA device to dev_user. The two codes are consecutive
# TOTP values from the device; the serial number is its ARN.
aws iam enable-mfa-device --user-name dev_user \
  --serial-number arn:aws:iam::123456789012:mfa/dev_user \
  --authentication-code-1 123456 --authentication-code-2 456789
```
Key Takeaways
- IAM is the foundation of modern access control and authentication.
- It supports user authentication, role-based access, and compliance tracking.
- IAM is essential for cloud security and API protection.
- Alternatives like OAuth, RBAC, and Kerberos complement IAM for specific use cases.