Keith Worfolk

Our previous blog on cloud solution security examined the four foundational capabilities on which an effective security implementation is developed and deployed.

Cloud solution security architectures must be built progressively, with each layer of more advanced security functions built on the foundational capabilities beneath it.

In this second of three instalments, we look at three Identity and Access Management (IAM) implementations that form the next layer of your cloud solution security architecture, and at best practices for deploying them to further secure your cloud footprint.


Understand and master cloud IAM capabilities

Cloud IAM implementations enhance security by restricting access to shared resources, blocking unauthorized access, and limiting each resource's use to the users who actually need it.

Well-defined, thorough IAM policies enable more granular oversight and control by assigning permissions to specific user roles. Users receive only the permissions their role requires, so access is segregated by task and by the minimum set of resources needed, rather than by project membership.

Optimize cloud IAM configurations with the following best practices:

Develop robust top-level IAM policies that span all relevant cloud solution processes, users, IAM entities, and roles

Restrict authority to assume certain roles to necessary IAM entities – particularly those with higher levels of access

Adhere to the principle of least privilege within a broader Role-Based Access Control (RBAC) model. Because IAM misconfiguration is a major source of cloud exposure (and of the cost of cleaning it up), combining the two, roles for structure and least privilege within each role, is the best practice

Restrict access, and where possible individual actions, at the resource level rather than by domain or process

Note that the extent to which resource-level restrictions are possible depends on the Cloud Service Provider, and on the specific action:

On Lambda (serverless computing), the lambda:ListFunctions permission cannot be scoped to a resource ARN; the policy must say Resource "*", so granting it to an IAM entity lets that user or role list every Lambda function in the account

Up to 46% of Amazon Web Services (AWS) privileges cannot be restricted at the resource level

75% of EC2 privileges cannot be controlled at the resource level

Such gaps can be narrowed with other AWS features. Tag resources by application scope or sensitivity and reference the tags in policy conditions (attribute-based access control, using the aws:ResourceTag and aws:RequestTag condition keys), so that a statement which must carry Resource "*" still applies only to the tagged resources. AWS Organizations Service Control Policies (SCPs) can then bound what any principal in a member account can do, including the account's built-in root user, e.g. by denying sensitive actions outright. Note that SCPs apply to member accounts only, never to the organization's management account.

Other access-restriction gaps exist among Cloud Service Provider (CSP) services. It is critical for IAM teams to familiarize themselves with the platforms in use in order to develop IAM strategies, policies, and configurations best suited to the target cloud solution landscape.
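To make the resource-level point concrete, here is an added example (written for this post, not code from the original article or from AWS) that lints an IAM policy document for Allow statements granted on Resource "*" when the action could have been scoped to an ARN or limited by a tag condition. The set of wildcard-only actions and the sample policy (account ID, function name, tag) are constructed for the demo; the authoritative list of which actions support resource-level permissions is each service's "Actions, resources, and condition keys" reference.

```python
"""Lint an IAM policy for Allow statements that use Resource "*" where a
resource ARN or a tag condition would have done.  Added example for this
post, not code from the original article or from AWS."""

# Constructed subset of AWS actions that cannot be scoped to a resource ARN
# (the policy must say Resource: "*").  The authoritative source is each
# service's "Actions, resources, and condition keys" reference; this sample
# is an assumption for the demo and is deliberately incomplete.
WILDCARD_ONLY_ACTIONS = {
    "lambda:ListFunctions",
    "ec2:DescribeInstances",
    "s3:ListAllMyBuckets",
}

# Condition keys that turn a Resource "*" statement into tag-based (ABAC)
# access: the statement then applies only to resources carrying the tag.
TAG_CONDITION_KEYS = ("aws:ResourceTag/", "aws:RequestTag/")


def _as_list(value):
    """IAM allows either a string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _has_tag_condition(statement):
    for operator_block in statement.get("Condition", {}).values():
        if any(key.startswith(TAG_CONDITION_KEYS) for key in operator_block):
            return True
    return False


def find_overbroad_statements(policy):
    """Return (Sid, action) pairs for Allow statements whose Resource "*"
    could have been narrowed: the action supports resource-level permissions
    and no tag condition limits it.  Actions written with a wildcard
    (e.g. lambda:*) are always reported, since they cover scopable actions."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # already scoped to one or more ARNs
        if _has_tag_condition(stmt):
            continue  # ABAC: the tag condition is the resource restriction
        for action in _as_list(stmt["Action"]):
            if action not in WILDCARD_ONLY_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


# Constructed sample policy; the account ID, function name and tag are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Fine: nothing tighter than "*" is possible for this action.
            "Sid": "ListLambda", "Effect": "Allow",
            "Action": "lambda:ListFunctions", "Resource": "*"},
        {   # Fine: invoke right limited to a single function ARN.
            "Sid": "InvokeOrders", "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api"},
        {   # Fine: "*" but the tag condition limits it to one application's instances.
            "Sid": "ManageTaggedInstances", "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/app": "orders"}}},
        {   # Flagged: InvokeFunction and PassRole accept ARNs; DescribeInstances does not.
            "Sid": "TooBroad", "Effect": "Allow",
            "Action": ["lambda:InvokeFunction", "ec2:DescribeInstances", "iam:PassRole"],
            "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, action in find_overbroad_statements(SAMPLE_POLICY):
        print(f'{sid}: {action} is granted on Resource "*" but supports resource-level scoping')
```

Run against the sample, the linter reports only the two scopable actions in the TooBroad statement; the wildcard-only ec2:DescribeInstances in the same statement and the tag-conditioned EC2 statement pass, which is exactly the distinction the figures above describe.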


Enhance Demilitarized Zone (DMZ) filtering with resource-based controls

Cloud networks traditionally deploy a DMZ to minimize exposure between resources and untrusted networks, like the Internet. The DMZ buffer zone can be fortified further with internal filtering at the resource level:

Control which users and systems can reach which resources with groups: Active Directory security groups for identity-based access to directory and network resources, and cloud security groups (per-instance, stateful firewall rules) for network-level filtering

Enhance granularity with access policies at the object level (e.g. instances, containers, databases, buckets)

Let process and application owners manage access rules in terms of business objects, rather than per individual IT resource

Describe process flows with business- and domain-level objects (e.g. Web Server, Database, Gateway) and automate the generation of filtering rules from them at the appropriate levels

Leave it to expert IT security practitioners to translate these into resource-level controls as needed


Protect high privileges with Privileged Access Management

The innermost layer is protecting high privileges themselves (traditional Privileged Access Management, PAM) and securing access to the most critical, high-level resources. A current focus within the cloud community, standard PAM controls include:

Use the CSP's own IAM guardrails to limit privilege escalation. The precise controls differ by platform: in AWS, for example, a permissions boundary caps the maximum permissions a user or role can ever receive, whatever policies are attached to it later; in Azure, assigning the built-in Contributor role rather than Owner lets a principal manage resources without being able to grant access to others.

Run dynamic analysis of your cloud IAM configuration with third-party tools and act on their guidance. IAM scanning modules such as SkyArk can regularly detect and report the most privileged cloud entities, including "shadow admins" whose effective privileges are not obvious from their role names.

Establish Multi-Factor Authentication (MFA) for all administrator accounts. MFA is native to cloud platforms (or available through a well-integrated third-party tool) at no extra cost; there is no good reason not to implement this fundamental control.
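The following added example (written for this post, not AWS's evaluation engine) models two of these controls together: an AWS permissions boundary capping an over-broad identity policy, and a deny-unless-MFA statement protecting IAM administration. It is a deliberately simplified model of IAM policy evaluation: it handles explicit deny, the intersection of identity policies with a permissions boundary, and the Bool and BoolIfExists operators on aws:MultiFactorAuthPresent, and ignores resource policies, SCPs, session policies and every other condition key. The policies, account ID and ARNs are constructed for the demo.

```python
"""Simplified model of two PAM guardrails: an AWS permissions boundary capping
an over-broad identity policy, and a deny-unless-MFA statement.  Added example
for this post, not AWS's own evaluation engine; it models only explicit deny,
the identity-policy/boundary intersection and Bool/BoolIfExists on
aws:MultiFactorAuthPresent, and ignores resource policies, SCPs, session
policies and all other condition keys."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists blocks against the request context.
    With ...IfExists a missing key satisfies the condition, which is why the
    documented deny-without-MFA pattern uses BoolIfExists: a request with no
    MFA information at all is still denied."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _decision(policy, action, resource, context):
    """'Deny', 'Allow' or None (implicit deny) from one policy document."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else None


def is_allowed(identity_policies, boundary, action, resource, context=None):
    """An explicit Deny anywhere wins.  Otherwise the request needs an Allow
    from the identity policies AND, if a boundary is attached, from the
    boundary: a boundary never grants anything by itself, it only caps."""
    context = context or {}
    decisions = {_decision(p, action, resource, context) for p in identity_policies}
    boundary_decision = _decision(boundary, action, resource, context) if boundary else "Allow"
    if "Deny" in decisions or boundary_decision == "Deny":
        return False
    return "Allow" in decisions and boundary_decision == "Allow"


# Constructed samples; the account ID is a placeholder.
ADMIN_ACCESS = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Boundary attached to every developer role: whatever policy someone attaches
# later (even ADMIN_ACCESS), the role can never act outside S3 and Lambda.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow",
                                     "Action": ["s3:*", "lambda:*"],
                                     "Resource": "*"}]}

# Deny-unless-MFA for IAM administration, attached to administrator principals.
REQUIRE_MFA_FOR_IAM = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Deny", "Action": "iam:*",
                                      "Resource": "*",
                                      "Condition": {"BoolIfExists": {
                                          "aws:MultiFactorAuthPresent": "false"}}}]}

USER_ARN = "arn:aws:iam::123456789012:user/new-admin"


def developer_can_create_user():
    """Over-broad identity policy, but the boundary caps it: denied."""
    return is_allowed([ADMIN_ACCESS], DEVELOPER_BOUNDARY, "iam:CreateUser", USER_ARN)


def admin_can_create_user(mfa_context):
    """Administrator with the MFA guard; outcome depends on the request context."""
    return is_allowed([ADMIN_ACCESS, REQUIRE_MFA_FOR_IAM], None,
                      "iam:CreateUser", USER_ARN, mfa_context)


if __name__ == "__main__":
    print("developer with boundary -> iam:CreateUser:", developer_can_create_user())
    print("admin, no MFA           -> iam:CreateUser:",
          admin_can_create_user({"aws:MultiFactorAuthPresent": "false"}))
    print("admin, MFA              -> iam:CreateUser:",
          admin_can_create_user({"aws:MultiFactorAuthPresent": "true"}))
```

Two things the model makes visible that the prose cannot: the developer role is denied iam:CreateUser even though its attached policy says Action "*", because the boundary is intersected with (never added to) the identity policy; and the administrator is denied the same action both when the context says MFA is absent and when the context carries no MFA key at all, which is the case the BoolIfExists operator exists for.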


The specific IAM implementations needed to secure solutions effectively will differ by target architecture, the solutions designed, and the platform infrastructure. Consult expert advisers for guidance on securing your cloud footprint and solutions with an IAM configuration optimized to your needs.

This is the second in our 3-part blog series on securing cloud solutions. You can read the first blog on foundational capabilities here. Stay tuned for the final blog on advanced topics, publishing here on Thursday, November 9!

Talk to a Wavestone expert for guidance identifying and implementing the right IAM functions for your cloud solution security needs.


Keith Worfolk
Principal Consultant

Keith is a client-focused IT executive, innovation expert, and trusted industry advisor with a consistent record of delivering visionary enterprise and Cloud solutions, platforms (IaaS, PaaS, and SaaS), and BI/analytics and AI/ML solutions via secure, scalable architectures for growing organizations.
