Module 9: Identity and Access Control
Cloud IAM questions on the CCSP are not about configuring specific products. They test whether you understand identity federation, the principle of least privilege in multi-tenant environments, and why cloud IAM failures are the leading cause of cloud breaches.
Why Cloud IAM Is Different
In traditional environments, identity and access control is centralized — Active Directory, LDAP, a single boundary. Cloud introduces distributed identity across multiple providers, services, and APIs. The attack surface expands dramatically, and the exam expects you to understand why IAM misconfigurations are the number-one cause of cloud security incidents.
Identity Federation
Federation allows an organization to use its existing identity provider (IdP) to authenticate users across cloud services. The exam focuses on three federation standards:
SAML 2.0
Security Assertion Markup Language uses XML-based assertions to exchange authentication and authorization data between an IdP and a service provider (SP). SAML is mature and widely used for web-based SSO. The exam may present SAML as the appropriate choice for enterprise web application federation.
OAuth 2.0
An authorization framework (not authentication) that allows third-party applications to obtain limited access to a service. OAuth issues access tokens, not identity assertions. The exam tests whether you understand that OAuth alone does not authenticate users — it authorizes access to resources.
OpenID Connect (OIDC)
Built on top of OAuth 2.0, OIDC adds an identity layer: the IdP returns an ID token asserting who the user is alongside the OAuth access token, so a single flow provides both authentication and authorization. The exam may present scenarios where both authentication and API authorization are needed — OIDC is the appropriate answer.
Exam trap: OAuth 2.0 is not an authentication protocol. If a question asks about authenticating users, OAuth alone is incorrect. OIDC (which uses OAuth underneath) or SAML are authentication solutions. OAuth is for authorization — granting access to resources.
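The distinction behind this trap is easiest to see in code. The following is an added example, not part of the CCSP guide: a relying party that authenticates a user only from an OIDC ID token (checking signature, issuer, audience, expiry and nonce), and a resource server that authorizes a request from an OAuth access token (checking audience and scope). The issuer, client id, API audience and the HMAC-signed demo tokens are all constructed for the example; a real deployment would verify the IdP's asymmetric signatures with a JWT library.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; a real relying party takes the issuer from
# the IdP's discovery document and the client id from its own registration.
ISSUER = "https://idp.example.test"        # assumption
CLIENT_ID = "web-app-client"               # assumption
API_AUDIENCE = "https://api.example.test"  # assumption
SHARED_KEY = b"constructed-demo-key"       # HS256 only so the demo runs offline


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint a compact HS256 JWT from a claims dict (stands in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def _verified_claims(token: str, key: bytes) -> dict:
    """Check the signature and return the payload; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def authenticate_user(id_token: str, nonce: str, now: int, key: bytes = SHARED_KEY) -> str:
    """OIDC: establish WHO logged in. These are the checks OIDC Core requires of a
    relying party: signature, issuer, audience (this client), expiry, and the nonce
    that ties the token to the login request. Returns the subject identifier."""
    claims = _verified_claims(id_token, key)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims["sub"]


def authorize_request(access_token: str, required_scope: str, now: int,
                      key: bytes = SHARED_KEY) -> bool:
    """OAuth 2.0: decide WHAT a bearer may do at the resource server. Note what is
    absent: no nonce, and the audience is the API rather than the client. The token
    proves delegated access to a resource, not that a person logged in."""
    claims = _verified_claims(access_token, key)
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()


def demo(now: int = 1_700_000_000) -> dict:
    """Mint one token of each kind and show which question each one answers."""
    id_token = sign_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                           "exp": now + 300, "iat": now, "nonce": "login-nonce-42"})
    access_token = sign_token({"iss": ISSUER, "sub": "user-123", "aud": API_AUDIENCE,
                               "exp": now + 3600, "scope": "photos:read"})
    try:
        # Feeding an access token to the login check fails: wrong audience, no nonce.
        authenticate_user(access_token, "login-nonce-42", now)
        access_token_authenticates = True
    except ValueError:
        access_token_authenticates = False
    return {
        "id_token_subject": authenticate_user(id_token, "login-nonce-42", now),
        "access_token_authenticates": access_token_authenticates,
        "access_token_authorizes_read": authorize_request(access_token, "photos:read", now),
        "access_token_authorizes_write": authorize_request(access_token, "photos:write", now),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the exam point directly: the access token carries the same `sub` as the ID token, yet it cannot pass the authentication check because it was issued to the API's audience and is not bound to a login request, while it does authorize a `photos:read` call and refuses `photos:write`.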
Multi-Factor Authentication (MFA)
The exam treats MFA as a baseline control, not an optional enhancement. Cloud environments are accessible from anywhere, making stolen credentials especially dangerous. The exam expects you to know the three authentication factors (something you know, have, are) and to recognize that SMS-based MFA is weaker than authenticator apps or hardware tokens due to SIM-swapping attacks.
Privileged Access Management (PAM)
Cloud environments have powerful administrative accounts (root accounts, subscription owners, organization admins) that can bypass most controls. The exam tests PAM concepts including:
- Just-in-time (JIT) access: Elevate privileges only when needed, for a limited duration
- Break-glass procedures: Emergency access to privileged accounts with audit trails and automatic revocation
- Service accounts: Non-human identities used by applications and automation, which are often over-privileged and rarely rotated
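The three PAM concepts above fit together in one small mechanism. The following is an added example, not from the CCSP guide: an in-memory grant store in which a privilege exists only while a time-boxed grant is live (JIT), expiry is enforced on every check (automatic revocation), and emergency elevation without an approver is allowed but short-lived and flagged for review (break-glass). Class and method names, durations and the audit record layout are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: int
    expires_at: int
    reason: str
    approver: Optional[str]
    break_glass: bool


class JitAccessStore:
    """Time-boxed privilege grants with an audit trail (assumed design, in-memory).

    There are no standing privileges: a principal holds a role only while a Grant
    is live, and expiry is enforced on every authorization check.
    """

    def __init__(self, max_seconds: int = 3600, break_glass_seconds: int = 900):
        self.max_seconds = max_seconds
        self.break_glass_seconds = break_glass_seconds
        self._grants: list[Grant] = []
        self.audit: list[dict] = []

    def _log(self, event: str, grant: Grant, now: int, **extra) -> None:
        self.audit.append({"event": event, "at": now, "principal": grant.principal,
                           "role": grant.role, "break_glass": grant.break_glass, **extra})

    def elevate(self, principal: str, role: str, seconds: int, reason: str,
                now: int, approver: str) -> Grant:
        """Ordinary JIT elevation: bounded duration, a stated reason, and a second
        person approving. Self-approval is rejected."""
        if not 0 < seconds <= self.max_seconds:
            raise ValueError(f"duration must be 1..{self.max_seconds} seconds")
        if not reason.strip():
            raise ValueError("a reason is required")
        if approver == principal:
            raise ValueError("self-approval is not allowed")
        grant = Grant(principal, role, now, now + seconds, reason, approver, False)
        self._grants.append(grant)
        self._log("granted", grant, now, approver=approver, reason=reason)
        return grant

    def break_glass(self, principal: str, role: str, reason: str, now: int) -> Grant:
        """Emergency access when no approver is reachable (for example, the IdP is
        down): fixed short duration, no approver, and the event is flagged for review."""
        if not reason.strip():
            raise ValueError("a reason is required")
        grant = Grant(principal, role, now, now + self.break_glass_seconds,
                      reason, None, True)
        self._grants.append(grant)
        self._log("break_glass_used", grant, now, reason=reason, needs_review=True)
        return grant

    def revoke(self, principal: str, role: str, now: int, by: str) -> int:
        """Manual revocation before expiry; returns the number of grants removed."""
        doomed = [g for g in self._grants if g.principal == principal and g.role == role]
        for g in doomed:
            self._grants.remove(g)
            self._log("revoked", g, now, by=by)
        return len(doomed)

    def _expire(self, now: int) -> None:
        # Automatic revocation: anything past its expiry is dropped and recorded.
        for g in [g for g in self._grants if g.expires_at <= now]:
            self._grants.remove(g)
            self._log("auto_expired", g, now)

    def has_role(self, principal: str, role: str, now: int) -> bool:
        """Authorization check; expired grants are revoked as a side effect."""
        self._expire(now)
        return any(g.principal == principal and g.role == role for g in self._grants)

    def pending_review(self) -> list[dict]:
        """Break-glass events that a human still needs to review."""
        return [e for e in self.audit if e.get("needs_review")]
```

A check such as `store.has_role("alice", "subscription-owner", now)` is what the control plane would consult before honouring an administrative call; because every check expires stale grants first, a forgotten elevation cannot outlive its window, and every break-glass use lands in `pending_review()` until someone closes it out.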
Least Privilege in Cloud
The principle of least privilege is straightforward on-premises but complex in cloud. Cloud IAM policies can be incredibly granular — down to specific API actions on specific resources at specific times. The exam tests whether you understand that overly permissive policies (like granting full admin access because it is easier) violate least privilege and dramatically increase blast radius if credentials are compromised.
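To make the blast-radius argument concrete, here is an added example that is not from the CCSP guide: a small evaluator for policies written in the JSON shape most cloud IAM languages share (Effect, Action, Resource, Condition), applying default deny and deny-overrides-allow, plus a linter that flags the "full admin because it is easier" pattern. The two policies, the condition operators, the `request.hour` context key and the action and resource naming are all constructed for the example rather than taken from any provider's policy language.

```python
import fnmatch
from typing import Iterable, Optional


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], value: str) -> bool:
    """Wildcard match in the style of cloud IAM policy languages ('*' and '?')."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Tiny condition language (assumed), enough to express time-bound access."""
    for operator, tests in condition.items():
        if operator not in ("StringEquals", "NumericLessThan", "NumericGreaterThanEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in tests.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "NumericLessThan" and not actual < wanted:
                return False
            if operator == "NumericGreaterThanEquals" and not actual >= wanted:
                return False
    return True


def is_allowed(policies: list, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Default deny; a matching Allow grants unless any matching Deny exists."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(_as_list(stmt["Action"]), action):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            allowed = True
    return allowed


def find_overbroad(policy: dict) -> list:
    """Flag Allow statements that hand out far more than a task needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if "*" in actions and "*" in resources:
            findings.append((i, "full admin: Action '*' on Resource '*'"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append((i, f"every action of a service on every resource: {actions}"))
    return findings


def allowed_pairs(policies: list, actions: Iterable[str], resources: Iterable[str],
                  context: Optional[dict] = None) -> set:
    """Blast radius of a credential: which (action, resource) pairs it can reach."""
    return {(a, r) for a in actions for r in resources if is_allowed(policies, a, r, context)}


# Constructed sample policies: the lazy one and the scoped one.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["storage:GetObject", "storage:ListBucket"],
     "Resource": "bucket:reports/*",
     # only during working hours (context key and operators are assumptions)
     "Condition": {"NumericGreaterThanEquals": {"request.hour": 8},
                   "NumericLessThan": {"request.hour": 18}}},
    {"Effect": "Deny", "Action": "storage:*", "Resource": "bucket:reports/payroll/*"},
]}

SAMPLE_ACTIONS = ["storage:GetObject", "storage:PutObject", "compute:DeleteInstance"]
SAMPLE_RESOURCES = ["bucket:reports/q3.csv", "bucket:reports/payroll/p.csv", "vm:prod-db-1"]

if __name__ == "__main__":
    ctx = {"request.hour": 10}
    print("admin reach: ", len(allowed_pairs([ADMIN_POLICY], SAMPLE_ACTIONS, SAMPLE_RESOURCES, ctx)))
    print("scoped reach:", len(allowed_pairs([SCOPED_POLICY], SAMPLE_ACTIONS, SAMPLE_RESOURCES, ctx)))
    print("findings:    ", find_overbroad(ADMIN_POLICY))
```

Comparing `allowed_pairs` for the two policies over the same sample actions and resources is the blast-radius measure the paragraph describes: with the admin policy a leaked credential reaches every pair, with the scoped policy it reaches a single read of one report prefix during working hours, and even that excludes the payroll subtree because the explicit Deny overrides the Allow.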
Identity as the New Perimeter
In cloud environments without traditional network boundaries, identity becomes the primary security control. The exam expects you to understand the concept of zero trust architecture: never trust, always verify. Every access request is authenticated, authorized, and continuously validated regardless of where it originates.
Common Exam Traps
- Confusing authentication with authorization: Authentication verifies identity. Authorization determines what that identity can do. They are separate controls.
- Assuming federation eliminates the need for local accounts: Emergency break-glass accounts should exist outside the federated identity system in case the IdP fails.
- Overlooking non-human identities: Service accounts, API keys, and machine identities often have more access than human users and are frequently compromised.
Key Takeaways
Cloud IAM is the most critical control plane. Federation enables centralized identity across distributed services. OAuth is authorization, not authentication. MFA is a baseline, not an option. Privileged accounts require JIT access and monitoring. Least privilege must be enforced at the IAM policy level. Identity is the perimeter in cloud environments.