Federated Identity, Least Privilege, JIT Privilege — With Evidence
Cloud IAM is how you prove who, decide what, and record why across AWS, Azure, and GCP.
SolveForce implements cloud identity as a Zero-Trust system: SSO/MFA federation → RBAC/ABAC entitlements → Just-in-Time (JIT) elevation via PIM/PAM → workload identity (no long-lived keys) — wired to SIEM/SOAR so audits pass cleanly.
Connective tissue:
☁️ Cloud → /cloud • 🔐 Identity → /iam • 👤 Lifecycle → /identity-lifecycle
🧷 Privileged → /pam • 🚪 Per-App → /ztna • 🛡️ Edge → /nac / /sase
🔑 Keys/Secrets → /key-management • /secrets-management • /encryption
📊 Evidence/Automation → /siem-soar
🎯 Outcomes (Why SolveForce Cloud IAM)
- One identity everywhere — SSO/MFA federation to AWS/Azure/GCP and SaaS; no shadow users.
- Least privilege, fast — RBAC/ABAC by attributes (role, BU, geo, risk), JIT elevation with approvals & recording.
- Keyless workloads — OIDC/SPIFFE/SVID federation; managed identities; remove long-lived keys from repos.
- Policy-as-code — guardrails that block risky changes before merge.
- Audit-ready — grants, revokes, reviews, PAM sessions, and policy diffs streamed to SIEM with WORM options.
🧭 Scope (What We Build & Operate)
- Federation & Access
  - AWS: IAM Identity Center / SAML, permission sets, account assignments, SCPs.
  - Azure: Entra ID federation, PIM (JIT), custom roles/role assignments, Conditional Access.
  - GCP: Org/Folders, IAM Conditions, Workload Identity Federation, VPC Service Controls for data perimeters.
- Entitlement Models
  - RBAC/ABAC with tags/conditions (env, data class, geo, device posture).
  - Birthrights vs. requestable roles (catalog), SoD rules, license governance.
- Privileged Access
  - JIT elevation (PIM/STS) with approvals, time-boxed roles, session recording (& CLI). → /pam
- Workload Identity & Secrets
  - AWS IRSA (K8s OIDC), Azure Managed Identity / Workload Identity, GCP Workload Identity Federation.
  - Secrets in vault; KMS/HSM CMKs; envelope encryption; rotation/quorum. → /secrets-management • /key-management
- Per-session Access
  - ZTNA for private apps; SASE for web/SaaS; NAC gates on device posture. → /ztna • /sase • /nac
- Governance & Reviews
  - Access reviews (managers/owners), SoD monitoring, event-driven recert for movers, exception workflow.
- Evidence & Detection
  - CloudTrail / Activity / Admin logs, Access Analyzer/Defender recommendations, SCC findings → SIEM/SOAR with detectors for wildcard policies and unused roles. → /siem-soar
🧱 Building Blocks (Spelled Out)
- Org Guardrails (Policy-as-Code)
  - Deny public storage; CMEK-required; blocked regions; restrict privileged actions to break-glass.
  - CI gates (OPA/Conftest/Checkov/Policy Controller) on IAM/IaC PRs. → /infrastructure-as-code
- Role Design
  - Small, composable roles; least-privilege statements; scoped resource ARNs/IDs; explicit session duration and MFA requirement.
  - ABAC tags (owner, env, data-class) enforced end-to-end.
- Key/Secret Elimination
  - Prefer OIDC/STS; detect & revoke static keys; rotate on HR/SoD or repo event.
- Conditional Access
  - Device posture (MDM/UEM + EDR), geo/ASN, risk score; step-up MFA for admin planes.
- Vendor & Contractor Access
  - Clientless ZTNA, sponsor & time-box, watermarks/recording for admin actions; auto-expire.
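The Role Design points (scoped ARNs, explicit MFA requirement) and the wildcard-policy and unused-role detectors listed under Evidence & Detection can be checked mechanically. The following is an added example, not SolveForce's or AWS's code: a small Python linter over role records shaped like `iam:GetRole` / `iam:GetRolePolicy` output. The 90-day idle threshold, the set of admin-plane action namespaces, and every role name, ARN and account id in the sample inventory are constructed assumptions.

```python
"""Least-privilege linter over an IAM role inventory.

Added example for the "Role Design" and "wildcard policy / unused role
detector" points above; it is not SolveForce's or AWS's code. The role
records follow the shape of iam:GetRole / GetRolePolicy output, but every
value below is constructed sample data, not output from a real account.
"""
from datetime import datetime, timedelta, timezone

# Assumptions, not AWS defaults: a role idle this long is a cleanup candidate,
# and these action namespaces are treated as the admin plane that must require MFA.
UNUSED_AFTER_DAYS = 90
ADMIN_PLANE_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement has a Bool/BoolIfExists aws:MultiFactorAuthPresent=true condition."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, value in pairs.items():
            if key.lower() == "aws:multifactorauthpresent" and operator.startswith("Bool"):
                if "true" in [str(v).lower() for v in _as_list(value)]:
                    return True
    return False


def lint_statement(statement):
    """Return finding codes for one Allow statement (Deny statements are not linted)."""
    if statement.get("Effect") != "Allow":
        return []
    findings = []
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    if "NotAction" in statement:
        findings.append("NOT_ACTION")  # Allow + NotAction grants everything not listed
    if any(a == "*" or a.endswith(":*") for a in actions):
        findings.append("WILDCARD_ACTION")  # full or service-wide action wildcard
    if "*" in resources:
        findings.append("WILDCARD_RESOURCE")  # not scoped to ARNs/IDs
    admin_plane = any(a == "*" or a.startswith(ADMIN_PLANE_PREFIXES) for a in actions)
    if admin_plane and not _requires_mfa(statement):
        findings.append("ADMIN_ACTION_WITHOUT_MFA")
    return findings


def lint_role(role, now):
    """Lint a role's policy documents and its last-used age."""
    findings = []
    for document in role["policies"]:
        for statement in _as_list(document.get("Statement")):
            for code in lint_statement(statement):
                findings.append((statement.get("Sid", "<no-sid>"), code))
    last_used = role.get("last_used")  # None means the role has never been used
    if last_used is None or now - last_used > timedelta(days=UNUSED_AFTER_DAYS):
        findings.append(("role", "UNUSED_ROLE"))
    return findings


def lint_inventory(roles, now):
    """Map role name -> findings; an empty list means the role passes."""
    return {role["name"]: lint_role(role, now) for role in roles}


# Constructed sample inventory and a fixed "now" so results are reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {   # Scoped read role: exact action, exact ARN, ABAC tag condition.
        "name": "app-reader",
        "last_used": NOW - timedelta(days=3),
        "policies": [{"Statement": [{
            "Sid": "ReadProdObjects", "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-app-bucket/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
        }]}],
    },
    {   # Admin-plane role done right: named actions, one key ARN, MFA required.
        "name": "kms-admin",
        "last_used": NOW - timedelta(days=10),
        "policies": [{"Statement": [{
            "Sid": "ManageOneKey", "Effect": "Allow",
            "Action": ["kms:CreateGrant", "kms:ScheduleKeyDeletion"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }]}],
    },
    {   # Legacy role: full wildcard, no MFA, idle for months.
        "name": "legacy-admin",
        "last_used": NOW - timedelta(days=200),
        "policies": [{"Statement": [{
            "Sid": "FullAccess", "Effect": "Allow",
            "Action": "*", "Resource": "*",
        }]}],
    },
]

if __name__ == "__main__":
    for name, findings in lint_inventory(SAMPLE_ROLES, NOW).items():
        print(name, "OK" if not findings else findings)
```

Run as-is, the two scoped roles pass and the legacy role collects four findings. In a CI gate of the kind described under Org Guardrails, a non-empty result for any role would fail the IAM/IaC pull request; the same function run nightly over the live inventory feeds the "standing admin roles = 0" and "orphaned accounts = 0" rows of the SLO table.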
🧰 Reference Architectures (Choose Your Fit)
A) Federated Enterprise (Multi-Cloud)
IdP SSO/MFA → AWS/Azure/GCP; permission sets/role assignments via catalog; SCP/Org Policies as rails; JIT via PIM/STS; logs → SIEM.
B) Cloud-Native K8s with Workload Identity
IRSA / Workload Identity Federation; no node credentials; secretless CI/CD; vault sidecar; policy controller blocks risky manifests.
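Architecture B relies on the role trust policy to bind an IRSA role to exactly one Kubernetes service account. The following added example (not SolveForce's or AWS's code) checks a trust policy for that binding. The OIDC provider id, account id and service account names are constructed placeholders; the `<provider>:sub` / `<provider>:aud` condition keys and the `sts.amazonaws.com` audience are the ones EKS web-identity tokens carry.

```python
"""Trust-policy check for an IRSA (IAM Roles for Service Accounts) role.

Added example for architecture B above; not SolveForce's or AWS's code.
The OIDC provider id, account id and service account names are constructed
placeholders. A trust policy passes only when the federated principal is the
cluster's provider, the sub claim is pinned to one service account, and the
audience is sts.amazonaws.com.
"""

# Constructed placeholders for the cluster's OIDC issuer and the account it lives in.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"
EXPECTED_AUDIENCE = "sts.amazonaws.com"


def _as_list(value):
    """Trust policies may use a string or a list for Principal/Action/Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_irsa_trust(policy, expected_service_account):
    """Return finding codes; [] means only the named service account can assume the role.

    expected_service_account has the form "system:serviceaccount:<namespace>:<name>".
    """
    findings = []
    sub_key = f"{OIDC_PROVIDER}:sub"
    aud_key = f"{OIDC_PROVIDER}:aud"
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(statement.get("Action")):
            continue  # only web-identity statements matter for this check
        principal = statement.get("Principal", {})
        if PROVIDER_ARN not in _as_list(principal.get("Federated")):
            findings.append("UNEXPECTED_FEDERATED_PRINCIPAL")
        condition = statement.get("Condition", {})
        equals = condition.get("StringEquals", {})
        like = condition.get("StringLike", {})
        sub_eq = _as_list(equals.get(sub_key))
        sub_like = _as_list(like.get(sub_key))
        if not sub_eq and not sub_like:
            findings.append("MISSING_SUB_CONDITION")  # any pod in the cluster could assume
        elif any("*" in s or "?" in s for s in sub_like):
            findings.append("WILDCARD_SUB")  # e.g. system:serviceaccount:*:*
        elif sorted(sub_eq + sub_like) != [expected_service_account]:
            findings.append("SUB_NOT_PINNED_TO_SERVICE_ACCOUNT")
        if EXPECTED_AUDIENCE not in _as_list(equals.get(aud_key)):
            findings.append("MISSING_AUD_CONDITION")  # tokens minted for another audience accepted
    return findings


EXPECTED_SA = "system:serviceaccount:payments:ledger-writer"  # constructed

# Constructed: the shape a scoped IRSA trust policy should have.
PINNED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC_PROVIDER}:sub": EXPECTED_SA,
        f"{OIDC_PROVIDER}:aud": EXPECTED_AUDIENCE,
    }},
}]}

# Constructed: a loosened trust policy that any service account in any namespace satisfies.
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:*:*"}},
}]}

if __name__ == "__main__":
    print("pinned:", check_irsa_trust(PINNED_TRUST, EXPECTED_SA) or "OK")
    print("loose: ", check_irsa_trust(LOOSE_TRUST, EXPECTED_SA))
```

The check belongs in the same policy-controller or CI gate that blocks risky manifests: a role whose trust policy is not pinned to one service account is a node-wide credential in disguise, which is exactly what "no node credentials" is meant to rule out.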
C) Data Perimeter (GCP + BigQuery/GCS)
VPC SC per perimeter; CMEK/HSM keys; IAP/ZTNA for admins; DLP tags/row-level security; Cloud Armor for APIs.
D) Azure PIM & Conditional Access
Entra PIM for admin roles (JIT + approval); device compliance required; privileged session recording; access reviews & identity governance.
E) Vendor “Clean Room”
ZTNA portal, SSO/MFA; requestable roles; scoped private endpoints; time-boxed accounts; audit-only credentials; SOAR auto-revoke on inactivity.
📐 SLO Guardrails (You Can Measure)
| KPI / SLO (p95 unless noted) | Target (Recommended) |
|---|---|
| Role/Policy propagation | ≤ 60–120 s |
| Joiner time to productive cloud access | ≤ 15–60 min post-HR create |
| Mover delta apply | ≤ 15 min |
| Leaver full revoke (human) | ≤ 5–15 min (IdP→SaaS→keys) |
| Leaver full revoke (privileged) | ≤ 1–5 min (kill sessions) |
| Standing admin roles | = 0 (JIT only) |
| Orphaned accounts (monthly) | = 0 |
| Evidence completeness (audits/incidents) | = 100% |
SLO breaches open tickets and trigger SOAR (bulk revoke, rotate keys, quarantine device, disable vendor). → /siem-soar
🔒 Compliance Mapping
- SOX / ISO 27001 / SOC 2 — approvals, recerts, change evidence in SIEM; least-privilege proof.
- PCI DSS — unique IDs, MFA, admin session recording (PAM), key custody & rotation, SoD.
- HIPAA — minimum necessary, termination procedures, access logs & BAAs.
- NIST 800-53/171 / CMMC — AC/IA/AU/CM families; workload identity; continuous monitoring.
- FedRAMP-aligned — org policies, continuous monitoring (SCC/Defender/GuardDuty), audit exports.
📊 Observability & Evidence
- Identity: SSO/MFA, Conditional Access, IAP/ZTNA decisions, PIM elevations.
- IAM: role/permission changes, Access Analyzer/Defender/SCC findings, anomalous API calls.
- Workloads: IRSA/WIF/OIDC token issuance logs; secret reads.
- PAM: approvals, session recordings, command logs.
Exported to SIEM, with SOAR playbooks for auto-revoke/rotate/notify and ticket linkage. → /siem-soar
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Baseline & scope — clouds, accounts/subscriptions/projects; HRIS/SoT; identity types (EE, contractor, service).
2) Federation & SSO/MFA — configure IdP; Conditional Access; device posture. → /iam
3) Org guardrails — SCP/Org Policies; deny-public; CMEK-required; restricted regions; log sinks.
4) Role design & catalog — RBAC/ABAC, SoD, birthrights vs requestable roles; approver matrix.
5) Privileged model — PIM/STS JIT; PAM session recording; break-glass w/ TTL + audit. → /pam
6) Workload identity — IRSA/Managed Identity/WIF; secretless CI/CD; policy controllers.
7) Revocation & reviews — leaver automations; quarterly recerts; mover triggers. → /identity-lifecycle
8) Evidence & detections — SIEM dashboards; SOAR playbooks; “wildcard policy” & unused role detectors. → /siem-soar
9) Operate & improve — SLO boards; monthly cleanup of unused entitlements; auto-remediation for drift.
✅ Pre-Engagement Checklist
- ☁️ Clouds/regions; account/subscription/project topology; on-ramps.
- 🔐 IdP/SSO/MFA posture; Conditional Access; device posture sources (MDM/UEM/EDR).
- 🧭 RBAC/ABAC strategy; SoD matrices; approver map; license governance.
- 🧷 PIM/JIT requirements; PAM tooling; break-glass SOP.
- 🤖 Workload identity plan (IRSA/Managed Identity/WIF); secrets/keys posture (vault/KMS/HSM).
- 🗂️ App & SaaS catalog; SCIM readiness; review cadence.
- 📊 SIEM/SOAR destinations; detectors; reporting cadence; audit calendar.
🔄 Where Cloud IAM Fits (Recursive View)
1) Grammar — identities traverse /connectivity & /networks-and-data-centers.
2) Syntax — enforced in /cloud via federation, org policies, and workload identity.
3) Semantics — /cybersecurity preserves truth; keys/logs/backups prove control.
4) Pragmatics — /solveforce-ai flags risky access and proposes safe reductions.
5) Foundation — consistent terms via /primacy-of-language; cataloged in the Codex.