Cloud IAM is a distributed access control framework that governs who (identity) can perform what actions (authorization) on which resources across multi-cloud and hybrid environments. It enforces least privilege, enables centralized policy management, and secures both human and non-human identities — including service accounts, AI agents, and machine workloads — through authentication protocols, role assignments, and continuous verification. Modern IAM integrates zero trust principles, treating every access request as potentially hostile until cryptographically verified, and shifts from static permission models to attribute-based and policy-as-code approaches that adapt to context, risk signals, and organizational boundaries. With non-human identities now outnumbering humans by 82:1 in cloud environments and agentic AI adding new delegation complexity, identity remains the primary attack vector — protecting resources means governing every identity interaction, not just human logins.
What This Cheat Sheet Covers
This topic spans 16 focused tables and 176 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Core IAM Concepts
Every IAM system is built on a small set of primitives that repeat across providers, frameworks, and architectures. Mastering these definitions removes ambiguity when reading policies, designing access models, or debugging authorization failures.
| Concept | Example | Description |
|---|---|---|
| Identity | User, service account, AI agent, device | Entity that requests access; can be human, application, workload, or device. |
| Principal | arn:aws:iam::123456789012:user/alice | Authenticated identity making a request, mapped to an IAM entity. |
| Authentication | Password + MFA token | Verification that an identity is who it claims to be. |
| Authorization | Allow user to read S3 bucket | Determination of what actions an authenticated identity can perform. |
| Policy | JSON document with Allow/Deny | Formal rules defining permissions, evaluated on every request. |
| Role | ec2-read-only-role | Collection of permissions that can be assumed temporarily by an identity. |
| Permission | s3:GetObject, compute.instances.start | Granular action allowed on a specific resource type. |
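The authorization and policy rows above describe a document of Allow/Deny statements evaluated on every request. The following added example (not code from the original cheat sheet) shows that evaluation in miniature: a constructed policy in the AWS JSON shape, evaluated with the default-deny and explicit-deny-overrides semantics assumed here, so a reader can see why a broad Allow still cannot reach a resource covered by a narrower Deny.

```python
import fnmatch
import json

# Constructed sample policy in the Allow/Deny JSON shape from Table 1.
# It grants read access to one bucket but explicitly denies one sensitive prefix.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _matches(patterns, value, case_insensitive):
    """Wildcard match for Action/Resource fields ('*' and '?' as in IAM).
    Actions are compared case-insensitively; resource ARNs are compared as-is."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.
    Assumed semantics (modelled on AWS): nothing is allowed unless a statement
    allows it, and a single matching Deny overrides every Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins immediately
            decision = "Allow"         # keep scanning in case a Deny follows
    return decision


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/new.txt")]:
        print(f"{act:14} {res:55} -> {evaluate(POLICY, act, res)}")
```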