In 2025, identity isn’t just a login; it’s the foundation of every security boundary.
From on-prem servers to Kubernetes clusters and cloud consoles, identity is the new perimeter. For system and cloud administrators, mastering Identity and Access Management (IAM) means understanding how authentication, authorization, and accounting (AAA) work together and how to enforce them consistently across platforms.
The three pillars of IAM: AAA
| Function | Purpose | Common examples |
|---|---|---|
| Authentication | Prove who the user is. | Passwords, certificates, SSH keys, SSO tokens, biometrics. |
| Authorization | Decide what the user can do. | File permissions, IAM roles, sudo rules, RBAC policies. |
| Accounting / Auditing | Track what the user did. | Logs, change history, API audit trails. |
Each of these layers reinforces the others. A strong password policy without proper authorization still leaves the door open to privilege escalation, and detailed logging that cannot be tied back to a specific identity leaves blind spots in any investigation.
IAM across environments
Windows Active Directory
- Authentication: Kerberos (domain) or NTLM (local).
- Authorization: Group Policy, NTFS ACLs, and domain groups.
- Accounting: Event Viewer → Security log (events 4624 successful logon, 4625 failed logon, 4720 account created, 4726 account deleted).
PowerShell examples:

```powershell
# List domain admins:
Get-ADGroupMember -Identity "Domain Admins" | Select-Object Name, SamAccountName

# Detect recently added privileged users. Event 4728 = member added to a
# security-enabled global group; Properties[0] is the member added,
# Properties[2] the group name and Properties[6] the account that made the change.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728; StartTime=(Get-Date).AddDays(-7)} |
    Select-Object TimeCreated,
        @{n='UserAdded'; e={$_.Properties[0].Value}},
        @{n='Group';     e={$_.Properties[2].Value}},
        @{n='ChangedBy'; e={$_.Properties[6].Value}}
```
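As an added example that is not part of the original post, the same 4728 check expressed as detection logic in Python over a handful of constructed Security-log records exported as JSON, together with a 4625 failed-logon burst check and whether a 4624 success followed the burst. The event records, account names, domain and timestamps are all constructed for illustration, and the set of privileged groups is an assumption to adjust per domain.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: Security-log records exported to JSON with a few named
# properties (MemberName / TargetUserName / SubjectUserName). Not from a real domain.
SAMPLE_EVENTS_JSON = """[
  {"Id": 4728, "TimeCreated": "2025-03-10T09:15:00Z",
   "Properties": {"MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example",
                  "TargetUserName": "Domain Admins", "SubjectUserName": "svc_deploy"}},
  {"Id": 4728, "TimeCreated": "2025-01-02T08:00:00Z",
   "Properties": {"MemberName": "CN=ops1,CN=Users,DC=corp,DC=example",
                  "TargetUserName": "Domain Admins", "SubjectUserName": "admin1"}},
  {"Id": 4728, "TimeCreated": "2025-03-11T10:00:00Z",
   "Properties": {"MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example",
                  "TargetUserName": "Sales", "SubjectUserName": "helpdesk1"}},
  {"Id": 4625, "TimeCreated": "2025-03-11T22:01:00Z", "Properties": {"TargetUserName": "jdoe"}},
  {"Id": 4625, "TimeCreated": "2025-03-11T22:01:05Z", "Properties": {"TargetUserName": "jdoe"}},
  {"Id": 4625, "TimeCreated": "2025-03-11T22:01:09Z", "Properties": {"TargetUserName": "jdoe"}},
  {"Id": 4624, "TimeCreated": "2025-03-11T22:02:00Z", "Properties": {"TargetUserName": "jdoe"}},
  {"Id": 4625, "TimeCreated": "2025-03-11T22:05:00Z", "Properties": {"TargetUserName": "bsmith"}}
]"""

# Groups whose membership changes always deserve review (assumed list; extend per domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def load_events(text):
    return json.loads(text)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recent_privileged_additions(events, now_iso, days=7):
    """4728 events that added a member to a privileged group within the last `days`.
    Returns (member, group, actor) tuples; the actor is the account that made the change."""
    cutoff = _ts(now_iso) - timedelta(days=days)
    hits = []
    for e in events:
        p = e["Properties"]
        if e["Id"] == 4728 and p["TargetUserName"] in PRIVILEGED_GROUPS and _ts(e["TimeCreated"]) >= cutoff:
            hits.append((p["MemberName"], p["TargetUserName"], p["SubjectUserName"]))
    return hits


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` 4625 (failed logon) events inside any `window`.
    Maps user -> True if a 4624 (successful logon) for the same account followed the burst."""
    failures, successes = {}, {}
    for e in events:
        user = e["Properties"]["TargetUserName"]
        if e["Id"] == 4625:
            failures.setdefault(user, []).append(_ts(e["TimeCreated"]))
        elif e["Id"] == 4624:
            successes.setdefault(user, []).append(_ts(e["TimeCreated"]))
    report = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                report[user] = any(t > burst_end for t in successes.get(user, []))
                break
    return report


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS_JSON)
    for member, group, actor in recent_privileged_additions(evts, "2025-03-12T00:00:00Z"):
        print(f"[priv-add] {member} -> {group} by {actor}")
    for user, followed_by_success in failed_logon_bursts(evts).items():
        print(f"[burst] {user} success_after_burst={followed_by_success}")
```

Run against a real export, replace the JSON string with the output of `Get-WinEvent ... | ConvertTo-Json` and map the positional `Properties` array to the named fields the code expects; the identity correlation (who changed which group, which account the failures target) is what turns a raw log into an audit finding.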
Linux
- Authentication: PAM modules, /etc/passwd and /etc/shadow, or LDAP.
- Authorization: File ownership, sudo policy, SELinux/AppArmor profiles.
- Accounting: /var/log/auth.log or /var/log/secure.
Bash snippets:

```bash
# List users with sudo privileges (Debian/Ubuntu use the sudo group, RHEL/Fedora use wheel):
grep -Po '^(sudo|wheel):.*:\K.*$' /etc/group | tr ',' '\n'

# Find interactive accounts inactive for 90 days (or never logged in).
# lastlog -b 90 prints only records older than 90 days, including "Never logged in".
awk -F: '$7=="/bin/bash" {print $1}' /etc/passwd |
while read -r u; do
    lastlog -b 90 -u "$u" | awk 'NR>1'
done
```
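As an added example, not from the original post, the same two Linux checks implemented in Python over constructed /etc/passwd, /etc/group and lastlog-style data, then combined to surface the case that matters most for least privilege: sudo-capable accounts nobody has used in 90 days. The file contents, user names and login timestamps are constructed; the list of interactive shells and sudo groups is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample files; not copied from any real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
carol:x:1002:1002::/home/carol:/bin/bash
svc_backup:x:1003:1003::/var/backup:/bin/bash
"""
GROUP = """root:x:0:
sudo:x:27:alice,carol
wheel:x:10:bob
users:x:100:
"""
# Last-login epoch seconds per user, as lastlog records them; 0 means "Never logged in".
LASTLOG = {"root": 1741600000, "alice": 1741500000, "bob": 1730000000, "carol": 0}

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/zsh"}  # assumed set
SUDO_GROUPS = {"sudo", "wheel"}   # Debian-family uses sudo, RHEL-family uses wheel


def parse_passwd(text):
    """Map user -> login shell from /etc/passwd text."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def parse_group(text):
    """Map group -> set of supplementary members from /etc/group text."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            members[fields[0]] = set(filter(None, fields[3].split(",")))
    return members


def sudo_users(group_text):
    groups = parse_group(group_text)
    return sorted(set().union(*(groups.get(g, set()) for g in SUDO_GROUPS)))


def inactive_interactive_users(passwd_text, lastlog, now_epoch, days=90):
    """Interactive accounts whose last login is older than `days` or absent.
    Returns (user, last_login) with last_login as an ISO date or 'never'."""
    cutoff = now_epoch - days * 86400
    stale = []
    for user, shell in parse_passwd(passwd_text).items():
        if shell not in INTERACTIVE_SHELLS:
            continue
        last = lastlog.get(user, 0)
        if last == 0:
            stale.append((user, "never"))
        elif last < cutoff:
            stale.append((user, datetime.fromtimestamp(last, timezone.utc).date().isoformat()))
    return stale


def stale_sudo_users(passwd_text, group_text, lastlog, now_epoch, days=90):
    """Sudo-capable accounts that are also inactive: unused privilege is the first thing to prune."""
    inactive = {u for u, _ in inactive_interactive_users(passwd_text, lastlog, now_epoch, days)}
    return [u for u in sudo_users(group_text) if u in inactive]


if __name__ == "__main__":
    now = 1741737600  # 2025-03-12T00:00:00Z, fixed so the sample output is stable
    print("sudo-capable:", sudo_users(GROUP))
    print("inactive:", inactive_interactive_users(PASSWD, LASTLOG, now))
    print("stale sudo:", stale_sudo_users(PASSWD, GROUP, LASTLOG, now))
```

On a real host, feed it the contents of /etc/passwd and /etc/group plus a dictionary built from `lastlog` output (or from /var/log/lastlog directly), and replace the fixed `now` with `time.time()`; the shell filter is deliberately a set rather than the single `/bin/bash` match, since zsh or sh users are just as interactive.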
macOS
- Authentication: Local accounts or directory binding.
- Authorization: dseditgroup, sudoers, MDM policies.
- Accounting: Unified Logs (log show --predicate 'subsystem=="com.apple.Security"').
Zsh snippet:

```zsh
# List admin group members:
dscl . -read /Groups/admin GroupMembership
```
AWS IAM
- Authentication: AWS root user, IAM users, federated roles, STS tokens.
- Authorization: IAM policies and permission boundaries.
- Accounting: CloudTrail logs.
CLI examples:

```bash
# List IAM users without an MFA device. list-users does not return MFA data,
# so the check has to be made per user:
for u in $(aws iam list-users --query 'Users[].UserName' --output text); do
    [ "$(aws iam list-mfa-devices --user-name "$u" --query 'length(MFADevices)' --output text)" = "0" ] && echo "$u"
done

# Check least privilege with the policy simulator (it evaluates, it does not enforce).
# <ACCOUNT_ID> is a placeholder for your own account number:
aws iam simulate-principal-policy \
    --policy-source-arn arn:aws:iam::<ACCOUNT_ID>:user/Admin \
    --action-names s3:ListBucket ec2:TerminateInstances \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
```
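To make the simulator's verdicts concrete, here is an added example (not AWS code and not part of the original post) of the core evaluation rule it applies to an identity-based policy: an explicit Deny always wins, an Allow beats the default, and anything unmatched is an implicit deny. It runs the page's two actions, s3:ListBucket and ec2:TerminateInstances, against a constructed policy document, and adds a least-privilege check that flags wildcard Allow statements. The policy, ARNs and account id are constructed; conditions, NotAction, SCPs, permission boundaries and resource policies are deliberately left out of this simplified model.

```python
import fnmatch
import json

# Constructed identity-based policy document in the real IAM JSON shape; not from any account.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetObject"], "Resource": "arn:aws:s3:::app-logs*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
  ]
}"""


def load_policy(text):
    return json.loads(text)


def _as_list(value):
    # IAM allows either a string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any sequence, '?' a single character.
    # Action names are case-insensitive; ARNs are compared as written.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins over any Allow,
    an Allow beats the default, and with no matching statement the result is
    an implicit deny. Returns one of 'allowed', 'explicitDeny', 'implicitDeny'."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision


def overly_broad_statements(policy):
    """Indexes of Allow statements granting '*' or 'service:*' on every resource.
    These are the usual starting point when tightening a policy toward least privilege."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(i)
    return findings


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    checks = [("s3:ListBucket", "arn:aws:s3:::app-logs"),
              ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
              ("s3:PutObject", "arn:aws:s3:::app-logs/x")]
    for action, resource in checks:
        print(f"{action:24} {evaluate(policy, action, resource)}")
    print("overly broad statements:", overly_broad_statements(policy))
```

The decision names mirror the `EvalDecision` values the real simulator reports, which makes it easy to compare this model's output with `simulate-principal-policy` on the same actions; where they differ, the difference is in one of the mechanisms the model omits (conditions, boundaries, SCPs or resource policies), which is exactly what you then want to investigate.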
Azure AD / Entra ID
Microsoft Graph PowerShell examples (the MSOnline and AzureAD modules these checks were traditionally written against are deprecated in favour of the Microsoft.Graph cmdlets used here):

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","Policy.ReadWrite.ConditionalAccess"

# List users who have not registered any MFA method:
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserDisplayName, UserPrincipalName

# Create a Conditional Access policy requiring MFA for all users on all apps.
# Use State = "enabledForReportingButNotEnforced" first to see the impact before enforcing.
$policy = @{
    DisplayName   = "Require MFA"
    State         = "enabled"
    Conditions    = @{
        Users        = @{ IncludeUsers = @("All") }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```
Google Cloud IAM
- Authentication: Google Identity, Service Accounts, Federation.
- Authorization: IAM roles (primitive, predefined, custom).
- Accounting: Cloud Audit Logs.
gcloud snippets:

```bash
# List members with the Owner role (my-project is a placeholder project id):
gcloud projects get-iam-policy my-project \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/owner" \
    --format="table(bindings.members)"
```
Identity in a Zero-Trust world
Automating IAM Audits with R and JSON
```r
# Summarize inactive AWS IAM users.
# Input: aws iam list-users --output json > aws_iam_users.json
library(jsonlite)
library(dplyr)

iam_data <- fromJSON("aws_iam_users.json", flatten = TRUE)
iam_data$Users %>%
  # PasswordLastUsed is an ISO-8601 string and is absent (NA) for users who never used a password
  mutate(PasswordLastUsed = as.Date(PasswordLastUsed)) %>%
  filter(is.na(PasswordLastUsed) | PasswordLastUsed < Sys.Date() - 90) %>%
  select(UserName, CreateDate, PasswordLastUsed) %>%
  arrange(desc(PasswordLastUsed))

# Compare Azure and AWS policy overlap by name:
azure <- fromJSON("azure_roles.json", flatten = TRUE)
aws   <- fromJSON("aws_policies.json", flatten = TRUE)
intersect(azure$roleDefinitionName, aws$PolicyName)
```
Such quick checks can highlight excessive privileges or cross-cloud policy drift.
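As an added example that is not part of the original post, the same two audits in Python, working from a constructed copy of the IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded) rather than from list-users output, because the report also carries the mfa_active flag and access-key usage, so a user who never opens the console but whose key is in daily use is not wrongly reported as idle. The report rows, the account id 111122223333 and the Azure/AWS name lists are constructed, and only a subset of the real report's columns is included.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed credential report rows (a subset of the real report's columns, already decoded).
# The account id and all users are made up.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-05T10:00:00+00:00,not_supported,2025-03-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-02-01T09:00:00+00:00,true,2025-03-10T12:00:00+00:00,2024-12-01T09:00:00+00:00,N/A,true,true,2025-03-11T07:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2024-02-01T09:00:00+00:00,true,2024-11-15T12:00:00+00:00,2024-06-01T09:00:00+00:00,N/A,false,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-05-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-10-01T00:00:00+00:00
"""

# Constructed role/policy listings, shaped like the azure_roles.json / aws_policies.json inputs above.
AZURE_ROLES = [{"roleDefinitionName": "Reader"}, {"roleDefinitionName": "Security Admin"}]
AWS_POLICIES = [{"PolicyName": "ReadOnlyAccess"}, {"PolicyName": "Security Admin"}]


def _parse_time(value):
    """Report columns hold ISO-8601 timestamps or sentinels (N/A, no_information, not_supported)."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def _last_activity(row):
    """Most recent of password use and access-key use, or None if neither was ever recorded."""
    stamps = [_parse_time(row["password_last_used"]), _parse_time(row["access_key_1_last_used_date"])]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def audit_credential_report(csv_text, now_iso, days=90):
    """Return {user: [findings]} for console users without MFA and principals idle longer than `days`."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    cutoff = now - timedelta(days=days)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Only principals with a console password need MFA here; key-only users are a separate control
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        last = _last_activity(row)
        if last is None:
            issues.append("no recorded activity")
        elif last < cutoff:
            issues.append("inactive since " + last.date().isoformat())
        if issues:
            findings[row["user"]] = issues
    return findings


def cross_cloud_overlap(azure_roles, aws_policies):
    """Role/policy names present in both clouds: the places to diff permissions for drift."""
    return sorted({r["roleDefinitionName"] for r in azure_roles} & {p["PolicyName"] for p in aws_policies})


if __name__ == "__main__":
    for user, issues in audit_credential_report(CREDENTIAL_REPORT, "2025-03-12T00:00:00Z").items():
        print(f"{user}: {'; '.join(issues)}")
    print("shared names:", cross_cloud_overlap(AZURE_ROLES, AWS_POLICIES))
```

To run it on live data, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded text in; the sentinel handling matters because the real report mixes timestamps with `N/A`, `no_information` and `not_supported` in the same columns, which is exactly what trips up a naive date comparison.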
Key takeaways
- Identity is the new perimeter.
- Apply least privilege everywhere.
- Audit continuously, not quarterly.
- Use automation and JSON analysis to scale IAM visibility.
- Favor federated and passwordless authentication over static credentials.