I often get questions about how to get started in IAM (Identity and Access Management), specifically which skills to learn and practice in order to work in IAM. In my opinion, one of the quickest and most useful ways to get started with understanding IAM is to set up your own environment on a cloud platform.
No matter whether you choose AWS, Azure, GCP, or something else, you will need to configure IAM controls for your environment. Most of these platforms provide you with some sort of initial root or global-administrator account, and it is best practice NOT to use that account for day-to-day tasks. Instead, you should set up separate identities (users, groups, and roles) with only the permissions they need for daily work.
You should also be sure to properly secure your root accounts. AWS, for example, will warn you right on the dashboard if you haven't set up MFA on your root user. MFA (multi-factor authentication) is a very common technology that you should be familiar with as an IAM professional.
While I personally have my own environments in AWS, Azure, and GCP, I am currently more familiar with AWS and Azure as I use them more. I have been using AWS for many years in my own business, and I use both AWS and Azure for my dev/test lab as well as on the job.
You can't go wrong with either of these, but there are a few reasons I would suggest starting with AWS if you can (even though I personally prefer the Azure interface). Two of those reasons are AWS Organizations and AWS IAM Identity Center.
Start with AWS Organizations and IAM Identity Center
Setting up an AWS Organization will give you experience using best practices to set up separate management, security, and workload accounts. This is great practice because you will then have to configure your users' access across those accounts.
I HIGHLY recommend enabling IAM Identity Center, which is basically an IdP (Identity Provider) built into AWS that enables SSO into multiple AWS accounts as well as any SaaS applications you connect.
Just by setting up your own environment, you'll get familiar with creating permission sets, assigning them to users or groups for specific accounts or applications, setting the MFA policy, and configuring SSO. And this can be done for free.
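To make the moving parts concrete, here is an added Terraform example (my illustration, not code from the original post) that builds the pieces described above: an Organization with Security and Workloads OUs, one member account in each, a service control policy that blocks the root user in member accounts so that everyone comes in through Identity Center instead, and an Identity Center group with a read-only permission set assigned to the security account. The OU names, account names, e-mail addresses, group name, and region are placeholders. It assumes you run it with management-account credentials and that IAM Identity Center has already been enabled once in the console; the Identity Center MFA settings themselves are configured in the console rather than here.

```hcl
# Added example, not from the original post. Placeholder names/e-mails throughout.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption; Identity Center lives in one region per org
}

# --- AWS Organizations: management account plus Security and Workloads OUs ---
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"                 # "ALL" is required for SCPs
  aws_service_access_principals = ["sso.amazonaws.com"] # lets Identity Center see the org
  enabled_policy_types          = ["SERVICE_CONTROL_POLICY"]
}

resource "aws_organizations_organizational_unit" "security" {
  name      = "Security"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Member accounts. Each e-mail must be unique across all of AWS (placeholders here).
resource "aws_organizations_account" "security" {
  name      = "security-tooling"
  email     = "aws-security@example.com"
  parent_id = aws_organizations_organizational_unit.security.id
}

resource "aws_organizations_account" "dev" {
  name      = "workload-dev"
  email     = "aws-workload-dev@example.com"
  parent_id = aws_organizations_organizational_unit.workloads.id
}

# SCP: deny every action to the root user of a member account. SCPs never apply to
# the management account, so attaching this at the org root is safe; the intent is
# that daily work happens through Identity Center identities, not root.
data "aws_iam_policy_document" "deny_member_root" {
  statement {
    sid       = "DenyMemberAccountRootUser"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    condition {
      test     = "StringLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:root"]
    }
  }
}

resource "aws_organizations_policy" "deny_member_root" {
  name    = "DenyMemberAccountRoot"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.deny_member_root.json
}

resource "aws_organizations_policy_attachment" "deny_member_root" {
  policy_id = aws_organizations_policy.deny_member_root.id
  target_id = aws_organizations_organization.org.roots[0].id
}

# --- IAM Identity Center: group + permission set + account assignment ---
data "aws_ssoadmin_instances" "this" {} # the instance enabled in the console

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

resource "aws_identitystore_group" "security_readers" {
  identity_store_id = local.identity_store_id
  display_name      = "SecurityReaders" # placeholder group; add users to it in Identity Center
}

# A permission set is a role template; the short session limits the lifetime of a stolen session.
resource "aws_ssoadmin_permission_set" "security_readonly" {
  name             = "SecurityReadOnly"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "security_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.security_readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Assignment = (principal, permission set, account): the group can now SSO into the
# security account as SecurityReadOnly. Repeat per account/permission set as needed.
resource "aws_ssoadmin_account_assignment" "readers_security" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.security_readonly.arn
  principal_id       = aws_identitystore_group.security_readers.group_id
  principal_type     = "GROUP"
  target_id          = aws_organizations_account.security.id
  target_type        = "AWS_ACCOUNT"
}
```

Two practical checks once this is applied: sign in to the Identity Center access portal as a member of SecurityReaders and confirm you only see the security account with the SecurityReadOnly role, and try any API call as the security account's root user to confirm the SCP denies it. Keep the management-account root user out of daily use and protected with MFA, since SCPs do not constrain it.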
Use Azure AD to get familiar with IAM as well
Azure AD (now called Microsoft Entra ID) is pretty much the same thing on the Microsoft side. It is an Identity Provider that lets you manage users, groups, and their access to resources within Azure, as well as logging into SaaS applications via SSO. To be honest, I think it is a little more straightforward (that could just be my Windows admin experience talking); that's why I suggest starting with AWS first. But you can definitely start with Azure!
I haven't spent too much time with GCP yet, but it is on my list to explore as well, and I'm sure the same kinds of tools are available. In short, I truly believe this is the best way for anyone to learn on their own, as the barrier to entry is pretty low.
Bottom line, there are options
IAM is a huge field, and there are tons of specialized applications and tools. However, I think starting with one of the big 3 cloud providers and getting familiar with the process of creating users and groups and assigning permissions to both will take you a long way in understanding how to securely manage identities in the cloud.
In my opinion, this also helps you build skills that translate well to non-cloud environments.
Here are a couple links to help you get started:
- What is IAM Identity Center? – https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html?icmpid=docs_sso_console
- What is Azure AD? – https://learn.microsoft.com/en-us/azure/active-directory/