ThreatFoundacademy
Cloud Security

IAM: the real cloud perimeter

Why identity, not the network, is where cloud breaches happen.


In the cloud, the network firewall isn’t the perimeter — identity is. Most cloud breaches are an identity or permissions failure, not a kicked-in firewall.

The model

  • Principals — users, roles, and services that can act.
  • Policies — what a principal is allowed to do (identity policies) and who can touch a resource (resource policies).
  • Roles — temporary, assumable identities; the right way to grant access without long-lived keys.

How cloud gets breached

  • Over-permissive policies (Action: "*", Resource: "*").
  • Leaked long-lived access keys in git, logs, or client code.
  • Privilege-escalation chains (a role that can edit policies → grant itself admin).
  • SSRF → metadata service → IAM credentials (see the SSRF lesson).

A single leaked long-lived access key with broad permissions is frequently game over for an entire account. Treat keys like passwords — and prefer not to have them at all.

Defense

Least privilege (grant only what’s needed), short-lived role credentials instead of static keys, MFA on humans, and full audit logging (CloudTrail) so you can see what an identity did.
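A small policy-review check for the two IAM problems named above (the `Action: "*", Resource: "*"` pattern and roles that can edit policies and so grant themselves more), shown beside a least-privilege replacement. This is an added example, not code from the lesson; the policy-edit action list and the sample bucket ARN are assumptions made for illustration.

```python
"""Flag over-permissive IAM policy statements (added example, not part of the lesson)."""
import json

# Actions that let a principal change IAM policies and so escalate its own
# privileges. Assumed list for illustration; extend it for your own environment.
POLICY_EDIT_ACTIONS = {
    "iam:putrolepolicy", "iam:attachrolepolicy", "iam:createpolicyversion",
    "iam:putuserpolicy", "iam:attachuserpolicy", "iam:*", "*",
}

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def find_risky_statements(policy_doc):
    """Return (statement index, reason) pairs for Allow statements that are
    wildcard-broad or that grant the ability to edit IAM policies."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((i, "Action and Resource are both '*': full admin"))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))
        if POLICY_EDIT_ACTIONS & set(actions):
            findings.append((i, "can edit IAM policies: privilege-escalation path"))
    return findings

# Constructed sample policies: the over-permissive one from the lesson and a
# least-privilege replacement scoped to one bucket prefix (ARN is made up).
ADMIN_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'
)
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::example-app-uploads/*"}]}""")

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_risky_statements(doc))
```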