Dear security people, Dear cloud engineers,

As some of you might know, for the last few years my focus area was security operations: basically doing everything to defend the company I worked for against threat actors.

This means everything around I&R, SIEM, EDR, threat hunting, managing various security solutions and implementing security controls around detection, prevention and response. This was in a traditional large-scale enterprise setup, which means preventing the worst-case scenario, which primarily is/was:

“let's prevent the bad guys taking over our Windows domain / stealing all our data”

and started at the Initial Access phase per MITRE ATT&CK.


As many of you will know, the journey to the public cloud is in full swing, and my (ex-)team and I have also had a focus on, and worked on, cloud security for the last 3 years.

Mostly Azure and GCP.

I recently changed jobs and my focus is now purely cloud security, with all of its security domains. In detail, this means the three main hyperscalers and security IN the cloud (what we are responsible for), not security OF the cloud (the vendor's/provider's responsibility).

Visualising IAM for all 3 Clouds

As IAM is the most critical security domain to ‘get right’ in the cloud, I was re-learning, testing (hacking/breaking/red-teaming vulnerable labs) and studying (AWS is new for me) IAM for all three clouds.

I was struggling somewhat with the different terminology used in the three clouds and the lack of visualisation (especially in the GCP documentation), and decided to ‘draw’ some things out so it ‘clicks’ in my head, along with some notes on the terminology used by the cloud providers.

To be honest it was a bit of an “Identity Crisis”, because I did wonder why I chose to do cloud security in full knowledge that I need to protect ‘all 3 clouds’…

One thing led to another, and the results are below…

Thank you, and I honestly hope you find it useful and that it helps you with your studies.

Notes / Caveats

The drawings / mind-maps grew naturally and, yes, are slightly different for each cloud. I tried to stay consistent, but I am also not spending the next 6 months re-drawing and perfecting this (I spent considerable personal time on this and my family is complaining :) )

Generally this is in no way a complete picture of all the IAM pieces in each cloud.

Federation topics, or specific services having their own unique IAM implementations/challenges, are not all shown, e.g. most PaaS databases have their own ‘database admin’, or all cloud storage solutions offer ‘access’ outside the main IAM service (mhh, except GCP…).

I am not 100% sure everything shown below is accurate, from text and bubble boxes to flows/links… but it should be very accurate.

I used the cloud providers' terminology.

Ping me on Twitter / Mastodon / LinkedIn if you see any key mistakes, or comment below if you identify mistakes or think a “key security risk” below is not highlighted (I am easy to find).

The diagrams/PDFs are best printed at A3 size, not A4 (or US Letter).

This was drawn in Miro as a ‘let me just quickly draw this out’ that grew over time, if anyone wonders.

Yes, AWS is complex (but also incredibly powerful / granular).

Read the cloud providers' documentation and try/test things in each cloud… this is not study or ‘pass the exam’ material (but it could help?).


AWS Diagram (version: 26 November 2022)

PDF vector graphics: open the PDF, as Medium compresses the embedded image to an unusable quality.


The Azure and GCP diagrams follow in the same format (version: 26 November 2022, PDF vector graphics); open the PDF for each, as Medium compresses the embedded image to an unusable quality.