IAM Comprehensive List - razmipatel/Random GitHub Wiki
Comprehensive IAM Controls for Cloud Applications (Aligned to NIST SP 800-53 Rev. 5 & CSF)
This markdown document provides a comprehensive list of IAM controls applicable to SaaS, PaaS, and IaaS platforms, covering authentication, access control, identity lifecycle, privileged access, and governance.
Each control includes:
- Control Name
- Description (NIST-aligned)
- Expected Implementation Evidence
- Platform Applicability
Due to length, only the summary description is presented here. Full detail is provided in the exported document.
Control Name | Description | Expected Implementation Evidence | Platform Applicability |
---|---|---|---|
IAM Governance Policy & Procedures | Establish documented IAM policy defining responsibilities and processes. | Policy document, governance role assignments, periodic reviews. | All |
Identity Lifecycle Management | Manage full user and service identity lifecycle with defined owners. | Provisioning/deprovisioning records, inactive account reports. | All |
Multi-Factor Authentication (MFA) | Enforce MFA for all users, especially privileged roles. | Config settings, enforcement policies, logs. | All |
Federated Single Sign-On (SSO) | Use SAML/OIDC with centralized IdP to unify identity policies. | SSO configs, IdP metadata, authentication flow evidence. | All |
Authenticator Management & Password Policy | Securely manage passwords, keys, certificates, and API secrets. | Password policies, secrets vault logs, rotation evidence. | All |
Role-Based Access Control (RBAC) | Access decisions based on job-role-aligned permissions. | Role definitions, mappings, assignment logs. | All |
Attribute-Based Access Control (ABAC) | Dynamic access decisions based on attributes/tags. | Attribute policies, enforcement tests. | PaaS, IaaS |
Least Privilege Enforcement | Enforce minimum necessary access to perform duties. | Role reviews, scope validation. | All |
Separation of Duties (SoD) | Prevent conflicting role assignments and ensure oversight. | SoD matrix, review logs, conflict resolution process. | All |
Privileged Access Management | Strictly control privileged identities and vault their credentials. | Inventory of privileged accounts, session logs, MFA proofs. | All |
Non-Human Identities & Service Accounts | Govern service and app identities with least privilege. | Inventory, credential rotation records, ownership mappings. | All |
IAM Activity Logging & Monitoring | Monitor all identity events, including logins and role changes. | SIEM rules, log samples, alerts on abnormal behavior. | All |
Periodic Access Reviews & Recertification | Regular access certification by managers. | Review logs, attestation reports, revocation actions. | All |
Exception and Emergency Access Handling | Manage break-glass accounts and policy exceptions. | Usage logs, exception approvals, expiration monitoring. | All |
For complete descriptions and validations, refer to the full report or request a formatted PDF/Excel export.