
Identity and Access Management (IAM) Security Study Plan

Milestone-based roadmap for strong IAM skills across applications, APIs, cloud platforms, and enterprise identity lifecycle.

IAM is the modern access perimeter for apps, cloud, and SaaS. This plan builds practical depth in authentication, authorization, cloud IAM, federation, privileged access, and IAM hardening from both application and cloud perspectives.

Expected pace

13-16 weeks

Pair with cloud and AppSec plans for deeper implementation.

Focus areas

Build strong AuthN/AuthZ fundamentals and protocol fluency.
Understand AWS, Azure, and GCP IAM models at a practical level.
Learn identity lifecycle, federation, and privileged access controls.
Recognize misconfigurations and implement IAM hardening patterns.

In short

IAM is more than users and groups.
Treat identity as the security perimeter.
Master least privilege, separation of duties, JIT, and JEA.
Learn both app-level and cloud-level access control.
Continuously review access and remove excess permissions.

Section 1

IAM Fundamentals

2 weeks

Build a mental model for principals, resources, policies, and access control models.

Week 1-2: Core Concepts

IAM basics: digital identities, principals, resources, permissions, and policies.
Identity types: human, machine, and external identities.
Access models: DAC, MAC, RBAC, ABAC.
Principles: least privilege, separation of duties, zero trust, JIT, JEA.

Section 2

Authentication (AuthN) Deep Dive

2 weeks

Understand how users and services prove identity across traditional and modern flows.

Week 3: Traditional AuthN

Credential management: passwords, policy quality, and password managers.
MFA methods: SMS, TOTP, hardware keys (FIDO).
Sessions and cookies: secure flags, lifecycle, timeout handling.

Week 4: Modern Protocols

OAuth 2.0 high-level roles and grant flow basics.
OIDC concepts: ID token, userinfo, common web and mobile flows.
SAML basics: assertions, IdP/SP trust, SSO scenarios.
Auth patterns for SPA and mobile clients using OAuth/OIDC.

Section 3

Authorization (AuthZ) and Access Control

2 weeks

Learn how access decisions are made and enforced in services and APIs.

Week 5-6: AuthZ Models and Implementation

RBAC design, hierarchies, and role explosion pitfalls.
ABAC policies using user/resource/environment attributes.
Policy engines at high level: XACML, OPA/Rego, JSON/YAML policy models.
Route and method level enforcement in applications.
Object-level and function-level auth risks: BOLA and BFLA.
Map business roles to technical permissions safely.

Section 4

Cloud Provider IAM (AWS/Azure/GCP)

3-4 weeks

Understand IAM implementations in major clouds and compare cross-cloud patterns.

Week 7-8: AWS IAM Basics

AWS IAM core model: principals, actions, resources, conditions.
Identity types: IAM users, groups, roles, root account.
Policy types: identity-based, resource-based, SCP basics.
IAM Identity Center, STS, and KMS IAM interactions.
Hands-on: create roles, attach policies, and test access boundaries.
Related plan: AWS Security Study Plan

Week 9: Azure and GCP IAM Overview

Azure Entra ID, RBAC roles, assignments, scope hierarchy.
GCP IAM: members, roles, service accounts, resource hierarchy.
Compare AWS/Azure/GCP role and scope models.
Common cloud IAM pitfalls: wildcards, broad scopes, excessive role grants.
Related plans: Azure Security Study Plan, GCP Security Study Plan

Section 5

Identity Lifecycle, Privileged Access and Federation

2-3 weeks

Manage identity safely across joiner/mover/leaver lifecycle and multi-org trust boundaries.

Week 10-11: Identity Lifecycle and PAM

Joiner/mover/leaver lifecycle and timely access changes.
Provisioning/deprovisioning with directory and SCIM basics.
PAM patterns: break-glass, approvals, session recording, JIT privileged access.

Week 12: Federation and B2B/B2C

Federation trust concepts with external IdPs.
SAML/OIDC federation for SaaS and cloud workloads.
Security concerns: token lifetimes, revocation, trust boundary mapping.

Section 6

Threats, Misconfigurations and Hardening

2-3 weeks

Connect IAM theory to real attacks and practical hardening controls.

Week 13-15: Attacks and Defenses

Credential stuffing, password spraying, MFA fatigue, and social-engineering MFA bypasses.
OAuth/OIDC misconfiguration risks: overbroad scopes, redirect URI issues.
Authorization flaws causing IDOR/BOLA/BFLA exposures.
Cloud IAM escalation via excessive policy privileges and trust misconfigurations.
Pitfalls: *:* style permissions, long-lived keys, overbroad service roles.
Hardening: enforce MFA, run access reviews, clean unused privileges.
Use conditional/risk-based access where platform supports it.
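As an added example (not part of the original plan), a small Python linter that flags the wildcard pitfalls named above in an AWS IAM identity policy document; the weak and hardened sample policies are constructed here for illustration.

```python
import json
from typing import Any

# Constructed sample policies (not from the page). WEAK_POLICY shows the "*:*"
# pitfall the plan warns about; HARDENED_POLICY is a scoped equivalent.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-logs/*"},
]})

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::app-logs/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}},
}]})


def _as_list(value: Any) -> list:
    """IAM lets Action/Resource/Statement be a single value or a list; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements that grant overbroad access."""
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {idx}: full admin grant (Action '*' on Resource '*')")
        elif wild_actions:
            findings.append(f"stmt {idx}: service-wide wildcard actions {wild_actions}")
        if "*" in resources and "*" not in actions:
            findings.append(f"stmt {idx}: actions apply to every resource ('*')")
        if (wild_actions or "*" in resources) and "Condition" not in stmt:
            findings.append(f"stmt {idx}: broad grant with no Condition to constrain it")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(doc) or ["no findings"])
```

Run it against exported policies during an access review to surface statements that need scoping before they are approved.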

Section 7

Books

Read IAM and modern authentication material with practical cloud chapters.

Enterprise/cloud IAM books with practical implementation patterns.
OAuth 2.0 and OIDC focused books for modern auth depth.
Cloud security books with strong IAM chapters for AWS/Azure/GCP.

Section 8

Videos

Use provider deep dives and conference talks on IAM attack patterns and defenses.

Talks on IAM, SSO, OAuth/OIDC pitfalls, and cloud IAM misconfigurations.
Official deep dives from AWS re:Invent, Microsoft, and Google Cloud channels.
Zero trust and identity-centric security talks.

Section 9

Courses

Pick IAM-heavy cloud courses and protocol-focused auth training.

Cloud security fundamentals courses with strong IAM modules.
Vendor-specific IAM training for AWS, Azure, and GCP.
OAuth 2.0/OIDC practical implementation courses.

Section 10

Certifications

Choose certs where IAM depth is a meaningful part of the exam scope.

Cloud security certifications with major IAM coverage.
Identity-focused certifications aligned with access management roles.
General certs like CISSP/CCSP for broad IAM governance context.

Section 11

Interview Questions

Practice identity-first answers spanning app auth, cloud IAM, and incident response.

How would you design AuthN/AuthZ for a new web/mobile app?
How would you migrate on-prem identities to a cloud IdP safely?
How do you enforce least privilege across many cloud accounts/subscriptions?
How would you investigate suspected IAM credential compromise?