Why architecture matters here
IAM is a control plane; it does not fail dramatically — it drifts. Least privilege at day one becomes over-privileged at year three because roles accumulate permissions and nobody removes them. Attackers find the accumulated privilege and pivot.
The architecture matters because prevention is the layered defense. Boundaries cap what a role can do even if its policy is expanded. SCPs cap what an entire org can do. ABAC scopes access by tag. Sessions add temporal limits. Audit trail catches drift.
Understanding the layers means designing them together instead of hoping any single one holds.
The architecture: every piece explained
The top strip is identity. Human users federate through SSO — no local passwords, no long-lived keys. Workload identity lets services assume roles via short-lived tokens (STS, workload identity federation, GKE workload identity). Groups + roles aggregate permissions by function; users assume roles rather than getting direct grants. Policies are JSON allow/deny statements attached to identities or resources.
The middle row is the constraint layers. Permission boundary caps the maximum a role can effectively be granted; a delegated admin can grant only within this boundary. Service Control Policies apply org-wide guardrails (e.g., no root user, no public S3 buckets). Conditions + ABAC restrict access by tag — role X can only access resources tagged with the same cost-center. Session controls require MFA and cap duration.
The lower rows are lifecycle and observation. Access review quarterly re-attests role assignments and permissions. Audit trail streams every API call to a central log store for detection. Ops defines break-glass procedures for emergency access, drift detection to find over-privilege, and threat detection to catch abuse.
End-to-end flow
End-to-end: an engineer needs to debug a production issue. She authenticates via SSO, is prompted for MFA. She assumes the prod-debug role, which is bounded to read-only actions. Her session has a 1-hour cap. She queries the necessary logs. Every API call is written to CloudTrail. A workload service assumes a role via STS with no long-lived credentials to read a secret from Secrets Manager; the role's policy allows only that specific secret ARN. An SCP prevents any account from disabling CloudTrail. Quarterly, the org runs an access review; drift is flagged and corrected. If a compromise happens, audit trail replay identifies scope and enables surgical remediation.