
Protego Security Resource

IAM Best Practices Cheatsheet

Quick reference for securing identities across Entra ID, AWS IAM, and GCP IAM

Cross-Platform Comparison

| Capability | Entra ID | AWS IAM | GCP IAM |
|---|---|---|---|
| MFA enforcement | Conditional Access policy | IAM policy + virtual MFA / FIDO2 | Google Workspace 2SV enforcement |
| Privileged access | PIM (time-bound role activation) | IAM Access Analyzer + SCP guardrails | PAM (Privileged Access Manager) |
| Least privilege audit | Access Reviews (quarterly) | IAM Access Analyzer (unused permissions) | IAM Recommender (90-day analysis) |
| Workload identity | Managed Identity (system/user) | IAM Roles for services + IRSA for EKS | Workload Identity Federation |
| Break-glass access | Emergency Access Accounts (2+) | Root account with MFA + hardware key | Super admin with hardware key |
| External identities | B2B Guest Access + External ID | IAM Roles for cross-account | Domain-wide delegation + Workload Identity |
| SSO protocol | SAML 2.0 / OIDC / WS-Fed | SAML 2.0 / OIDC via IAM Identity Center | SAML 2.0 / OIDC via Google Workspace |

Universal IAM Rules

Red Flags to Monitor

- Sign-in from impossible travel locations
- MFA registration from unrecognized devices
- Service account interactive sign-in
- Bulk permission changes outside change windows
- New global/org admin role assignments
- Conditional Access policy modifications
- OAuth app consent grants with broad scopes
- Access key creation for root/admin accounts
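Two of the red flags above (impossible travel and interactive sign-in by a service account) can be checked directly against normalised sign-in events. The following is an added example, not code from the cheatsheet or from Protego; the event fields, the sample events and the 900 km/h speed threshold are all assumptions made here.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). The field names are
# assumed to have been normalised from the provider's sign-in log already;
# "interactive" marks a browser/password sign-in rather than a token grant.
EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "lat": 51.5, "lon": -0.12, "interactive": True, "service_account": False},
    {"user": "alice", "ts": "2024-05-01T10:00:00", "lat": 40.7, "lon": -74.0, "interactive": True, "service_account": False},
    {"user": "svc-backup", "ts": "2024-05-01T10:30:00", "lat": 51.5, "lon": -0.12, "interactive": True, "service_account": True},
    {"user": "bob", "ts": "2024-05-01T08:00:00", "lat": 48.9, "lon": 2.35, "interactive": True, "service_account": False},
    {"user": "bob", "ts": "2024-05-01T14:00:00", "lat": 51.5, "lon": -0.12, "interactive": True, "service_account": False},
]

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than a commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_red_flags(events):
    """Return (rule, user) pairs for the impossible-travel and
    service-account-interactive-sign-in red flags, in timestamp order."""
    flags = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous sign-in
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["service_account"] and e["interactive"]:
            flags.append(("service_account_interactive_signin", e["user"]))
        prev = last_seen.get(e["user"])
        if prev:
            hours = (ts - prev[0]).total_seconds() / 3600
            dist = haversine_km(prev[1], prev[2], e["lat"], e["lon"])
            # Implied speed between consecutive sign-ins exceeds the threshold
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                flags.append(("impossible_travel", e["user"]))
        last_seen[e["user"]] = (ts, e["lat"], e["lon"])
    return flags


if __name__ == "__main__":
    for rule, user in find_red_flags(EVENTS):
        print(f"{rule}: {user}")
```

In production the same logic would run over the provider's sign-in log (Entra ID sign-in logs, CloudTrail ConsoleLogin events, Google Workspace login audit) after geolocating the source IP.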

protego.me | IAM Best Practices Cheatsheet