Protego Security Resource
IAM Best Practices Cheatsheet
Quick reference for securing identities across Entra ID, AWS IAM, and GCP IAM
Cross-Platform Comparison
| Capability | Entra ID | AWS IAM | GCP IAM |
|---|---|---|---|
| MFA enforcement | Conditional Access policy | IAM policy + virtual MFA / FIDO2 | Google Workspace 2SV enforcement |
| Privileged access | PIM (time-bound role activation) | IAM Access Analyzer + SCP guardrails | PAM (Privileged Access Manager) |
| Least privilege audit | Access Reviews (quarterly) | IAM Access Analyzer (unused permissions) | IAM Recommender (90-day analysis) |
| Workload identity | Managed Identity (system/user) | IAM Roles for services + IRSA for EKS | Workload Identity Federation |
| Break-glass access | Emergency Access Accounts (2+) | Root account with MFA + hardware key | Super admin with hardware key |
| External identities | B2B Guest Access + External ID | IAM Roles for cross-account | Domain-wide delegation + Workload Identity |
| SSO protocol | SAML 2.0 / OIDC / WS-Fed | SAML 2.0 / OIDC via IAM Identity Center | SAML 2.0 / OIDC via Google Workspace |
Universal IAM Rules
Red Flags to Monitor
- Sign-in from impossible travel locations
- MFA registration from unrecognized devices
- Service account interactive sign-in
- Bulk permission changes outside change windows
- New global/org admin role assignments
- Conditional Access policy modifications
- OAuth app consent grants with broad scopes
- Access key creation for root/admin accounts
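The following is an added example, not part of the cheatsheet, showing how several of the red flags above turn into concrete detection rules. It runs over a constructed set of platform-neutral audit events (the field names, principals, coordinates, thresholds and the "approved change window" are all assumptions for illustration; Entra sign-in logs, CloudTrail and GCP audit logs carry the equivalent fields under their own names). It covers impossible travel, interactive service-account sign-in, privileged role assignment, access-key creation for root/admin, and bulk permission changes outside a change window.

```python
"""Toy detection rules for the IAM red flags above (added example, not the cheatsheet's own code).

All events below are constructed sample records normalised to one shape; thresholds and the
approved change window are assumptions and would be tuned per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (fabricated principals and coordinates).
EVENTS = [
    {"ts": "2024-05-06T08:00:00Z", "type": "signin", "actor": "alice", "interactive": True,
     "lat": 51.5, "lon": -0.1, "service_account": False},                      # London
    {"ts": "2024-05-06T08:30:00Z", "type": "signin", "actor": "alice", "interactive": True,
     "lat": 40.7, "lon": -74.0, "service_account": False},                     # New York, 30 min later
    {"ts": "2024-05-06T09:00:00Z", "type": "signin", "actor": "svc-backup", "interactive": True,
     "lat": 51.5, "lon": -0.1, "service_account": True},                       # service account used interactively
    {"ts": "2024-05-06T10:00:00Z", "type": "role_assigned", "actor": "bob", "target": "carol",
     "role": "Global Administrator"},
    {"ts": "2024-05-06T10:05:00Z", "type": "access_key_created", "actor": "bob", "target": "root"},
] + [
    # twelve permission changes by one actor within twelve minutes on a Monday morning
    {"ts": f"2024-05-06T11:{i:02d}:00Z", "type": "permission_changed", "actor": "bob", "target": f"user{i}"}
    for i in range(12)
]

# Assumed tenant-specific tuning.
PRIVILEGED_ROLES = {"Global Administrator", "roles/resourcemanager.organizationAdmin", "AdministratorAccess"}
ADMIN_PRINCIPALS = {"root", "admin"}
MAX_SPEED_KMH = 900                 # faster than a commercial flight -> impossible travel
BULK_THRESHOLD = 10                 # this many permission changes by one actor ...
BULK_WINDOW = timedelta(hours=1)    # ... inside this window counts as "bulk"
CHANGE_WINDOW_HOURS = range(2, 6)   # assumed approved window: Saturdays 02:00-05:59 UTC


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def in_change_window(ts):
    """True if ts falls inside the assumed approved change window (Saturday, 02:00-05:59 UTC)."""
    return ts.weekday() == 5 and ts.hour in CHANGE_WINDOW_HOURS


def detect(events):
    """Return a list of (rule, principal) alerts raised over the events, in time order."""
    alerts = []
    last_signin = {}               # actor -> (ts, lat, lon) of the previous sign-in
    changes = defaultdict(list)    # actor -> timestamps of recent permission changes
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, kind = parse_ts(e["ts"]), e["type"]
        if kind == "signin":
            if e["service_account"] and e["interactive"]:
                alerts.append(("service_account_interactive", e["actor"]))
            prev = last_signin.get(e["actor"])
            if prev:
                prev_ts, plat, plon = prev
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", e["actor"]))
            last_signin[e["actor"]] = (ts, e["lat"], e["lon"])
        elif kind == "role_assigned" and e["role"] in PRIVILEGED_ROLES:
            alerts.append(("privileged_role_assigned", e["target"]))
        elif kind == "access_key_created" and e["target"] in ADMIN_PRINCIPALS:
            alerts.append(("admin_access_key", e["target"]))
        elif kind == "permission_changed":
            recent = changes[e["actor"]]
            recent.append(ts)
            recent[:] = [t for t in recent if ts - t <= BULK_WINDOW]   # drop entries outside the window
            # fire once, when the threshold is first crossed outside an approved window
            if len(recent) == BULK_THRESHOLD and not in_change_window(ts):
                alerts.append(("bulk_permission_change", e["actor"]))
    return alerts


if __name__ == "__main__":
    for rule, who in detect(EVENTS):
        print(f"{rule}: {who}")
```

The rules are stateful (previous sign-in per actor, sliding window of changes per actor), which is what separates these signals from single-event filters; in a real SIEM the same logic would be keyed on the platform's user or principal identifier rather than a display name, and MFA registration, Conditional Access changes and OAuth consent grants would be added as further event types with the same shape.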
protego.me | IAM Best Practices Cheatsheet