Identity and Access Management (IAM) Security Study Plan
This page is updated based on jassics/security-study-plan/iam-security-study-plan
This study plan is based on milestones. Check how much you can cover within the timeline - the more you cover, the better a candidate you are for job roles that need strong Identity & Access Management skills (AppSec, Cloud Security, Product Security, GRC, Security Architecture, and more).
Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
It covers what you need to excel at IAM from both application and cloud perspectives.
How this connects: Use this plan alongside the AWS, Azure, and GCP security study plans for cloud-specific IAM, and with the Application Security study plan when designing or reviewing secure systems.
In Short
- IAM is not just "creating users and groups" - it is access control for everything.
- Think of IAM as the new perimeter across apps, APIs, cloud, and SaaS.
- You must be comfortable with AuthN/AuthZ concepts and common protocols.
- You should understand how IAM is implemented in AWS, Azure, and GCP at a high level.
- You should recognize common IAM misconfigurations and how to avoid them.
ToC
- IAM Fundamentals - 2 weeks
- Authentication (AuthN) Deep Dive - 2 weeks
- Authorization (AuthZ) & Access Control - 2 weeks
- Cloud Provider IAM (AWS/Azure/GCP) - 3-4 weeks
- Identity Lifecycle, Privileged Access & Federation - 2-3 weeks
- Threats, Misconfigurations & Hardening - 2-3 weeks
- Books
- Videos
- Courses
- Certifications
- Interview Questions
IAM Fundamentals
Duration: 2 weeks
Week 1-2: Core Concepts
- What is IAM? Digital identities, principals, subjects, resources, permissions, policies.
- Types of Identities: human identities (users, groups), machine identities (service accounts, workloads), external identities (partners, customers, B2B/B2C).
- Access Models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC).
- Core Principles: least privilege, separation of duties, Zero Trust (never trust, always verify), Just-In-Time (JIT) and Just-Enough-Access (JEA).
Authentication (AuthN) Deep Dive
Duration: 2 weeks
Week 3: Traditional AuthN
- Credentials - passwords, password policies, password managers
- Multi-Factor Authentication (MFA) - SMS, TOTP apps, FIDO keys
- Sessions & Cookies - session IDs, secure flags, timeouts
Week 4: Modern Protocols
- OAuth 2.0 (high level) - roles (resource owner, client, auth server), grant types
- OpenID Connect (OIDC) - ID token, userinfo endpoint, common flows
- SAML 2.0 basics - assertions, IdP vs SP, SSO scenarios
- Modern web/mobile auth patterns - SPA and mobile apps using OAuth/OIDC
Authorization (AuthZ) & Access Control
Duration: 2 weeks
Week 5-6: AuthZ Models & Implementation
- RBAC - roles, role hierarchies, the role-explosion problem
- ABAC - policies based on user/resource/environment attributes
- Policy Languages & Engines (high level) - XACML, OPA/Rego, custom JSON/YAML policies
- Application-Level Authorization - route/method-level access control, object-level (BOLA) and function-level (BFLA) authorization, mapping business roles to technical permissions - see API Security for BOLA in depth
Cloud Provider IAM (AWS/Azure/GCP)
Duration: 3-4 weeks
Week 7-8: AWS IAM Basics
- Core Concepts - principals, policies, actions, resources, conditions
- Identity Types - IAM users, groups, roles, root account
- Policies - identity-based vs resource-based policies, SCPs (Organizations)
- Common Services - IAM, AWS SSO/IAM Identity Center, STS, KMS
- Hands-on - create roles, attach policies, test access
Week 9: Azure & GCP IAM Overview
- Azure - Entra ID (formerly Azure AD), roles, role assignments, scopes (management group → subscription → resource group → resource)
- GCP - IAM policies, members, roles, service accounts, resource hierarchy
- Compare Patterns - how roles/scopes differ across AWS/Azure/GCP, and common misconfigurations (overly broad roles, wildcard permissions)
Identity Lifecycle, Privileged Access & Federation
Duration: 2-3 weeks
Week 10-11: Identity Lifecycle & PAM
- Lifecycle - joiner/mover/leaver processes
- Provisioning & Deprovisioning - HR systems, directories, SCIM basics
- Privileged Access Management (PAM) - break-glass accounts, session recording/approvals, JIT privileged access
Week 12: Federation & B2B/B2C
- Federation Concepts - trusting external IdPs, SSO across organizations
- Common Scenarios - SAML/OIDC from a corporate IdP to SaaS/cloud
- Security Considerations - trust boundaries, token lifetimes, revocation
Threats, Misconfigurations & Hardening
Duration: 2-3 weeks
Week 13-15: Attacks & Defenses
- Common IAM Attacks - credential stuffing, password spraying, MFA fatigue/bypass, OAuth misconfig (open redirect, overbroad scopes), IDOR/BOLA/BFLA from missing authz checks, privilege escalation via misconfigured roles/policies
- Cloud IAM Pitfalls - *:* permissions, public buckets, overly broad service roles, long-lived access keys
- Hardening Practices - enforce MFA for admins/remote access, regular access reviews and certification, least-privilege role design and periodic cleanup, conditional/risk-based access where available
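The wildcard-permission pitfall and the least-privilege hardening point above, as an added worked example that is not part of the original study plan: a small linter over AWS IAM policy JSON that flags Allow statements granting every action, every call of a service, or every resource, shown against an over-broad policy and its scoped replacement. Both policy documents and the bucket name are constructed for illustration; the `aws:MultiFactorAuthPresent` condition key is a real AWS condition key.

```python
import json

# Constructed sample: an over-broad identity-based policy of the kind the
# "Cloud IAM Pitfalls" bullet warns about (not taken from any real account).
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}
  ]
}
""")

# The same intent scoped to named actions, one bucket prefix and an MFA condition.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding_id, message) for Allow statements broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; only Allow can be over-broad
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_resource = any(r == "*" for r in resources)
        if any(a in ("*", "*:*") for a in actions):
            findings.append((idx, "all-actions", "Action is '*': grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wildcard", "Action grants every call of a service"))
        if wildcard_resource:
            findings.append((idx, "all-resources", "Resource is '*': applies to every resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "negation", "NotAction/NotResource grants are hard to reason about"))
        if wildcard_resource and "Condition" not in stmt:
            findings.append((idx, "no-condition", "no Condition narrows the wildcard resource"))
    return findings
```

Running `lint_policy` over a policy exported from an account gives a quick first pass for an access review; a clean result does not prove least privilege, only the absence of the wildcard patterns listed.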
Books
- A solid book on Identity & Access Management in enterprise or cloud contexts
- Books on OAuth 2.0 / OpenID Connect and modern authentication patterns
- Cloud security books with strong IAM chapters (AWS/Azure/GCP)
Videos
- Conference talks on IAM, SSO, OAuth/OIDC pitfalls, and cloud IAM misconfigurations
- Cloud provider official IAM deep-dive videos (AWS re:Invent, Azure, GCP)
- Talks on Zero Trust and modern identity-centric security
Courses
- Cloud security fundamentals courses with strong IAM modules
- Vendor-specific identity courses (AWS, Azure, GCP IAM)
- Courses focused on OAuth 2.0 / OIDC and modern auth patterns
Certifications
- Cloud security certifications (AWS/Azure/GCP) where IAM is a major exam component
- Identity-focused or access management certifications, if aligned with your goals
- General security certs (CISSP, CCSP, etc.) for broader IAM context
Interview Questions
Reuse questions from Application Security, AWS Security, and Common Security, but focus on Identity & Access:
- How would you design authentication and authorization for a new web/mobile app?
- How would you migrate on-prem identities to a cloud IdP safely?
- How do you enforce least privilege across many AWS accounts or Azure subscriptions?
- How would you investigate and respond to a suspected IAM credential compromise?
Practice next: AWS Security interview questions for hands-on IAM scenarios, and jassics/security-study-plan for the latest updates to this plan.