
Whitepaper · Identity & Access Management

Identity & Access Management Checklist

Most access problems we find aren't access granted incorrectly; they're access that was correct once and never removed. This checklist follows identity through its lifecycle.

Category:
Identity & Access Management
Read time:
10 minutes
Covers:
Workforce IAM & cloud IAM (AWS/Azure/GCP)

When we find a former employee's account still active, or a contractor's cloud role still granting admin access eight months after their contract ended, the access itself was usually granted correctly at the time. The gap is almost always in what happens (or doesn't happen) afterward: a role change, a project ending, an offboarding step that depended on someone remembering to do it manually.

That's why this checklist follows the standard identity lifecycle model (joiner, mover, leaver) rather than listing IAM controls in isolation. Each stage is where a specific category of risk gets introduced, or where it should get removed.


Joiner, Mover, Leaver


Joiner

Access is granted based on role, via a request/approval process, not by cloning an existing employee's permissions wholesale.


Mover

When someone changes roles or teams, old access is removed as part of the transition, not just left in place alongside new access.


Leaver

Access across all systems, including cloud consoles, API keys, and third-party SaaS, is revoked on a defined timeline, triggered automatically from HR offboarding.

Lifecycle checklist:

  • Access requests are role-based and approved by someone other than the requester.

  • Role/team changes trigger a review of existing access, not just provisioning of new access.

  • Offboarding is triggered from a single source of truth (HR system) and covers cloud accounts, SaaS apps, VPN and physical access.

  • Quarterly access reviews catch anything the lifecycle process missed, treated as a backstop rather than the primary control.
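The three lifecycle gaps above (cloned permissions on a joiner, leftover groups on a mover, an enabled account on a leaver) are all detectable by diffing the HR system against the identity provider. The script below is an added example, not code from the whitepaper or from CipherTrivia: it assumes an HR roster that records each person's current role, previous role and termination date, an IdP export with an enabled flag and group memberships, and a role-to-groups map that defines what each role is allowed to carry. The group names, employee ids and dates are constructed for the example.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and an identity
provider (IdP) export.

Added example, not code from the CipherTrivia whitepaper. The record layouts
(HR rows carrying role, previous role and termination date; IdP accounts
carrying an enabled flag and group memberships; a role-to-groups map) are
assumptions chosen for this example, as are the names and dates below.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Role-based access model: the only groups a given job role should carry.
# Assumed group names; substitute your own role definitions.
ROLE_GROUPS = {
    "backend-engineer": {"gh-backend", "aws-dev-readonly", "vpn-users"},
    "platform-engineer": {"gh-platform", "aws-platform-admin", "vpn-users"},
    "finance-analyst": {"erp-reporting", "vpn-users"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str                               # current job role
    previous_role: Optional[str] = None     # set once the person has moved teams
    terminated_on: Optional[date] = None    # set once the person has left


@dataclass
class IdpAccount:
    employee_id: str
    username: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    stage: str      # "joiner", "mover" or "leaver"
    username: str
    detail: str


def reconcile(hr: List[HrRecord], idp: List[IdpAccount], today: date,
              leaver_sla_days: int = 1) -> List[Finding]:
    """Compare what HR says about each person with what the IdP grants them."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in idp:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            if acct.enabled:   # identity with no owner in the source of truth
                findings.append(Finding("leaver", acct.username,
                                        "enabled account with no HR record (orphaned identity)"))
            continue
        if rec.terminated_on is not None:
            days_since = (today - rec.terminated_on).days
            if acct.enabled and days_since > leaver_sla_days:
                findings.append(Finding("leaver", acct.username,
                                        f"still enabled {days_since} days after termination"))
            continue
        extra = acct.groups - ROLE_GROUPS.get(rec.role, set())
        if not extra:
            continue
        # Extra groups that belong to the previous role are mover leftovers;
        # anything else was granted outside the role model (cloned or ad hoc).
        previous = ROLE_GROUPS.get(rec.previous_role, set()) if rec.previous_role else set()
        leftover = sorted(extra & previous)
        if leftover:
            findings.append(Finding("mover", acct.username,
                                    f"still in groups from former role {rec.previous_role!r}: "
                                    f"{', '.join(leftover)}"))
        unexplained = sorted(extra - previous)
        if unexplained:
            findings.append(Finding("joiner", acct.username,
                                    f"groups not in role {rec.role!r}: {', '.join(unexplained)}"))
    return findings


def run_example() -> List[Finding]:
    """Constructed roster and IdP export exercising all three lifecycle gaps."""
    today = date(2025, 1, 15)
    hr = [
        HrRecord("e100", "backend-engineer"),
        HrRecord("e101", "platform-engineer", previous_role="backend-engineer"),
        HrRecord("e102", "finance-analyst", terminated_on=date(2024, 12, 1)),
        HrRecord("e103", "backend-engineer"),
    ]
    idp = [
        IdpAccount("e100", "alice", True, {"gh-backend", "aws-dev-readonly", "vpn-users"}),
        IdpAccount("e101", "bob", True, {"gh-platform", "aws-platform-admin", "vpn-users",
                                          "gh-backend", "aws-dev-readonly"}),
        IdpAccount("e102", "carol", True, {"erp-reporting", "vpn-users"}),
        IdpAccount("e103", "dave", True, {"gh-backend", "aws-dev-readonly", "vpn-users",
                                           "aws-platform-admin"}),
        IdpAccount("e999", "svc-legacy", True, {"aws-platform-admin"}),
    ]
    return reconcile(hr, idp, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.stage}] {f.username}: {f.detail}")
```

Run on the constructed data it reports bob as a mover still carrying his backend groups, carol as a leaver still enabled 45 days after termination, dave as a joiner holding an admin group his role does not define, and svc-legacy as an enabled identity with no HR owner. The reconcile step is what the quarterly review should be running continuously; the review itself is the backstop for whatever the HR feed or the role map does not capture.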


What We Find in Cloud IAM Reviews

Cloud IAM (AWS, Azure, GCP) deserves its own section. The lifecycle issues above apply there too, but cloud environments add a layer of machine identities (service accounts and access keys that no HR record owns) and inherited permissions that is easy to lose track of:

  • ~40% of reviewed cloud roles grant broader permissions than the workload actually uses.

  • ~25% of access keys found are unused for 90+ days but not deactivated.

  • ~30% of privileged roles lack MFA enforcement at the identity provider.

  • 1 in 4 environments still have at least one root/owner-level account used for routine tasks.

Figures are directional, based on patterns observed across recent CipherTrivia cloud IAM reviews, not a statistical sample of all environments.


A Least-Privilege Reference Model

The diagram below shows how identity, roles and permissions should connect: a single identity provider as the source of truth, role-based access mapped to least-privilege permission sets, and break-glass access for emergencies that's logged and time-limited.

Diagram of a least-privilege identity and access management model showing a central identity provider with MFA enforced as the source of truth for all users, connected to role-based access groups that map to least-privilege permission sets in cloud accounts, with a separate time-limited and logged break-glass emergency access path, and automated deprovisioning triggered from the HR system
Figure 1: One identity source, role-based mapping, and an auditable emergency path.
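Whether a permission set is actually least-privilege is a question of what the role is granted versus what its workload is observed to use, which is the gap behind the ~40% figure above. The script below is an added example, not code from the whitepaper, from CipherTrivia or from an AWS service: it takes an IAM policy document and a list of observed actions and reports which wildcard grants could be replaced by the explicit actions seen, which explicit grants were never exercised, and which statements apply to every resource. The policy and the observed-action list are constructed; in practice the observed list would come from CloudTrail events for the role's sessions.

```python
"""Compare a role's granted IAM actions with the actions its workload uses.

Added example, not code from the CipherTrivia whitepaper or from AWS.
SAMPLE_POLICY and OBSERVED_ACTIONS are constructed; the account id and
key id in the policy are placeholders.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Union

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:eu-west-1:111122223333:key/example-key-id"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Constructed: the distinct eventSource:eventName pairs seen for this role
# in CloudTrail over the review window.
OBSERVED_ACTIONS = ["s3:GetObject", "s3:PutObject", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "logs:PutLogEvents", "logs:CreateLogStream"]


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM allows a bare string wherever it allows a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(action: str, pattern: str) -> bool:
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review_policy(policy_json: str, observed: Iterable[str]) -> Dict[str, object]:
    """Report wildcard grants, unused explicit grants and Resource:"*" statements."""
    policy = json.loads(policy_json)
    seen = sorted(set(observed))
    report: Dict[str, object] = {
        "wildcard_grants": [],   # patterns such as s3:* that should be narrowed
        "narrowed": {},          # pattern -> observed actions it could shrink to
        "unused_grants": [],     # explicit actions never observed in use
        "resource_star": [],     # action lists granted on every resource
    }
    for stmt in _as_list(policy["Statement"]):
        # Deny and NotAction statements need their own treatment; this check
        # only scores what is positively allowed.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        if "*" in _as_list(stmt.get("Resource", [])):
            report["resource_star"].append(actions)
        for pattern in actions:
            used = [a for a in seen if _matches(a, pattern)]
            if "*" in pattern or "?" in pattern:
                report["wildcard_grants"].append(pattern)
                report["narrowed"][pattern] = used   # empty list: no observed use at all
            elif not used:
                report["unused_grants"].append(pattern)
    return report


def run_example() -> Dict[str, object]:
    return review_policy(SAMPLE_POLICY, OBSERVED_ACTIONS)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the constructed input the two wildcards shrink to two explicit actions each, the KMS grants are never used, and the SQS and CloudWatch Logs statements apply to every resource in the account. The caveat is that observed usage is a lower bound: actions on paths that did not run in the window (failover, restore, a quarterly job) will not appear, so the narrowed list is a starting point for a conversation with the workload owner, not a policy to apply blind.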

Frequently Asked Questions

What does an IAM review actually involve?

We review your identity provider configuration, role/group structure, cloud IAM policies (for over-permissioned roles, unused credentials, and root account usage), and your joiner/mover/leaver processes, typically through a combination of configuration review and interviews with your IT/security team.

We use a single sign-on provider: does that cover this?

SSO centralizes authentication, which is a strong foundation, but it doesn't automatically mean authorization (what each identity can actually do once authenticated) is well-managed. It also doesn't cover identities that never pass through it, such as local cloud IAM users, access keys and service accounts created directly in a cloud account. Those are the cloud IAM and role-mapping issues this checklist focuses on.

How does this relate to the SOC 2 / ISO 27001 access review requirement?

Directly: the lifecycle checklist above is largely what auditors are checking when they ask for access review evidence. See our SOC 2 & ISO 27001 Compliance Checklist for that framing.

Can you help us implement fixes, or just identify issues?

Both: we typically deliver a prioritized findings report, and can also support implementation (role redesign, automated deprovisioning workflows, break-glass procedures) depending on scope.


About the Author


Ravi Prasad

Identity & Access Management Consultant, CipherTrivia · AWS Security Specialty & Azure AZ-500

Ravi runs IAM and cloud access reviews at CipherTrivia, across AWS, Azure and GCP environments. He's reviewed access for organizations ranging from early-stage startups to multi-account enterprise environments, and built this checklist around the lifecycle gaps he sees repeat across all of them.

Find out who really has access to what

An IAM review maps your identity lifecycle and cloud permissions against this checklist; see our identity & access management services.
