HISTORY OF CLOUD COMPUTING AND MY PERSONAL EXPERIENCE WITH AWS IDENTITY AND ACCESS MANAGEMENT (IAM).
Blog 2: “WHAT IS CLOUD COMPUTING?”
1. INTRODUCTION TO CLOUD COMPUTING.
Have you ever wondered how cloud computing came into existence?
Cloud-based computing has changed how individuals and businesses interact with technology, replacing the traditional model of owning and operating computing resources. Cloud computing refers to the on-demand delivery of computing services such as storage, processing power and applications over the Internet, enabling users to access resources flexibly and efficiently without owning and maintaining physical infrastructure.
https://cdn.codecoda.com/img/blog/cloud-computing-architecture-schema.png
The history of cloud computing goes back to the 1960s, when the computer scientist John McCarthy suggested that “computation may someday be organized as a public utility,” like water or electricity. This vision began to take shape with the advent of time-sharing systems and the commercialization of internet services in the late 20th century. Reference for more details.
Amazon Web Services (AWS) later came into the picture in the early 2000s, marking a significant milestone with its first cloud computing services, Amazon S3 (Simple Storage Service) and Amazon EC2 (Elastic Compute Cloud), which popularized the pay-as-you-go model and the concept of Infrastructure as a Service (IaaS). This was followed by the emergence of major players like Microsoft Azure, Google Cloud Platform, and IBM Cloud, which expanded the range of cloud offerings to include Platform as a Service (PaaS) and Software as a Service (SaaS). These services opened up access to powerful computing capabilities, enabling startups, enterprises, and governments to innovate and scale with unprecedented agility.
Today cloud computing is a cornerstone of modern IT infrastructure. It powers everything from artificial intelligence and big data analytics to remote work and global collaboration. The cloud has also become critical for digital transformation across industries, driving innovations such as serverless computing, containerization, and edge computing.
Looking ahead, the future of cloud computing appears even more transformative. Trends like hybrid and multi-cloud environments, quantum computing integration, and the increasing role of artificial intelligence promise to expand its potential. With the growing focus on sustainability, cloud providers are investing in greener data centers and renewable energy sources to minimize their environmental impact. In line with this, AWS added a Sustainability pillar to its Well-Architected Framework: https://docs.aws.amazon.com/wellarchitected/latest/framework/sustainability.html
As we move forward, cloud computing is set to become even more pervasive, powering a world where innovation knows no bounds.
2. INTRODUCTION TO AWS (AMAZON WEB SERVICES).
Amazon Web Services (AWS) is a subsidiary of Amazon, designed to provide cloud computing services to individuals, businesses, and governments. During the early 2000s, Amazon had developed internal services that could be modularized and reused, leading to the realization that this framework could benefit external users.
- In 2002 Amazon officially launched AWS, offering its first services like Amazon S3 (Simple Storage Service) and Amazon EC2 (Elastic Compute Cloud). These products introduced the concept of scalable, pay-as-you-go infrastructure, where customers paid only for the resources they used, eliminating the need for large upfront hardware investments and thereby reducing cost.
- 2006 AWS was formally relaunched with its core services:
  - Amazon S3, a scalable object storage service for storing and retrieving data. S3 supports objects from 0 bytes up to 5 TB.
  - Amazon EC2, a virtual server environment offering resizable compute capacity. These services marked the foundation of modern cloud computing.
- 2009 AWS introduced Amazon EBS (Elastic Block Store), persistent block storage that attaches to EC2 instances, enhancing its capabilities for enterprise applications.
- 2012 AWS held its first re:Invent conference, which has since become an annual event showcasing new services, customer stories, and innovative solutions.
- 2014 AWS Lambda was launched, introducing serverless computing: developers could run code without managing servers and were charged only for execution time.
- 2018 AWS became a major revenue driver for Amazon, reaching $25 billion in revenue. By this time, it accounted for a significant portion of Amazon’s operating income.
- 2020 AWS announced sustainability initiatives and edge computing services like AWS Outposts, Lambda@Edge and AWS Greengrass, bringing cloud services closer to on-premises environments.
- 2023 Adam Selipsky succeeded Andy Jassy (who became Amazon CEO) as the head of AWS, focusing on expanding the business globally.
AWS offers numerous advantages over traditional IT infrastructure and competing cloud providers, such as:
A. Scalability and Flexibility
- AWS provides instant scalability, allowing businesses to scale their infrastructure up or down based on demand, for example through Auto Scaling and load balancing.
B. Cost-Effectiveness
- Users pay only for the resources they consume (the pay-as-you-go model), eliminating upfront capital expenses and hardware costs.
- AWS offers cost-saving options for predictable workloads and unused capacity such as spot and reserved instances.
C. Security and Compliance
- AWS uses robust security protocols, including data encryption, multi-factor authentication (MFA), and firewalls, to provide built-in security.
D. Speed and Agility
- Users can deploy infrastructure in minutes, accelerating development cycles.
E. Reliability
- AWS is built on a robust infrastructure with redundancy and failover mechanisms to ensure maximum uptime.
F. High-Performance Computing
- AWS offers powerful compute options for high-performance tasks like simulations and data analysis, graphics rendering and machine learning training.
The benefits of AWS make it a powerful and versatile platform for businesses and developers. Whether you’re a startup, an enterprise, or an individual, AWS offers the tools, resources, and infrastructure to support your specific needs while enabling innovation and cost efficiency. Refer for more benefits of AWS cloud computing
3. INTRODUCTION TO IAM.
AWS Identity and Access Management (IAM) is a foundational service provided by Amazon Web Services that helps individuals and organizations securely control access to AWS resources. It allows administrators to manage permissions, define roles, and enforce security policies for users, groups, and applications interacting with AWS services. By applying the principle of least privilege, IAM ensures that users and systems have only the permissions necessary to perform their tasks, thereby reducing security risks. AWS Training and Certification provides a 10-minute video introduction to IAM:
Introduction to AWS Identity and Access Management.
Use Cases
IAM is widely used in scenarios requiring granular access control, such as:
- Multi-User Environments: Assigning specific roles and permissions to employees based on their responsibilities.
- Application Authentication: Providing applications with access to AWS services using IAM roles and policies.
- Compliance and Auditing: Monitoring access patterns, ensuring that security protocols align with regulatory requirements.
- Federated Access: Integrating with identity providers (e.g., Google, Microsoft Active Directory) to manage user access seamlessly.
Billing
IAM itself is a free service, and customers are not charged for creating users, groups, roles, or policies. Costs only arise indirectly when users perform actions that consume AWS resources, such as running EC2 instances or accessing S3 storage. For a complete list of charges and prices for IAM Access Analyzer, see IAM Access Analyzer pricing.
IAM was launched in May 2011 as a way to provide more robust identity and access management for AWS’s growing suite of services. Over time, IAM has undergone significant enhancements to meet evolving security needs:
- 2012 Introduced AWS Identity Federation, allowing users to log in using external identity providers.
- 2015 Rolled out IAM Roles for EC2, enabling applications running on EC2 to securely interact with AWS services without hardcoding credentials.
- 2018 Launched AWS IAM Access Analyzer, a tool to identify resources shared outside an organization.
- 2020 Expanded support for fine-grained permissions with service-specific condition keys and improved auditing features.
Today, IAM remains a critical pillar in AWS’s security framework, continuously evolving to address the complex security requirements of modern cloud environments. Its role in enabling secure and scalable cloud usage ensures it is indispensable for AWS customers worldwide. IAM is integrated with many AWS services. For a list of AWS services that work with IAM and the IAM features the services support, see AWS services that work with IAM.
4. PERSONAL EXPERIENCE WITH IAM
Working with AWS Identity and Access Management (IAM) can be both empowering and challenging. It’s a robust system, but mistakes can happen, often with significant consequences. Here’s a candid recount of some IAM missteps I’ve encountered, how I identified them, and what I learned from each experience.
A. Over-Permissive Policies
In my early days in the tech industry, I created policies that were overly broad, such as attaching AdministratorAccess or using "Action": "*" with "Resource": "*". It was a quick way to get things working, especially during urgent deployments, but it exposed resources unnecessarily.
How I Realized It:
During a routine security check, an audit tool flagged multiple users and roles with excessive permissions. Additionally, one instance of a misconfigured access policy allowed unintended access to sensitive S3 buckets.
Lessons Learned:
- The principle of least privilege is non-negotiable.
- Avoid shortcuts during policy creation, even under time pressure.
How to Avoid It:
- Use AWS managed policies as a starting point and refine them based on specific needs.
- Regularly run IAM Access Analyzer to identify and mitigate over-permissive policies.
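As an added example (not code from the original post), here is the kind of check an audit tool runs over a policy document to catch the wildcard pattern described above; it also covers the “Grant Wildcard Permissions” item later in this post. Both policy documents are constructed for the example, and the bucket name and helper names are assumptions.

```python
import json

# Constructed example of the over-broad policy described above: a bare
# wildcard for both Action and Resource.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed example of the same need scoped down: two S3 actions on the
# objects of one bucket (the bucket name is an assumption for the example).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(value):
    """True for a bare '*' and for service-wide forms such as 's3:*' or 'arn:aws:s3:::*'."""
    return value == "*" or value.endswith(":*")


def find_wildcards(policy_json):
    """Return (statement index, field, value) for every Allow statement whose
    Action or Resource is a wildcard. Deny statements are skipped on purpose:
    a Deny on '*' is a guardrail, not an over-permission."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field)):
                if _is_wildcard(value):
                    findings.append((idx, field, value))
    return findings


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcards(doc) or "no wildcard findings")
```

The check deliberately ignores Deny statements, because a Deny on "*" is how guardrails are written. It does not look at NotAction or NotResource, which are another way to write an over-broad Allow; treat those as findings in their own right when reviewing policies.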
B. Hardcoding Access Keys
I once embedded access keys in application code for testing purposes, intending to replace them later. Unfortunately, the code was committed to a public repository. While the keys were inactive, it created an unnecessary risk.
How I Realized It:
A security scan alerted me to the exposed keys, and AWS automatically flagged the incident in the Trusted Advisor Service.
Lessons Learned:
- Hardcoding credentials, even temporarily, is a bad practice.
- Public repositories are a high-risk environment for sensitive data.
How to Avoid It:
- Use IAM Roles for applications running on AWS (e.g., EC2 or Lambda) to avoid needing hardcoded keys.
- Use AWS Secrets Manager to securely store and retrieve sensitive data.
- Add pre-commit hooks or tools like git-secrets to prevent accidental leaks.
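To show what such a pre-commit hook does, here is an added example (not code from the original post, and not git-secrets itself): a scanner that flags lines containing an AWS access key ID or a secret access key, simplified from the kind of patterns git-secrets ships with. The sample source file is constructed and uses the placeholder credentials from the AWS documentation, so nothing real is exposed.

```python
import re
import sys

# Access key IDs start with AKIA (long-term) or ASIA (temporary) followed by
# 16 upper-case alphanumerics; secret keys are 40 base64 characters assigned
# to a variable named like aws_secret_access_key. Simplified from the default
# patterns used by git-secrets.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample file: the AWS documentation's placeholder credentials
# pasted in "just for testing", followed by the safe form.
SAMPLE_SOURCE = """\
import boto3

# placeholder credentials from the AWS documentation, pasted in for a quick test
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)

# the safe form: let the SDK pick up role credentials from the environment
safe_client = boto3.client("s3")
"""


def scan_for_aws_keys(text):
    """Return (line number, kind) for each line that looks like it carries an
    AWS access key ID or a secret access key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID.search(line):
            findings.append((lineno, "access_key_id"))
        if SECRET_KEY.search(line):
            findings.append((lineno, "secret_access_key"))
    return findings


def main(paths):
    """Hook entry point: scan each staged file and fail the commit on any hit."""
    if not paths:
        findings = scan_for_aws_keys(SAMPLE_SOURCE)
        print("sample:", findings)
        return 1 if findings else 0
    status = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind in scan_for_aws_keys(fh.read()):
                print(f"{path}:{lineno}: possible {kind}")
                status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a pre-commit hook, the script is given the staged file names (for example from git diff --cached --name-only) and a non-zero exit aborts the commit. Note that a regex scanner only catches credentials in the formats it knows; the durable fix is the previous bullet, using roles so there is no long-term key to leak in the first place.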
C. Insufficient Multi-Factor Authentication (MFA) Enforcement
In my early days in AWS cloud, I neglected to enforce Multi-Factor Authentication (MFA) for the root account and critical IAM users. While no security breaches occurred, this left the environment vulnerable to phishing or brute-force attacks.
How I Realized It:
During an AWS Well-Architected Review, MFA enforcement was flagged as a major gap in our security posture.
Lessons Learned:
- Protecting root and privileged accounts with MFA is crucial.
- Even if no breaches occur, overlooking MFA undermines best practices.
How to Avoid It:
- Mandate MFA for all users with elevated privileges.
- Use IAM policies to enforce MFA and block access if not enabled.
- Leverage AWS Config to continuously monitor and report on MFA compliance.
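Here is an added example (not code from the original post) of the “IAM policy that blocks access if MFA is not enabled” idea above, which also serves the “Enforce MFA through IAM policies” item in the best-practices section. The policy document is the commonly documented pattern of denying everything except the MFA-enrolment calls when the request carries no MFA; the small evaluator underneath only implements the Bool and BoolIfExists condition operators, enough to show why the choice between them matters. The request contexts are constructed.

```python
import copy

# Constructed example: deny everything unless MFA is present. NotAction leaves
# out the calls a user needs in order to enrol a device in the first place.
MFA_GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}

# Constructed request contexts. aws:MultiFactorAuthPresent exists only for
# temporary credentials; a request signed with a long-term access key carries
# no such key at all, which is why the third context is empty.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_ACCESS_KEY = {}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists clauses. A missing context key fails a
    plain operator but satisfies its *IfExists variant."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_covers(stmt, action):
    """Does the statement's Action / NotAction element apply to this action?"""
    if "Action" in stmt:
        return any(a == "*" or a == action for a in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return action not in _as_list(stmt["NotAction"])
    return False


def is_denied(policy, action, context):
    """True if any Deny statement matches the action under the given request
    context (an explicit Deny always wins in IAM evaluation)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or not _statement_covers(stmt, action):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def with_operator(policy, operator):
    """Copy of the guard policy with its condition operator swapped, used here
    to show that plain Bool is the weaker choice."""
    variant = copy.deepcopy(policy)
    for stmt in variant["Statement"]:
        cond = stmt.get("Condition", {})
        if cond:
            stmt["Condition"] = {operator: next(iter(cond.values()))}
    return variant


if __name__ == "__main__":
    weak = with_operator(MFA_GUARD_POLICY, "Bool")
    for label, ctx in (("mfa", CONSOLE_WITH_MFA), ("no-mfa", CONSOLE_WITHOUT_MFA),
                       ("access-key", LONG_TERM_ACCESS_KEY)):
        print(label, "BoolIfExists denies:", is_denied(MFA_GUARD_POLICY, "s3:ListAllMyBuckets", ctx),
              "| Bool denies:", is_denied(weak, "s3:ListAllMyBuckets", ctx))
```

The point the last context makes: with a plain Bool operator the deny never fires for a request signed with a long-term access key, because the MFA key is simply absent from that request, so the user is not blocked at all. BoolIfExists treats the missing key as a match and closes that gap, which is why the deny-unless-MFA pattern is written with it.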
D. Ignoring Service-Linked Roles
I deleted an IAM role that was service-linked to AWS CloudFormation, thinking it was unused. This broke critical workflows and caused failed stack deployments.
How I Realized It:
CloudFormation deployments started failing immediately with error messages indicating a missing role.
Lessons Learned:
- Service-linked roles are crucial for the operation of specific AWS services.
- Deleting roles without understanding their purpose can disrupt production systems.
How to Avoid It:
- Verify role dependencies before deletion using tools like IAM Access Analyzer.
- Consult AWS documentation to understand service-linked roles and their importance. For information about service-linked roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html
E. Neglecting Role and User Rotation
Some IAM users and roles were left active long after the employees or applications associated with them were no longer in use. This created potential vulnerabilities.
How I Realized It:
A periodic review using the AWS IAM credential report showed users with keys that hadn’t been rotated or used in years.
Lessons Learned:
- Stale credentials are a security risk, even if unused.
- Regularly auditing IAM resources is essential for maintaining hygiene.
How to Avoid It:
- Implement automated cleanup scripts or workflows to disable unused users and roles.
- Use IAM Access Advisor to review which services a principal has actually used and remove the permissions it no longer needs.
- Enforce strict key rotation policies and lifecycle management for roles.
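As an added example (not code from the original post), here is a small audit of the credential report of the kind mentioned above, which also serves the “Regularly Audit IAM Configurations” item in the best-practices section. The report is a constructed sample in the column layout of the IAM credential report (the real one is returned base64-encoded by GetCredentialReport and has a few more certificate columns after these); the account ID, user names and the fixed review date are placeholders.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential report's column layout (trimmed after
# the access key 2 columns). Account ID and users are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T00:00:00+00:00,not_supported,2024-11-02T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-14T00:00:00+00:00,true,2024-12-01T00:00:00+00:00,2024-09-10T00:00:00+00:00,N/A,true,true,2024-10-10T00:00:00+00:00,2024-12-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-09T00:00:00+00:00,true,2024-12-10T00:00:00+00:00,2024-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
legacy-batch,arn:aws:iam::123456789012:user/legacy-batch,2019-08-20T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-08-20T00:00:00+00:00,2021-02-03T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
"""

# Fixed review date (a placeholder) so the day counts are reproducible.
REPORT_TIME = datetime(2024, 12, 15, tzinfo=timezone.utc)

# Values the report uses when a field does not apply or is unknown.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _age_days(value, now):
    """Days since an ISO-8601 timestamp from the report, or None when the
    report carries no usable value for that field."""
    if value in NO_VALUE:
        return None
    return (now - datetime.fromisoformat(value)).days


def audit_credential_report(csv_text, now=REPORT_TIME, max_key_age_days=90, max_idle_days=90):
    """Return (user, subject, reason, days) findings for console users without
    MFA, active access keys overdue for rotation, and active keys that are idle
    or have never been used. Inactive keys are ignored."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console", "mfa_not_enabled", None))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if rotated is not None and rotated > max_key_age_days:
                findings.append((user, f"access_key_{n}", "not_rotated", rotated))
            used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if used is None or used > max_idle_days:
                findings.append((user, f"access_key_{n}", "unused", used))
    return findings


if __name__ == "__main__":
    for user, subject, reason, days in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {subject} {reason}" + (f" ({days} days)" if days is not None else ""))
```

The thresholds are arguments so the same function can run with whatever rotation and idle windows your policy sets. A finding such as an active key unused for years is the signal to deactivate the key first (deactivation is reversible) and delete it once nothing breaks.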
An Upgraded IAM Mindset:
Working with IAM has taught me that security is a continuous process requiring vigilance and adherence to best practices. Each mistake reinforced the importance of balancing functionality and security while leveraging AWS tools to automate monitoring and compliance.
IAM isn’t just about granting access — it’s about controlling and auditing it effectively. By learning from these missteps, I’ve adopted a proactive approach to avoid similar issues in the future and ensure that IAM configurations align with organizational security goals.
5. BEST PRACTICES
Over the years in AWS cloud, I’ve seen IAM play a pivotal role in ensuring secure and efficient cloud operations for various organizations. Here are some notable successes and lessons learned:
A. Scaling Securely in Multi-Account Environments
In one scenario, an organization migrated to AWS Organizations to manage multiple AWS accounts. By combining IAM roles with Service Control Policies (SCPs), we ensured:
- Centralized governance across all accounts.
- Strict control over permissions without impacting individual teams’ productivity.
This approach reduced misconfigurations, minimized the attack surface, and enhanced security audits across accounts.
Key Takeaway:
IAM roles, when paired with AWS Organizations, provide a scalable and secure foundation for managing multi-account architectures.
B. Implementing Granular Access Control for Third-Party Integrations
For an e-commerce company integrating with external analytics tools, creating custom IAM roles with fine-grained permissions limited access to only the necessary S3 buckets and data. This ensured the tool operated effectively without exposing sensitive resources.
Key Takeaway:
Always apply the principle of least privilege to integrations: start with minimal permissions and adjust as required.
C. Automation with Temporary Credentials
A logistics company transitioned from using static IAM access keys to relying on IAM roles with temporary credentials through AWS STS (Security Token Service). This significantly reduced the risk of credential leaks while automating key rotation for developers and applications.
Key Takeaway:
Whenever possible, prefer roles and temporary credentials over long-term access keys.
What Should Always Be Done When Starting with IAM
Enable MFA Everywhere
- Protect the root account and all users with multi-factor authentication (MFA).
- Enforce MFA through IAM policies for privileged operations. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Define Roles Before Users
- Design a role-based access control (RBAC) system from the beginning. See https://docs.aws.amazon.com/redshift/latest/dg/t_Roles.html
- Assign roles to users instead of granting direct permissions.
Leverage AWS Managed Policies First
- Start with AWS-managed policies for common use cases and then refine or create custom policies if needed.
Use IAM Access Analyzer
- Identify resources that are accessible from outside your AWS account or organization and ensure proper restrictions. https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Regularly Audit IAM Configurations
- Use tools like AWS Config, Credential Reports, and AWS Trusted Advisor to monitor compliance and catch misconfigurations.
What Should Never Be Done with IAM
Grant Wildcard Permissions
- Avoid policies like "Action": "*" or "Resource": "*". These can inadvertently open access to unintended resources and services.
Use Root Account for Daily Tasks
- Never use the root account for routine operations. Instead, create administrative IAM users or roles for day-to-day management. See Root user best practices for your AWS account.
Embed Static Access Keys in Code
- Hardcoding access keys in scripts or applications is a major security risk. Use IAM roles for applications running on AWS services like EC2 or Lambda.
Ignore IAM Policy Versioning
- Always review and update policies as your architecture evolves. Outdated policies can leave gaps or grant excessive permissions.
Delete Roles or Policies Without Checking Dependencies
- Always verify if a role or policy is in active use before deleting it to avoid disrupting workflows or critical operations.
AWS IAM is the backbone of cloud security and access management, but its effectiveness depends on how thoughtfully it is configured and maintained. By following best practices, avoiding common pitfalls, and leveraging automation, organizations can create a secure, scalable, and efficient cloud environment. IAM’s flexibility makes it a powerful tool, but with great power comes the responsibility to use it wisely.
6. CONCLUSION.
IAM (Identity and Access Management) is a framework of policies and technologies that ensures the right individuals or systems have appropriate access to resources at the right time. Use IAM to manage access to cloud resources, enforce least privilege, and secure user identities. Avoid using IAM when access management is better handled by external tools or when over-complicating policies could lead to security misconfigurations. With IAM, you can create fine-grained access controls, enable multi-factor authentication, and automate secure resource provisioning.
Tired of juggling complex IAM policies? In the next post, we’ll dive into crafting scalable, foolproof IAM strategies, exploring advanced techniques like policy simulations, automated audits, and how to spot and fix security gaps before they become costly mistakes.
JOSEPH NDAMBOMBI HONPAH