
Navigating the Identity Maze: Strategies for IAM in Multi-Cloud and the AI Era

Sneha Malshetti shares strategies for multi-cloud IAM, AWS vs GCP architecture differences, JIT access, and navigating AI risks in identity security.

Identity and Access Management (IAM) has evolved from a back-office IT function to the critical perimeter of modern cloud security. With more than 70% of cloud attacks originating from identity vulnerabilities, mastering IAM is no longer optional—it’s survival.

We sat down with Sneha Malshetti, a Senior Security Engineer at Ethos with over a decade of experience at major enterprises like United Airlines, The Walt Disney Company, and Credit Karma. Sneha shared her deep expertise on the nuances of multi-cloud IAM, the necessity of automation in scaling access control, and the double-edged sword of AI in security.

You can read the complete transcript of the episode here.

What are the key architectural differences between AWS and GCP IAM?

While the core concepts of principals and authorization remain similar, AWS and GCP approach IAM from fundamentally different philosophies.

  • Identity-Centric vs. Resource-Centric: AWS is primarily identity-centric, where policies are attached to users, groups, or roles. In contrast, GCP is resource-centric, where permissions (bindings) are often applied directly to the resource (e.g., a storage bucket or project) rather than the identity itself.
  • Hierarchy: This is a major differentiator. AWS does not have a strict native IAM hierarchy within the account structure in the same way GCP does. In GCP, if you grant permissions at the root or parent level (Organization or Folder), those permissions automatically trickle down to all child projects. This inheritance can lead to over-privileged access if not carefully managed.
  • Customization: AWS relies heavily on creating custom policies as JSON documents. GCP provides a robust set of pre-defined roles (like Viewer, Owner, Editor) which are easy to use but often over-privileged.

How do you manage identity federation in a multi-cloud environment?

Managing identities across multiple clouds requires a centralized strategy to avoid silos.

  • Role-Based Access Control (RBAC): The foundation is mapping your organizational roles to specific permissions in each cloud.
  • Groups over Users: A golden rule for federation is to never assign permissions directly to users. Always assign permissions to groups. If a user moves roles (e.g., from a recruiter to a data scientist), you simply move them from one group to another, ensuring their previous access is revoked automatically.
  • Production Access: In GCP specifically, avoid giving anyone direct “Owner” access in production. Use groups to strictly control and review who has this level of privilege.
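The hierarchy and "groups over users" points above are easiest to see by walking a GCP resource tree and computing what a project actually inherits. The following is an added example written for this article, not Cloudanix code and not the GCP API: the organization id, folder and project names, e-mail addresses and bindings are all constructed, and the bindings are laid out in the shape of a GCP IAM policy's `bindings` list. It computes the effective bindings on a project (which, unlike an AWS identity policy, requires looking at every ancestor) and reports basic roles inherited from above the project and direct `user:` grants, flagging `roles/owner` held by a user on a production project.

```python
# Constructed GCP resource hierarchy (child -> parent). The organization is the root.
# Ids, names and e-mail addresses below are made up for the example.
PARENT = {
    "folders/prod": "organizations/123456789",
    "folders/dev": "organizations/123456789",
    "projects/payments-prod": "folders/prod",
    "projects/sandbox-dev": "folders/dev",
}

# IAM bindings per resource, in the shape of the "bindings" list of a GCP IAM policy
# (role + members). Constructed sample data.
BINDINGS = {
    "organizations/123456789": [
        {"role": "roles/viewer", "members": ["group:security-team@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ],
    "folders/prod": [
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ],
    "projects/payments-prod": [
        {"role": "roles/storage.objectViewer", "members": ["group:payments-devs@example.com"]},
    ],
    "projects/sandbox-dev": [
        {"role": "roles/owner", "members": ["group:sandbox-owners@example.com"]},
    ],
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # GCP's broad basic roles


def ancestry(resource):
    """Yield the resource, then each parent up to the organization."""
    node = resource
    while node is not None:
        yield node
        node = PARENT.get(node)


def effective_bindings(resource):
    """Map role -> {member: resource where the binding was granted}, walking up the
    hierarchy because a GCP grant on a parent applies to every descendant. When the same
    member/role appears at several levels, the closest grant is the one recorded."""
    effective = {}
    for node in ancestry(resource):
        for binding in BINDINGS.get(node, []):
            members = effective.setdefault(binding["role"], {})
            for member in binding["members"]:
                members.setdefault(member, node)
    return effective


def review_project(project, production=False):
    """Findings a reviewer would want: basic roles inherited from above the project, and
    direct user (not group) grants, which the interview advises against, with a production
    Owner held by a user called out explicitly."""
    findings = []
    for role, members in effective_bindings(project).items():
        for member, granted_at in members.items():
            if role in BASIC_ROLES and granted_at != project:
                findings.append(f"{member} holds {role} on {project} inherited from {granted_at}")
            if member.startswith("user:"):
                kind = "production Owner" if production and role == "roles/owner" else "direct user grant"
                findings.append(f"{member} bound to {role} as a user, not a group ({kind})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_project("projects/payments-prod", production=True):
        print(finding)
```

Run against the sample tree, the production project shows five findings, including `user:bob@example.com` holding Owner via `folders/prod` even though nothing was granted on the project itself; the same walk against `projects/sandbox-dev` shows that Bob's Owner grant does not reach a sibling folder's child. Replace the two dictionaries with the output of the Resource Manager and IAM APIs to run it against a real organization.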

How can organizations scale RBAC without creating “role explosion”?

Scaling RBAC for a 10,000-person company is vastly different from a 50-person startup. To manage this scale:

  • Delegated Permissioning: You cannot manage everything centrally. Delegate approval authority down to managers who understand the context of the access request.
  • Dual Approval: For sensitive access (like S3 administrative rights), implement a dual approval system. This requires approval from both the user’s manager (who knows why they need it) and the data owner (who knows if they should have it).

What tools and techniques work best for auditing IAM at scale?

Manual auditing is impossible in large environments. Automation and native tools are essential.

  • Access Analyzer: Use tools like AWS IAM Access Analyzer to detect unused permissions. A common threshold is to flag any role where more than 60% of permissions have been unused for 90 days.
  • Automation: For lean teams managing hundreds of accounts, build automation that hits cloud provider APIs (like the GCP Recommender API) to pull access data centrally.
  • Cost Management: Be mindful of API rate limits and costs associated with high-volume log ingestion and analysis.
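The 60%-unused-for-90-days rule above is a simple ratio once you have per-service last-used data for a role. The following is an added example for this article, not Cloudanix code: the role ARNs, account id, timestamps and the fixed "now" are constructed, and the entries are shaped like the per-service items of IAM's service last-accessed report (`ServiceNamespace` and `LastAuthenticated`, the latter absent when the service was never called), which boto3 returns from `get_service_last_accessed_details` after a `generate_service_last_accessed_details` job. It computes the unused share per role and lists the services a reviewer would trim.

```python
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90        # the interview's look-back window
UNUSED_RATIO = 0.60     # flag a role when more than 60% of its services are unused

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)

# Constructed sample shaped like the per-service entries of IAM's service last-accessed
# report. Role ARNs, the account id and all dates are made up.
SAMPLE_ROLES = {
    "arn:aws:iam::111122223333:role/data-pipeline": [
        {"ServiceNamespace": "s3",     "LastAuthenticated": "2024-05-01T10:00:00Z"},
        {"ServiceNamespace": "ec2",    "LastAuthenticated": "2023-11-20T08:30:00Z"},
        {"ServiceNamespace": "kms",    "LastAuthenticated": "2024-01-02T00:00:00Z"},
        {"ServiceNamespace": "iam",    "LastAuthenticated": None},
        {"ServiceNamespace": "lambda", "LastAuthenticated": None},
    ],
    "arn:aws:iam::111122223333:role/web-app": [
        {"ServiceNamespace": "s3",       "LastAuthenticated": "2024-05-09T12:00:00Z"},
        {"ServiceNamespace": "dynamodb", "LastAuthenticated": "2024-05-08T12:00:00Z"},
        {"ServiceNamespace": "sqs",      "LastAuthenticated": "2024-03-01T12:00:00Z"},
        {"ServiceNamespace": "logs",     "LastAuthenticated": None},
    ],
    "arn:aws:iam::111122223333:role/legacy-etl": [
        {"ServiceNamespace": "redshift", "LastAuthenticated": None},
        {"ServiceNamespace": "glue",     "LastAuthenticated": None},
        {"ServiceNamespace": "s3",       "LastAuthenticated": None},
    ],
}


def _parse(timestamp):
    """Parse the report's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def unused_services(entries, now=NOW, days=UNUSED_DAYS):
    """Services the role may call but has not used within `days` (never-used counts)."""
    cutoff = now - timedelta(days=days)
    return [
        entry["ServiceNamespace"]
        for entry in entries
        if entry.get("LastAuthenticated") is None or _parse(entry["LastAuthenticated"]) < cutoff
    ]


def unused_ratio(entries, now=NOW, days=UNUSED_DAYS):
    """Share of the role's services that are unused; 0.0 for a role with no services."""
    return len(unused_services(entries, now, days)) / len(entries) if entries else 0.0


def flag_roles(roles=SAMPLE_ROLES, ratio=UNUSED_RATIO, now=NOW, days=UNUSED_DAYS):
    """Roles whose unused share exceeds the threshold, mapped to the services to remove."""
    return {
        arn: unused_services(entries, now, days)
        for arn, entries in roles.items()
        if unused_ratio(entries, now, days) > ratio
    }


if __name__ == "__main__":
    for arn, services in flag_roles().items():
        print(f"{arn}: {len(services)} unused service(s): {', '.join(services)}")
```

With the sample data the cutoff is 2024-02-10, so `data-pipeline` (4 of 5 services unused) and `legacy-etl` (never used at all) are flagged while `web-app` (1 of 4) is not. The report is generated per ARN, so in a real account this is one API job per role; the rate-limit and cost point above applies directly when you schedule it across hundreds of accounts.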

How do you handle “Just-in-Time” (JIT) access and prevent privilege escalation?

Static, long-lived permissions are a security risk. JIT access minimizes this window of exposure.

  • Role Expiry: Roles should not be permanent fixtures. Assign expiry dates to permissions, especially for production access.
  • Time Limits: A general best practice is a 4-hour limit for privileged access in production and perhaps 8 hours for development environments.
  • Automated Break-Glass: To avoid blocking urgent work (e.g., a deployment failure on a weekend), automate break-glass access. If a valid Jira ticket exists for an incident and the requestor is on-call, the system can automatically provision temporary elevated access.
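The dual-approval rule from the RBAC section and the JIT rules above (expiry, 4-hour production and 8-hour development caps, automated break-glass for an on-call requester with a valid incident ticket) fit together as one request evaluator. The following is an added example for this article, not Cloudanix code: the role name `s3-admin`, the user names, the ticket key and the on-call roster are constructed, and the ticket and roster lookups are stand-ins for calls to a ticketing system and an on-call schedule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Maximum grant length per environment, as in the interview (4h production, 8h development).
MAX_DURATION = {"prod": timedelta(hours=4), "dev": timedelta(hours=8)}

# Roles that need both the manager and the data owner. "s3-admin" is a constructed name for
# the S3 administrative rights the interview uses as its example.
DUAL_APPROVAL_ROLES = {"s3-admin"}


@dataclass
class AccessRequest:
    requester: str
    role: str
    environment: str
    requested_hours: float
    manager_approved: bool = False
    data_owner_approved: bool = False
    incident_ticket: Optional[str] = None  # e.g. a Jira key; constructed values in the test


@dataclass
class Grant:
    requester: str
    role: str
    environment: str
    expires_at: datetime  # the role is revoked at this time; nothing is left standing
    reason: str


def evaluate(req, now, on_call, open_incidents):
    """Return (Grant, None) when access may be provisioned, else (None, denial reason).
    `on_call` maps environment -> set of users currently on call; `open_incidents` is the
    set of valid incident ticket keys. Both would be looked up live in a real system."""
    if req.environment not in MAX_DURATION:
        return None, f"unknown environment {req.environment!r}"

    # Never exceed the environment's cap, whatever duration was asked for.
    duration = min(timedelta(hours=req.requested_hours), MAX_DURATION[req.environment])
    expires = now + duration

    # Automated break-glass: a valid incident ticket plus the requester being on call is
    # enough to provision temporary access without waiting for a human approver.
    if req.incident_ticket in open_incidents and req.requester in on_call.get(req.environment, set()):
        reason = f"break-glass via {req.incident_ticket} (requester on call)"
        return Grant(req.requester, req.role, req.environment, expires, reason), None

    # Normal path: sensitive roles need both approvers; everything else needs the manager.
    if req.role in DUAL_APPROVAL_ROLES:
        if not (req.manager_approved and req.data_owner_approved):
            return None, "dual approval required: manager and data owner"
    elif not req.manager_approved:
        return None, "manager approval required"
    return Grant(req.requester, req.role, req.environment, expires, "approved"), None


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    request = AccessRequest("alice", "s3-admin", "prod", 10, manager_approved=True, data_owner_approved=True)
    grant, why = evaluate(request, now, on_call={"prod": {"dana"}}, open_incidents={"OPS-123"})
    print(grant or why)
```

Two behaviours are worth noting: the cap is applied before any approval logic, so a ten-hour production request still expires after four hours even on the break-glass path, and an on-call requester without a valid ticket falls through to the normal approval checks rather than being denied outright.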

What role do Service Control Policies (SCPs) and boundaries play?

Defense in depth requires strong perimeters to prevent lateral movement and accidental exposure.

  • Permission Boundaries: Ensure that no user can create an IAM role with more privileges than they currently possess.
  • Region Restriction: Use SCPs to restrict deployments to only the specific regions your business operates in.
  • Resource Whitelisting: Use SCPs to whitelist only the specific AWS resources your company uses, preventing developers from spinning up expensive or unapproved services.
  • Hard Limits: Be aware of the hard limit of 5 SCPs per account, which requires careful planning of your policy structure.
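The region restriction and service allowlist above can live in a single SCP document, which matters given the per-account attachment limit. The following is an added example for this article, not Cloudanix code: the approved regions and services are constructed, the list of global services exempted from the region check is an assumption to be reviewed for your own account, and the evaluator is a deliberately simplified model of how an SCP's Deny statements filter an API call (real IAM matching is case-insensitive and supports many more condition operators). It shows the guardrails in the JSON shape AWS expects and checks sample calls against them.

```python
import fnmatch

# Constructed allowlists; adjust to the regions and services your business actually uses.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]
ALLOWED_SERVICES = ["ec2", "s3", "lambda", "logs", "cloudwatch", "iam", "sts", "organizations"]
# Global services have no region of their own, so the region guardrail exempts them.
# This list is an assumption for the example and must be reviewed for your account.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"]

# Both guardrails in one SCP document (as a Python dict in SCP JSON form).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            "Sid": "DenyUnapprovedServices",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in ALLOWED_SERVICES],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Match an action like 'ec2:RunInstances' against wildcard patterns like 'ec2:*'."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns)


def _deny_applies(statement, action, region):
    """Simplified Deny evaluation: Action/NotAction match plus the one condition operator
    used above. Anything else raises so the simplification is never silently wrong."""
    if "Action" in statement and not _action_matches(_as_list(statement["Action"]), action):
        return False
    if "NotAction" in statement and _action_matches(_as_list(statement["NotAction"]), action):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, values in pairs.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(key)
            # A negated operator is satisfied when the key is absent or not in the list.
            if region is not None and region in _as_list(values):
                return False
    return True


def scp_permits(action, region, scp=SCP):
    """(True, None) if no Deny statement applies, else (False, Sid of the denying statement).
    Assumes the default FullAWSAccess SCP is still attached, so only explicit Denies restrict,
    and that the identity's own IAM policies are evaluated separately."""
    for statement in scp["Statement"]:
        if statement["Effect"] == "Deny" and _deny_applies(statement, action, region):
            return False, statement["Sid"]
    return True, None


if __name__ == "__main__":
    for call in [("ec2:RunInstances", "ap-south-1"), ("ec2:RunInstances", "us-east-1"),
                 ("iam:CreateUser", None), ("sagemaker:CreateNotebookInstance", "us-west-2")]:
        print(call, "->", scp_permits(*call))
```

Note the interaction between the two statements: a Route 53 call is exempt from the region check as a global service, but is still denied by the service allowlist because `route53` is not in `ALLOWED_SERVICES`. Remember that an SCP only filters what identity policies already allow; it never grants anything, and it does not apply to the management account.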

How is AI reshaping the security landscape?

AI is a double-edged sword, serving as both a powerful tool for security engineers and a potential vector for data leakage.

  • Empowerment: AI tools now allow any engineer to understand and remediate security logs by providing step-by-step consolidation and explanation of issues.
  • Anomaly Detection: AI is crucial for parsing millions of log records to find anomalies that human analysts would miss.
  • The Trust Gap: Despite its power, AI should not be trusted for automated remediation in production. Human verification is still required before applying fixes.
  • Data Privacy: A major risk is sensitive data (PII, PCI) leaking into public LLMs. Organizations must set strict guardrails, such as using enterprise versions of tools where data is not used for training, and educating teams on what data is off-limits.

Conclusion

The conversation with Sneha Malshetti highlights that effective identity security is not just about tools, but about architecture and process. Whether navigating the structural differences between AWS and GCP, implementing Just-in-Time access to reduce blast radius, or leveraging AI for log analysis, the goal remains the same: granting the right access, to the right person, for the right time. As cloud environments grow in complexity, the organizations that treat identity as their primary security perimeter will be the ones that succeed.
