In cloud security testing, what should be the primary focus during IAM assessment?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Explanation:
Focusing on who can access what, and how that access is granted, is the heart of IAM assessment. The main goal is to verify that identities (users, service accounts, and federated identities) have only the permissions they truly need, that those permissions are enforced consistently across the cloud environment, and that strong authentication and lifecycle controls are in place. This means reviewing IAM policies and roles, checking for overly permissive grants, applying least privilege, enforcing multi-factor authentication, and ensuring service accounts don't carry long-lived or unused credentials. It also includes ensuring proper separation of duties and monitoring for anomalous access. In contrast, DNS resolution, data backup scheduling, and network throughput checks relate to other aspects of operations (name resolution, data durability, and performance) rather than access control. So, the primary focus during IAM assessment is evaluating the configuration and effectiveness of identity and access management within the cloud environment.
