
Module 48: IAM Solutions for Cloud Applications

CCSP Domain 4 — Cloud Application Security, Section C
The CCSP exam expects you to design IAM solutions that work across cloud services and federated environments — not just configure a single login page.

Application-Level IAM vs. Infrastructure IAM

The exam distinguishes between two IAM contexts:

  • Infrastructure IAM — who can manage cloud resources (create VMs, modify networks). Covered in Domain 3
  • Application IAM — who can access the application and what they can do within it. Covered here in Domain 4

Application IAM handles end-user authentication, authorization, session management, and identity federation across multiple applications.

If the exam asks about controlling user access to an application feature, the answer involves application-level IAM (OAuth, OIDC, RBAC). If it asks about controlling who can deploy cloud resources, the answer involves infrastructure IAM.

Token-Based Authentication

Modern cloud applications use token-based authentication instead of server-side sessions:

  • JWT (JSON Web Tokens) — self-contained tokens with claims, signed by the issuer
  • Access tokens — short-lived tokens authorizing API access
  • Refresh tokens — longer-lived tokens used to obtain new access tokens
  • ID tokens — OIDC tokens containing user identity claims

Key exam concepts:

  • JWTs must be validated (signature, expiration, issuer, audience) on every request
  • Access tokens should have short expiration times (minutes, not hours)
  • Refresh tokens must be stored securely and can be revoked
  • Token replay attacks are mitigated by short expiration and token binding

Federation and SSO for Applications

Cloud applications often federate identity across organizations:

  • SAML 2.0 — enterprise SSO for web applications. The IdP issues SAML assertions to the SP
  • OIDC — modern alternative to SAML, built on OAuth 2.0. Better for mobile and SPA applications
  • Social login — delegating authentication to Google, Microsoft, or other identity providers
  • Multi-IdP federation — supporting multiple identity providers for different user populations

The exam expects you to select the correct protocol: SAML for enterprise web SSO, OIDC for modern applications and mobile, OAuth 2.0 for API authorization.


Application Authorization Models

Beyond authentication, the exam tests how applications enforce authorization:

  • RBAC — users assigned to roles with predefined permissions. Simple but can lead to role explosion
  • ABAC — permissions based on attributes (user department, resource sensitivity, time of day)
  • ReBAC (Relationship-Based Access Control) — authorization based on relationships between users and resources (common in social and collaboration apps)
  • Policy-as-code — authorization rules defined in code and evaluated at runtime (OPA, Cedar)

The exam rewards candidates who understand that RBAC is the baseline, but complex cloud applications often need ABAC or policy-as-code for fine-grained control.
