Add IAM to secure systems (#956)

🎫 [Jira task](https://hashicorp.atlassian.net/browse/WAF-385)
🔍
[Preview](https://unified-docs-frontend-preview-2i3p3l4lk-hashicorp.vercel.app/well-architected-framework/secure-systems/identity-access-management/define-access-requirements)
+ other pages under iam.

Author: jonathanfrappier

content/well-architected-framework/data/docs-nav-data.json

@@ -268,6 +268,39 @@
           }
         ]
       },
+      {
+        "title": "Identity and access management",
+        "routes": [
+          {
+            "title": "Define access requirements",
+            "path": "secure-systems/identity-access-management/define-access-requirements"
+          },
+          {
+            "title": "Grant least privilege",
+            "path": "secure-systems/identity-access-management/grant-least-privilege"
+          },
+          {
+            "title": "Create permissions and guardrails",
+            "path": "secure-systems/identity-access-management/create-permissions-guardrails"
+          },
+          {
+            "title": "Centralize identity management",
+            "path": "secure-systems/identity-access-management/centralize-identity-management"
+          },
+          {
+            "title": "Implement strong sign-in workflows",
+            "path": "secure-systems/identity-access-management/implement-strong-sign-in-workflows"
+          },
+          {
+            "title": "Use dynamic credentials",
+            "path": "secure-systems/identity-access-management/use-dynamic-credentials"
+          },
+          {
+            "title": "Manage access lifecycle",
+            "path": "secure-systems/identity-access-management/manage-access-lifecycle"
+          }
+        ]
+      },
       {
         "title": "Secure applications",
         "routes": [

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/centralize-identity-management.mdx

@@ -0,0 +1,95 @@
+---
+page_title: Centralize identity management
+description: Centralize identity management to manage access and improve security.
+---
+
+# Centralize identity management
+
+Designing and planning policies to manage access is part of a complete identity
+and access management strategy. A key part of that strategy is to centralize
+identity management, allowing you to enforce those policies effectively.
+
+There are several ways to grant access to systems. Most systems have built-in
+identity solutions that allow you to create local users and groups. Those users
+and groups only have access to that specific system. While isolated identity
+management may seem secure, it does not scale well and may introduce more
+security risks than centralizing identity management.
+
+## What is centralized identity management
+
+Centralizing identity management allows you to manage access to all systems
+from a single location. Solutions like LDAP, Active Directory, or cloud identity
+providers like Okta, Azure EntraID, or Google Cloud Identity provide a way to
+centralize identity management. After you centralize authentication, you then
+integrate the identity provider with other systems and authorize access for those
+users. Each user has a single username and password, but can access the systems
+required to perform their job.
+
+Having individual user accounts on multiple platforms is similar to having a
+local user on your laptop. You can log in to the laptop with the local user, but
+that username and password do not provide access to your email or other systems.
+
+## Why centralize identity management
+
+When you manage your users through a centralized
+identity provider, you can enforce strong security policies like multi-factor
+authentication (MFA), password complexity, and rotation policies. 
+
+From an end user perspective, centralizing identity management provides a
+single sign-on (SSO) experience, allowing users to access the systems they need
+with a single set of credentials. Using SSO reduces the risk of password
+fatigue and improves security by reducing the number of passwords that users
+need to remember.
+
+You can deploy HashiCorp Vault to support centralized identity management by:
+
+- **Act as an OIDC provider** - Deploy Vault as an OIDC provider gives you
+  complete control over your identity management workflow and allows you to
+  expose the OIDC provider based on your security requirements.
+- **Generate credentials** - Generate dynamic, short-lived credentials that
+  eliminate static passwords stored in different systems.
+
+Boundary provides identity-aware proxying to infrastructure without exposing
+credentials to end users: 
+
+- **Integrate with identity providers** - Connect Boundary to OIDC providers or
+  Active Directory to authenticate users based on their existing corporate
+  identities.
+- **Role-based access control** - Map users and groups from your identity
+  provider to Boundary roles, controlling which systems each user can access.
+- **Session recording and auditing** - Track which users accessed which systems,
+  creating an audit trail tied to real identities rather than shared
+  credentials.
+
+Most HashiCorp tools and services like the [HashiCorp Cloud
+Platform](https://portal.cloud.hashicorp.com/sign-in), HCP Terraform, Boundary,
+and Vault integrate with third party identity providers natively or through
+OIDC allowing you to manage access to these tools from your centralized identity
+provider.
+
+HashiCorp resources:
+
+- [Use Vault as an OIDC provider for single sign-on](/nomad/tutorials/archive/sso-oidc-vault)
+- [Vault as an OIDC identity provider](/vault/docs/secrets/identity/oidc-provider)
+
+External resources:
+
+- [NIST SP 800-63 Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63c.html)
+
+## Next steps
+
+Following these documents in order ensures a logical progression through the key
+concepts and best practices, helping you build a strong foundation to build your
+identity and access management program.
+
+- [Define access requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements)
+- [Grant least privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
+- [Create permissions and guardrails](/well-architected-framework/secure-systems/identity-access-management/create-permissions-guardrails)
+- **Centralize identity management (this document)**
+- [Implement strong sign-in workflows](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows)
+- [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
+- [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
+
+In this section of Identity and access management you learned the benefits
+of centralizing identity management. Identity and access management is part of the
+[Secure systems](/well-architected-framework/secure-systems) pillar.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/create-permissions-guardrails.mdx

@@ -0,0 +1,118 @@
+---
+page_title: Create permissions and guardrails
+description: Write effective identity and access management (IAM) policies that enforce permissions guardrails by using least privilege.
+---
+
+# Create permissions and guardrails
+
+Once you have defined your access requirements, you can begin writing
+policies that enforce permissions guardrails by using [least
+privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
+policies.
+
+Creating policies and enforcing guardrails is the process of translating
+requirements into policies that define what users, applications, and systems can
+do. Writing effective permissions involves converting the requirements for each
+role or function within your organization when you [defined your access
+requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements)
+into policies for your systems.
+
+## What are permissions
+
+Permissions are the specific actions that users, applications, or systems can
+take on resources. Permissions are typically defined in policies and used to
+control access to resources in a system.
+
+You can grant or deny permissions based on various factors, including the user's
+role, group membership, the resources they access, and the context of the access
+request. For example, a user may have permission to read data from a database
+but not to write data to it.
+
+The following is an example of a database permission and AWS S3 bucket policy
+that follows least privilege:
+
+<CodeBlockConfig hideClipboard>
+
+```plaintext
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;
+```
+
+</CodeBlockConfig>
+
+The PostgreSQL role `readonly_user` with the `SELECT` permission can select data from
+tables, but not write or modify data.
+
+An example AWS IAM policy that follows least privilege allows read-only access
+to download files from the "company-reports" S3 bucket.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::company-reports",
+                "arn:aws:s3:::company-reports/*"
+            ]
+        }
+    ]
+}
+```
+
+## Define permissions as code
+
+Where possible, define your permissions in policies as code. Defining
+permissions in policies as code allows you to version control your policies,
+track changes over time, and collaborate with your team. You can then use tools like
+HashiCorp's Terraform or Red Hat's Ansible to deploy and update your policies.
+Most systems support writing policies in JSON, YAML, or XML.
+
+<VideoEmbed url="https://www.youtube.com/watch?v=cOOw4d_6WyA"/>
+
+Some systems like HashiCorp's Vault and Sentinel support policies in custom languages like
+the HashiCorp Configuration Language (HCL). JSON is another widely supported
+format. HashiCorp Vault supports JSON based policies, in addition to HCL. AWS
+Identity and Access Management (IAM) supports JSON-based policies. Other systems
+like Active Directory may require scripting the policies in other languages like
+PowerShell to create Group Policy Objects (GPOs).
+
+Terraform helps you manage your policies for supported tools and services,
+allowing you to define, update, and enforce policies as code. Using automation
+to manage policies ensures that your policies are consistent, auditable, and can
+be version controlled.
+
+HashiCorp resources:
+
+- [Access controls with Vault policies](/vault/tutorials/policies/policies)
+- [Policy as code with Sentinel](/sentinel/docs/concepts/policy-as-code)
+- [Create IAM policies with Terraform](/terraform/tutorials/aws/aws-iam-policy)
+- [Use templates with Waypoint](/waypoint/tutorials/hcp-waypoint/use-template)
+
+External resources:
+
+- [Define, update, share, and enforce policies using code](https://developer.ibm.com/articles/policy-as-code-ansible-automation-engine-and-open-policy-agent/)
+- [Introduction to policy as code with automation](https://www.redhat.com/en/blog/policy-as-code-automation)
+
+## Next steps
+
+Following these documents in order ensures a logical progression through the key
+concepts and best practices, helping you build a strong foundation to build your
+identity and access management program.
+
+- [Define access requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements)
+- [Grant least privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
+- **Create permissions and guardrails (this document)**
+- [Centralize identity management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management)
+- [Implement strong sign-in workflows](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows)
+- [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
+- [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
+
+In this section of **Identity and access management**, you learned the
+difference between granting excessive permission and how it relates to the
+concept of least privilege. Identity and access management is part of the
+[Secure systems](/well-architected-framework/secure-systems) pillar.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/define-access-requirements.mdx

@@ -0,0 +1,103 @@
+---
+page_title: Define access requirements
+description: Identify and collect requirements to help you identify access requirements for your systems.
+---
+
+# Define access requirements
+
+Defining access requirements for your organization is an important step in
+creating secure systems. Identifying what requirements you need to implement can
+seem overwhelming. There are steps you can take to simplify identifying the
+requirements you need and collecting the necessary documentation to implement
+the access requirements.
+
+## What are access requirements
+
+Every system you interact with today includes a set of access requirements. These
+requirements define who can access the system, what actions they can take, and
+under what conditions they can access the system. Access requirements come from
+several sources, including:
+
+- Industry regulations that define role-based access controls or separation of
+  duties requirements (PCI, HIPAA).
+- Local, federal, or international regulatory standards that define data privacy
+  and protection (CCPA, Sarbanes-Oxley, GDPR).
+- Current best operational practices that define security controls (SOC 2, NIST,
+  ISO 27001).
+
+When you understand which regulations and standards apply to your organization, you can
+begin to identify the specific access requirements that you need to implement
+for your systems and teams.
+
+## How to define access requirements
+
+Start by identifying the regulations and standards that apply to your
+organization from both an industry and geographic perspective. These regulations
+often align with specific security practices, such as [NIST SP
+800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) for access control.
+
+Once you have identified and collected the requirements that apply to your
+organization, you need to document those requirements and begin mapping the
+specific access controls to your systems and teams. Documenting these
+requirements helps you ensure that you are meeting the necessary regulations and
+standards.
+
+You should also designate a group responsible for staying up-to-date on changes to
+regulations and standards that may affect your access requirements. When
+regulations, standards, or best practices change, you need to update your access
+requirements accordingly. The group responsible for staying up-to-date on
+regulation updates evangelizes the need for strong security practices across
+your organization.
+
+Documenting and maintaining your access requirements helps you ensure that you
+can meet audit requirements, such as those for SOC 2 or ISO 27001. Auditors will
+want to see that you have a clear understanding of your access requirements and
+that you are implementing the necessary controls to meet those requirements.
+
+As you begin defining your access requirements, also think about how you can
+manage these controls at scale. HashiCorp's Terraform helps you deploy [policies
+as code](/well-architected-framework/secure-systems/compliance-and-governance/policy-as-code)
+such as policies for Vault or Sentinel to manage access controls across your
+systems.
+
+[Project
+infragraph](https://www.hashicorp.com/en/blog/building-intelligent-infrastructure-automation-with-hashicorp),
+announced at HashiConf 2025, is a real-time infrastructure graph that provides
+visibility into your infrastructure and its relationships. By understanding
+relationships between your resources, you can better define and manage access
+requirements.
+
+You can apply to our private beta for project infragraph
+[here](https://www.hashicorp.com/en/project-infragraph-private-beta).
+
+HashiCorp resources:
+
+- [Access controls with Vault policies](/vault/tutorials/policies/policies)
+- [Policy as code with Sentinel](/sentinel/docs/concepts/policy-as-code)
+- [Create IAM policies with Terraform](/terraform/tutorials/aws/aws-iam-policy)
+- [Use templates with Waypoint](/waypoint/tutorials/hcp-waypoint/use-template)
+
+External resources:
+
+- [NIST cybersecurity framework](https://www.nist.gov/cyberframework)
+- [Define, update, share, and enforce policies using code](https://developer.ibm.com/articles/policy-as-code-ansible-automation-engine-and-open-policy-agent/)
+- [Understanding separation of duties](https://www.pingidentity.com/en/resources/blog/post/separation-of-duties.html)
+
+## Next steps
+
+Following these documents in order ensures a logical progression through the key
+concepts and best practices, helping you build a strong foundation to build your
+identity and access management program.
+
+- **Define access requirements (this document)**
+- [Grant least privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
+- [Create permissions and guardrails](/well-architected-framework/secure-systems/identity-access-management/create-permissions-guardrails)
+- [Centralize identity management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management)
+- [Implement strong sign-in workflows](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows)
+- [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
+- [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
+
+In this section of Identity and access management, you learned the importance
+of identifying and collecting access requirements from common sources such as
+industry and regulatory standards. Identity and access management is part of the
+[Secure systems](/well-architected-framework/secure-systems) pillar.