This post gives a practical, cloud-agnostic playbook for implementing Identity and Access Management (IAM) controls in AWS, Azure, and GCP to meet FAR 52.204-21 and CMMC 2.0 Level 1 control AC.L1-B.1.II (limit access to authorized users and devices) with step-by-step actions, small-business scenarios, and concrete technical examples.
What the control requires (Compliance Framework — Practice)
The key objective of AC.L1-B.1.II under the Compliance Framework is to ensure only authorized users and devices can access contractor information systems and that access is provisioned, reviewed, and revoked in a controlled manner. Practically this means: implement least-privilege accounts and roles, enforce multi-factor authentication (MFA), use identity federation/SSO where possible, control service accounts, log and audit IAM events, and perform periodic access reviews. For small businesses this translates into a small set of repeatable IAM rules that apply across cloud providers.
Implementation steps — AWS
AWS: configure Identity Center, roles, MFA, and policies
Steps for a small business (10–50 employees): enable AWS IAM Identity Center (SSO) integrated with your corporate IdP (Azure AD or Okta) using SAML/SCIM so that the user lifecycle is automated. Create Permission Sets for job functions (e.g., dev-readonly, dev-deploy, finance-billing) instead of attaching policies to individual users. Enforce MFA by policy condition or at the IdP; for example, the following IAM policy denies every action unless the request carries an MFA-authenticated session (because the condition uses BoolIfExists, requests whose MFA status is absent from the context, such as calls signed with long-term access keys, are denied as well):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
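To make the behaviour of that Deny statement concrete, here is an added Python example (not code from the post) that evaluates the policy above against three constructed request contexts: a console session with MFA, a console session without MFA, and a request whose context has no aws:MultiFactorAuthPresent key at all, which is what a call signed with a long-term access key looks like. The evaluator models only the pieces this policy uses (Action/Resource wildcards and the Bool / BoolIfExists operators); real IAM evaluation has many more rules. A second helper rewrites the condition to plain Bool so the difference the IfExists suffix makes is visible.

```python
"""Evaluate the RequireMFA Deny statement against sample request contexts."""
import fnmatch
import json

# The RequireMFA policy from the post, embedded so the example runs offline.
REQUIRE_MFA_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
""")


def _matches(pattern, value):
    """Match an Action/Resource pattern (string or list of strings) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_matches(operator, key, expected, context):
    """Evaluate one Bool / BoolIfExists condition entry against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if base != "Bool":
        raise ValueError(f"unsupported condition operator: {operator}")
    if key not in context:
        # ...IfExists: an absent key makes the condition evaluate to true.
        # In a Deny statement that means "deny when MFA status is unknown",
        # e.g. a request signed with a long-term access key.
        return if_exists
    return str(context[key]).lower() == str(expected).lower()


def statement_applies(statement, action, resource, context):
    """True when action, resource and every condition entry match."""
    if not _matches(statement.get("Action", []), action):
        return False
    if not _matches(statement.get("Resource", []), resource):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified decision: an explicit Deny wins; otherwise assume an Allow exists elsewhere."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, resource, context):
            return "Deny"
    return "Allow"


def mfa_decisions(policy=REQUIRE_MFA_POLICY):
    """Decisions for three constructed request contexts (hypothetical bucket name)."""
    contexts = {
        "console_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
        "console_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
        "long_term_access_key": {},  # key absent from the request context
    }
    return {
        name: evaluate(policy, "s3:ListBucket", "arn:aws:s3:::example-bucket", ctx)
        for name, ctx in contexts.items()
    }


def without_if_exists(policy):
    """Copy of the policy with plain Bool instead of BoolIfExists, for comparison."""
    variant = json.loads(json.dumps(policy))
    stmt = variant["Statement"][0]
    stmt["Condition"] = {"Bool": stmt["Condition"]["BoolIfExists"]}
    return variant


if __name__ == "__main__":
    print("BoolIfExists:", mfa_decisions())
    print("Bool:        ", mfa_decisions(without_if_exists(REQUIRE_MFA_POLICY)))
```

With BoolIfExists the access-key request is denied; with plain Bool it would be allowed, which is why the IfExists form belongs in the Deny statement. One practical caveat when deploying this pattern: as written the Deny also covers the IAM calls a user needs to enrol their own MFA device, so AWS's documented version of it uses NotAction to exempt those self-service actions; test the policy with a non-admin user before attaching it broadly.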
Lock down long-lived credentials: forbid root usage for day-to-day tasks, rotate access keys monthly using automation (AWS Secrets Manager + Lambda), and prefer short-lived STS roles for CI/CD. Enable CloudTrail and configure the trail to send logs to a central, immutable S3 bucket with MFA Delete (if possible) and to CloudWatch Logs for alerting. Use AWS Organizations Service Control Policies (SCPs) to enforce global constraints (e.g., deny public S3 writes).
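The alerting side of that paragraph, as an added Python example that is not code from the post: three detection rules run over constructed CloudTrail-shaped records (root account activity, console logins that succeeded without MFA, and creation of new long-lived access keys). The account id 111122223333 and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values, and the user names are made up. The no-MFA rule is deliberately limited to root and IAM users: for federated sessions (Identity Center / SAML) MFA is enforced at the IdP, so the AWS-side MFAUsed field is not the signal there; that assumption is noted in the code.

```python
"""Detection rules over CloudTrail records for the IAM alerts described above."""

# Constructed sample events in CloudTrail's record shape, trimmed to the
# fields the rules read. Identifiers are documentation/placeholder values.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-30T08:01:00Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-30T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.11",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-30T08:07:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/dev-readonly/bob"},
     "sourceIPAddress": "203.0.113.12",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},   # federated: MFA done at the IdP
    {"eventName": "CreateAccessKey", "eventTime": "2024-03-30T09:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"userName": "ci-runner"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-30T23:40:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
]

# Identity types for which AWS itself records the MFA outcome. Federated
# sessions (AssumedRole via SAML / Identity Center) are left to the IdP's logs
# by assumption in this example.
MFA_CHECKED_TYPES = {"Root", "IAMUser"}


def detect(events):
    """Return a list of (severity, rule, detail) findings for the given records."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or "unknown"
        name = ev.get("eventName")
        source = ev.get("sourceIPAddress", "?")

        # Rule 1: any activity by the root account (should be exceptional).
        if ident.get("type") == "Root":
            findings.append(("high", "root-activity", f"{name} by root from {source}"))

        # Rule 2: successful console login without MFA for root / IAM users.
        if name == "ConsoleLogin" and ident.get("type") in MFA_CHECKED_TYPES:
            succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
            if succeeded and mfa_used != "Yes":
                findings.append(("high", "console-login-without-mfa",
                                 f"{who} signed in from {source} without MFA"))

        # Rule 3: a new long-lived access key was created (review against rotation policy).
        if name == "CreateAccessKey":
            target = ev.get("requestParameters", {}).get("userName", who)
            findings.append(("medium", "access-key-created",
                             f"{who} created an access key for {target}"))
    return findings


def rules_triggered(events):
    """Sorted list of distinct rule names that fired, handy for a summary line."""
    return sorted({rule for _, rule, _ in detect(events)})


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

In production the same functions would be fed from the CloudWatch Logs subscription or the S3 trail objects; the failed login for "carol" is intentionally not flagged by rule 2, which only fires on successful sessions, so a separate threshold rule on repeated failures would be the place to catch that pattern.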
Implementation steps — Azure
Azure: Azure AD, Conditional Access, RBAC, and PIM
In Azure, source identities from Azure AD or a federated IdP and enable Conditional Access policies that require compliant devices and MFA for interactive sign-ins. Use Azure RBAC with assignment scopes (subscription/resource group/resource) rather than built-in admin accounts. For privileged roles, implement Azure AD Privileged Identity Management (PIM) to provide just-in-time (JIT) elevation and time-bound role activation. Example Azure CLI command to assign Reader to a group at resource-group scope (placeholders in angle brackets):
az role assignment create --assignee-object-id <group-object-id> --assignee-principal-type Group --role "Reader" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>
For service principals, avoid client secrets where possible — use managed identities for Azure resources or certificates and restrict scope of service principal roles. Enable Azure AD sign-in logs and export them to Log Analytics/Storage for retention and review. Automate deprovisioning with SCIM from your HR system or IdP to Azure AD to ensure former employees lose access quickly.
Implementation steps — GCP
GCP: Cloud IAM, Workload Identity, and context-aware access
On GCP, use Cloud Identity or Google Workspace as the centralized identity provider and enforce 2-Step Verification across the organization via the Admin Console. Use predefined or custom IAM roles and bind them to groups, not individuals. Prefer Workload Identity Federation for CI/CD pipelines and external services to avoid long-lived service account keys; where service accounts are needed, obtain short-lived credentials for them rather than downloading long-lived keys, or use workload identity pools. Example gsutil command to grant Storage Object Viewer to a group on a bucket:
gsutil iam ch group:devs@example.com:objectViewer gs://my-bucket
Use VPC Service Controls and Access Context Manager to restrict access by source IP or device posture where required, and enable Cloud Audit Logs for admin activity, data access, and system events. Regularly audit IAM roles and permissions with automated scripts (for example, by exporting and reviewing the project's IAM policy bindings) to detect over-permissioned principals.
Real-world examples and scenarios for a small business
Example 1 (software startup): integrate Okta as IdP with AWS IAM Identity Center and Azure AD, assign three permission sets (developer, CI runner, finance) and enforce Okta MFA; deprovision through HR-triggered SCIM. Example 2 (consultancy handling small amounts of CUI): use GCP with Google Workspace, restrict console access via conditional access rules that permit only managed Chromebooks and require 2-step verification, and use a central service account for backups with a scoped, auditable role and no long-lived keys. These patterns reduce human error and speed audits for FAR 52.204-21 and CMMC Level 1 assessors.
Compliance tips, best practices, and technical checks
Enforce least privilege by creating job-role permission templates; automate IAM provisioning/deprovisioning with SCIM/IdP connectors; require MFA for all interactive logins; prefer short-lived credentials (STS, managed identities, workload identity pools); rotate and avoid service account keys; enforce device posture checks where possible; tag principals and resources for ownership and periodic access reviews. Implement continuous checks: run scripts monthly that list principals with Owner/Admin roles, detect unused keys older than 30 days, and export IAM changes to your SIEM. Keep audit logs for contract-required retention periods and produce an access-review report before major contract renewals.
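The monthly checks described here, together with the over-permission review called for in the GCP section, as one added Python example (not the post's own scripts). It reviews two constructed inputs: a GCP project IAM policy in the JSON shape returned by the gcloud get-iam-policy commands, flagging basic roles (owner/editor) and any principal bound directly as a user rather than through a group; and an AWS IAM credential report (the CSV from aws iam get-credential-report, trimmed to a subset of its real columns), flagging console users without MFA and active access keys unused for more than 30 days. The account id, project name, addresses and user names are placeholders; REFERENCE_NOW fixes "today" so the output is reproducible.

```python
"""Monthly IAM hygiene checks over constructed GCP policy and AWS credential-report samples."""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `gcloud projects get-iam-policy <project> --format=json`.
GCP_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",  "members": ["user:alice@example.com", "group:cloud-admins@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:backup@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["group:devs@example.com"]}
]}
""")

# Constructed sample using a subset of the AWS IAM credential report columns.
AWS_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2024-01-05T09:00:00+00:00,2024-01-10T00:00:00+00:00
ci-runner,arn:aws:iam::111122223333:user/ci-runner,false,false,true,2024-03-20T09:00:00+00:00,2024-03-29T08:00:00+00:00
new-hire,arn:aws:iam::111122223333:user/new-hire,true,true,true,2024-03-25T09:00:00+00:00,N/A
"""

BASIC_ROLES = {"roles/owner", "roles/editor"}      # broad GCP basic roles to avoid
STALE_AFTER = timedelta(days=30)                    # key-age threshold from the post
REFERENCE_NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)  # fixed "today" for the sample


def review_gcp_bindings(policy):
    """Flag basic-role holders and principals bound as individual users."""
    findings = []
    for binding in policy["bindings"]:
        role = binding["role"]
        for member in binding["members"]:
            kind = member.split(":", 1)[0]   # user / group / serviceAccount / domain ...
            if role in BASIC_ROLES:
                findings.append(f"{member} holds basic role {role}; replace with a predefined or custom role")
            if kind == "user":
                findings.append(f"{member} is bound directly to {role}; bind a group instead")
    return findings


def _parse_report_time(value):
    """Credential report timestamps are ISO 8601, or N/A-style markers when unknown."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review_aws_credentials(report_csv, now):
    """Flag console users without MFA and active access keys unused for > STALE_AFTER."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")
        if row["access_key_1_active"] == "true":
            last_used = _parse_report_time(row["access_key_1_last_used_date"])
            rotated = _parse_report_time(row["access_key_1_last_rotated"])
            # A key that has never been used is judged from its creation/rotation date.
            reference = last_used or rotated
            if reference is not None and now - reference > STALE_AFTER:
                age = (now - reference).days
                findings.append(f"{user}: access key 1 unused for {age} days; deactivate or rotate")
    return findings


def run_monthly_checks(now=REFERENCE_NOW):
    """Combined report for the access-review file, keyed by provider."""
    return {
        "gcp": review_gcp_bindings(GCP_POLICY),
        "aws": review_aws_credentials(AWS_CREDENTIAL_REPORT, now),
    }


if __name__ == "__main__":
    for provider, items in run_monthly_checks().items():
        print(provider.upper())
        for item in items:
            print("  -", item)
```

The same functions can be pointed at live exports (the gcloud JSON and the decoded credential report) and their output appended to the access-review report; the AWS half covers only the first access key slot and password/MFA state, so admin-policy holders on AWS still need a separate listing of attached policies.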
Risk of not implementing the requirement
Failing to implement these IAM controls exposes CUI and contractor systems to unauthorized access, insider misuse, and credential compromise. Consequences include data breaches, loss of government contracts, financial penalties, reputational damage, and failing CMMC assessments — all of which are particularly damaging to small businesses reliant on a few government contracts. Operationally, weak IAM increases incident response time and recovery costs.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.II in the cloud is achievable for small businesses by centralizing identity, enforcing MFA and least privilege, automating lifecycle management, using short-lived credentials and managed identities, and retaining/monitoring audit logs; implement the provider-specific steps above, automate checks, and document your process to make audits straightforward and reduce risk.