This guide explains practical, actionable steps to configure Identity and Access Management (IAM) policies to meet FAR 52.204-21 and CMMC 2.0 Level 1 Control AC.L1-B.1.II — focusing on least privilege, authenticated access, and limiting system access to authorized users and devices — with concrete AWS, Azure, and GCP implementation examples for small businesses.
Understanding the Compliance Requirement (AC.L1-B.1.II / FAR 52.204-21)
This practice requires that contractor systems only allow access to authorized users and devices, consistent with the principle of least privilege and basic safeguarding of Federal Contract Information (FCI). For small businesses this translates to: enforce user authentication (MFA where practical), restrict privileges to the minimum needed to perform duties, control and manage service accounts, and log access attempts for audit. Documented, enforceable IAM controls across your cloud providers are the technical mechanism that shows you have met this control.
High-level implementation approach
Begin with a short checklist: (1) map roles to business functions and FCI access needs, (2) apply role-based access control (RBAC) or equivalent, (3) enforce MFA and conditional access where available, (4) avoid long-lived credentials and use short-lived roles/service tokens, and (5) enable centralized logging and periodic access review. Keep a written policy that ties each IAM assignment to a business justification to satisfy auditors and to make periodic reviews meaningful.
AWS: recommended controls and concrete steps
In AWS implement least privilege with IAM roles and policies, use AWS Organizations + Service Control Policies (SCPs) to prevent overly permissive actions at the account level, and require MFA for interactive access. Practical steps: create narrowly scoped IAM policies (resource ARNs and specific actions), attach policies to groups or roles (not users), and use role assumption for console/API access. Enable CloudTrail, AWS Config, and IAM Access Analyzer to detect overly permissive permissions.
AWS technical examples
Example CLI: create a customer managed policy (to attach to the developers' role) that grants access to a specific S3 bucket only:
aws iam create-policy --policy-name DevS3LimitedAccess --policy-document '{
"Version":"2012-10-17",
"Statement":[
{"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::acme-fci-bucket/*"},
{"Effect":"Deny","Action":["s3:DeleteObject"],"Resource":"arn:aws:s3:::acme-fci-bucket/*"}
]
}'
For account-level hardening, create an SCP that denies creation of broad admin roles or prevents creation of IAM users with console passwords unless MFA is set, and enable AWS IAM Access Analyzer and CloudTrail logs forwarded to a central account for audit and retention.
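A least-privilege check a small team can run on policy JSON before calling aws iam create-policy, as an added example (not code from the guide or from AWS): it assumes policies are plain IAM JSON documents and uses constructed samples, including the DevS3LimitedAccess document above.

```python
"""Least-privilege lint for AWS IAM policy documents (added example, not part
of the original guide). It flags patterns the guide says to avoid in narrowly
scoped policies: wildcard actions, unscoped resources and NotAction/NotResource
grants. The sample policies below are constructed for illustration."""
import json

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(document):
    """Return (statement_index, finding) pairs for an IAM policy dict.
    Deny statements are skipped: they can only narrow access."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource '*' is not scoped to an ARN"))
    return findings

def lint_policy_json(text):
    """Lint the JSON string passed to 'aws iam create-policy --policy-document'."""
    return lint_policy(json.loads(text))

# The guide's DevS3LimitedAccess policy: two actions, one bucket ARN, explicit Deny.
DEV_S3_LIMITED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::acme-fci-bucket/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": "arn:aws:s3:::acme-fci-bucket/*"}]})

# Constructed counter-example: service wildcard plus unscoped PassRole.
BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]})
```

Run it in a pre-commit hook or CI step over every policy file so that a finding blocks the change until a business justification is recorded.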
Azure: recommended controls and concrete steps
In Azure, use Azure AD for identity governance, Azure RBAC for resource permissions, and Conditional Access policies to require MFA and compliant devices. Use Privileged Identity Management (PIM) to make admin elevation time-bound and require approval for role activation. Assign roles at the smallest scope (resource group or resource) and create custom roles if built-in roles are too permissive.
Azure technical examples
Practical commands and settings: assign a least-privilege role with the CLI:
az role assignment create --assignee user@acme.example --role "Storage Blob Data Contributor" --scope /subscriptions/0000/resourceGroups/rg-fci/providers/Microsoft.Storage/storageAccounts/acmefci
In the Azure portal, build a Conditional Access policy that blocks legacy authentication, requires MFA for all users accessing management endpoints, and limits access to devices marked as compliant (requires Intune/endpoint management). Note: Conditional Access requires Azure AD Premium P1 licensing — include licensing in your compliance plan.
GCP: recommended controls and concrete steps
On GCP use IAM roles (prefer predefined over owner/editor), enforce service account discipline, and apply IAM Conditions and Access Context Manager for contextual restrictions (e.g., IP ranges, device attributes). Use Workload Identity or Workload Identity Federation instead of long-lived service account keys. Enable Cloud Audit Logs and IAM Recommender to identify overprivileged bindings.
GCP technical examples
Bind a narrowly scoped role via gcloud, using an IAM Condition to restrict the grant to one bucket (the bucket name is a placeholder; the condition expression must not contain commas because gcloud splits the --condition value on them):
gcloud projects add-iam-policy-binding my-project \
--member="user:dev@acme.example" \
--role="roles/storage.objectViewer" \
--condition='expression=resource.name.startsWith("projects/_/buckets/acme-fci-bucket/"),title=DevFciObjectViewer,description=Read-only access to the FCI bucket'
Use VPC Service Controls to create a perimeter around resources that store FCI to reduce the risk of data exfiltration to other projects or external networks.
Small-business scenario: practical rollout in 6 steps
For a 10-person contractor handling FCI: (1) Inventory who needs access to FCI and map roles (e.g., admin, developer, finance), (2) create provider-specific role templates (RBAC roles in Azure, IAM roles in AWS/GCP), (3) enforce MFA for all human users and block legacy auth, (4) replace static keys with roles/short-lived tokens and rotate any required keys, (5) centralize logs to a single account/project with retention aligned to contract requirements, and (6) run quarterly access reviews and annually test role assignments. Document the mapping from each IAM assignment to the AC.L1-B.1.II control requirement for audits.
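The quarterly review in step 6, as an added example (not code from the guide): a Python helper that checks a constructed inventory and constructed cross-provider assignments against the role templates from step 2. The role names, the inactivity threshold and the principals are assumptions for illustration.

```python
"""Quarterly access review helper (added example, not from the original guide).
Inputs are a constructed role-to-function map and constructed, normalised role
assignments of the kind exported by 'aws iam', 'az role assignment list' or
'gcloud projects get-iam-policy'. Output: findings needing a justification
record or a removal ticket."""
from datetime import date

# Steps 1-2: roles each business function may hold, per provider.
ROLE_TEMPLATES = {
    "developer": {"aws": {"DevS3LimitedAccess"},
                  "azure": {"Storage Blob Data Contributor"},
                  "gcp": {"roles/storage.objectViewer"}},
    "admin": {"aws": {"AdministratorAccess"}, "azure": {"Owner"},
              "gcp": {"roles/owner"}},
}
INACTIVE_DAYS = 90  # constructed threshold; align with your written policy

def review_access(inventory, assignments, today):
    """Return (principal, problem) pairs.  inventory: principal -> dict with
    'function', 'mfa' (bool), 'last_sign_in' (date).  assignments: dicts with
    'provider', 'principal', 'role'.  today is passed in for reproducibility."""
    findings = []
    for person, info in inventory.items():
        if not info["mfa"]:                       # step 3: MFA for every human
            findings.append((person, "MFA not enforced"))
        if (today - info["last_sign_in"]).days > INACTIVE_DAYS:
            findings.append((person, "inactive; deactivate the account"))
    for a in assignments:
        who = inventory.get(a["principal"])
        if who is None:                           # nobody owns this binding
            findings.append((a["principal"], f"{a['provider']} assignment with no inventory entry"))
            continue
        allowed = ROLE_TEMPLATES.get(who["function"], {}).get(a["provider"], set())
        if a["role"] not in allowed:              # outside the role template
            findings.append((a["principal"], f"{a['provider']} role {a['role']!r} not in {who['function']} template"))
    return findings

# Constructed sample data (three of the ten people).
INVENTORY = {
    "dev@acme.example": {"function": "developer", "mfa": True, "last_sign_in": date(2024, 3, 1)},
    "admin@acme.example": {"function": "admin", "mfa": True, "last_sign_in": date(2024, 3, 10)},
    "temp@acme.example": {"function": "developer", "mfa": False, "last_sign_in": date(2023, 10, 1)},
}
ASSIGNMENTS = [
    {"provider": "gcp", "principal": "dev@acme.example", "role": "roles/storage.objectViewer"},
    {"provider": "aws", "principal": "dev@acme.example", "role": "AdministratorAccess"},
    {"provider": "azure", "principal": "former@acme.example", "role": "Owner"},
]
REVIEW_DATE = date(2024, 3, 15)
```

Keep the review output with the date and the reviewer's sign-off; that record is the evidence an assessor asks for when checking the mapping to AC.L1-B.1.II.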
Compliance tips, best practices, and risk of non-implementation
Best practices: enforce least privilege, use role assumption patterns, remove or deactivate unused accounts, manage service accounts centrally and rotate credentials, enable MFA and conditional access, and maintain centralized, immutable logs. Keep change control and justification records for every role/policy change. Risks of not implementing these controls include unauthorized data access or exfiltration, failure to meet FAR reporting obligations, potential contract termination or financial penalties, and reputational damage — and for small contractors the risk of losing government contracts if FCI safeguards are demonstrably absent.
Summary: Implementing AC.L1-B.1.II and the FAR 52.204-21 requirement across AWS, Azure, and GCP is achievable for small businesses by applying core IAM principles — least privilege, MFA, RBAC, short-lived credentials, and centralized logging — and using each cloud's specific tools (SCPs and Access Analyzer in AWS, Conditional Access and PIM in Azure, IAM Conditions and Workload Identity in GCP). Start with a role-to-function map, implement narrow policies, enforce authentication and device posture, and document everything to demonstrate compliance during audits.