CIAM Cheat Sheet 2026
The 30 highest-yield CIAM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β free, no sign-up.
100 questions
90 min time limit
70% to pass
- A cloud administrator is granted temporary elevated access via an automated workflow that expires after 4 hours. This is an example of: β Just-in-time (JIT) privileged access
- Which component of a PAM architecture acts as a proxy to enforce session control and policy without exposing target system credentials to end users? β Privileged access gateway
- What is the primary purpose of IAM audit logs? β Providing a record of who accessed what resources and when for security and compliance
- Which best practice addresses the risk of an administrator using a single account for both privileged and non-privileged tasks? β Requiring separate admin and standard user accounts
- Which of the following is a security advantage of using OAuth 2.0 Authorization Code flow with PKCE over the Implicit flow for single-page applications? β PKCE prevents authorization code interception attacks without requiring a client secret
- According to GDPR and privacy-by-design principles, which IAM practice directly supports the 'data minimization' principle? β Provisioning only the attributes required for a specific transaction
- A 'ghost account' in IAM governance terminology refers to: β An active account belonging to a user who no longer exists in the HR system
- Which authorization model assigns permissions based on a user's job function within an organization? β Role-Based Access Control (RBAC)
- Which process ensures that users only retain access rights that are still required for their current job function? β Access certification
- Which IAM governance activity should an organization perform quarterly to ensure privileged access remains appropriate? β Access certification (recertification) campaign
- Which token format is most commonly used in modern OAuth 2.0 and OpenID Connect implementations? β JSON Web Token (JWT)
- Which regulation most directly mandates timely access revocation as part of identity lifecycle controls for US healthcare organizations? β HIPAA Security Rule
- Which OWASP category directly addresses broken or misconfigured access control mechanisms in web-based CIAM applications? β Broken Access Control
- In identity lifecycle management, what is a 'role explosion' risk? β An unmanageable proliferation of fine-grained roles that increases complexity
- What is PKCE (Proof Key for Code Exchange) designed to prevent in OAuth 2.0 public clients? β Authorization code interception attacks
- A service account has been granted local administrator rights on 500 servers with the same password. Which PAM risk does this represent? β Lateral movement risk
- What is the CIA triad in information security? β Confidentiality, Integrity, Availability
- Which of the following best describes a 'possession factor' in multi-factor authentication? β Something the user has, like a hardware token
- What is the purpose of the 'entryTTL' operational attribute in an LDAP directory? β Specifies the remaining time-to-live for a dynamically created directory entry
- What is the CIA triad in information security? β Confidentiality, Integrity, Availability
- Which standard protocol is commonly used for automated provisioning and deprovisioning of identities across cloud services? β SCIM 2.0
- What LDAP control (OID 1.2.840.113556.1.4.319) enables a client to page through large search result sets? β Simple Paged Results control
- Which standard protocol enables a client to obtain user identity information from an authorization server using a RESTful API after obtaining an access token? β OpenID Connect (OIDC)
- Which access control model is considered the most flexible but also the most administratively complex due to policy rule management? β ABAC
- What is 'role mining' used for in identity lifecycle management? β Analyzing existing access patterns to discover and define roles
- What is the PRIMARY risk of allowing users to self-register without any verification in a CIAM system? β Account enumeration and fake account creation enabling fraud
- Knowledge-Based Authentication (KBA) used during identity proofing is primarily intended to: β Verify that a claimant has knowledge of information associated with their identity
- Which control provides assurance that access granted to a user matches what was formally approved in the provisioning request? β Provisioning reconciliation
- Which regulation requires US federal agencies to use FIPS 201-compliant credentials for logical access to IT systems? β FISMA
- Which control helps prevent 'ghost accounts'βactive accounts belonging to users who have left the organization? β Periodic access reconciliation against the HR system
Turn these facts into recall: