A UK building society discovered last quarter that a third-party contractor still held AWS administrator privileges nine months after the engagement ended. The credentials had been used twice that week — by whom, nobody could say. No alerts fired. No reviews flagged it. The contractor's IAM role had outlived the contract because nobody owned the offboarding workflow.

This is the unglamorous reality of cloud identity access management in UK financial services. The FCA's Operational Resilience policy (PS21/3), fully in force since 31 March 2025, requires firms to identify important business services, set impact tolerances, and stay within them during severe-but-plausible disruption. Identity is the connective tissue. When IAM fails, every important business service running on AWS, Azure, or GCP fails with it — and the firm is, by definition, outside tolerance.

Our consultants have audited cloud estates across UK banks, payment institutions, and asset managers. The same seven misconfigurations appear repeatedly. Each one creates a direct line between a sloppy permission and an FCA-reportable incident.

Why IAM Is the FCA's Hidden Operational Resilience Problem

PS21/3 does not name AWS IAM or Azure AD RBAC. It does not have to. The rules require firms to map dependencies that could cause intolerable harm if disrupted. Cloud identity is the dependency that, when compromised or misconfigured, takes down payments, customer onboarding, and trade settlement simultaneously.

The Bank of England, PRA and FCA's joint Discussion Paper DP3/22 on Critical Third Parties reinforced the same point: concentration risk in hyperscaler platforms is now a supervisory priority. If your IAM controls cannot prove who accessed what and when, you cannot evidence operational resilience to a supervisor — and you cannot meet the UK GDPR Article 32 obligation for appropriate technical measures.

The Seven Misconfigurations We Find Most Often

1. Standing administrator access instead of just-in-time elevation

Permanent admin roles in AWS or Global Administrator assignments in Entra ID (formerly Azure AD) are the single largest blast radius in most UK financial services estates. Replace them with PIM (Privileged Identity Management) in Entra or AWS IAM Identity Center session-based access. Approvals expire. Audit trails write themselves.

2. Service principals and IAM roles with wildcard permissions

An Action: "*" on Resource: "*" is not a configuration — it is a confession. Our team routinely finds these attached to CI/CD pipelines and legacy Lambda functions. Replace wildcards with explicit resource ARNs and scoped actions. Use AWS IAM Access Analyzer to generate least-privilege policies from CloudTrail logs.

3. No conditional access for privileged sessions

Entra ID Conditional Access policies should enforce phishing-resistant MFA (FIDO2 or Windows Hello for Business), compliant device posture, and trusted network signals before granting privileged sessions. SMS-based MFA is no longer acceptable for administrator access — NCSC guidance has been explicit on this since 2023.

4. Federated identity without break-glass discipline

SSO is sensible until the identity provider fails. Every cloud tenancy needs two break-glass accounts, hardware-token protected, excluded from conditional access, monitored for any sign-in. Most firms either have none or have ten, with passwords stored in a shared vault that everybody can read.

5. Orphaned access from leavers and contractors

The building society example at the top of this post is not unusual. IAM least privilege means nothing if the joiner-mover-leaver process does not reach every cloud platform, every SaaS integration, and every service account. Automate deprovisioning through SCIM where possible and run quarterly access recertification with named accountable owners.

6. Cross-account trust relationships without external IDs

AWS cross-account roles assumed by third-party SaaS vendors (monitoring tools, FinOps platforms, security scanners) must use the external ID condition. Without it, the confused deputy problem is live. We have seen UK PSPs grant vendor roles trust policies that any AWS account in the world could assume.
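A small auditor for misconfigurations 2 and 6 above, added here as an example (it is not CloudAuditX or any Pyralink code). It checks IAM policy documents for a wildcard Action on a wildcard Resource, and role trust policies for third-party sts:AssumeRole grants with no sts:ExternalId condition; every policy document and account ID in it is a constructed sample.

```python
# Added example (not CloudAuditX or any Pyralink code): audit AWS IAM policy
# documents for a wildcard Action on a wildcard Resource (misconfiguration 2)
# and cross-account AssumeRole trust with no sts:ExternalId (misconfiguration 6).
# All policy documents and account IDs below are constructed samples.

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def wildcard_findings(policy_doc):
    """Sids of statements that allow Action "*" on Resource "*"."""
    return [s.get("Sid", "<no Sid>") for s in _allow_statements(policy_doc)
            if "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]

def trust_policy_findings(trust_doc, own_account_id):
    """Sids of sts:AssumeRole grants to a principal outside own_account_id
    (or to "*") that carry no sts:ExternalId condition key."""
    findings = []
    for s in _allow_statements(trust_doc):
        if "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p == "*" or own_account_id not in p for p in aws):
            continue  # same-account trust only; not a third-party grant
        condition = s.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in condition.values()):
            findings.append(s.get("Sid", "<no Sid>"))
    return findings

# Constructed sample documents: the weak setting beside the corrected one.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LegacyLambda", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-settlement-reports/*"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorScanner", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}
SAFE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorScanner", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print("wildcard:", wildcard_findings(WILDCARD_POLICY), wildcard_findings(SCOPED_POLICY))
    print("no external id:", trust_policy_findings(OPEN_TRUST, "111111111111"),
          trust_policy_findings(SAFE_TRUST, "111111111111"))
```

Run against the real documents by feeding in the output of get-policy-version and get-role; a Sid in either findings list is a statement to rewrite before the next access review.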

7. CloudTrail and Entra audit logs not shipped to immutable storage

If logs sit only in the account that produced them, an attacker with sufficient privilege deletes the evidence. Ship CloudTrail to a separate logging account with S3 Object Lock in compliance mode. Stream Entra sign-in and audit logs to a SIEM with write-once retention. The FCA SYSC 9 record-keeping requirements expect nothing less.

Practical Steps to Take This Quarter

Start with a single hyperscaler and a single important business service. Map every human and non-human identity that can affect it. Tag each identity with its business owner, its purpose, and the date it was last used. Anything dormant for 90 days gets disabled. Anything without a named owner gets revoked.
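The disable/revoke rule above, applied to an AWS credential report, as an added example that is not from the original post. The column names follow a subset of the real credential report; the CSV rows, the owner tags and the reference date are constructed, and a credential that has never been used counts as dormant from the user's creation date.

```python
# Added example, not code from the original post: classify IAM users from an
# AWS credential report. Column names follow a subset of the real report; the
# CSV rows, owner tags and reference date below are constructed samples.
import csv
import io
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)
NOT_A_DATE = {"N/A", "no_information", "not_supported"}

def _parse(value):
    return None if value in NOT_A_DATE else datetime.fromisoformat(value.replace("Z", "+00:00"))

def last_activity(row):
    """Most recent use of the password or either access key; None if never used."""
    candidates = [row["password_last_used"], row["access_key_1_last_used_date"],
                  row["access_key_2_last_used_date"]]
    used = [d for d in (_parse(v) for v in candidates) if d is not None]
    return max(used) if used else None

def classify(row, owners, now):
    """'revoke' without a named owner, 'disable' when dormant for 90 days, else 'keep'.
    A never-used identity is measured from its creation time."""
    if not owners.get(row["user"]):
        return "revoke"
    last = last_activity(row) or _parse(row["user_creation_time"])
    return "disable" if now - last > DORMANT_AFTER else "keep"

CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
ops-anna,arn:aws:iam::111111111111:user/ops-anna,2023-01-10T09:00:00+00:00,true,2025-05-20T08:15:00+00:00,true,2025-05-28T11:00:00+00:00,false,N/A
contractor-old,arn:aws:iam::111111111111:user/contractor-old,2024-06-01T09:00:00+00:00,true,2024-08-30T10:00:00+00:00,true,2024-09-02T10:00:00+00:00,false,N/A
svc-batch,arn:aws:iam::111111111111:user/svc-batch,2025-01-15T09:00:00+00:00,false,no_information,true,no_information,false,N/A
"""
OWNERS = {"ops-anna": "Platform Lead", "contractor-old": None, "svc-batch": "Settlements Eng"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed review date

def review(report_csv=CREDENTIAL_REPORT, owners=OWNERS, now=NOW):
    """Map each user in the report to the action the quarterly review should take."""
    return {row["user"]: classify(row, owners, now)
            for row in csv.DictReader(io.StringIO(report_csv))}

if __name__ == "__main__":
    for user, action in review().items():
        print(f"{user}: {action}")
```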

For AWS, run IAM Access Analyzer across every account in the organisation. For Azure, enable Microsoft Defender for Cloud's identity recommendations and Entra ID Identity Protection. For GCP, use Policy Intelligence and the Recommender API. None of these tools cost extra at the tier most UK financial services firms already pay for.

Then write the impact tolerance test. Simulate the loss of your IAM control plane for two hours during a settlement window. Document what breaks. That document is your FCA evidence base.

How Pyralink Helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team has built and audited cloud IAM architectures for regulated UK firms, and our CloudAuditX platform scans AWS, Azure, and GCP for the exact misconfigurations described above — mapped against FCA expectations, UK GDPR Article 32, and ISO 27001:2022 Annex A.9 controls.

Our fractional vCISO service (from £497/month) gives smaller financial services firms named accountability for cloud identity governance without the cost of a full-time hire. We hold £5M professional indemnity insurance and work exclusively with UK-regulated entities.
