diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index 6022cdebb5106..1106630d3c75a 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -141,7 +141,7 @@ func TestPhaseNetwork(t *testing.T) {
 // TestPhaseIAM tests the output of tf for the iam phase
 func TestPhaseIAM(t *testing.T) {
- runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseIAM)
+ runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseSecurity)
 }
 // TestPhaseCluster tests the output of tf for the cluster phase
@@ -151,13 +151,6 @@ func TestPhaseCluster(t *testing.T) {
 runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseCluster)
 }
-// TestPhaseCluster tests the output of tf for the security group phase
-func TestPhaseSecurityGroup(t *testing.T) {
- t.Skip("unable to test until phase is created")
- // TODO fix tf for phase, and allow override on validation
- // runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.SecurityGroups)
-}
-
 // TestPhaseCluster tests the output of tf for the loadbalancer phase
 func TestPhaseLoadBalancers(t *testing.T) {
 t.Skip("unable to test until phase is created")
@@ -333,7 +326,7 @@ func runTestPhase(t *testing.T, clusterName string, srcDir string, version strin
 expectedFilenames := []string{}
- if phase == cloudup.PhaseIAM {
+ if phase == cloudup.PhaseSecurity {
 expectedFilenames = []string{
 "aws_iam_role_masters." + clusterName + "_policy",
 "aws_iam_role_nodes." + clusterName + "_policy",
diff --git a/cmd/kops/update_cluster.go b/cmd/kops/update_cluster.go
index 48f210b8edd7a..1329da3373370 100644
--- a/cmd/kops/update_cluster.go
+++ b/cmd/kops/update_cluster.go
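Review bot: In cmd/kops/integration_test.go, `TestPhaseIAM` and its comment `// TestPhaseIAM tests the output of tf for the iam phase` now run `cloudup.PhaseSecurity`, so the name and comment no longer describe what is exercised. Renaming the test to `TestPhaseSecurity` with the comment `// TestPhaseSecurity tests the output of tf for the security phase` would keep the phase tests self-describing. Nothing visible in these hunks exercises the legacy `iam` spelling that update_cluster.go still accepts, so the backwards-compatibility path appears to be untested. The body of `runTestPhase` continues outside the third hunk, so the full expected-file list cannot be checked from here.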
@@ -108,7 +108,7 @@ func NewCmdUpdateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 cmd.Flags().StringVar(&options.SSHPublicKey, "ssh-public-key", options.SSHPublicKey, "SSH public key to use (deprecated: use kops create secret instead)")
 cmd.Flags().StringVar(&options.OutDir, "out", options.OutDir, "Path to write any local output")
 cmd.Flags().BoolVar(&options.CreateKubecfg, "create-kube-config", options.CreateKubecfg, "Will control automatically creating the kube config file on your local filesystem")
- cmd.Flags().StringVar(&options.Phase, "phase", options.Phase, "Subset of tasks to run: "+strings.Join(cloudup.Phases.List(), ","))
+ cmd.Flags().StringVar(&options.Phase, "phase", options.Phase, "Subset of tasks to run: "+strings.Join(cloudup.Phases.List(), ", "))
 return cmd
 }
@@ -179,10 +179,10 @@ func RunUpdateCluster(f *util.Factory, clusterName string, out io.Writer, c *Upd
 switch strings.ToLower(c.Phase) {
 case string(cloudup.PhaseStageAssets):
 phase = cloudup.PhaseStageAssets
- case string(cloudup.PhaseIAM):
- phase = cloudup.PhaseIAM
 case string(cloudup.PhaseNetwork):
 phase = cloudup.PhaseNetwork
+ case string(cloudup.PhaseSecurity), "iam": // keeping IAM for backwards compatibility
+ phase = cloudup.PhaseSecurity
 case string(cloudup.PhaseCluster):
 phase = cloudup.PhaseCluster
 default:
diff --git a/docs/cli/kops_update_cluster.md b/docs/cli/kops_update_cluster.md
index c413398237848..acdf61942cf66 100644
--- a/docs/cli/kops_update_cluster.md
+++ b/docs/cli/kops_update_cluster.md
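Review bot: In cmd/kops/update_cluster.go, the branch `case string(cloudup.PhaseSecurity), "iam":` accepts the old phase name silently, so automation that still passes `iam` gets no signal that the name is deprecated. Consider emitting a deprecation notice when the lowered `c.Phase` equals `iam`, and giving the bare `"iam"` literal a named constant so the alias is easy to find and retire. `cloudup.Phases` no longer contains `iam`, while its new comment says the set is used for validation; if a membership check against that set runs anywhere outside this hunk, the alias would be rejected before this switch is reached. The switch's `default` branch lies outside the hunk.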
@@ -29,7 +29,7 @@ kops update cluster
 --create-kube-config Will control automatically creating the kube config file on your local filesystem (default true)
 --model string Models to apply (separate multiple models with commas) (default "config,proto,cloudup")
 --out string Path to write any local output
- --phase string Subset of tasks to run: assets,cluster,iam,network
+ --phase string Subset of tasks to run: assets, cluster, network, security
 --ssh-public-key string SSH public key to use (deprecated: use kops create secret instead)
 --target string Target - direct, terraform, cloudformation (default "direct")
 --yes Actually create cloud resources
diff --git a/tests/integration/update_cluster/lifecycle_phases/iam-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf
similarity index 100%
rename from tests/integration/update_cluster/lifecycle_phases/iam-kubernetes.tf
rename to tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf
diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
index 736115b3d5cd9..9b61a9585df58 100644
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -466,40 +466,40 @@ func (c *ApplyClusterCmd) Run() error {
 l.WorkDir = c.OutDir
 l.ModelStore = modelStore
- iamLifecycle := lifecyclePointer(fi.LifecycleSync)
+ stageAssetsLifecycle := lifecyclePointer(fi.LifecycleSync)
+ securityLifecycle := lifecyclePointer(fi.LifecycleSync)
 networkLifecycle := lifecyclePointer(fi.LifecycleSync)
 clusterLifecycle := lifecyclePointer(fi.LifecycleSync)
- stageAssetsLifecycle := lifecyclePointer(fi.LifecycleSync)
 switch c.Phase {
 case Phase(""):
 // Everything ... the default
 case PhaseStageAssets:
- stageAssetsLifecycle = lifecyclePointer(fi.LifecycleSync)
- iamLifecycle = lifecyclePointer(fi.LifecycleIgnore)
 networkLifecycle = lifecyclePointer(fi.LifecycleIgnore)
+ securityLifecycle = lifecyclePointer(fi.LifecycleIgnore)
 clusterLifecycle = lifecyclePointer(fi.LifecycleIgnore)
- case PhaseIAM:
+ case PhaseNetwork:
 stageAssetsLifecycle = lifecyclePointer(fi.LifecycleIgnore)
- networkLifecycle = lifecyclePointer(fi.LifecycleIgnore)
+ securityLifecycle = lifecyclePointer(fi.LifecycleIgnore)
 clusterLifecycle = lifecyclePointer(fi.LifecycleIgnore)
- case PhaseNetwork:
+ case PhaseSecurity:
 stageAssetsLifecycle = lifecyclePointer(fi.LifecycleIgnore)
- iamLifecycle = lifecyclePointer(fi.LifecycleIgnore)
+ networkLifecycle = lifecyclePointer(fi.LifecycleIgnore)
 clusterLifecycle = lifecyclePointer(fi.LifecycleIgnore)
 case PhaseCluster:
 if c.TargetName == TargetDryRun {
 stageAssetsLifecycle = lifecyclePointer(fi.LifecycleExistsAndWarnIfChanges)
- iamLifecycle = lifecyclePointer(fi.LifecycleExistsAndWarnIfChanges)
+ securityLifecycle = lifecyclePointer(fi.LifecycleExistsAndWarnIfChanges)
 networkLifecycle = lifecyclePointer(fi.LifecycleExistsAndWarnIfChanges)
 } else {
 stageAssetsLifecycle = lifecyclePointer(fi.LifecycleIgnore)
- iamLifecycle = lifecyclePointer(fi.LifecycleExistsAndValidates)
 networkLifecycle = lifecyclePointer(fi.LifecycleExistsAndValidates)
+ securityLifecycle = lifecyclePointer(fi.LifecycleExistsAndValidates)
 }
+
 default:
 return fmt.Errorf("unknown phase %q", c.Phase)
 }
@@ -540,7 +540,7 @@ func (c *ApplyClusterCmd) Run() error {
 &model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
 &model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
 &model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
- &model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: iamLifecycle},
+ &model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 )
 l.Builders = append(l.Builders,
@@ -548,7 +548,7 @@ func (c *ApplyClusterCmd) Run() error {
 )
 l.Builders = append(l.Builders,
- &model.IAMModelBuilder{KopsModelContext: modelContext, Lifecycle: iamLifecycle},
+ &model.IAMModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 )
 case kops.CloudProviderDO:
 l.Builders = append(l.Builders,
diff --git a/upup/pkg/fi/cloudup/phase.go b/upup/pkg/fi/cloudup/phase.go
index f3fcce72c0fdc..2d9b9eb2fa97d 100644
--- a/upup/pkg/fi/cloudup/phase.go
+++ b/upup/pkg/fi/cloudup/phase.go
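Review bot: In upup/pkg/fi/cloudup/apply_cluster.go, the `switch c.Phase` in `Run` has no branch for the old value `"iam"`, so that value now falls to `default` and returns `unknown phase`. The backwards-compatible spelling is translated only in cmd/kops/update_cluster.go, so any other code that builds an `ApplyClusterCmd` with the old value (none is visible here) would start failing. A comment above the switch such as `// The legacy "iam" name is mapped to PhaseSecurity by the CLI before Run is called.` would record where the alias lives. `Run` begins and ends outside this hunk.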
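Review bot: In the builder list of apply_cluster.go (hunk at -540), `SSHKeyModelBuilder` moves to `securityLifecycle`, but `FirewallModelBuilder` and `ExternalAccessModelBuilder` stay on `clusterLifecycle`, while the new comment in phase.go says the security phase creates "security groups and firewalls". Since `case PhaseSecurity` sets `clusterLifecycle` to `fi.LifecycleIgnore`, a run limited to the security phase skips those two builders, which judging by their names hold the network access rules. An operator who splits duties by phase and expects the security phase to own those rules does not get that separation. Either set `Lifecycle: securityLifecycle` on those two builders or narrow the phase.go comment to what actually moved. The builder list continues outside both hunks, so other builders may need the same decision.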
@@ -18,13 +18,24 @@ package cloudup
 import "k8s.io/apimachinery/pkg/util/sets"
+// Phase is a portion of work that kops completes.
 type Phase string
 const (
- PhaseIAM Phase = "iam"
- PhaseNetwork Phase = "network"
- PhaseCluster Phase = "cluster"
+ // PhaseStageAssets uploads various assets such as containers in a private registry
 PhaseStageAssets Phase = "assets"
+ // PhaseNetwork creates network infrastructure.
+ PhaseNetwork Phase = "network"
+ // PhaseIAM creates IAM profiles and roles, security groups and firewalls
+ PhaseSecurity Phase = "security"
+ // PhaseCluster creates the servers, and load-alancers
+ PhaseCluster Phase = "cluster"
 )
-var Phases = sets.NewString(string(PhaseIAM), string(PhaseNetwork), string(PhaseCluster), string(PhaseStageAssets))
+// Phases are used for validation and cli help.
+var Phases = sets.NewString(
+ string(PhaseStageAssets),
+ string(PhaseSecurity),
+ string(PhaseNetwork),
+ string(PhaseCluster),
+)
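Review bot: In upup/pkg/fi/cloudup/phase.go, the comment above `PhaseSecurity` still opens with the removed name (`// PhaseIAM creates IAM profiles and roles, security groups and firewalls`), and the one above `PhaseCluster` has the typo `load-alancers`. Suggested replacements are `// PhaseSecurity creates IAM profiles and roles and SSH keys.`, which matches the two builders this commit moves in apply_cluster.go, and `// PhaseCluster creates the servers and load balancers.` The exported constant `PhaseIAM` is removed outright, so any Go code outside this diff that references it will no longer compile. If that matters, keep a constant marked `// Deprecated:` for one release.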