Multi-Cloud IAM Rosetta Stone
Map equivalent IAM concepts and roles across AWS, Azure, and GCP.
Prerequisites
- Familiarity with IAM concepts (users, roles, policies)
- Experience with at least one cloud provider's IAM system
IAM Concept Mappings

Root / Global Admin (identity)
AWS, Root Account: The root user has unrestricted access to all resources in the AWS account. Best practice is to lock it down with MFA and avoid daily use.
Azure, Global Administrator: The highest-privilege role in Entra ID (Azure AD). Can manage all aspects of the directory and all services that use Entra ID for identity.
GCP, Super Admin: A Cloud Identity / Google Workspace super admin with irrevocable access to manage the organization and assign Organization Admin roles.

Admin Role (roles)
AWS, IAMFullAccess / AdministratorAccess: AWS managed policies granting full IAM management or full access to all AWS services and resources.
Azure, Owner Role: An Azure RBAC built-in role that grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
GCP, roles/owner: A basic IAM role granting full access to almost all Google Cloud resources, including permission to manage IAM policies.

Read-Only Access (roles)
AWS, ReadOnlyAccess: An AWS managed policy that grants read-only access to all AWS services without allowing any write or modification operations.
Azure, Reader Role: An Azure RBAC built-in role that lets you view all resources but not make any changes or manage access.
GCP, roles/viewer: A basic IAM role granting read-only access to view existing resources and data across Google Cloud services.

Identity Provider (identity)
AWS, AWS IAM: AWS Identity and Access Management is the core service for managing users, groups, roles, and permissions for AWS resources.
Azure, Entra ID (Azure AD): Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity and access management service for Azure and Microsoft 365.
GCP, Cloud Identity: Google Cloud Identity is an Identity-as-a-Service (IDaaS) platform that manages users and groups for Google Cloud and Workspace.

Service Identity (identity)
AWS, IAM Role: An IAM role is an identity with specific permissions that can be assumed by services, applications, or federated users instead of a single person.
Azure, Managed Identity: Azure Managed Identities provide an automatically managed identity in Entra ID for applications to use when connecting to resources.
GCP, Service Account: A special Google account that belongs to an application or compute workload rather than an individual user, used for server-to-server auth.

Policy (authorization)
AWS, IAM Policy: A JSON document defining permissions (Allow/Deny) attached to identities or resources to control access to AWS services and resources.
Azure, Azure Policy: A service that creates, assigns, and manages policies to enforce rules and effects on Azure resources for governance and compliance.
GCP, IAM Policy: A policy binding that attaches one or more members to a role at a specific level (org, folder, project, or resource) in the hierarchy.

Role-Based Access Control (authorization)
AWS, IAM Policies + Roles: AWS uses identity-based and resource-based JSON policies attached to IAM users, groups, and roles to implement access control.
Azure, Azure RBAC: Azure Role-Based Access Control provides built-in and custom roles assigned at management group, subscription, resource group, or resource scope.
GCP, Cloud IAM Roles: GCP IAM uses predefined, basic, and custom roles bound to members at organization, folder, project, or resource level.

MFA / Multi-Factor Auth (authentication)
AWS, IAM MFA: AWS IAM supports virtual MFA devices, hardware tokens, and FIDO security keys to add a second factor to user sign-in.
Azure, Entra ID MFA: Microsoft Entra multifactor authentication requires two or more verification methods including the Authenticator app, phone, or FIDO2 keys.
GCP, 2-Step Verification: Google's 2-Step Verification adds a second layer of identity verification via prompts, security keys, TOTP apps, or backup codes.

Single Sign-On (authentication)
AWS, AWS IAM Identity Center (SSO): Centrally manage workforce access to multiple AWS accounts and applications using SAML 2.0 federation and a built-in identity store.
Azure, Entra ID SSO: Seamless single sign-on via Entra ID allows users to authenticate once and access all registered cloud and on-premises applications.
GCP, Cloud Identity SSO: Google Cloud Identity supports SAML-based SSO and third-party IdP integration for unified login across Google Cloud and Workspace.

Temporary Credentials (authentication)
AWS, STS AssumeRole: AWS Security Token Service issues temporary, limited-privilege credentials via AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity.
Azure, Managed Identity Token: Azure Managed Identities automatically acquire and rotate OAuth 2.0 tokens from Entra ID without storing secrets in code.
GCP, Workload Identity Federation: Allows external workloads to impersonate service accounts and access Google Cloud resources without exporting service account keys.

Resource Hierarchy (organization)
AWS, Account: An AWS account is the fundamental isolation boundary containing resources, with its own billing and IAM configuration.
Azure, Subscription: An Azure subscription is a logical container used to provision resources, acting as a billing and access-control boundary.
GCP, Project: A Google Cloud project organizes resources, serves as an IAM and billing boundary, and is the base unit of resource ownership.

Organization (organization)
AWS, AWS Organizations: Centrally manage multiple AWS accounts with consolidated billing, service control policies (SCPs), and organizational units (OUs).
Azure, Management Groups: Organize subscriptions into a hierarchy of management groups for efficient governance, policy, and access management at scale.
GCP, GCP Organization: The root node of the Google Cloud resource hierarchy, linked to a Cloud Identity domain, providing centralized policy and access control.

Permission Boundary (authorization)
AWS, Permissions Boundary: An advanced IAM feature that sets the maximum permissions an IAM entity can have, even if broader policies are attached.
Azure, Azure Blueprints: Define repeatable sets of Azure resources, policies, and role assignments that comply with organizational standards and requirements.
GCP, IAM Deny Policies: Deny policies let you set guardrails that override IAM allow policies, preventing specific principals from using certain permissions.

Audit Logging (compliance)
AWS, CloudTrail: Records API calls and management events across AWS services for governance, compliance, and operational and risk auditing.
Azure, Activity Log: Azure Activity Log provides insight into subscription-level events like resource creation, updates, and role assignment changes.
GCP, Cloud Audit Logs: Provides Admin Activity, Data Access, System Event, and Policy Denied logs for who did what, where, and when across GCP.

Secret Management (security)
AWS, Secrets Manager: Helps you protect access to applications, services, and IT resources by managing, rotating, and retrieving database credentials, API keys, and other secrets.
Azure, Key Vault (Secrets): Azure Key Vault securely stores and manages secrets, keys, and certificates with access policies and Entra ID-based access control.
GCP, Secret Manager: A secure and convenient service for storing API keys, passwords, certificates, and other sensitive data with versioning and IAM-based access.

Encryption Key Management (security)
AWS, AWS KMS: Key Management Service creates and controls encryption keys used to encrypt data, integrating with most AWS services for server-side encryption.
Azure, Key Vault (Keys): Azure Key Vault manages cryptographic keys and supports HSM-backed keys for encrypting Azure resources and custom applications.
GCP, Cloud KMS: Manage cryptographic keys for cloud services, supporting symmetric, asymmetric, and HSM-backed keys for encryption and signing.

Conditional Access (authorization)
AWS, IAM Condition Keys: AWS IAM policy conditions use context keys (IP, time, tags, MFA) to control when a policy grants or denies access.
Azure, Conditional Access Policies: Entra ID Conditional Access evaluates signals like user, device, location, and risk to enforce access decisions and session controls.
GCP, IAM Conditions: Role bindings can include CEL-based conditions that restrict when permissions are granted based on resource attributes and request context.

Group-Based Access (identity)
AWS, IAM Groups: A collection of IAM users that lets you specify permissions for multiple users, simplifying permission management for teams.
Azure, Entra ID Groups: Security and Microsoft 365 groups in Entra ID that can be assigned roles and used for resource access management.
GCP, Google Groups: Google Groups can be used as principals in IAM policies, enabling group-level permission management across projects and resources.

Access Analyzer (compliance)
AWS, IAM Access Analyzer: Analyzes resource policies to identify resources shared with external entities and validates IAM policies against best practices.
Azure, Entra ID Access Reviews: Enables regular reviews of user access, group memberships, and role assignments to maintain least-privilege and compliance.
GCP, IAM Recommender: Machine-learning-based recommendations to right-size IAM roles, remove unused permissions, and enforce the principle of least privilege.

Cross-Account / Tenant Access (authorization)
AWS, Cross-Account Roles: IAM roles in one account can be assumed by principals in another account, enabling secure cross-account resource access.
Azure, Azure Lighthouse / B2B: Azure Lighthouse enables cross-tenant management, while Entra ID B2B provides guest user access across tenant boundaries.
GCP, Cross-Project IAM Bindings: Grant IAM roles to identities from other projects or organizations at the resource, project, folder, or org level.
Raw Data
[
{
"concept": "Root / Global Admin",
"category": "identity",
"aws": "Root Account",
"azure": "Global Administrator",
"gcp": "Super Admin"
},
{
"concept": "Admin Role",
"category": "roles",
"aws": "IAMFullAccess / AdministratorAccess",
"azure": "Owner Role",
"gcp": "roles/owner"
},
{
"concept": "Read-Only Access",
"category": "roles",
"aws": "ReadOnlyAccess",
"azure": "Reader Role",
"gcp": "roles/viewer"
},
{
"concept": "Identity Provider",
"category": "identity",
"aws": "AWS IAM",
"azure": "Entra ID (Azure AD)",
"gcp": "Cloud Identity"
},
{
"concept": "Service Identity",
"category": "identity",
"aws": "IAM Role",
"azure": "Managed Identity",
"gcp": "Service Account"
},
{
"concept": "Policy",
"category": "authorization",
"aws": "IAM Policy",
"azure": "Azure Policy",
"gcp": "IAM Policy"
},
{
"concept": "Role-Based Access Control",
"category": "authorization",
"aws": "IAM Policies + Roles",
"azure": "Azure RBAC",
"gcp": "Cloud IAM Roles"
},
{
"concept": "MFA / Multi-Factor Auth",
"category": "authentication",
"aws": "IAM MFA",
"azure": "Entra ID MFA",
"gcp": "2-Step Verification"
},
{
"concept": "Single Sign-On",
"category": "authentication",
"aws": "AWS IAM Identity Center (SSO)",
"azure": "Entra ID SSO",
"gcp": "Cloud Identity SSO"
},
{
"concept": "Temporary Credentials",
"category": "authentication",
"aws": "STS AssumeRole",
"azure": "Managed Identity Token",
"gcp": "Workload Identity Federation"
},
{
"concept": "Resource Hierarchy",
"category": "organization",
"aws": "Account",
"azure": "Subscription",
"gcp": "Project"
},
{
"concept": "Organization",
"category": "organization",
"aws": "AWS Organizations",
"azure": "Management Groups",
"gcp": "GCP Organization"
},
{
"concept": "Permission Boundary",
"category": "authorization",
"aws": "Permissions Boundary",
"azure": "Azure Blueprints",
"gcp": "IAM Deny Policies"
},
{
"concept": "Audit Logging",
"category": "compliance",
"aws": "CloudTrail",
"azure": "Activity Log",
"gcp": "Cloud Audit Logs"
},
{
"concept": "Secret Management",
"category": "security",
"aws": "Secrets Manager",
"azure": "Key Vault (Secrets)",
"gcp": "Secret Manager"
},
{
"concept": "Encryption Key Management",
"category": "security",
"aws": "AWS KMS",
"azure": "Key Vault (Keys)",
"gcp": "Cloud KMS"
},
{
"concept": "Conditional Access",
"category": "authorization",
"aws": "IAM Condition Keys",
"azure": "Conditional Access Policies",
"gcp": "IAM Conditions"
},
{
"concept": "Group-Based Access",
"category": "identity",
"aws": "IAM Groups",
"azure": "Entra ID Groups",
"gcp": "Google Groups"
},
{
"concept": "Access Analyzer",
"category": "compliance",
"aws": "IAM Access Analyzer",
"azure": "Entra ID Access Reviews",
"gcp": "IAM Recommender"
},
{
"concept": "Cross-Account / Tenant Access",
"category": "authorization",
"aws": "Cross-Account Roles",
"azure": "Azure Lighthouse / B2B",
"gcp": "Cross-Project IAM Bindings"
}
]

Key Takeaways
- IAM concepts map across providers but naming conventions differ significantly.
- AWS IAM Policies, Azure RBAC Role Definitions, and GCP IAM Roles serve the same purpose.
- Service accounts exist on all platforms but are configured differently.
- MFA/2FA enforcement is available across all providers with varying implementation.
- Cross-provider identity federation enables single sign-on across clouds.
Frequently Asked Questions
What is the Azure equivalent of an AWS IAM Role?
How do service accounts differ across cloud providers?
Can I use the same identity provider across all three clouds?
What is the equivalent of AWS SCPs in other clouds?
Which cloud has the most granular IAM permissions?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.