Managing IAM Permissions in the Cloud: AWS vs Microsoft Azure vs Google Cloud

All of the major public clouds offer identity and access management (IAM) tools. The exact nature of the various cloud IAM tools vary, however. So do their names.

As a result, if you are familiar with the IAM solutions available from one public cloud, such as Amazon Web Services (AWS), it can be challenging to understand how IAM tools work on another platform, like Google Cloud or Microsoft Azure.

This article clarifies that issue by comparing the identity and access management tools and frameworks associated with each of the three major public clouds -- AWS, Azure, and Google. It identifies the key IAM-related terms and tools to know for each cloud and explains the approach that each cloud takes to managing user accounts, groups, access control and (where applicable) Active Directory integration.

What Is IAM in the Cloud?

In a nutshell, IAM within the context of cloud computing refers to the tools and processes that are used to manage access to various services and resources in the cloud.

IAM is similar to group and user management on a personal computer or server. Just as you’d use tools provided by your operating system to control which users and groups can access which resources (like file directories and network connections) on the local system, you use IAM to manage access to the cloud data and services (such as storage buckets or virtual machine instances) that run in the public cloud.

AWS Identity and Permissions Management

In the AWS cloud, there are three main frameworks to know in relation to identify and permissions management.

AWS IAM Roles and Policies

The first is AWS Identity and Access Management, or IAM for short. AWS IAM supports the following key functionality:

  • Create users and groups and configure which AWS-based resources each user or group can access on a permanent basis (or until you change the IAM policy).
  • Set AWS IAM Roles, which allow you to grant short-term access to an AWS resource.

Amazon recommends a variety of AWS IAM best practices, such as setting least permissions by default. You can read more about these and the tools available to implement them here.

AWS Organizations

What if you have multiple AWS accounts and want to set the same identity and access control policies for all of them, without having to configure each one manually? AWS Organizations allows you to do this by setting policies that apply to multiple AWS accounts.

AWS Directory Service

AWS Directory Service makes it possible to manage users, groups and permissions for AWS services, including EC2, using native Active Directory tools. The AWS Directory Service is an implementation of Microsoft’s Active Directory and allows you to use native Active Directory tools and features to manage AWS resources.

AWS Directory Service is useful if you use Active Directory to manage other parts of your infrastructure and you want to apply the same permissions to your AWS resources. Or maybe you just know Active Directory better than AWS IAM and prefer to use the former to manage identities and permissions rather than learning a new framework.

Azure Identity Management

Unsurprisingly given that Microsoft owns both Active Directory and the Azure cloud, Active Directory provides the default foundation for identity and permissions management in Azure. Azure Active Directory can be used to manage access for the IaaS services within the Azure Cloud, such as virtual machines. In addition, Azure Active Directory can manage access for other services associated with the Azure cloud, such as Office 365 and OneDrive.

Azure offers its own Web-based interface for Active Directory Management. You can access it from the Azure portal, where you can configure the permissions associated with each user and group.

Although Azure Active Directory is not the same tool as traditional Windows Active Directory, both tools use similar terminologies and concepts. If you are familiar with Windows Active Directory, using Azure Active Directory should be pretty simple.

It’s important to note, however, that Azure Active Directory does not integrate by default with any instances of Windows Active Directory that you use to manage on-premise infrastructure. To achieve this integration, you need to use Azure AD Connect.

Azure Identity Management with RBAC

In addition to managing accounts and permissions via Azure Active Directory, you can use Role-Based Access Control (RBAC). RBAC provides the ability to fine-tune access to specific Azure resources on a per-user, per-group or per-application basis.

Google Cloud IAM

Google Cloud Platform’s main access and identity management framework is called Google Cloud Identity & Access Management, although Google abbreviates this to just “IAM” for short. (Although Google Cloud IAM is similar to AWS IAM, the tools are not identical in functionality and should not be confused.)

The terms and concepts associated with IAM on Google Cloud can be a bit confusing, as they are more complex and nuanced than those used by AWS IAM and Azure Identity Management. For example, Google Cloud IAM defines two different types of accounts: Google accounts and Service accounts.  The former are intended for use by actual people, whereas the latter can be used to control permissions for applications.

For a full overview of Google Cloud IAM terms and concepts, refer to this documentation.

As for Active Directory, Google does not offer any tools for integrating Active Directory with Google Cloud, and it discourages the use of Active Directory for identity management on Google Cloud.

Comparison: IAM on AWS, Azure and Google Cloud

AWS Microsoft Azure Google Cloud Platform
Main access control framework AWS IAM Azure Active Directory Google Cloud IAM
Fine-tuned access control AWS IAM Azure RBAC Google Cloud IAM
Multi-Account IAM Configuration AWS Organizations Azure Active Directory Google Cloud IAM
Active Directory integration AWS Directory Service Azure AD Connect No native tool

Conclusion

It's getting more or less clear that the most robust and flexible identity and access management systems are developed in Amazon Web Service and Microsoft Azure. Small wonder - AWS being the fastest growing cloud compute company in the world and Microsoft being the holder of Active Directory asset. However, it does not mean that Google Cloud Platform is not safe. It's for sure military-state safe and has all the right services for you to play with. It's just not as flexible, comparable to AWS and Azure.