There are many similarities between the three biggest cloud platforms on the market today. However, there are many subtle differences, glossary conflicts and feature gaps.

Here is a table of some of the common functionalities and how they are implemented on each of the three major cloud platforms:

| Function | Azure | AWS | GCP |
|---|---|---|---|
| Top Level Organization | Azure Subscription | AWS Master Account | Organization |
| Mid-Level Organizational Nodes | Azure Subscription | AWS Child Account | Folders |
| Resource Containers | Resource Groups | N/A | Projects |
| Resource Tagging | Tags | Tags | Labels |
| User Accounts | Office 365 / Azure AD & Microsoft Account | IAM User | G-Suite & Google Account |
| Service Accounts | Azure AD Service Principal | IAM User / IAM Role | Service Account |
| Privileges Collection | Role Definitions | IAM Policy | IAM Role |

Organization Hierarchy

Azure uses a two-tier hierarchy consisting of a single root Azure Subscription with a recursive hierarchy of “child” Subscriptions and a last-leaf tier consisting of “Resource Groups”.

AWS uses a two-tier hierarchy consisting of a single root AWS Account with a recursive hierarchy of “child” AWS Accounts. AWS does not have a logical resource container in the way that Azure and GCP do with Resource Groups and Projects respectively; instead it relies on tagging to organize resources into logical groups.

GCP uses a three-tier hierarchy consisting of a single root element dubbed “Organization” and a recursive hierarchy of “Folders” with a last-leaf tier consisting of “Projects”.

Interactive Access

AWS uses AWS IAM to control access. IAM is a proprietary directory inside AWS itself. Users can be synced with other directory services such as on-premises Active Directory or Azure Active Directory.

Azure uses Azure Active Directory to control access. Customers who already use Office 365 will find that they are already using Azure Active Directory, because Office 365 uses Azure Active Directory under the hood. Account management is done within the Azure portal or within Office 365 Administration. Users can be synced with other directory services such as on-premises Active Directory. Azure also supports the use of Microsoft Accounts, but even in this situation an Azure Active Directory tenant will be created behind the scenes with a single account in it.

GCP uses Google Accounts to control access. Google Accounts can be either public Gmail accounts or G-Suite accounts. Account management is done outside of GCP, in Google Account Administration. Users can be synced with other directory services such as on-premises Active Directory.

Programmatic Access

AWS uses AWS IAM Users that have been provisioned with Access Keys for programmatic access.

Azure uses Service Principals within Azure Active Directory for programmatic access.

GCP uses Service Accounts, which are special Google Accounts intended only for machine use. Roles can be established that allow users to control Service Accounts.

Implicit Execution Time Access

AWS uses IAM Roles that have been specified as the EC2 instance role to allow a Virtual Machine to have certain access privileges implicitly.

Azure…

GCP uses Service Accounts that have been specified when configuring a Virtual Machine. You can specify either a custom Service Account or use the default Service Account generated by GCP. If using the default Service Account, access is determined by Scopes rather than IAM Roles. If using a custom Service Account, access is determined by the IAM Roles that you assign to that Service Account.
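The two implicit execution-time access patterns described above (an AWS IAM role assumed by EC2, and a GCP custom Service Account governed by an IAM role binding) expressed as Terraform, added here as an illustration and not taken from the original post; all resource names, the bucket, project and image values are assumed placeholders.

```hcl
# AWS: a role that only the EC2 service may assume, attached via an instance profile.
resource "aws_iam_role" "app" {
  name = "example-app-instance-role" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" } # no other principal may assume it
      Action    = "sts:AssumeRole"
    }]
  })
}
# Least privilege: the instance may only read objects in one bucket.
resource "aws_iam_role_policy" "app_read" {
  name = "read-example-bucket"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-bucket/*" # placeholder bucket
    }]
  })
}
# Attach this profile to the EC2 instance (iam_instance_profile on aws_instance).
resource "aws_iam_instance_profile" "app" {
  name = "example-app-instance-profile"
  role = aws_iam_role.app.name
}

# GCP: a custom Service Account; the IAM role bound to it governs the VM's access.
resource "google_service_account" "app" { account_id = "example-app" } # assumed id
resource "google_project_iam_member" "app_read" {
  project = "example-project" # placeholder project
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.app.email}"
}
resource "google_compute_instance" "app" {
  name         = "example-app-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface { network = "default" }
  service_account {
    email  = google_service_account.app.email
    scopes = ["cloud-platform"] # broad scope; the IAM binding above is what limits access
  }
}
```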