
Cloud Security — Generalist Reference.

Cross-provider security concepts that survive cloud-vendor differences: identity, network, data, control plane vs. data plane.

Identity — same concept, three names

  • AWS. IAM users, IAM roles, IAM groups, SCPs, permission boundaries. Federation via SAML or OIDC (Cognito, IAM Identity Center).
  • Azure. Entra ID (formerly AAD) users, groups, service principals, managed identities. RBAC at scope (subscription / resource group / resource). Conditional Access for policy.
  • GCP. Cloud Identity users, service accounts, groups. IAM bindings at organization / folder / project / resource. Workload Identity Federation for non-GCP workloads.
  • Common gotcha. All three default to deny but their inheritance models differ. AWS = explicit deny wins, no inheritance. Azure = RBAC inherits down scope. GCP = bindings inherit down resource hierarchy. Don't assume.
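
The "don't assume" point is easiest to see when the three evaluation models are written down. Below is an added toy model (not code from this reference, and not any provider's real policy engine): `aws_effective()` evaluates a flat statement list where an explicit Deny beats every Allow and no match is an implicit deny, and `scoped_effective()` models the Azure-RBAC / GCP-IAM style where a grant at any ancestor in the scope hierarchy applies to the resource. Policy contents, principals and the resource hierarchy are constructed placeholders; wildcard matching is simplified to `*` globbing.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class AwsStatement:
    """One statement of a flat AWS-style policy (toy model)."""
    effect: str            # "Allow" or "Deny"
    actions: set[str]      # e.g. {"s3:GetObject"}; "*" wildcards allowed
    resources: set[str]    # resource ARNs; "*" wildcards allowed


def _matches(patterns: set[str], value: str) -> bool:
    # IAM-style "*" globbing; real IAM matching has more rules (case, "?", variables).
    return any(fnmatchcase(value, p) for p in patterns)


def aws_effective(statements: list[AwsStatement], action: str, resource: str) -> bool:
    """Flat evaluation: explicit Deny wins over any Allow; no match is an implicit deny."""
    allowed = False
    for s in statements:
        if _matches(s.actions, action) and _matches(s.resources, resource):
            if s.effect == "Deny":
                return False      # statement order in the policy is irrelevant
            allowed = True
    return allowed


@dataclass
class ScopedGrant:
    """A role assignment (Azure) or IAM binding (GCP) attached at one scope."""
    scope: str
    principal: str
    permission: str


def scoped_effective(grants: list[ScopedGrant], parent_of: dict[str, Optional[str]],
                     principal: str, permission: str, resource: str) -> bool:
    """Hierarchical evaluation: a grant at the resource or any ancestor scope applies."""
    node: Optional[str] = resource
    while node is not None:
        if any(g.scope == node and g.principal == principal and g.permission == permission
               for g in grants):
            return True
        node = parent_of.get(node)   # None once we pass the root
    return False


def demo() -> dict[str, bool]:
    """Constructed policies and hierarchy; every name here is a placeholder."""
    aws_policy = [
        AwsStatement("Allow", {"s3:GetObject"}, {"*"}),
        AwsStatement("Deny", {"s3:*"}, {"arn:aws:s3:::finance-bucket/*"}),
    ]
    # GCP-style ancestry: resource -> project -> folder -> organization
    parent_of = {
        "bucket:payroll-exports": "project:hr-prod",
        "project:hr-prod": "folder:corporate",
        "folder:corporate": "org:example",
        "org:example": None,
    }
    grants = [ScopedGrant("folder:corporate", "alice@example.com", "storage.objects.get")]
    return {
        "aws_read_ordinary_bucket": aws_effective(
            aws_policy, "s3:GetObject", "arn:aws:s3:::public-data/report.csv"),
        "aws_read_finance_bucket": aws_effective(
            aws_policy, "s3:GetObject", "arn:aws:s3:::finance-bucket/ledger.csv"),
        "aws_unlisted_action": aws_effective(
            aws_policy, "s3:PutObject", "arn:aws:s3:::public-data/report.csv"),
        "gcp_folder_grant_reaches_bucket": scoped_effective(
            grants, parent_of, "alice@example.com", "storage.objects.get", "bucket:payroll-exports"),
        "gcp_no_grant": scoped_effective(
            grants, parent_of, "bob@example.com", "storage.objects.get", "bucket:payroll-exports"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The same principal, permission and resource produce different answers under the two models: the AWS-style Deny on the finance bucket cannot be undone by any Allow, while the folder-level grant in the GCP-style hierarchy silently reaches every bucket under it. An audit that checks only bindings on the resource itself misses the second case.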

Network — VPC equivalents

  • AWS VPC. CIDR per VPC; subnets per AZ; route tables decide reachability; security groups are stateful; NACLs are stateless.
  • Azure VNet. CIDR per VNet; subnets; NSGs are stateful; Azure Firewall stateful; UDRs override system routes.
  • GCP VPC. Global VPC (unlike the other two); regional subnets; firewall rules are stateful and apply by tag/SA.
  • Peering. Non-transitive in all three. A peered to B and B to C ≠ A to C. Hub-and-spoke topologies use Transit Gateway (AWS), VWAN (Azure), Network Connectivity Center (GCP).
  • Egress control. The single highest-impact lever for compromise containment. AWS NAT gateway + VPC endpoints + Network Firewall; Azure Firewall + Private Link; GCP Cloud NAT + VPC Service Controls.
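
Because egress control is the containment lever, the first audit question is usually "which rules allow everything outbound?" The following added example (not code from this reference) normalises that one check across the three rule vocabularies. The sample objects are constructed in the shape of the AWS `DescribeSecurityGroups` response (`IpPermissionsEgress`), Azure NSG `securityRules` in ARM JSON, and GCP compute firewall resources; group IDs, rule names and prefixes are placeholders.

```python
from __future__ import annotations

# Destination values that mean "anywhere" in each provider's rule vocabulary
ANY_DESTINATION = {"0.0.0.0/0", "::/0", "*", "Internet"}

# Constructed samples (placeholder names/IDs) in each provider's API/ARM shape.
AWS_SGS = [
    {"GroupId": "sg-0example1", "GroupName": "default",
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "app-tier",
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
AZURE_NSG_RULES = [
    {"name": "AllowAllOutbound", "properties": {
        "direction": "Outbound", "access": "Allow", "protocol": "*",
        "destinationAddressPrefix": "Internet", "destinationPortRange": "*", "priority": 100}},
    {"name": "AllowHttpsToPrivateLink", "properties": {
        "direction": "Outbound", "access": "Allow", "protocol": "Tcp",
        "destinationAddressPrefix": "10.20.0.0/16", "destinationPortRange": "443", "priority": 110}},
]
GCP_FIREWALLS = [
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]


def aws_open_egress(security_groups: list[dict]) -> list[str]:
    """Security groups whose egress allows every protocol to any IPv4/IPv6 destination."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") != "-1":          # "-1" is all protocols
                continue
            ranges = ([r.get("CidrIp") for r in perm.get("IpRanges", [])]
                      + [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])])
            if ANY_DESTINATION & set(ranges):
                hits.append(sg["GroupId"])
                break
    return hits


def azure_open_egress(rules: list[dict]) -> list[str]:
    """NSG rules that allow all protocols and ports outbound to any prefix or the Internet tag."""
    hits = []
    for rule in rules:
        p = rule["properties"]
        prefixes = set(p.get("destinationAddressPrefixes", [])) | {p.get("destinationAddressPrefix")}
        if (p.get("direction") == "Outbound" and p.get("access") == "Allow"
                and p.get("protocol") == "*" and p.get("destinationPortRange") == "*"
                and prefixes & ANY_DESTINATION):
            hits.append(rule["name"])
    return hits


def gcp_open_egress(firewalls: list[dict]) -> list[str]:
    """Egress firewall rules allowing all protocols to 0.0.0.0/0 or ::/0."""
    hits = []
    for fw in firewalls:
        if fw.get("direction", "INGRESS") != "EGRESS":   # direction defaults to INGRESS
            continue
        all_protocols = any(a.get("IPProtocol") == "all" and not a.get("ports")
                            for a in fw.get("allowed", []))
        if all_protocols and set(fw.get("destinationRanges", [])) & ANY_DESTINATION:
            hits.append(fw["name"])
    return hits


if __name__ == "__main__":
    print("AWS  :", aws_open_egress(AWS_SGS))
    print("Azure:", azure_open_egress(AZURE_NSG_RULES))
    print("GCP  :", gcp_open_egress(GCP_FIREWALLS))
```

An empty result does not mean egress is restricted: the AWS default security group ships with exactly the `-1` / `0.0.0.0/0` egress permission shown above, Azure NSGs carry a built-in `AllowInternetOutBound` default rule outside `securityRules`, and GCP VPCs have an implied allow-egress rule. The check finds explicit over-permission; the defaults have to be accounted for separately.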

Data — encryption-key-management split

  • Provider-managed. AWS S3 SSE-S3, Azure Storage Service Encryption with platform-managed keys, GCP default encryption. Zero customer effort, zero customer control.
  • Customer-managed in provider KMS. AWS SSE-KMS, Azure customer-managed keys in Key Vault, GCP CMEK in Cloud KMS. Customer controls rotation, audit, deletion; key material is provider-managed.
  • Customer-supplied (BYOK + HYOK). Customer supplies key material from their HSM. AWS XKS, Azure HYOK, GCP EKM. Highest sovereignty, highest complexity.
  • Crypto erasure. Delete the key, the data is unreadable. Faster than overwriting petabytes. Compliance-relevant for right-to-be-forgotten.

Control plane vs data plane

  • Control plane. The API that creates/configures resources. CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs Admin Activity (GCP). Always log; usually small volume.
  • Data plane. The API that reads/writes data within resources. S3 object access, KeyVault secret reads, GCS object reads. High volume; often not logged by default.
  • Audit surprise. Defender thinks they have full coverage because CloudTrail is on. Attacker exfiltrates from S3 via data-plane API; defender sees nothing.
  • Per-provider data-plane logging. AWS S3 Server Access Logs / CloudTrail Data Events (extra cost); Azure Storage Analytics; GCP Cloud Audit Logs Data Access (off by default).
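
The "audit surprise" can be checked mechanically from a trail's configuration rather than discovered during an incident. The added example below (not code from this reference) takes a CloudTrail event-selector configuration and reports whether management (control-plane) events and S3 object-level (data-plane) events are recorded. The two sample configurations are constructed in the shape of the CloudTrail `GetEventSelectors` response, covering both the basic `EventSelectors` and the `AdvancedEventSelectors` style; the trail ARN and account ID are placeholders.

```python
from __future__ import annotations

# Constructed sample: a trail that records only management events.
# This is the configuration behind the "audit surprise" above.
MANAGEMENT_ONLY_TRAIL = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-trail",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
    ],
}

# Constructed sample: the same trail with S3 data events added via advanced selectors.
S3_DATA_EVENTS_TRAIL = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-trail",
    "AdvancedEventSelectors": [
        {"Name": "Management events",
         "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
        {"Name": "All S3 object access",
         "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]},
    ],
}


def trail_coverage(cfg: dict) -> dict:
    """Summarise what a trail records: management events, and S3 data events for which buckets."""
    cov = {"management": False, "s3_data": False, "s3_buckets": []}
    # Basic selectors
    for sel in cfg.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents"):
            cov["management"] = True
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object":
                cov["s3_data"] = True
                values = res.get("Values", [])
                # The bare prefix "arn:aws:s3:::" selects every bucket in the account
                cov["s3_buckets"] = "all" if "arn:aws:s3:::" in values else values
    # Advanced selectors (a trail uses one style or the other; handle both)
    for sel in cfg.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category:
            cov["management"] = True
        if "Data" in category and "AWS::S3::Object" in fields.get("resources.type", {}).get("Equals", []):
            cov["s3_data"] = True
            arn = fields.get("resources.ARN")
            # Without a resources.ARN constraint the selector covers all buckets
            cov["s3_buckets"] = "all" if arn is None else arn.get("Equals", arn.get("StartsWith", []))
    return cov


def audit_trail(cfg: dict) -> list[str]:
    """Return human-readable gaps; an empty list means both planes are covered for S3."""
    cov = trail_coverage(cfg)
    gaps = []
    if not cov["management"]:
        gaps.append("control plane: management events are not recorded")
    if not cov["s3_data"]:
        gaps.append("data plane: S3 object-level events are not recorded; "
                    "object reads and writes leave no trail")
    return gaps


if __name__ == "__main__":
    for name, cfg in (("management-only", MANAGEMENT_ONLY_TRAIL),
                      ("with S3 data events", S3_DATA_EVENTS_TRAIL)):
        print(name, "->", audit_trail(cfg) or ["no gaps"])
```

The same question applies to the other two providers: on Azure the equivalent check is whether diagnostic settings send storage data-plane logs anywhere, and on GCP whether the Data Access audit log type is enabled for the service, since the reference notes it is off by default.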

Multi-cloud comparison table — fast lookup

  • Metadata service. AWS 169.254.169.254, Azure 169.254.169.254 + header Metadata: true, GCP metadata.google.internal + header Metadata-Flavor: Google.
  • Default encryption. AWS S3 since 2023 yes, Azure Blob yes, GCP yes — all at rest.
  • Public block at account level. AWS Block Public Access; Azure has per-storage-account public access; GCP uniform bucket-level access.
  • Org-wide policy. AWS SCP; Azure Policy + Management Groups; GCP Org Policy + Folders.

Rule of thumb. If you're auditing a multi-cloud environment, audit each provider separately first. Cross-cloud findings (federation, shared SSO, replicated data) come second and depend on having a clean per-cloud baseline.
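
The metadata-service row of the table doubles as detection input: an application process on a workload talking to the metadata address is worth a look, and because AWS and Azure share `169.254.169.254`, the header tells you which provider the request is shaped for. The added example below (not code from this reference) runs that logic over a constructed egress log. The log format, field names, process allowlist and addresses other than the metadata hosts from the table are all made up for the example.

```python
from __future__ import annotations

import json
from typing import Optional

# Destinations from the comparison table above
IMDS_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Constructed allowlist: agents expected to talk to the metadata service.
EXPECTED_PROCESSES = {"cloud-init", "amazon-ssm-agent", "waagent", "google_guest_agent"}

# Constructed egress log, one JSON object per line, as an outbound proxy or
# host agent might record per-process traffic. Field names are invented.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "src": "10.0.1.5", "process": "cloud-init", "dst_host": "169.254.169.254", "headers": {}}
{"ts": "2024-05-01T10:02:13Z", "src": "10.0.1.5", "process": "gunicorn", "dst_host": "169.254.169.254", "headers": {}}
{"ts": "2024-05-01T10:02:14Z", "src": "10.0.2.9", "process": "node", "dst_host": "169.254.169.254", "headers": {"Metadata": "true"}}
{"ts": "2024-05-01T10:02:15Z", "src": "10.0.3.4", "process": "java", "dst_host": "metadata.google.internal", "headers": {"Metadata-Flavor": "Google"}}
{"ts": "2024-05-01T10:03:00Z", "src": "10.0.1.5", "process": "gunicorn", "dst_host": "api.example.com", "headers": {}}
"""


def classify_provider(dst_host: str, headers: dict) -> Optional[str]:
    """Which provider's metadata service a request is shaped for, from host and header only."""
    h = {k.lower(): v for k, v in headers.items()}
    if dst_host == "metadata.google.internal" or h.get("metadata-flavor") == "Google":
        return "gcp"
    if dst_host == "169.254.169.254":
        # Azure requires "Metadata: true"; the table lists no header for AWS
        return "azure" if h.get("metadata", "").lower() == "true" else "aws"
    return None


def detect_imds_access(log_text: str) -> list[dict]:
    """Flag metadata-service requests from processes that are not expected to make them."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["dst_host"] not in IMDS_HOSTS or rec.get("process") in EXPECTED_PROCESSES:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "process": rec.get("process"),
            "provider": classify_provider(rec["dst_host"], rec.get("headers", {})),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_imds_access(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} {alert['process']} -> {alert['provider']} metadata service")
```

Treat the output as a triage list, not a verdict: cloud SDKs running inside an application also fetch credentials from the metadata service, so the allowlist needs tuning per workload, and the strongest signal is a request whose destination or headers were influenced by user input rather than by the SDK.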
