AWS IAM vs Cloud IAM vs Azure AD: A Detailed Comparison for System Design
Compare AWS IAM, Google Cloud IAM, and Azure AD/Entra ID for identity management — policies, roles, and access control models.
AWS IAM vs Cloud IAM vs Azure AD
AWS IAM, Google Cloud IAM, and Azure Active Directory (now Entra ID) are the identity and access management systems for the three major cloud providers. Each takes a different approach to the fundamental question: who can do what on which resources?
Policy Models
AWS IAM — Policy-Based
AWS IAM uses JSON policy documents whose statements specify an Effect (Allow or Deny), an Action (for example s3:GetObject), a Resource (for example arn:aws:s3:::my-bucket/*), and optional Conditions. Identity-based policies attach to users, groups, or roles. AWS also has resource-based policies (S3 bucket policies, SQS queue policies), Service Control Policies for organization-wide guardrails, and permission boundaries. Requests are denied by default, and an explicit Deny in any applicable policy overrides any Allow. The system is powerful but complex.
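As an added illustration (not code from this page or AWS's own evaluation engine), the following simplified Python model shows how an identity-based policy like the one described above is evaluated: implicit deny by default, explicit Deny overriding Allow, wildcard matching on Action and Resource, and Conditions reduced to a single StringEquals operator. The policy document, bucket name, and VPC id are constructed sample values.

```python
"""Simplified AWS-style IAM policy evaluation (illustrative model, not the real engine).

Semantics modelled: a request is denied unless some statement allows it, any
matching explicit Deny wins over every Allow, and Action/Resource use '*' glob
matching. Conditions are limited to StringEquals on a request context dict.
"""
from fnmatch import fnmatchcase

# Constructed sample policy: read access to one bucket, but never to its
# 'secrets/' prefix, and only when the request comes from a specific VPC.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123"}}},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/secrets/*"},
    ],
}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _conditions_match(condition, context):
    """Only StringEquals is modelled; real IAM supports many more operators."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins, regardless of Allows
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed it
```

Note that the explicit Deny on the secrets/ prefix blocks access even though the Allow statement also matches, and a missing aws:SourceVpc context value turns an otherwise-allowed read into an implicit deny.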
Google Cloud IAM — Role-Based Hierarchy
GCP IAM uses a hierarchical model: Organization > Folders > Projects > Resources. Roles (bundles of permissions) are bound to members at any level of the hierarchy, and permissions inherit downward. A role granted at the folder level applies to all projects within that folder. GCP offers basic roles (Viewer, Editor, Owner), hundreds of predefined service-specific roles, and custom roles.
Azure AD (Entra ID) — Identity-Centric
Azure combines Azure AD for identity (users, groups, enterprise apps) with Azure RBAC for resource access. Azure AD handles authentication, conditional access, and enterprise SSO. Azure RBAC handles authorization with built-in roles assigned at management group, subscription, resource group, or resource scope.
Least Privilege Tooling
All three providers offer tools to achieve least privilege: AWS IAM Access Analyzer identifies unused permissions, GCP IAM Recommender suggests tighter roles based on usage, and Azure AD Access Reviews periodically validate access grants.
For IAM and security concepts in system design interviews, see our interview questions and pricing for access.