
Governance and Policy Management Differences Between AWS, Azure and GCP

By Marco Meinardi | December 07, 2020 | 3 Comments


Governance and policy is becoming one of the most important areas of public cloud management. Governing the thousands of configuration options that public cloud providers offer is fundamental to allow organizations to use cloud safely. Although AWS, Azure and GCP offer services for policy management for the same goals, their implementations differ significantly. Client organizations who want to implement a multicloud governance strategy need to appreciate and master these differences to uniformly achieve governance.

Today I am proud to announce my latest publication: “Key Services Differences Between AWS, Azure and GCP: Governance and Policy Management”. The research describes and compares cloud provider implementations in four key areas: hierarchical structure, policy enforcement, metadata tagging and landing zone setup. It provides a detailed comparison and 12 architectural diagrams to help technical professionals implement policy management on the three providers. Additionally, more than 70 external links and references help technical professionals navigate the cloud providers’ documentation to quickly locate evidence and find additional guidance.

For example, the figure below shows the policy management workflows in AWS, with an indication of the governance tools for preventative and retrospective policy enforcement.

Azure Policy can implement the same workflow in Microsoft Azure, allowing organizations to share the same policy code for both preventative and retrospective controls. By contrast, GCP provides powerful tools for preventative enforcement but lacks a service for auditing configurations and remediating policy violations. Such differences are hard to assess, especially when vendors’ marketing departments are working hard to highlight strengths and hide weaknesses.

The four areas explored in this research are:

  • Hierarchical structure: The mandatory constructs that serve as resource containers, for example, an AWS account, an Azure subscription or a GCP project. They serve as policy scopes and are organized in a hierarchy that provides for policy inheritance.
  • Policy enforcement: The mechanisms that enforce policies programmatically and provide consequences for noncompliant operations. Policy enforcement includes RBAC, configuration management and auditing.
  • Metadata tagging: The means to describe deployed resources using arbitrary metadata. The applied metadata is then used for different management use cases, with the most common being cost allocation. This area includes capabilities to ensure a consistent application of tags.
  • Landing zone setup: The mechanisms to get started with cloud environments that are placed in a prebuilt governance framework. A “landing zone” is a fully equipped set of hierarchical constructs, policies, network and identity configurations where infrastructure and platform resources can land safely.
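As an added illustration of the policy enforcement and metadata tagging areas above (this is example code written for this post, not part of the research or Microsoft's own samples), the Azure Policy definition below requires a tag on every resource and exposes the effect as a parameter, so the same policy code serves as a preventative control (Deny) or a retrospective one (Audit) depending on how it is assigned. The tag name "cost-center" is a constructed sample value.

```json
{
  "properties": {
    "displayName": "Require a cost-center tag (effect chosen at assignment time)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example definition. Flags or blocks resources that are missing the given tag. Assign once with effect=Audit for retrospective compliance reporting and once with effect=Deny on scopes where noncompliant creation must be blocked.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the mandatory tag (sample default: cost-center)"
        },
        "defaultValue": "cost-center"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit records a violation in the compliance view; Deny rejects the create or update request"
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning this definition at a management group with effect set to Deny gives preventative enforcement for every subscription beneath it through policy inheritance, while a second assignment with Audit on a legacy subscription surfaces existing untagged resources as noncompliant without blocking anything.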

You can access the full research at “Key Services Differences Between AWS, Azure and GCP: Governance and Policy Management” (paywall). Should you want to discuss further, feel free to schedule an inquiry call with me by emailing or through your Gartner representative.

Follow me on Twitter (@meinardi) or connect with me on LinkedIn for further updates on my research. Looking forward to talking to you!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Jeff Mitchell says:

    I’m not sure how I am supposed to be able to access this report.

  • I’d like to receive this report

  • Talal says:

    Cannot find a way to auto tag resources in AWS as there is in Azure.
    The Azure Policy section seems way ahead for auditing, prevention and remediation; on top of that there are Azure Blueprints.
    Is there a way in AWS for auto tagging using policies?