Governance and policy is becoming one of the most important areas of public cloud management. Governing the thousands of configuration options that public cloud providers offer is fundamental to allowing organizations to use the cloud safely. Although AWS, Azure and GCP offer policy management services with the same goals, their implementations differ significantly. Client organizations that want to implement a multicloud governance strategy need to appreciate and master these differences to achieve governance uniformly.
Today I am proud to announce my latest publication: “Key Services Differences Between AWS, Azure and GCP: Governance and Policy Management”. The research describes and compares cloud provider implementations in four key areas: hierarchical structure, policy enforcement, metadata tagging and landing zone setup. It provides a detailed comparison and 12 architectural diagrams to help technical professionals implement policy management on the three providers. Additionally, more than 70 external links and references help technical professionals navigate the cloud providers’ documentation to quickly locate evidence and find additional guidance.
For example, the figure below shows the policy management workflows in AWS, with an indication of the governance tools for preventative and retrospective policy enforcement.
Azure Policy can implement the same workflow in Microsoft Azure, allowing organizations to share the same policy code for both preventative and retrospective controls. GCP, by contrast, provides powerful tools for preventative enforcement but lacks a service for auditing configurations and remediating policy violations. Such differences are hard to assess, especially when vendors’ marketing departments are working hard to highlight strengths and hide weaknesses.
The four areas explored in this research are:
Hierarchical structure: The mandatory constructs that serve as resource containers, for example, an AWS account, an Azure subscription or a GCP project. They serve as policy scopes and are organized in a hierarchy that provides for policy inheritance.
Policy enforcement: The mechanisms that enforce policies programmatically and provide consequences for noncompliant operations. Policy enforcement includes RBAC, configuration management and auditing.
Metadata tagging: The means to describe deployed resources using arbitrary metadata. The applied metadata is then used for different management use cases, with the most common being cost allocation. This area includes capabilities to ensure a consistent application of tags.
Landing zone setup: The mechanisms to get started with cloud environments that are placed in a prebuilt governance framework. A “landing zone” is a fully equipped set of hierarchical constructs, policies, network and identity configurations where infrastructure and platform resources can land, safely.
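To illustrate the shared-policy-code point made above for Azure, and the tag-consistency capability listed under metadata tagging, here is an Azure Policy definition written in the standard definition JSON format. It is an added example, not taken from the research or from Microsoft; the tag name, display strings and description are assumed values. The single rule is assigned once with effect Audit for retrospective reporting of untagged resources and once with Deny for preventative enforcement, so the policy code itself never changes.

```json
{
  "properties": {
    "displayName": "Require a cost-allocation tag on resources (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Flags or blocks resources that are missing the cost-allocation tag, depending on the assigned effect.",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "costCenter",
        "metadata": {
          "displayName": "Tag name",
          "description": "Assumed tag that every indexed resource must carry."
        }
      },
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [ "Audit", "Deny" ],
        "metadata": {
          "displayName": "Effect",
          "description": "Audit records a non-compliance event (retrospective); Deny rejects the deployment (preventative)."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning the definition at a management group scope with effect Audit first lets the compliance dashboard reveal the existing violations before the same definition is re-assigned with Deny, which is the usual rollout order for a retrospective-then-preventative control.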
You can access the full research at “Key Services Differences Between AWS, Azure and GCP: Governance and Policy Management” (paywall). Should you want to discuss further, feel free to schedule an inquiry call with me by emailing email@example.com or through your Gartner representative.