Cloud Services Cross-Reference: Security & Identity
This document provides a side-by-side reference of security and identity services across Amazon Web Services (AWS), Microsoft Azure, Oracle Cloud Infrastructure (OCI), and Google Cloud Platform (GCP). Each section covers a distinct security domain, listing the equivalent or nearest service from each provider with brief notes on unique capabilities or architectural differences.
Identity & Access Management (IAM)
Core IAM controls who can access cloud resources and what actions they can perform. All four providers implement policy-based access control, role assignments, and least-privilege principles, but differ significantly in policy language, inheritance model, and federation integration.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Core IAM service | AWS IAM | Azure RBAC (via Microsoft Entra ID) | OCI IAM | Google Cloud IAM |
| Policy model | JSON-based identity and resource policies | Role definitions applied to scopes (subscription, resource group, resource) | HCL-like compartment policies (Allow group X to manage Y in compartment Z) | Resource-based IAM policies with roles and bindings |
| Built-in roles | AWS managed policies (300+) | Azure built-in roles (150+) | OCI predefined policies and dynamic groups | Basic and predefined roles (custom roles also available) |
| Custom roles | Customer managed policies; inline policies | Custom roles with fine-grained action lists | Custom IAM policies | Custom roles with selected permissions |
| Service accounts / instance roles | IAM roles for EC2 (instance profiles); IAM roles for services | Managed identities (system-assigned and user-assigned) | Instance principals; resource principals; dynamic groups | Service accounts |
| Attribute-based access control | ABAC via tags and condition keys | Azure ABAC (condition-based role assignments in preview/GA for storage) | Tag-based conditions in policies | IAM Conditions (attribute-based) |
| Permission boundaries | IAM permission boundaries | Management group policies + Azure Policy | Compartment hierarchy limits scope | Organization policy constraints |
| Cross-account access | IAM roles with trust policies; resource-based policies | Cross-tenant B2B collaboration; Lighthouse | Cross-tenancy policies | Workload identity federation; cross-project IAM |
| Just-in-time privileged access | AWS IAM Identity Center temporary elevation | Microsoft Entra Privileged Identity Management (PIM) | OCI IAM time-bounded policy conditions | Privileged Access Manager (PAM), GA 2024 |
Notable distinctions:
- OCI organizes all resources within compartments; policies are attached to compartments, making resource isolation structural rather than purely policy-driven.
- Azure RBAC is inseparable from Microsoft Entra ID; all role assignments are rooted in the Entra directory.
- Google Cloud uses a unified IAM model across GCP resources with no separate "resource policy" concept — all access is granted at the resource or project level via IAM bindings.
Directory Services
Directory services manage user and group identities, often acting as the authoritative source for authentication across an organization.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Cloud-native directory | AWS IAM Identity Center (built-in identity store) | Microsoft Entra ID (formerly Azure Active Directory) | OCI Identity Domains | Cloud Identity |
| Managed Active Directory | AWS Managed Microsoft AD (via AWS Directory Service) | Microsoft Entra Domain Services (managed AD) | Not available natively; use AD on compute instances | Managed Service for Microsoft Active Directory |
| AD Connector / Sync | AD Connector (proxy to on-prem AD) | Microsoft Entra Connect (hybrid sync) | Oracle Directory Services integration via LDAP bridge | AD Connector for Google Workspace / Cloud Identity |
| LDAP support | AWS Directory Service Simple AD (Samba-based) | Microsoft Entra Domain Services (LDAP enabled) | OCI Identity Domains LDAP gateway | Cloud Identity LDAP |
| User lifecycle management | IAM Identity Center with SCIM provisioning | Entra ID Governance (lifecycle workflows, access packages) | OCI Identity Domains (SCIM 2.0 provisioning) | Cloud Identity (SCIM provisioning) |
| Group management | IAM groups; IAM Identity Center groups | Entra ID security groups, Microsoft 365 groups, dynamic groups | OCI groups; identity domain groups; dynamic groups | Google Groups; Cloud Identity groups |
Notable distinctions:
- Microsoft Entra ID is the industry-dominant cloud directory, with deep integration across Microsoft 365, Intune, Dynamics, and thousands of SaaS apps.
- OCI Identity Domains replaced Oracle Identity Cloud Service (IDCS) as the unified identity platform; IDCS is no longer offered as a separate service.
- Google Cloud Identity is the standalone identity product; organizations using Google Workspace already have it included.
Single Sign-On & Federation
SSO and federation allow users to authenticate once and access multiple applications or cloud accounts without re-entering credentials.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Cloud SSO service | AWS IAM Identity Center | Microsoft Entra ID SSO | OCI Identity Domains (built-in SSO) | Cloud Identity / Google Workspace SSO |
| SAML 2.0 federation | IAM Identity Center SAML apps; IAM SAML identity providers | Entra ID enterprise applications (SAML) | OCI Identity Domains SAML federation | Cloud Identity SAML SSO; Identity Platform |
| OIDC / OAuth 2.0 | Cognito; IAM OIDC identity providers | Entra ID app registrations | OCI Identity Domains OAuth 2.0 / OIDC | Identity Platform; Cloud Identity OIDC |
| Social identity / CIAM | Amazon Cognito | Entra External ID (B2C) | OCI Identity Domains (social login) | Identity Platform (Firebase Auth) |
| Workforce federation to multiple accounts | IAM Identity Center permission sets across AWS Organizations | Entra ID enterprise app with multiple role assignments | OCI Identity Domains multi-tenancy federation | Workforce Identity Federation |
| Workload federation (OIDC from external IdP) | IAM roles with OIDC web identity; Outbound Identity Federation (2025) | Workload Identity Federation | OCI Dynamic Groups + OIDC token validation | Workload Identity Federation |
Notable distinctions:
- AWS IAM Identity Center is the recommended SSO hub for multi-account AWS Organizations environments; it replaced the original "AWS SSO" branding.
- OCI Identity Domains provides SSO with pre-built integrations for Oracle SaaS applications (Fusion, NetSuite, etc.), a meaningful advantage for Oracle-centric organizations.
- Google Workspace organizations get SSO built-in; standalone GCP customers use Cloud Identity or the Identity Platform for consumer apps.
Key Management
Key management services (KMS) provide centralized creation, storage, rotation, and auditing of cryptographic keys used to encrypt data at rest and in transit.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Core KMS | AWS Key Management Service (AWS KMS) | Azure Key Vault (Keys) | OCI Vault | Cloud KMS |
| HSM-backed keys | AWS KMS with HSM backing (FIPS 140-2 Level 2/3) | Azure Key Vault Premium (FIPS 140-3 Level 3 HSMs) | OCI Vault HSM-protected keys (FIPS 140-2 Level 3) | Cloud HSM (within Cloud KMS) |
| Dedicated HSM | AWS CloudHSM (dedicated, single-tenant) | Azure Managed HSM (dedicated, FIPS 140-3 Level 3) | OCI Dedicated KMS | Cloud HSM |
| External key management (HYOK / BYOK) | AWS KMS External Key Store (XKS) | Azure Key Vault with customer-managed keys; Double Key Encryption (M365) | OCI External KMS | Cloud EKM (External Key Manager) |
| Key rotation | Automatic annual rotation (AWS managed); manual for CMKs | Automatic rotation policy on key vault | Manual rotation with version tracking; policy-based auto-rotation | Automatic and manual rotation |
| Key types | AES-256, RSA 2048/3072/4096, ECC | RSA, EC, symmetric (AES) | AES, RSA, ECDSA | AES-256, RSA 2048/3072/4096, EC |
| Envelope encryption | Data keys encrypted with CMK | Key encryption key (KEK) model | Master encryption key (MEK) model | Data encryption keys wrapped by KMS key |
| Audit trail | AWS CloudTrail integration | Azure Monitor + Key Vault diagnostics | OCI Audit service | Cloud Audit Logs |
Notable distinctions:
- OCI Vault serves a dual purpose: key management and secrets management within the same service, unlike AWS, which separates KMS and Secrets Manager.
- Azure Key Vault is the single service for keys, secrets, and certificates — a unified control plane across all three asset types.
- Google Cloud EKM allows keys to be held entirely outside Google, addressing sovereignty requirements.
Secrets Management
Secrets management covers secure storage, retrieval, rotation, and access control for credentials, API keys, database passwords, and other sensitive configuration values.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Core secrets service | AWS Secrets Manager | Azure Key Vault (Secrets) | OCI Vault Secrets | Google Secret Manager |
| Automatic secret rotation | Native rotation with Lambda functions for supported databases (RDS, Redshift, DocumentDB) | Key Vault rotation policies; event-driven rotation via Event Grid | Manual rotation; custom rotation with Functions | Manual rotation; version-based management |
| Secret versioning | Version stages (AWSCURRENT, AWSPENDING, AWSPREVIOUS) | Enabled/disabled versions with timestamps | Version numbers with state transitions | Versions with aliases (latest) |
| Cross-service access | IAM resource policies on secret; VPC endpoint | Key Vault access policies or Azure RBAC; private endpoint | IAM policies granting secret read; private endpoint | IAM bindings; VPC Service Controls |
| Parameter store (config/non-secret) | AWS Systems Manager Parameter Store (free tier; no automatic rotation) | Azure App Configuration | OCI Configuration (no dedicated equivalent; use tags/custom) | Cloud Run environment variables; Secret Manager |
| Encryption at rest | AWS KMS CMK | Key Vault HSM or software key | OCI Vault master encryption key | Google-managed or CMEK key |
Notable distinctions:
- AWS separates non-secret configuration (Parameter Store, free) from secrets with rotation (Secrets Manager, paid). Both are commonly used together.
- Azure Key Vault is a single service covering keys, secrets, and certificates with consistent access policy and RBAC across all three.
- OCI Vault is also unified for keys and secrets; certificates are a separate OCI Certificates service.
Certificate Management
Certificate management services issue, store, deploy, and renew TLS/SSL certificates for public-facing and internal workloads.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Public TLS certificates | AWS Certificate Manager (ACM) — free for ACM-integrated services | Azure App Service Certificates; Azure Front Door managed certificates | OCI Certificates (public CA-issued) | Google-managed certificates (via load balancers) |
| Private / internal CA | ACM Private CA (AWS Private Certificate Authority) | Azure Key Vault private certificates; Entra ID certificate-based auth | OCI Certificates (private CA hierarchy) | Certificate Authority Service (CA Service) |
| Certificate deployment | Automatic deployment to ALB, CloudFront, API Gateway, etc. | Automatic deployment to App Service, Application Gateway, Front Door | Deploy to OCI Load Balancer, API Gateway | Automatic deployment to HTTPS load balancers |
| Auto-renewal | ACM handles renewal automatically for ACM-managed certs | Managed certificates auto-renew; Key Vault rotation policies | Automatic renewal for OCI-managed certificates | Automatic renewal for Google-managed certs |
| Certificate import | Import third-party certs into ACM | Import certificates into Key Vault | Import certificates into OCI Certificates | Import certificates for use on load balancers |
| PKCS#12 / PEM export | Not available for ACM-issued public certs | Exportable if created as exportable; policy-controlled | Downloadable certificate bundles | Not exportable for Google-managed; CA Service yes |
Notable distinctions:
- OCI Certificates provides a dedicated Certificate Authority Service within OCI, enabling organizations to build private PKI hierarchies for internal services.
- AWS ACM public certificates are free but cannot be exported — they exist purely for AWS service consumption.
- Google Certificate Authority Service (CA Service) provides full FIPS-compliant CA infrastructure; Google-managed certificates are simpler but not downloadable.
Web Application Firewall (WAF)
WAF services filter and monitor HTTP/HTTPS traffic to protect web applications from common exploits including SQL injection, cross-site scripting (XSS), and Layer 7 DDoS.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| WAF service | AWS WAF | Azure Web Application Firewall (WAF) | OCI Web Application Firewall (WAF) | Google Cloud Armor |
| Deployment points | ALB, CloudFront, API Gateway, AppSync | Application Gateway, Front Door, CDN | Load Balancer (WAF Firewall Policy); Edge (WAF Edge Policy) | Load Balancer (HTTP/S); Cloud CDN |
| Managed rule sets | AWS Managed Rules (OWASP, bot, specific threats); Marketplace rules | OWASP Core Rule Set; Bot Manager rules; Microsoft managed rules | OCI-managed rulesets; ModSecurity rules; bot mitigation | Google pre-configured rules (OWASP); threat intelligence rules |
| Custom rules | Rule groups with conditions (IP, geo, strings, regex, rate) | Custom rules with conditions (match, rate limiting) | Custom rules; access control lists | Security policies with custom rules; advanced expressions |
| Bot mitigation | AWS WAF Bot Control (managed rule group) | Azure Bot Manager ruleset | OCI WAF bot mitigation rules | Cloud Armor bot management (reCAPTCHA integration) |
| Rate limiting | Rate-based rules per 5-minute window | Rate limiting rules (preview / GA by tier) | Rate limiting rules | Rate limiting policies |
| Geo-blocking | Geographic match conditions | Geographic filtering | Geographic-based access control | Geographic restrictions |
| PCI compliance | Supports PCI DSS compliance | Supports PCI DSS | PCI-compliant service | Supports PCI DSS |
| CAPTCHA challenge | AWS WAF CAPTCHA (WCAG accessible) | Not native; use third-party | Supported via JS challenge rules | reCAPTCHA integration |
Notable distinctions:
- OCI WAF has two distinct deployment models: WAF Edge Policy (global edge enforcement, legacy CDN integration) and WAF Firewall Policy (regional, attached to OCI load balancers). The two have different feature sets.
- Google Cloud Armor doubles as both WAF and DDoS protection in a single service, unlike AWS which separates WAF and Shield.
- Azure WAF is not a standalone service; it is a feature of Application Gateway and Azure Front Door.
DDoS Protection
DDoS protection services absorb or mitigate volumetric network attacks (Layer 3/4) and application-layer attacks (Layer 7).
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Basic / always-on protection | AWS Shield Standard (free; automatic for all AWS resources) | Azure DDoS Infrastructure Protection (free; basic mitigation) | OCI L3/L4 DDoS Protection (included; no configuration needed) | Google Cloud Armor Standard (basic DDoS built into infrastructure) |
| Advanced / paid protection | AWS Shield Advanced ($3,000/month + data transfer fees) | Azure DDoS Network Protection (~$2,944/month per VNet); Azure DDoS IP Protection (per-IP billing) | OCI WAF (Layer 7 DDoS mitigation add-on) | Google Cloud Armor Managed Protection Plus |
| L3/L4 volumetric protection | Shield Standard (SYN flood, UDP reflection, etc.) | DDoS Network Protection (volumetric, protocol attacks) | Included with all accounts automatically | Included in Google's global network |
| L7 application protection | Shield Advanced + AWS WAF | Azure WAF + DDoS Network Protection | OCI WAF Layer 7 DDoS mitigation | Cloud Armor (WAF + DDoS in one service) |
| Attack visibility and telemetry | Shield Advanced: real-time metrics, DDoS Response Team (DRT) | DDoS Network Protection: attack analytics, flow monitoring, alerts | OCI WAF access logs; monitoring metrics | Cloud Armor security policy logs; Attack visibility dashboard |
| Automatic traffic scrubbing | Shield Advanced scrubbing centers | Azure scrubbing centers (automatically engaged) | Automatic at OCI edge | Google's global Anycast network absorbs traffic |
| Cost protection / SLA credits | Shield Advanced: cost protection for scaling charges during attacks | DDoS Network Protection: includes cost protection guarantee | Not separately called out | Not separately called out |
| 24/7 response team | Shield Advanced: AWS DDoS Response Team (DRT) | DDoS Network Protection: Azure DDoS Rapid Response (DRR) | Oracle Support | Google Cloud support channels |
Notable distinctions:
- Google Cloud Armor is a single service providing both WAF and DDoS functionality, making it architecturally simpler.
- OCI includes L3/L4 DDoS protection for free on all tenancies with no configuration; Layer 7 protection requires WAF.
- AWS Shield Advanced provides the strongest financial protection, including cost reimbursement for auto-scaling charges during attacks.
Security Posture Management (CSPM)
Cloud Security Posture Management services continuously assess cloud configurations, detect misconfigurations, and provide remediation guidance against security benchmarks and compliance frameworks.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| CSPM service | AWS Security Hub | Microsoft Defender for Cloud | OCI Cloud Guard | Security Command Center (SCC) |
| Findings aggregation | Aggregates from GuardDuty, Inspector, Macie, IAM Access Analyzer, partner tools | Aggregates from Defender plans, Azure Policy, partner connectors | Aggregates from Cloud Guard detectors, Vulnerability Scanning | Aggregates from all GCP security services and detectors |
| Compliance frameworks | CIS, PCI DSS, NIST, SOC 2, AWS Foundational Security Best Practices | CIS, PCI DSS, NIST, SOC 2, ISO 27001, Azure Security Benchmark | CIS OCI Foundations Benchmark; Oracle-defined security recipes | CIS, PCI DSS, NIST, ISO 27001, GCP Security Benchmark |
| Auto-remediation | Security Hub + EventBridge + Lambda (custom) | Defender for Cloud workflow automation; Azure Policy remediation tasks | Cloud Guard Responder Recipes (built-in auto-remediation) | SCC + Cloud Functions (custom); SCC automated response |
| Security score | Security Hub consolidated security score | Defender for Cloud Secure Score | Cloud Guard Risk Score | Security Command Center risk scoring |
| Multi-cloud support | AWS-only natively; partner integrations for multi-cloud | Defender for Cloud supports AWS and GCP natively | OCI-only natively | GCP-focused; supports AWS and Azure via agent |
| Attack path analysis | Security Hub findings correlation (limited) | Defender CSPM Attack Path Analysis (Premium) | Cloud Guard threat detector with Threat Intelligence | SCC Enterprise: Attack path analysis (2024) |
Notable distinctions:
- OCI Cloud Guard includes built-in Responder Recipes for automatic remediation — a differentiator from AWS Security Hub, which requires custom automation.
- Azure Defender for Cloud natively ingests findings from AWS and GCP resources when those accounts are onboarded, making it a genuine multi-cloud CSPM.
- OCI Security Zones complement Cloud Guard by enforcing preventative controls — certain operations are blocked outright in Security Zones, not just detected after the fact.
Compliance & Audit Logging
Audit logging services record API calls, resource changes, administrative actions, and user activity for forensic, compliance, and operational purposes.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Cloud API audit log | AWS CloudTrail | Azure Activity Log (control plane); Azure Resource Logs (data plane) | OCI Audit service | Cloud Audit Logs (Admin Activity; Data Access; System Event) |
| Log retention | CloudTrail: 90 days in console; indefinite in S3 | Activity Log: 90 days retention; archive to Storage Account | OCI Audit: 90 days in-service; archive to Object Storage | Cloud Audit Logs: 400-day Admin Activity; 30-day Data Access default |
| Log centralization | CloudTrail Lake; S3 + Athena; Security Lake (OCSF) | Log Analytics Workspace; Microsoft Sentinel; Azure Monitor | OCI Logging service; Logging Analytics | Cloud Logging; Chronicle ingestion |
| Compliance frameworks automation | AWS Audit Manager (automated evidence collection; CIS, PCI, GDPR, HIPAA) | Microsoft Purview Compliance Manager (automated assessments) | OCI Security Advisor (configuration compliance guidance) | Assured Workloads (regulatory control enforcement) |
| Resource config history | AWS Config (resource configuration timeline and compliance rules) | Azure Policy + Azure Resource Graph | OCI Config (limited; use Cloud Guard detectors) | Cloud Asset Inventory + Organization Policy |
| Log integrity | CloudTrail log file validation (SHA-256 hash chain) | Log Analytics workspace immutability; Event Hub | OCI Audit log immutability (cannot be deleted/modified) | Cloud Logging: log bucket with locked retention |
| User activity monitoring | CloudTrail + GuardDuty IAM anomaly detection | Entra ID sign-in logs; Entra ID Audit logs | OCI IAM audit events + Cloud Guard User Activity Detector | Cloud Audit Logs + Security Command Center |
Notable distinctions:
- AWS Audit Manager provides the most structured automated evidence collection framework, mapping directly to named compliance frameworks with pre-built assessment templates.
- OCI Audit logs are immutable by design — users cannot delete or modify audit records, which is a hard compliance guarantee.
- Google Assured Workloads goes beyond logging by enforcing data residency, personnel controls, and key management requirements for regulated workloads (FedRAMP, IL2/IL4, HIPAA, EU Sovereignty).
Data Loss Prevention (DLP)
DLP services discover, classify, and protect sensitive data across cloud storage, databases, and data pipelines to prevent unauthorized exposure.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| DLP service | Amazon Macie | Microsoft Purview (Data Loss Prevention) | Oracle Data Safe | Google Cloud Sensitive Data Protection (formerly Cloud DLP) |
| Data discovery scope | Amazon S3 buckets | Microsoft 365 services, SharePoint, OneDrive, Teams, Exchange, endpoints, Azure Storage, Azure SQL | Oracle databases (Autonomous, Exadata, RDS for Oracle, on-prem) | Google Cloud Storage, BigQuery, Datastore, AlloyDB, Vertex AI |
| Sensitive data types | 200+ managed data identifiers (PII, PHI, financial) | Trainable classifiers; sensitive information types (PII, PHI, financial, custom) | Oracle-defined sensitive types (PII, PHI, financial, custom); 140+ built-in types | 200+ built-in infoTypes (PII, PHI, financial, custom); 50+ languages |
| Data masking | Not built-in; mask using Lambda transforms | Purview does not mask natively; use Azure Synapse/SQL masking | Data Safe Data Masking (de-identify for non-prod use) | De-identification transformations (redact, pseudonymize, tokenize) |
| Real-time prevention | Macie is discovery-focused; prevention via S3 bucket policies + GuardDuty | Real-time DLP endpoint policies; Teams/Exchange policy enforcement | SQL Firewall (real-time SQL monitoring and blocking) | DLP API for real-time inspection in applications |
| Compliance reporting | Macie findings in Security Hub; S3 inventory reports | Purview Compliance Manager regulatory reports | Data Safe compliance reports (GDPR, CCPA, HIPAA, PCI DSS) | SCC integration; compliance posture reporting |
| Activity auditing | CloudTrail S3 data events + Macie findings | Purview Audit log (unified audit log) | Data Safe Activity Auditing (database-level audit policies) | Cloud Audit Logs; Sensitive Data Protection audit logs |
Notable distinctions:
- Amazon Macie is focused exclusively on S3 — it does not scan databases, endpoints, or other storage types natively.
- Microsoft Purview provides the broadest coverage, extending DLP to endpoints (Windows devices), Microsoft 365 collaboration tools, and cloud storage in a single policy framework.
- Oracle Data Safe is database-specific and uniquely covers Oracle database workloads across multi-cloud and on-premises deployments, including OCI, Azure, AWS, and on-prem Oracle databases.
- Google Sensitive Data Protection provides an API-first approach that can be embedded in custom applications for real-time inspection and de-identification.
Threat Detection
Threat detection services analyze telemetry, logs, network traffic, and behavior patterns to identify active threats, anomalies, and security incidents.
| Capability | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| Core threat detection | Amazon GuardDuty | Microsoft Defender for Cloud (workload protection plans) | OCI Cloud Guard (Threat Detector recipe) | Security Command Center (Event Threat Detection) |
| SIEM / SecOps platform | Amazon Security Lake + partner SIEMs; AWS Security Hub | Microsoft Sentinel (cloud-native SIEM + SOAR) | OCI Logging Analytics (log analysis); not a full SIEM | Google Security Operations (formerly Chronicle) SIEM + SOAR |
| Threat intelligence feeds | GuardDuty built-in threat intel; custom threat intel lists | Defender Threat Intelligence (MDTI); Microsoft global threat signals | OCI Threat Intelligence service (aggregated threat feeds) | Google Safe Browsing; VirusTotal; Chronicle threat intelligence |
| Network anomaly detection | GuardDuty VPC Flow Logs analysis; Network Firewall alert logs | Defender for Cloud network recommendations; Azure Network Watcher | OCI Cloud Guard Network Detector recipe; VCN Flow Logs | Cloud Armor; VPC Flow Logs in Chronicle |
| DNS threat detection | GuardDuty DNS logs analysis (Route 53 Resolver query logs) | Defender for DNS | Cloud Guard DNS-based detection | DNS threat detection via Security Command Center |
| Container / Kubernetes threat detection | GuardDuty EKS Protection; GuardDuty ECS Runtime Monitoring | Defender for Containers | OCI Cloud Guard (Container Image Scanning via Vulnerability Scanning) | Security Command Center Container Threat Detection |
| User behavior analytics (UEBA) | GuardDuty IAM anomaly detection; Detective for investigation | Microsoft Sentinel UEBA; Entra ID Identity Protection | Cloud Guard User Activity Detector | Chronicle UEBA; Vertex AI Security analytics |
| Incident investigation | Amazon Detective (graph-based investigation) | Microsoft Sentinel investigation graph | Cloud Guard Problems view; OCI Security Advisor | Chronicle investigation workbench; SCC findings |
| Extended detection & response (XDR) | AWS Security Hub (limited XDR); partner tools | Microsoft Defender XDR (unified portal: Sentinel + Defender suite) | Not offered natively | Google Security Operations (SIEM + SOAR) |
Notable distinctions:
- Amazon GuardDuty requires zero configuration and zero agents — it analyzes CloudTrail, VPC Flow Logs, and DNS logs automatically. GuardDuty Extended Threat Detection (2024/2025) adds multi-stage attack sequence detection.
- Microsoft Sentinel is the most feature-complete cloud-native SIEM/SOAR in this comparison, with 300+ data connectors, UEBA, ML-based threat detection, and native integration with Microsoft Defender XDR.
- Google Security Operations (Chronicle) is built on Google's internal infrastructure, offering petabyte-scale log ingestion, 12+ months of hot retention, and Gemini AI-assisted threat hunting. It was named a Leader in the 2025 Gartner Magic Quadrant for SIEM.
- OCI Cloud Guard is primarily a CSPM/configuration-focused tool; for full SIEM capability, OCI customers typically integrate with partner tools or use OCI Logging Analytics.
Summary Matrix
Quick reference table mapping each capability category to the corresponding service on each cloud.
| Security Domain | AWS | Azure | OCI | Google Cloud |
|---|---|---|---|---|
| IAM | AWS IAM | Azure RBAC / Entra ID | OCI IAM | Cloud IAM |
| Directory | AWS Directory Service / IAM Identity Center | Microsoft Entra ID | OCI Identity Domains | Cloud Identity |
| SSO / Federation | AWS IAM Identity Center | Microsoft Entra ID SSO | OCI Identity Domains | Cloud Identity / Identity Platform |
| Key Management | AWS KMS | Azure Key Vault (Keys) | OCI Vault | Cloud KMS |
| Secrets Management | AWS Secrets Manager | Azure Key Vault (Secrets) | OCI Vault Secrets | Google Secret Manager |
| Certificate Management | AWS Certificate Manager (ACM) | Azure Key Vault (Certs) / App Service Certs | OCI Certificates | Google Certificate Manager / CA Service |
| WAF | AWS WAF | Azure WAF (App Gateway / Front Door) | OCI WAF | Google Cloud Armor |
| DDoS Protection | AWS Shield | Azure DDoS Protection | OCI DDoS Protection (built-in) + WAF | Google Cloud Armor |
| CSPM | AWS Security Hub | Microsoft Defender for Cloud | OCI Cloud Guard | Security Command Center |
| Audit Logging | AWS CloudTrail | Azure Activity Log / Azure Monitor | OCI Audit | Cloud Audit Logs |
| Compliance Automation | AWS Audit Manager | Microsoft Purview Compliance Manager | OCI Security Advisor | Google Assured Workloads |
| DLP | Amazon Macie | Microsoft Purview DLP | Oracle Data Safe | Google Sensitive Data Protection |
| Threat Detection | Amazon GuardDuty | Microsoft Defender for Cloud | OCI Cloud Guard | Security Command Center |
| SIEM / SecOps | Amazon Security Lake (+ partners) | Microsoft Sentinel | OCI Logging Analytics (+ partners) | Google Security Operations (Chronicle) |
| Threat Intelligence | GuardDuty threat feeds | Microsoft Defender Threat Intelligence | OCI Threat Intelligence | Google Threat Intelligence (VirusTotal) |