# Security Controls Comparison Matrix
Side-by-side comparison of AWS, Azure, and GCP AI security controls: IAM patterns, content filtering, guardrails, network isolation, logging, and threat detection across cloud providers.
This section provides a structured, side-by-side comparison of AI security controls across AWS, Azure, and GCP. For red teamers, understanding the differences in security controls across providers enables targeted assessment: if a control is strong on one provider but weak (or absent) on another, the weak provider becomes the focus. For organizations operating in multi-cloud environments, this comparison highlights where their security posture is inconsistent across providers.
## Identity and Access Management

### Authentication Models
| Aspect | AWS | Azure | GCP |
|---|---|---|---|
| Primary AI auth | IAM roles with SigV4 signing | Entra ID tokens or API keys | Service account OAuth tokens |
| Instance credentials | Instance metadata (IMDSv2) | Managed identity (IMDS) | Metadata server |
| Static credentials | IAM access key/secret key | API keys, SP client secrets | SA key files (JSON) |
| Federation | IAM identity providers (OIDC, SAML) | Federated identity credentials | Workload identity federation |
| Credential rotation | Manual for access keys, automatic for roles | Automatic for managed identity, manual for keys | Automatic for metadata tokens, manual for key files |
### Authorization Models
| Aspect | AWS | Azure | GCP |
|---|---|---|---|
| Authorization model | IAM policies (identity + resource + SCP) | RBAC roles at scope hierarchy | IAM policy bindings at resource hierarchy |
| AI-specific roles | No built-in AI roles (use managed policies) | Cognitive Services OpenAI User/Contributor | Vertex AI User/Admin, predefined roles |
| Resource-level policies | Supported on some resources (S3, SageMaker endpoints) | Not on Cognitive Services directly | Not on Vertex AI resources directly |
| Condition keys | `aws:SourceVpc`, `aws:PrincipalOrgID`, etc. | Scope-based (subscription/RG/resource) | IAM conditions (resource attributes) |
| Organization-level controls | SCPs (Service Control Policies) | Azure Policy | Organization policies |
### Red Team IAM Comparison
| Attack | AWS | Azure | GCP |
|---|---|---|---|
| Privilege escalation via compute | SageMaker notebook + PassRole | ML compute instance + managed identity | Workbench notebook + SA impersonation |
| Cross-account/subscription | Cross-account IAM roles | Cross-subscription RBAC | Cross-project SA bindings |
| Credential theft | Instance metadata (IMDSv2 mitigates) | IMDS (non-restrictable for MI) | Metadata server + SA key files |
| Most common overprivilege | `bedrock:*` or `sagemaker:*` on `*` | Contributor on AI resource group | Default Compute Engine SA with Editor |
## Content Filtering and Guardrails

### Capabilities
| Capability | AWS Bedrock Guardrails | Azure Content Safety | GCP Vertex AI Safety |
|---|---|---|---|
| Input filtering | Yes (content filters, word filters, topic denial) | Yes (severity-based classification) | Yes (safety settings per category) |
| Output filtering | Yes (same as input) | Yes (same as input) | Yes (same as input) |
| PII detection | Yes (configurable PII types and actions) | Yes (through Content Safety API) | Yes (through DLP API integration) |
| Custom topics | Yes (denied topics with sample phrases) | Limited (through custom classifiers) | Limited (through custom safety settings) |
| Word/phrase filtering | Yes (exact and pattern matching) | Yes (blocklists) | Limited |
| Grounding check | Yes (contextual grounding) | Yes (groundedness detection) | Yes (through model grounding) |
| Filter customization | Configurable thresholds per category | Configurable severity thresholds | Configurable per-category settings |
| Filter bypass potential | Medium (encoding, language switching) | Medium (similar techniques) | Medium-High (less mature filtering) |
### Bypass Comparison
| Bypass Technique | AWS Bedrock | Azure OpenAI | GCP Vertex AI |
|---|---|---|---|
| Base64 encoding | Bypasses word filter, may bypass content filter | May bypass content filter depending on version | Model-dependent |
| Language switching | Effective for topic denial | Effective for content filter | Effective for safety settings |
| Multi-turn escalation | Partially effective (per-turn filtering) | Partially effective | Partially effective |
| Model switching | Very effective (different models, different safety) | Limited (fewer model choices) | Effective (diverse Model Garden) |
| Unicode substitution | Effective for word filter | Effective for blocklists | Model-dependent |
| Academic framing | Effective for content filter | Effective for content filter | Effective for safety settings |
## Network Isolation
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Private endpoints | VPC endpoints (PrivateLink) | Private endpoints | Private Service Connect |
| Network ACLs | Security groups, NACLs | NSGs, Azure Firewall | VPC firewall rules |
| Service-level network controls | VPC endpoint policies | Network ACLs on Cognitive Services | VPC Service Controls |
| Data exfiltration prevention | VPC endpoint policies + S3 bucket policies | Private endpoints + service tags | VPC Service Controls perimeters |
| DNS-based controls | Route 53 Resolver rules | Azure Private DNS zones | Cloud DNS policies |
| Most effective control | VPC endpoint policies scoped to specific resources | Private endpoints with NSG rules | VPC Service Controls (most comprehensive) |
### Network Isolation Assessment
| Assessment | AWS | Azure | GCP |
|---|---|---|---|
| Check public access | `aws ec2 describe-vpc-endpoints` | `az network private-endpoint list` | `gcloud access-context-manager perimeters list` |
| Test isolation | Invoke from outside VPC | Invoke from public internet | Invoke from outside perimeter |
| Common gap | Missing VPC endpoint policies | Public network access enabled | Services not in VPC SC perimeter |
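The two AWS gaps named in the tables above, the `bedrock:*`/`sagemaker:*` on `*` overprivilege from the IAM comparison and the endpoint left without a scoped VPC endpoint policy from the assessment table, reduce to the same check on a policy document. The following Python is an added example, not code from this page or from AWS; it assumes the policy JSON was fetched with the AWS CLI (for a VPC endpoint, the `PolicyDocument` field of `aws ec2 describe-vpc-endpoints`, which is a JSON-encoded string), and the sample policies below are constructed.

```python
import json

# service:* on these prefixes is the "most common overprivilege" the IAM table names for AWS
AI_SERVICES = ("bedrock", "sagemaker")


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """(Sid, action) for each unconditioned Allow of "*" or an AI "service:*" on every resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and condition-scoped grants are not this gap
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # grant is scoped to named ARNs
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if action == "*" or (service in AI_SERVICES and verb == "*"):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def is_default_endpoint_policy(policy):
    """True for the default full-access endpoint policy: one Allow of * on * for principal *."""
    stmts = _as_list(policy.get("Statement", []))
    if len(stmts) != 1:
        return False
    s = stmts[0]
    any_principal = s.get("Principal") in ("*", {"AWS": "*"})
    return (s.get("Effect") == "Allow" and any_principal
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", [])))


# Constructed sample: identity policy with one wildcard grant and one properly scoped grant
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Invoke", "Effect": "Allow", "Action": ["bedrock:*", "s3:GetObject"], "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": "sagemaker:*",
         "Resource": "arn:aws:sagemaker:us-east-1:123456789012:endpoint/demo-endpoint"},
    ],
}

# Constructed sample: the PolicyDocument string describe-vpc-endpoints returns for an endpoint
# still on its default policy (it arrives JSON-encoded, so it has to be parsed first)
ENDPOINT_POLICY = json.loads('{"Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}')
```

Running `wildcard_grants` over every identity policy and `is_default_endpoint_policy` over every endpoint's parsed `PolicyDocument` gives an account-wide view of both gaps from one pass.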
## Logging and Monitoring
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Control plane logging | CloudTrail (always on) | Activity Log (always on) | Admin Activity logs (always on) |
| Data plane logging | CloudTrail data events (optional, costly) | Diagnostic Settings (optional) | Data Access logs (optional) |
| Prompt/response logging | CloudTrail data events for Bedrock | Diagnostic Settings for request/response | Data Access logs for Vertex AI |
| Content filter logs | Included in Bedrock data events | Diagnostic Settings (content filter results) | Limited native support |
| Default logging state | Control plane only | Control plane only | Admin activity only |
| Log retention | 90 days (CloudTrail), custom (S3) | 90 days (Activity Log), custom (Log Analytics) | 400 days (Admin), 30 days (Data Access) |
### Monitoring and Detection
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| AI threat detection | GuardDuty (limited AI coverage) | Defender for AI (dedicated) | Security Command Center (limited) |
| Jailbreak detection | Not built-in (use guardrails) | Defender for AI jailbreak alerts | Not built-in |
| Anomaly detection | CloudWatch anomaly detection (custom) | Defender behavioral analytics | SCC custom detections |
| Cost anomaly detection | AWS Cost Anomaly Detection | Azure Cost Management alerts | GCP billing alerts |
## Model Management
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Model registry | SageMaker Model Registry | Azure ML Model Registry | Vertex AI Model Registry |
| Model versioning | Yes (version groups) | Yes (versioned models) | Yes (version management) |
| Approval workflows | Yes (manual approval status) | Yes (through ML pipelines) | Yes (through Vertex pipelines) |
| Model artifact storage | S3 | Azure Blob Storage | GCS |
| Container registry | ECR | ACR | Artifact Registry |
| Model integrity | No built-in verification | No built-in verification | No built-in verification |
### Model Supply Chain Assessment
| Assessment | AWS | Azure | GCP |
|---|---|---|---|
| Artifact access control | S3 bucket policies + IAM | Blob Storage RBAC | GCS IAM |
| Registry access | ECR repository policies | ACR RBAC | Artifact Registry IAM |
| Common weakness | S3 bucket with overpermissive ACLs | Storage account with shared keys | GCS with default SA access |
## Cost Controls
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Billing alerts | CloudWatch Billing alarms | Azure Cost Management alerts | GCP billing budgets |
| Spending limits | No hard limits on AI services | Spending limits on some services | Budget alerts (no hard limits) |
| Quota management | Service quotas (soft limits) | Quota management | Quota management |
| Per-user cost attribution | Tags (manual) | Cost Management scopes | Labels (manual) |
| Auto-scaling limits | Configurable max instances | Configurable scaling | Configurable max replicas |
## Summary Matrix
| Category | Strongest Provider | Weakest Provider | Red Team Focus |
|---|---|---|---|
| IAM granularity | AWS (fine-grained condition keys) | GCP (default SA overprivilege) | GCP default SA |
| Content filtering | AWS (most configurable) | GCP (least mature for self-hosted) | GCP self-hosted models |
| Network isolation | GCP (VPC Service Controls) | Azure (public access defaults) | Azure public endpoints |
| AI threat detection | Azure (Defender for AI) | GCP (no dedicated AI detection) | AWS and GCP detection gaps |
| Logging completeness | AWS (CloudTrail data events) | Azure (diagnostic settings optional) | Azure logging gaps |
| Model supply chain | Comparable across providers | Comparable across providers | All providers lack model integrity verification |
## Related Topics
- Multi-Cloud AI Overview -- Multi-cloud risk landscape
- Cross-Cloud Attacks -- Attack scenarios leveraging control gaps
- AWS AI Services -- AWS-specific controls in depth
- Azure AI Services -- Azure-specific controls in depth
- GCP AI Services -- GCP-specific controls in depth
1. An organization uses AWS Bedrock and GCP Vertex AI. Their security team monitors CloudTrail for AWS and has Defender for AI enabled on Azure (but does not use Azure AI). Which AI-specific detection gap exists?
2. Which cloud provider's network isolation mechanism is most effective at preventing data exfiltration from AI services?