Security Controls Comparison Matrix
Side-by-side comparison of AWS, Azure, and GCP AI security controls: IAM patterns, content filtering, guardrails, network isolation, logging, and threat detection across cloud providers.
This section provides a structured, side-by-side comparison of AI security controls across AWS, Azure, and GCP. For red teamers, understanding the differences in security controls across providers enables targeted assessment: if a control is strong on one provider but weak (or absent) on another, the weak provider becomes the focus. For organizations operating in multi-cloud environments, this comparison highlights where their security posture is inconsistent across providers.
Identity and Access Management
Authentication Models
| Aspect | AWS | Azure | GCP |
|---|---|---|---|
| Primary AI auth | IAM roles with SigV4 signing | Entra ID tokens or API keys | Service account OAuth tokens |
| Instance credentials | Instance metadata (IMDSv2) | Managed identity (IMDS) | Metadata server |
| Static credentials | IAM access key/secret key | API keys, SP client secrets | SA key files (JSON) |
| Federation | IAM identity providers (OIDC, SAML) | Federated identity credentials | Workload identity federation |
| Credential rotation | Manual for access keys, automatic for roles | Automatic for managed identity, manual for keys | Automatic for metadata tokens, manual for key files |
Authorization Models
| Aspect | AWS | Azure | GCP |
|---|---|---|---|
| Authorization model | IAM policies (identity + resource + SCP) | RBAC roles at scope hierarchy | IAM policy bindings at resource hierarchy |
| AI-specific roles | No built-in AI roles (use managed policies) | Cognitive Services OpenAI User/Contributor | Vertex AI User/Admin, predefined roles |
| Resource-level policies | Supported on some resources (S3, SageMaker endpoints) | Not on Cognitive Services directly | Not on Vertex AI resources directly |
| Condition keys | aws:SourceVpc, aws:PrincipalOrgID, etc. | Scope-based (subscription/RG/resource) | IAM conditions (resource attributes) |
| Organization-level controls | SCPs (Service Control Policies) | Azure Policy | Organization policies |
Red Team IAM Comparison
| Attack | AWS | Azure | GCP |
|---|---|---|---|
| Privilege escalation via compute | SageMaker notebook + PassRole | ML compute instance + managed identity | Workbench notebook + SA impersonation |
| Cross-account/subscription | Cross-account IAM roles | Cross-subscription RBAC | Cross-project SA bindings |
| Credential theft | Instance metadata (IMDSv2 mitigates) | IMDS (non-restrictable for MI) | Metadata server + SA key files |
| Most common overprivilege | bedrock:* or sagemaker:* on * | Contributor on AI resource group | Default Compute Engine SA with Editor |
Content Filtering and Guardrails
Capabilities
| Capability | AWS Bedrock Guardrails | Azure Content Safety | GCP Vertex AI Safety |
|---|---|---|---|
| Input filtering | Yes (content filters, word filters, topic denial) | Yes (severity-based classification) | Yes (safety settings per category) |
| Output filtering | Yes (same as input) | Yes (same as input) | Yes (same as input) |
| PII detection | Yes (configurable PII types and actions) | Yes (through Content Safety API) | Yes (through DLP API integration) |
| Custom topics | Yes (denied topics with sample phrases) | Limited (through custom classifiers) | Limited (through custom safety settings) |
| Word/phrase filtering | Yes (exact and pattern matching) | Yes (blocklists) | Limited |
| Grounding check | Yes (contextual grounding) | Yes (groundedness detection) | Yes (through model grounding) |
| Filter customization | Configurable thresholds per category | Configurable severity thresholds | Configurable per-category settings |
| Filter bypass potential | Medium (encoding, language switching) | Medium (similar techniques) | Medium-High (less mature filtering) |
Bypass Comparison
| Bypass Technique | AWS Bedrock | Azure OpenAI | GCP Vertex AI |
|---|---|---|---|
| Base64 encoding | Bypasses word filter, may bypass content filter | May bypass content filter depending on version | Model-dependent |
| Language switching | Effective for topic denial | Effective for content filter | Effective for safety settings |
| Multi-turn escalation | Partially effective (per-turn filtering) | Partially effective | Partially effective |
| Model switching | Very effective (different models, different safety) | Limited (fewer model choices) | Effective (diverse Model Garden) |
| Unicode substitution | Effective for word filter | Effective for blocklists | Model-dependent |
| Academic framing | Effective for content filter | Effective for content filter | Effective for safety settings |
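The Unicode substitution and Base64 rows above describe the two bypasses that are purely string-level, and they are also the two a defender can close before the request ever reaches the provider's filter. The Python below is an added example, not code from the original page or from any provider's product: it canonicalizes input (NFKC folding, zero-width stripping, Base64 decoding, case folding) so that one blocklist entry matches the fullwidth, zero-width-padded and Base64-encoded variants alike. The blocklist terms and inputs are constructed placeholders. Language switching, multi-turn escalation and academic framing are semantic rather than lexical, so this step does nothing for them; those still need the classifier-based filters the table grades.

```python
import base64
import binascii
import re
import unicodedata

# Zero-width and BOM characters: invisible, but they split a blocklisted word.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)

# Constructed blocklist for the demonstration; a real deployment uses its own terms.
BLOCKLIST = ("restricted-topic", "internal-codename")

# A run of Base64 alphabet long enough to be worth decoding. Ordinary words of this
# length rarely decode to valid UTF-8, which is why the decode is guarded below.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_runs(text):
    """Replace Base64-looking runs with their decoded text when the decode is
    valid, correctly padded and printable; otherwise leave the run untouched."""
    def _sub(match):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return token
        return decoded if decoded.isprintable() else token
    return _B64_RUN.sub(_sub, text)


def normalize(text):
    """Canonical form used for matching: NFKC folds fullwidth and compatibility
    characters, zero-width characters are dropped, Base64 runs are decoded and
    the result is case-folded."""
    text = unicodedata.normalize("NFKC", text)
    text = text.translate(ZERO_WIDTH)
    text = decode_base64_runs(text)
    return text.casefold()


def blocklist_hits(text, blocklist=BLOCKLIST):
    """Blocklist entries present in the normalized text (entries are lowercase)."""
    normalized = normalize(text)
    return [term for term in blocklist if term in normalized]


if __name__ == "__main__":
    for sample in ("ｒｅｓｔｒｉｃｔｅｄ-ｔｏｐｉｃ", "restric\u200bted-topic", "cmVzdHJpY3RlZC10b3BpYw=="):
        print(repr(sample), "->", blocklist_hits(sample))
```

Run the normalization on the prompt before the provider call and again on the model output before it is returned, since the tables grade input and output filtering as the same mechanism on all three providers. Keep the raw text alongside the normalized form in logs; the normalized form is what matched, the raw form is the evidence.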
Network Isolation
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Private endpoints | VPC endpoints (PrivateLink) | Private endpoints | Private Service Connect |
| Network ACLs | Security groups, NACLs | NSGs, Azure Firewall | VPC firewall rules |
| Service-level network controls | VPC endpoint policies | Network ACLs on Cognitive Services | VPC Service Controls |
| Data exfiltration prevention | VPC endpoint policies + S3 bucket policies | Private endpoints + service tags | VPC Service Controls perimeters |
| DNS-based controls | Route 53 Resolver rules | Azure Private DNS zones | Cloud DNS policies |
| Most effective control | VPC endpoint policies scoped to specific resources | Private endpoints with NSG rules | VPC Service Controls (most comprehensive) |
Network Isolation Assessment
| Assessment | AWS | Azure | GCP |
|---|---|---|---|
| Check public access | aws ec2 describe-vpc-endpoints | az network private-endpoint list | gcloud access-context-manager perimeters list |
| Test isolation | Invoke from outside VPC | Invoke from public internet | Invoke from outside perimeter |
| Common gap | Missing VPC endpoint policies | Public network access enabled | Services not in VPC SC perimeter |
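Two of the AWS gaps called out above, `bedrock:*` or `sagemaker:*` on `*` (Red Team IAM Comparison) and VPC endpoints left on the default full-access endpoint policy (the Common gap row), are both found by walking policy documents, so one checker serves both. The Python below is an added example, not code from the original page or from AWS. The IAM policies and the `describe-vpc-endpoints` output are constructed samples with placeholder ARNs and IDs; the default endpoint policy shape is the single Allow-everything statement AWS attaches when no policy is specified.

```python
import json

# Constructed sample policy documents; none of these come from a real account.
# Policy AWS attaches to a VPC endpoint when no policy is specified: full access.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "*"}]
}

# The overprivilege pattern the comparison table calls out for AWS.
WIDE_AI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["bedrock:*", "s3:GetObject"], "Resource": "*"}
    ],
}

# Scoped alternative: one action, one model ARN, only from one VPC (placeholder IDs).
SCOPED_AI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel"],
            "Resource": "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE"}},
        }
    ],
}

# Constructed output in the shape of `aws ec2 describe-vpc-endpoints`; PolicyDocument
# is a JSON string there, as it is in the real response.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-EXAMPLE1",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
            "PolicyDocument": json.dumps(DEFAULT_ENDPOINT_POLICY),
        },
        {
            "VpcEndpointId": "vpce-EXAMPLE2",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.sagemaker.runtime",
            "PolicyDocument": json.dumps(SCOPED_AI_POLICY),
        },
    ]
}

AI_SERVICE_PREFIXES = ("bedrock", "sagemaker")


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Statement; normalize to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Flag Allow statements that grant a wildcard action on an AI service (or '*')
    on every resource with no Condition restricting the grant."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wide_actions = [
            a for a in actions
            if a == "*" or (a.split(":")[0] in AI_SERVICE_PREFIXES and a.endswith("*"))
        ]
        wide_resource = "*" in _as_list(stmt.get("Resource", []))
        if wide_actions and wide_resource and "Condition" not in stmt:
            findings.append({"statement": index, "actions": wide_actions})
    return findings


def is_default_endpoint_policy(policy_document):
    """True when an endpoint policy is the single Allow-everything statement AWS
    attaches by default. Accepts the JSON string from describe-vpc-endpoints or a dict."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    stmts = _as_list(policy.get("Statement", []))
    if len(stmts) != 1:
        return False
    s = stmts[0]
    return all(s.get(k) == "*" for k in ("Action", "Principal", "Resource")) and s.get("Effect") == "Allow"


def audit_vpc_endpoints(describe_output):
    """Service names of endpoints still on the default full-access policy, i.e. the
    'missing VPC endpoint policies' gap from the assessment table."""
    return [
        ep["ServiceName"]
        for ep in describe_output.get("VpcEndpoints", [])
        if is_default_endpoint_policy(ep.get("PolicyDocument", json.dumps(DEFAULT_ENDPOINT_POLICY)))
    ]


if __name__ == "__main__":
    print("wide IAM policy:", wildcard_findings(WIDE_AI_POLICY))
    print("scoped IAM policy:", wildcard_findings(SCOPED_AI_POLICY))
    print("endpoints on default policy:", audit_vpc_endpoints(SAMPLE_DESCRIBE_OUTPUT))
```

Feed the real `aws ec2 describe-vpc-endpoints --output json` result into `audit_vpc_endpoints` and the policy documents from `aws iam get-policy-version` into `wildcard_findings`; the scoped policy shows the shape that passes both checks, a single action on a single model ARN with an `aws:SourceVpc` condition, which is the "VPC endpoint policies scoped to specific resources" control the network table rates as most effective on AWS.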
Logging and Monitoring
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Control plane logging | CloudTrail (always on) | Activity Log (always on) | Admin Activity logs (always on) |
| Data plane logging | CloudTrail data events (optional, costly) | Diagnostic Settings (optional) | Data Access logs (optional) |
| Prompt/response logging | CloudTrail data events for Bedrock | Diagnostic Settings for request/response | Data Access logs for Vertex AI |
| Content filter logs | Included in Bedrock data events | Diagnostic Settings (content filter results) | Limited native support |
| Default logging state | Control plane only | Control plane only | Admin activity only |
| Log retention | 90 days (CloudTrail), custom (S3) | 90 days (Activity Log), custom (Log Analytics) | 400 days (Admin), 30 days (Data Access) |
Monitoring and Detection
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| AI threat detection | GuardDuty (limited AI coverage) | Defender for AI (dedicated) | Security Command Center (limited) |
| Jailbreak detection | Not built-in (use Guardrails) | Defender for AI jailbreak alerts | Not built-in |
| Anomaly detection | CloudWatch anomaly detection (custom) | Defender behavioral analytics | SCC custom detections |
| Cost anomaly detection | AWS Cost Anomaly Detection | Azure Cost Management alerts | GCP billing alerts |
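The table above rates native AI threat detection as limited on AWS and GCP, and the logging table notes that Bedrock prompt-level visibility comes from CloudTrail data events, so on those providers the detections are ones the team writes itself. The Python below is an added example, not from the original page or from AWS. It runs two such detections over constructed CloudTrail-style records: invocations that did not arrive through a VPC endpoint (no `vpcEndpointId` field in the record, the "Invoke from outside VPC" test in the network table), and an identity that sweeps across many distinct models in a short window (the defender's view of the model switching row). Record field names follow the CloudTrail record format; the ARNs, IPs, endpoint and model IDs and the thresholds are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real logs). Field names follow the
# CloudTrail record format; Bedrock data events put the model in requestParameters.
# ARNs, IPs, endpoint and model IDs are placeholders.
def _rec(time, name, role, model=None, ip="10.0.1.5", vpce="vpce-EXAMPLE"):
    record = {
        "eventTime": time,
        "eventSource": "bedrock.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:sts::111111111111:assumed-role/{role}/session"},
        "sourceIPAddress": ip,
    }
    if model:
        record["requestParameters"] = {"modelId": model}
    if vpce:
        record["vpcEndpointId"] = vpce  # present only when the call came through a VPC endpoint
    return record


SAMPLE_RECORDS = [
    _rec("2024-01-01T10:00:00Z", "InvokeModel", "app-role", "example-model-a"),
    _rec("2024-01-01T10:01:00Z", "InvokeModel", "app-role", "example-model-a"),
    _rec("2024-01-01T10:02:00Z", "InvokeModelWithResponseStream", "app-role", "example-model-a"),
    # A second identity calling from a public IP, outside any VPC endpoint, across four models
    _rec("2024-01-01T10:05:00Z", "InvokeModel", "analyst-role", "example-model-a", ip="203.0.113.10", vpce=None),
    _rec("2024-01-01T10:06:00Z", "InvokeModel", "analyst-role", "example-model-b", ip="203.0.113.10", vpce=None),
    _rec("2024-01-01T10:07:00Z", "InvokeModel", "analyst-role", "example-model-c", ip="203.0.113.10", vpce=None),
    _rec("2024-01-01T10:08:00Z", "InvokeModel", "analyst-role", "example-model-d", ip="203.0.113.10", vpce=None),
    # Control-plane call: no model, excluded by both detections
    _rec("2024-01-01T10:09:00Z", "ListFoundationModels", "analyst-role", ip="203.0.113.10", vpce=None),
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bedrock_invocations(records):
    """Data-plane model invocations only (InvokeModel and its streaming variant)."""
    return [
        r for r in records
        if r.get("eventSource") == "bedrock.amazonaws.com" and r.get("eventName", "").startswith("InvokeModel")
    ]


def public_path_invocations(records):
    """Invocations that did not traverse a VPC endpoint: CloudTrail only sets
    vpcEndpointId when the request came through one."""
    return [r for r in bedrock_invocations(records) if not r.get("vpcEndpointId")]


def model_sweep_alerts(records, window_minutes=10, threshold=3):
    """Identities that invoked more than `threshold` distinct models within one
    sliding window of `window_minutes`; one alert per identity."""
    by_identity = defaultdict(list)
    for r in bedrock_invocations(records):
        by_identity[r["userIdentity"]["arn"]].append((_parse_time(r["eventTime"]), r["requestParameters"]["modelId"]))
    alerts = []
    for arn, events in by_identity.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            models = {m for ts, m in events[i:] if (ts - start).total_seconds() <= window_minutes * 60}
            if len(models) > threshold:
                alerts.append({"identity": arn, "distinct_models": len(models), "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    print("public-path invocations:", len(public_path_invocations(SAMPLE_RECORDS)))
    print("model sweep alerts:", model_sweep_alerts(SAMPLE_RECORDS))
```

Both detections depend on data events being enabled for Bedrock in the trail, which the logging table marks as optional and costly; with only the default control-plane logging, neither `InvokeModel` record exists and the detections see nothing. The same two rules translate to GCP Data Access logs for Vertex AI once that logging is switched on.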
Model Management
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Model registry | SageMaker Model Registry | Azure ML Model Registry | Vertex AI Model Registry |
| Model versioning | Yes (version groups) | Yes (versioned models) | Yes (version management) |
| Approval workflows | Yes (manual approval status) | Yes (through ML pipelines) | Yes (through Vertex pipelines) |
| Model artifact storage | S3 | Azure Blob Storage | GCS |
| Container registry | ECR | ACR | Artifact Registry |
| Model integrity | No built-in verification | No built-in verification | No built-in verification |
Model Supply Chain Assessment
| Assessment | AWS | Azure | GCP |
|---|---|---|---|
| Artifact access control | S3 bucket policies + IAM | Blob Storage RBAC | GCS IAM |
| Registry access | ECR repository policies | ACR RBAC | Artifact Registry IAM |
| Common weakness | S3 bucket with overpermissive ACLs | Storage account with shared keys | GCS with default SA access |
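The Model Management table records no built-in model integrity verification on any of the three providers, and the assessment table above makes artifact-store access the common weakness, so whoever can write to the bucket can swap the weights. The Python below is an added example, not from the original page or from any provider SDK, of the compensating control a team can add itself: a SHA-256 manifest over every artifact file, an HMAC-SHA256 signature over the canonical manifest, and a verification step before deployment that reports modified, missing and unexpected files. The artifact tree and signing key in `run_demo()` are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Streamed SHA-256 so multi-gigabyte weight files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def canonical(manifest):
    """Deterministic encoding so the same manifest always signs to the same value."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(root, manifest, signature, key):
    """Findings for the artifact tree at root; an empty list means it matches the
    signed manifest. The signature is checked first so a tampered manifest cannot
    vouch for tampered files."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature mismatch"]
    actual = build_manifest(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != digest:
            findings.append(f"modified: {rel}")
    findings.extend(f"unexpected: {rel}" for rel in actual if rel not in manifest)
    return sorted(findings)


def run_demo():
    """Build a constructed artifact tree, sign it, then tamper with it and re-verify."""
    key = b"EXAMPLE-manifest-signing-key"  # placeholder; a real key lives in a KMS or secret store
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "weights"))
        with open(os.path.join(root, "weights", "model.bin"), "wb") as f:
            f.write(b"constructed weight bytes")
        with open(os.path.join(root, "config.json"), "w") as f:
            f.write('{"layers": 2}')
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_manifest(root, manifest, signature, key)
        # Simulate a modified weight file and a file dropped in beside the artifacts
        with open(os.path.join(root, "weights", "model.bin"), "ab") as f:
            f.write(b"!")
        with open(os.path.join(root, "extra.py"), "w") as f:
            f.write("# constructed extra file\n")
        tampered = verify_manifest(root, manifest, signature, key)
        wrong_key = verify_manifest(root, manifest, signature, b"other-key")
    return {"clean": clean, "tampered": tampered, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'ok'}")
```

The key must live outside the artifact bucket (a KMS key or a secret store with a separate access path); if the same overpermissive bucket policy or shared storage key that exposes the weights also exposes the signing key, the attacker re-signs the manifest and the check passes. An asymmetric signature, for example Sigstore/cosign over the manifest, is the production replacement for the HMAC used here, because the deployment side then holds only a public key.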
Cost Controls
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Billing alerts | CloudWatch Billing alarms | Azure Cost Management alerts | GCP billing budgets |
| Spending limits | No hard limits on AI services | Spending limits on some services | Budget alerts (no hard limits) |
| Quota management | Service quotas (soft limits) | Quota management | Quota management |
| Per-user cost attribution | Tags (manual) | Cost Management scopes | Labels (manual) |
| Auto-scaling limits | Configurable max instances | Configurable scaling | Configurable max replicas |
Summary Matrix
| Category | Strongest Provider | Weakest Provider | Red Team Focus |
|---|---|---|---|
| IAM granularity | AWS (fine-grained condition keys) | GCP (default SA overprivilege) | GCP default SA |
| Content filtering | AWS (most configurable) | GCP (least mature for self-hosted) | GCP self-hosted models |
| Network isolation | GCP (VPC Service Controls) | Azure (public access defaults) | Azure public endpoints |
| AI threat detection | Azure (Defender for AI) | GCP (no dedicated AI detection) | AWS and GCP detection gaps |
| Logging completeness | AWS (CloudTrail data events) | Azure (diagnostic settings optional) | Azure logging gaps |
| Model supply chain | Comparable across providers | Comparable across providers | All providers lack model integrity verification |
Related Topics
- Multi-cloud AI Overview -- Multi-cloud risk landscape
- Cross-cloud Attacks -- Attack scenarios leveraging control gaps
- AWS AI Services -- AWS-specific controls in depth
- Azure AI Services -- Azure-specific controls in depth
- GCP AI Services -- GCP-specific controls in depth
An organization uses AWS Bedrock and GCP Vertex AI. Their security team monitors CloudTrail for AWS and has Defender for AI enabled on Azure (but does not use Azure AI). Which AI-specific detection gap exists?
Which cloud provider's network isolation mechanism is most effective at preventing data exfiltration from AI services?
References
- AWS Security Reference Architecture -- AWS security baseline
- Azure Security Benchmark -- Azure security baseline
- Google Cloud Security Foundations -- GCP security baseline