Security architects working across more than one cloud constantly hit the same problem: each provider names equivalent capabilities completely differently, and the equivalences are rarely exact. AWS Security Hub, Microsoft Defender for Cloud and Google Security Command Center occupy roughly the same space, but they differ in scope, pricing model and how much they overlap with neighbouring services.
This guide maps the security services of all three major providers — AWS, Microsoft Azure and Google Cloud (GCP) — organised by security domain. Each section gives a comparison table followed by a technical breakdown of what the services actually do and, crucially, where the mappings are loose rather than one-to-one.
A note on equivalence before we start: treat every row in these tables as “closest equivalent”, not “identical”. Cloud providers draw their product boundaries differently. AWS tends to ship many small, focused services; Microsoft bundles broad capability under the Defender brand; Google centralises heavily around Security Command Center. Keep that structural difference in mind throughout.
Cloud Security Posture Management (CSPM)
Posture management continuously evaluates your environment against security best practices and compliance benchmarks, flagging misconfigurations — still the leading cause of cloud breaches.
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Native CSPM | AWS Security Hub CSPM | Microsoft Defender for Cloud (CSPM) | Security Command Center |
| Compliance benchmarks | Security Hub standards (CIS, NIST, PCI DSS) | Microsoft Cloud Security Benchmark | SCC compliance dashboards |
| Config tracking | AWS Config | Azure Policy / Azure Resource Graph | Cloud Asset Inventory |
AWS splits this into two layers. AWS Config records the configuration state of every resource and evaluates it against rules; Security Hub CSPM (recently rebranded from plain “Security Hub”) sits on top, aggregating findings and running benchmark checks such as the CIS AWS Foundations Benchmark, NIST CSF and PCI DSS. In its 2026 form, Security Hub has become a broader unified solution that correlates posture findings with vulnerability, threat and sensitive-data signals.
Azure folds posture management directly into Microsoft Defender for Cloud. Its free tier provides the secure score and basic recommendations against the Microsoft Cloud Security Benchmark; paid Defender plans add deeper, workload-specific posture checks. Azure Policy is the enforcement engine underneath, comparable in role to AWS Config rules.
GCP centralises posture in Security Command Center (SCC), offered in Standard, Premium and Enterprise tiers. SCC’s Security Health Analytics performs the misconfiguration scanning, while Cloud Asset Inventory provides the underlying resource-state tracking.
The caveat: AWS requires you to understand the Config/Security Hub split, whereas Azure and GCP present posture as a single pane. If you are mapping an AWS-centric design onto Azure, expect one Defender for Cloud to replace what felt like two or three AWS services.
Threat Detection
Threat detection analyses logs, network flow and behavioural signals to surface active threats — compromised credentials, crypto-mining, data exfiltration and the like.
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Cloud-native threat detection | Amazon GuardDuty | Microsoft Defender for Cloud (Defender plans) | Security Command Center (Event Threat Detection) |
| Investigation / forensics | Amazon Detective | Microsoft Defender XDR | SCC + Chronicle (Google SecOps) |
| Workload threat protection | GuardDuty + Inspector | Defender for Servers / Containers / etc. | SCC threat detectors |
AWS GuardDuty is a managed threat-detection service that continuously analyses CloudTrail, VPC Flow Logs and DNS logs using machine learning and threat intelligence. It needs no agents and produces findings such as reconnaissance, instance compromise and credential exfiltration. Amazon Detective then helps you investigate a finding by building a behavioural graph from the same log sources.
Azure delivers threat detection through the various Defender for Cloud plans — Defender for Servers, for Containers, for Key Vault, for Storage and so on — each adding behavioural threat detection for that resource type. For investigation and cross-domain correlation, Microsoft Defender XDR unifies signals across identity, endpoint, email and cloud.
GCP builds threat detection into Security Command Center via detectors such as Event Threat Detection, Container Threat Detection and Virtual Machine Threat Detection, running natively in Google’s infrastructure across Compute Engine, GKE, BigQuery and Cloud Run. Deeper investigation and threat hunting moves into Google SecOps (formerly Chronicle).
The caveat: GuardDuty is a single discrete service; on Azure the equivalent is spread across many individually-priced Defender plans; on GCP it is a capability tier within SCC. Cost comparison is genuinely hard here because the packaging is so different.
SIEM and Security Operations
When you need centralised log aggregation, correlation rules and a SOC workflow, you move from detection services into SIEM/SOAR territory.
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| SIEM | Amazon Security Lake + partner SIEM | Microsoft Sentinel | Google SecOps (Chronicle) |
| Security data lake | Amazon Security Lake (OCSF) | Sentinel data lake | SecOps / BigQuery |
| SOAR / automation | EventBridge + Lambda | Sentinel playbooks (Logic Apps) | SecOps SOAR |
This is where AWS is structurally different from the other two. AWS does not ship a first-party SIEM. Instead, Amazon Security Lake centralises security data in the Open Cybersecurity Schema Framework (OCSF) format, and you bring your own SIEM (Splunk, an OCSF-aware partner, or a self-built solution) on top. Automation is assembled from EventBridge and Lambda.
Microsoft Sentinel is a full cloud-native SIEM/SOAR with built-in analytics rules, threat intelligence and Logic Apps-based playbooks. Note an important 2026 change: Sentinel is being migrated into the unified Microsoft Defender portal, with organisations required to complete that move by 31 March 2027.
Google SecOps (the rebranded Chronicle) is Google’s SIEM, built on the same infrastructure that powers Google’s own security operations, with petabyte-scale telemetry retention and SOAR capabilities.
The caveat: if your reference architecture assumes a native SIEM (as Azure and GCP designs often do), there is no drop-in AWS equivalent — you architect around Security Lake plus a third party. This is one of the largest genuine gaps between the providers.
Identity and Access Management (IAM)
Identity is now the primary security perimeter, making this the most important domain to map correctly.
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Core IAM | AWS IAM | Microsoft Entra ID | Google Cloud IAM |
| Workforce SSO | AWS IAM Identity Center | Microsoft Entra ID | Cloud Identity / Workforce Identity Federation |
| Permission analysis | IAM Access Analyzer | Entra Permissions Management | IAM Recommender / Policy Analyzer |
| Customer/consumer identity | Amazon Cognito | Microsoft Entra External ID | Identity Platform |
| AI agent identity | IAM roles for workloads | Microsoft Entra Agent ID | Workload Identity / service accounts |
The conceptual model differs sharply. AWS IAM binds policies to users, groups and roles within an account, with multi-account governance layered on through AWS Organizations and Service Control Policies (SCPs). IAM Identity Center handles workforce SSO; IAM Access Analyzer identifies resources shared externally and over-broad permissions.
Microsoft Entra ID (formerly Azure Active Directory) is a directory-centric identity platform — fundamentally different from AWS’s account-scoped model. It governs access to Azure, Microsoft 365 and thousands of SaaS apps, with Conditional Access policies and Identity Protection for risk-based authentication. Entra Permissions Management provides CIEM-style entitlement analysis.
Google Cloud IAM uses a resource-hierarchy model (organisation → folder → project → resource) with inherited policies, which many architects find cleaner for large estates. Workforce and Workload Identity Federation handle external and machine identities.
A notable 2026 development across all three: dedicated identities for AI agents. Azure introduced Microsoft Entra Agent ID to assign traceable identities to AI workloads, and the guidance across providers now strongly discourages hard-coded credentials for autonomous agents in favour of dynamic secret retrieval.
The caveat: do not map AWS IAM to Entra ID as if they were the same shape. AWS is account-and-policy centric; Entra is directory-and-app centric; GCP is hierarchy-centric. The mapping is functional, not structural.
Secrets and Key Management
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Secrets management | AWS Secrets Manager | Azure Key Vault (secrets) | Secret Manager |
| Key management (KMS) | AWS KMS | Azure Key Vault (keys) | Cloud KMS |
| Hardware security module | AWS CloudHSM | Azure Managed HSM / Dedicated HSM | Cloud HSM |
| Certificate management | AWS Certificate Manager | Azure Key Vault (certificates) | Certificate Manager / CAS |
The biggest structural difference here is that Azure Key Vault is one service covering three jobs — secrets, keys and certificates — whereas AWS splits them into three distinct services: Secrets Manager (with automatic rotation for database credentials), KMS (encryption keys) and Certificate Manager (TLS certificates). GCP sits in between, with a separate Secret Manager and Cloud KMS but unified key-ring concepts.
On the 2026 front, all three are responding to post-quantum cryptography and AI-secret risks. Google announced KMS Quantum Safe Key Imports (preview) for bringing your own quantum-safe keys, and a native Secret Manager integration with its Agent Development Kit to mitigate prompt-injection-driven secret leakage. Azure guidance now pushes Key Vault automated rotation and dynamic secret retrieval specifically for AI workflows.
The caveat: when mapping an Azure design that uses “Key Vault” everywhere, be careful to identify whether each usage is a secret, a key or a certificate — because on AWS and GCP those become different services with different IAM and pricing.
Network Security
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Web application firewall | AWS WAF | Azure WAF (on App Gateway / Front Door) | Cloud Armor |
| Managed firewall | AWS Network Firewall | Azure Firewall | Cloud NGFW (Next Generation Firewall) |
| DDoS protection | AWS Shield / Shield Advanced | Azure DDoS Protection | Cloud Armor (with Google front-end) |
| Central firewall policy | AWS Firewall Manager | Azure Firewall Manager | Hierarchical firewall policies |
| Network segmentation / data boundary | VPC + Security Groups | NSGs + Azure Virtual Network | VPC + VPC Service Controls |
AWS offers AWS WAF for layer-7 protection, AWS Network Firewall for stateful network filtering, and AWS Shield (with Shield Advanced) for DDoS. Firewall Manager centralises policy across accounts.
Azure provides Azure WAF (deployed on Application Gateway or Front Door), Azure Firewall as a stateful network firewall with deep packet inspection, and Azure DDoS Protection. Network Security Groups (NSGs) handle subnet/NIC-level segmentation.
GCP consolidates much of this around Cloud Armor, which delivers both WAF and DDoS protection at Google’s edge — in 2026 adding managed rules powered by Thales Imperva for layer-7 and zero-day CVE detection, plus an advanced malware sandbox for Cloud NGFW. GCP’s distinctive capability is VPC Service Controls, which create a data-exfiltration boundary around services like BigQuery and Cloud Storage — there is no exact AWS or Azure equivalent, though AWS resource policies and Azure Private Link address parts of the same problem.
The caveat: VPC Service Controls is genuinely unique to GCP and frequently catches out architects migrating designs. Budget extra design time for the data-perimeter concept if you are moving to or from Google Cloud.
Data Protection and Sensitive Data Discovery
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Sensitive data discovery (DSPM) | Amazon Macie | Microsoft Purview / Defender for Cloud DSPM | Sensitive Data Protection (DLP) |
| Data governance | AWS Lake Formation + Macie | Microsoft Purview | Dataplex + Sensitive Data Protection |
| Encryption at rest | KMS-integrated (per service) | Key Vault-integrated (per service) | CMEK with Cloud KMS |
Amazon Macie uses machine learning to discover and classify sensitive data (PII, credentials) in S3. Microsoft Purview is a broader data governance and compliance platform that includes sensitive-data classification, with DSPM capabilities also surfacing in Defender for Cloud. GCP Sensitive Data Protection (formerly Cloud DLP) handles discovery, classification and de-identification across storage and databases.
The caveat: Macie is S3-focused, whereas Purview and Sensitive Data Protection are broader. If your design relies on Macie for “all data discovery”, you will find the Azure and GCP equivalents cast a wider net but require more configuration.
Vulnerability and Workload Protection
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Vulnerability scanning | Amazon Inspector | Defender for Cloud (vulnerability assessment) | SCC + Web Security Scanner |
| Container image scanning | Inspector (ECR) | Defender for Containers | Artifact Analysis |
| Container runtime security | GuardDuty (EKS/ECS) | Defender for Containers | Container Threat Detection (SCC) |
Amazon Inspector continuously scans EC2, container images in ECR and Lambda functions for known CVEs. Azure delivers this through Defender for Cloud’s vulnerability assessment and Defender for Containers. GCP uses Artifact Analysis for image scanning and SCC’s Container Threat Detection for runtime.
AI and Agentic Workload Security (2026)
This domain barely existed two years ago and is now a first-class concern as organisations deploy AI agents with access to production infrastructure.
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| AI model / prompt protection | Bedrock Guardrails | Defender for Cloud (AI workloads) + Purview | Model Armor |
| AI asset discovery | (emerging) | Defender for Cloud AI posture | SCC AI agent / MCP discovery |
| AI agent identity | IAM roles | Microsoft Entra Agent ID | Workload Identity |
GCP is currently the most explicit here: Model Armor protects model and agent interactions against prompt injection, sensitive-data leakage and harmful content, and Security Command Center is gaining continuous discovery and risk analysis for AI agents, models and MCP servers — including automatic discovery of unmanaged agentic workloads on Cloud Run and GKE. Azure addresses AI workload security through Defender for Cloud combined with Purview and the new Entra Agent ID. AWS approaches model-level safety through Bedrock Guardrails, with broader agentic posture tooling still emerging.
The caveat: this is the fastest-moving area in cloud security and the mappings will shift within months. Verify current capabilities directly with each provider before committing to an AI security architecture.
Compliance and Governance
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Compliance reporting | AWS Audit Manager | Microsoft Purview Compliance Manager | SCC compliance dashboards |
| Audit evidence / artifacts | AWS Artifact | Service Trust Portal | Compliance Reports Manager |
| Governance guardrails | AWS Control Tower + SCPs | Azure Policy + Management Groups | Organization Policy Service |
AWS uses Audit Manager to collect evidence against frameworks, Artifact for compliance reports, and Control Tower with SCPs for multi-account guardrails. Azure maps these to Purview Compliance Manager, the Service Trust Portal and Azure Policy with Management Groups. GCP uses SCC compliance dashboards and the Organization Policy Service for hierarchy-wide guardrails.
Key Takeaways
- Treat all mappings as “closest equivalent”, not identical. Provider product boundaries differ structurally: AWS ships many focused services, Azure bundles under Defender and Entra, GCP centralises around Security Command Center.
- The biggest genuine gaps: AWS has no first-party SIEM (you use Security Lake plus a partner), and GCP’s VPC Service Controls data perimeter has no exact equivalent elsewhere.
- Watch the rebrands: Azure Active Directory is now Microsoft Entra ID; Chronicle is now Google SecOps; AWS Security Hub is now Security Hub CSPM within a broader unified solution; Sentinel is migrating into the Defender portal by March 2027.
- Identity models are not interchangeable: AWS is account-and-policy centric, Entra is directory-and-app centric, GCP is hierarchy-centric. Redesign rather than translate.
- AI security is the new frontier: Model Armor (GCP), Entra Agent ID (Azure) and Bedrock Guardrails (AWS) are all young and evolving fast — verify current state before designing.
For practical, daily intelligence on vulnerabilities and advisories affecting these services across all three clouds, the ZX Cloud Security homepage tracks them continuously.