Audit IAM, detect over-privileged access — Azure · AWS · GCP
Policy analysis tools help you audit who has access to what, detect over-privileged principals, and ensure compliance. All three clouds provide analysis tooling.
Entra ID Access Reviews: Periodic review of group memberships and role assignments. Managers certify or revoke access.
CLI:az role assignment list --assignee user@domain.com
External Access Finder: Identifies S3 buckets, IAM roles, KMS keys shared externally. Generates findings with risk levels.
CLI:aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:...
Query-based: "Who can delete this bucket?" or "What can this user do?" Shows grant chain — direct roles + inherited + group membership.
CLI:gcloud policy-intelligence query-activity --project=PROJECT_ID
| Feature | Azure | AWS | GCP |
|---|---|---|---|
| Admin Activity | Azure Activity Log (free, 90d) | CloudTrail (free mgmt events, 90d) | Cloud Audit Logs Admin (free) |
| Data Access | Diagnostic Settings (paid, to Log Analytics) | CloudTrail (paid for data events) | Cloud Audit Logs Data Access (free for own project) |
| Retention | 90d default; custom with Log Analytics | 90d default; custom with S3 lifecycle | 10d default; custom with log sinks |
| Export To | Log Analytics / Event Hub / Storage | S3 bucket (single/multi-account) | Log Sink (BigQuery / GCS / Pub/Sub) |
| Immutable | Immutable (cannot be deleted) | CloudTrail Lake (immutable option) | Immutable (cannot be disabled above project level if org policy set) |