Policy Analyzer & Audit

Audit IAM, detect over-privileged access — Azure · AWS · GCP

Concept

Policy analysis tools help you audit who has access to what, detect over-privileged principals, and ensure compliance. All three clouds provide analysis tooling.

Audit Tool
Azure Policy Compliance + Access Reviews
IAM Access Analyzer
Policy Analyzer + Policy Troubleshooter
What it finds
Non-compliant resources, risky role assignments
External access, unused roles, cross-account access
Who has what permissions, why a request was denied
Unused Permissions
Defender for Cloud (CSPM)
IAM Access Analyzer (unused access)
Recommender (IAM insights)
Audit Logs
Azure Activity Log
CloudTrail
Cloud Audit Logs (Admin + Data Access)

Analyze Access

○ Azure — Access Reviews

Entra ID Access Reviews: Periodic review of group memberships and role assignments. Managers certify or revoke access.

CLI:
az role assignment list --assignee user@domain.com

○ AWS — IAM Access Analyzer

External Access Finder: Identifies S3 buckets, IAM roles, KMS keys shared externally. Generates findings with risk levels.

CLI:
aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:...

○ GCP — Policy Analyzer

Query-based: "Who can delete this bucket?" or "What can this user do?" Shows grant chain — direct roles + inherited + group membership.

CLI:
gcloud policy-intelligence query-activity --project=PROJECT_ID

Audit Logging Comparison

FeatureAzureAWSGCP
Admin ActivityAzure Activity Log (free, 90d)CloudTrail (free mgmt events, 90d)Cloud Audit Logs Admin (free)
Data AccessDiagnostic Settings (paid, to Log Analytics)CloudTrail (paid for data events)Cloud Audit Logs Data Access (free for own project)
Retention90d default; custom with Log Analytics90d default; custom with S3 lifecycle10d default; custom with log sinks
Export ToLog Analytics / Event Hub / StorageS3 bucket (single/multi-account)Log Sink (BigQuery / GCS / Pub/Sub)
ImmutableImmutable (cannot be deleted)CloudTrail Lake (immutable option)Immutable (cannot be disabled above project level if org policy set)