AWS Security vs. Azure Security



AWS and Azure are the top two cloud vendors. While AWS has the larger market share, Azure boasts a larger customer base among the top Fortune companies. While AWS had the first-mover advantage, Azure was quick to catch up. With every new update they keep pace with each other, and there’s little that separates these two leading cloud service providers.

However, AWS and Azure are not identical. They take somewhat different approaches to the cloud in certain key respects. One of them is security. Let’s look at the various security services offered by each of these platforms and see how they stack up against each other.

Security Services Feature | AWS | Azure
Identity and Access Management | IAM | Active Directory
Key Management | KMS | Key Vault
Network | VPC | Virtual Network, ExpressRoute
Security Check | Trusted Advisor, AWS Inspector | Security Center
Storage Security | Data Encryption for S3 | Storage Service Encryption (SSE)
Monitoring | CloudWatch | Azure Monitor, Application Insights
Logging | CloudWatch Logs, CloudTrail | Log Analytics, Security Event Logs
Compliance | CloudHSM | Trust Center

You can find a more extensive table here, although some of the items listed may be outdated.

Identity and access management

Identity and access management is the most important part of cloud security from a customer’s point of view. And there are differences in how AWS and Azure approach this aspect of security.

Active Directory is the legacy identity manager for Windows that Microsoft has extended to work with Azure as well. It has a free tier with data limits, and three paid tiers with advanced features such as the ability to manage hybrid environments. AD also comes in different editions, such as B2B and B2C.

On AWS, IAM is exclusively cloud-centric, and doesn’t incur additional charges. It can manage hybrid environments, but only by integrating with other on-premises tools like Active Directory.

Key-based encryption of data

Both KMS and Key Vault provide encryption of data in transit and at rest. The easiest way is to let Amazon or Microsoft manage the keys for you, but for compliance purposes, you may want full control over the encryption and management of your keys. In that case, a HSM (hardware security module) is the way to go. While Azure’s hardware security module service is part of Key Vault, Amazon has separated its CloudHSM service from the KMS service. Pricing is almost identical on both platforms.

Virtual private network

A virtual network gives you a private network to transfer data between your data center and a public cloud. It is extremely secure because it encrypts data as it is routed over the Internet.

AWS VPC and Direct Connect are the two services that enable a virtual private network on AWS. However, they use layer 2 rather than layer 3 routing. ExpressRoute and Virtual Network, the two corresponding services from Azure, use layer 3 routing.

Storage data encryption

Encryption of object data is an important part of cloud security. AWS’ object storage service is S3, while Azure’s is Blob storage. Both support data encryption using keys. However, only AWS gives you the choice between letting AWS manage your keys for you and managing your own keys. Azure doesn’t support customer-managed keys yet, but this feature is on its roadmap.

Monitoring

Monitoring is a separate topic in its own right, but it is essential to enforcing security in the cloud. The two key components to be monitored in the cloud are the cloud services themselves and the applications they support.

AWS CloudWatch integrates both service and application monitoring into a single service, whereas in Azure each of these is a separate service: Azure Monitor tracks all Azure services, and Azure Application Insights monitors running applications. The features they offer are identical; it’s just the organization of these features that differs.

Microsoft shops go with Azure

Though AWS has more customers and larger revenue, Azure has a bigger footprint in Fortune 1000 companies. This is because of Microsoft’s long history of selling enterprise software like Windows Server, which it has used as a platform to grow Azure’s customer base.

As a result, Azure is more enterprise-focused. Loyal Microsoft shops buy into the full suite of Microsoft products like Visual Studio, TFS, Active Directory, Power BI, and Windows Server. They’ve been using these tools for over a decade, and Azure is only too happy to ease these customers into the cloud with little hassle and robust backward compatibility.

Aware of its customers’ needs, Microsoft has made hybrid infrastructure a priority for Azure. For example, the cloud-based Active Directory can be integrated with on-premises Windows Server in just four clicks. This sort of integration with legacy toolsets is prominent across Azure. Integrations with Visual Studio, Power BI, and more enable organizations to get more mileage out of their large investment in these tools.

AWS for control and innovation

AWS is the single biggest success story of cloud computing to date, and that’s because of the powerful features it provides, granular (hourly) control over billing, and staying ahead of competitors with unique products like Snowmobile, the Aurora database, Lambda, and more.

AWS has a steeper learning curve to set up, but it can potentially deliver more control and customization, both of which are essential to cloud security. The ability to integrate with Lambda for custom checks, and to export security data, is unique to AWS.
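The storage-encryption section above distinguishes AWS-managed from customer-managed keys, and the paragraph just above mentions Lambda-driven custom checks. The following is an added example, not the article's or AWS's own code, that ties the two together: a Python check in the shape of a Lambda handler that takes the dict boto3's s3.get_bucket_encryption() returns for each bucket (or None when the bucket has no default rule) and reports who controls the key. The bucket inventory, the account id and key ARN, the helper names (_rule, noncompliant_buckets, lambda_handler) and the "only customer-managed keys are compliant" policy are all constructed for illustration; no AWS call is made, so it runs offline.

```python
"""Custom check: who controls the default encryption key on each S3 bucket.

Added example in the spirit of a Lambda-driven security check; not the
article's or AWS's code. It consumes the dict shape that boto3's
s3.get_bucket_encryption() returns (or None when the bucket has no default
rule) so it runs offline against a constructed inventory; a deployed
version would fetch that data with boto3 instead.
"""
from typing import Dict, List, Optional

# Values S3 uses in the SSEAlgorithm field of a default-encryption rule.
SSE_S3 = "AES256"              # key owned and rotated by AWS, never visible to you
SSE_KMS = "aws:kms"            # key lives in KMS: AWS-managed or customer-managed
SSE_KMS_DSSE = "aws:kms:dsse"  # dual-layer variant, same key-ownership question


def classify_default_encryption(config: Optional[dict]) -> dict:
    """Return a finding {key_control, compliant, detail} for one bucket.

    Policy assumed for this example: only a customer-managed KMS key counts
    as compliant, matching the article's point that compliance may require
    full control over your keys.
    """
    if config is None:
        return {"key_control": "none", "compliant": False,
                "detail": "no default encryption rule configured"}

    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID", "")
        if algo == SSE_S3:
            return {"key_control": "aws-managed", "compliant": False,
                    "detail": "SSE-S3: AWS owns and manages the key"}
        if algo in (SSE_KMS, SSE_KMS_DSSE):
            # No key ID, or the alias/aws/s3 alias, selects the AWS-managed KMS key.
            if not key_id or "alias/aws/s3" in key_id:
                return {"key_control": "aws-managed", "compliant": False,
                        "detail": "SSE-KMS with the AWS-managed key aws/s3"}
            # Any other key ID is treated as customer-managed here; a production
            # check would confirm with kms:DescribeKey (KeyManager == "CUSTOMER").
            return {"key_control": "customer-managed", "compliant": True,
                    "detail": f"SSE-KMS with key {key_id}"}
        if algo:
            return {"key_control": "unknown", "compliant": False,
                    "detail": f"unrecognised SSEAlgorithm {algo!r}"}
    return {"key_control": "none", "compliant": False,
            "detail": "rules present but none sets a default algorithm"}


def noncompliant_buckets(inventory: Dict[str, Optional[dict]]) -> List[str]:
    """Names of buckets whose finding is not compliant, sorted for stable output."""
    return sorted(name for name, cfg in inventory.items()
                  if not classify_default_encryption(cfg)["compliant"])


# Constructed inventory standing in for get_bucket_encryption() results.
# The account id and key id below are placeholders, not real resources.
CUSTOMER_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "11111111-2222-3333-4444-555555555555")


def _rule(algo: str, key_id: Optional[str] = None) -> dict:
    """Build one default-encryption configuration in the API's response shape."""
    default = {"SSEAlgorithm": algo}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default,
                   "BucketKeyEnabled": False}]}}


SAMPLE_INVENTORY: Dict[str, Optional[dict]] = {
    "finance-reports": _rule(SSE_KMS, CUSTOMER_KEY_ARN),  # customer-managed key
    "app-logs": _rule(SSE_S3),                             # SSE-S3, AWS-managed
    "shared-docs": _rule(SSE_KMS, "alias/aws/s3"),         # KMS, but AWS's own key
    "scratch-uploads": None,                               # no default rule at all
}


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda-style entry point. Assumes the event carries the bucket inventory
    under "buckets"; a deployed version would build that with boto3 instead."""
    inventory = event.get("buckets", SAMPLE_INVENTORY)
    findings = {name: classify_default_encryption(cfg)
                for name, cfg in inventory.items()}
    return {"noncompliant": noncompliant_buckets(inventory), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler({}), indent=2))
```

Run as a script it prints the findings for the four constructed buckets; in a real deployment the same handler would be invoked on a schedule, with the inventory gathered by boto3, and the "noncompliant" list exported to wherever the security data is collected.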

Whichever you choose, you can be assured that you’re getting the very best in cloud security by default. It’s just a matter of which flavor you prefer.

Chris Riley is a technologist and DevOps advocate for @Splunk who has spent 12 years helping organizations transition from traditional development practices to a modern set of culture, processes and tooling.

