
qxmat | 3 years ago

I've found that AWS IAM is amazing compared to Azure AD. With AWS you can do per-workload account vending and grant account owners full "AdministratorAccess", because IAM resources are tied to the account. In Azure it's batshit crazy: almost all IAM resources - roles, groups, principals, etc. - are tied to the overarching AD tenant and not to the AWS account equivalent, a subscription. In short this means that I, the owner of a subscription (broad powers), cannot add a new IAM role or associate it with a resource for user assignment. It gets worse... Azure AD limits are tenant-wide, leading to big orgs refusing to add IAM primitives because they might hit a service limit. And the lack of ABAC makes KeyVault almost unusable compared to AWS Secrets Manager. But hey, at least I have system-assigned managed identities for SQL logins; that was kinda cool until AWS introduced IAM auth for RDS.
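To make the ABAC point concrete, here is an added example (not from the commenter) of what tag-based access to Secrets Manager looks like in an AWS IAM policy: one statement grants read access only to secrets whose `team` resource tag matches the calling principal's `team` tag, so a single policy scales across workloads without per-secret edits. The tag key `team` and the secret path are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnTeamSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:app/*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "OnlyTagNewSecretsWithOwnTeam",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

The second statement closes the obvious gap: a principal may create secrets, but only ones tagged with its own team, so it cannot mint a secret readable by another team or reach one by leaving the tag off.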
