| Azure | AWS | GCP |
| --- | --- | --- |
| Azure Policy | Guardrails (via AWS Control Tower) | Organization Policy Service |
| Tenant (Microsoft Entra ID) | Organization (optional, via AWS Organizations) | Organization node |
| Tenant Root Group | Root of the Organization (administered from the management account) | – (the Organization node is the root) |
| Management Group (optional) | Organizational Unit (optional, via AWS Organizations) | Folder (optional) |
| Subscription | Account (via AWS Organizations) | – |
| Resource Group | – | Project |
| Resources | Resources | Resources |
Azure Policy
The following assignment scopes are available:
- Management group. The assignment is inherited by every child management group, subscription, resource group and resource under that management group.
- Subscription. The assignment is inherited by every resource group and resource in the subscription.
A policy definition stored at a management group can be assigned at that group or at any descendant scope, and an assignment can exclude selected descendants through its notScopes list. When several assignments apply to one resource, the resource must satisfy all of them.
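The two assignment scopes above, as an added Terraform example that is not part of the original page: a custom "allowed locations" definition is stored at a management group, assigned once at that management group (inherited by every child management group and subscription) and once more, with a narrower parameter value, at a single subscription. The management group name, the region list and the provider setup are assumptions.

```hcl
# Added example, not from the original page. Assumes the azurerm provider is
# authenticated against the tenant with rights to create management groups.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Hypothetical management group; the current subscription is placed under it
# so that it inherits every assignment made at this level.
resource "azurerm_management_group" "platform" {
  display_name     = "platform"
  subscription_ids = [data.azurerm_subscription.current.subscription_id]
}

# Custom definition stored at the management group, so it can be assigned at
# that group or at any descendant scope.
resource "azurerm_policy_definition" "allowed_locations" {
  name                = "allowed-locations"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "Allowed locations"
  management_group_id = azurerm_management_group.platform.id

  parameters = jsonencode({
    allowedLocations = {
      type     = "Array"
      metadata = { displayName = "Allowed locations", strongType = "location" }
    }
  })

  # Deny any regional resource created outside the allowed list.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "location", notIn = "[parameters('allowedLocations')]" },
        { field = "location", notEquals = "global" }
      ]
    }
    then = { effect = "deny" }
  })
}

# Scope 1: management group. Inherited by all child management groups,
# subscriptions, resource groups and resources beneath "platform".
resource "azurerm_management_group_policy_assignment" "eu_only" {
  name                 = "eu-only"
  management_group_id  = azurerm_management_group.platform.id
  policy_definition_id = azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    allowedLocations = { value = ["westeurope", "northeurope"] }
  })
}

# Scope 2: a single subscription. Both assignments are evaluated for resources
# in this subscription and a deployment must satisfy every deny rule, so the
# effective allowed set here is the intersection: westeurope only.
resource "azurerm_subscription_policy_assignment" "westeurope_only" {
  name                 = "westeurope-only"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    allowedLocations = { value = ["westeurope"] }
  })
}
```

The subscription-level assignment can only narrow what the management-group assignment allows, never widen it; to grant a subscription an exception, the management-group assignment would have to list that subscription in its notScopes.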
AWS Guardrail
Control Tower guardrails (now called controls) come in three kinds: preventive controls are service control policies (SCPs), detective controls are AWS Config rules, and proactive controls are CloudFormation hooks. They are applied as follows:
- Enable a control on an Organizational Unit via Control Tower. It applies to every account enrolled in that OU, including accounts added later; Control Tower does not enable controls on individual accounts.
- Outside Control Tower, the same building blocks are applied directly through AWS Organizations: an SCP can be attached to the root, to an OU or to a single account, and AWS Config rules can be deployed per account or organization-wide.
SCPs never restrict the Organization's management account, so audit and security tooling should live in dedicated member accounts that are covered by them.
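The OU-level and account-level attachments above, as an added Terraform example that is not part of the original page. Control Tower generates and owns its own SCPs, so this example uses the underlying AWS Organizations API directly: one SCP attached to an OU (inherited by every account in it) and a second, narrower SCP attached to a single account. The OU name, the account-id variable, the regions and the provider setup are assumptions.

```hcl
# Added example, not from the original page. Assumes the aws provider runs with
# credentials of the Organization's management account, that the Organization
# already exists with all features enabled and the SERVICE_CONTROL_POLICY type
# enabled on the root, and that Control Tower is not managing this OU.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1"
}

# Numeric id of an existing member account (assumed to sit in the OU below).
variable "payments_account_id" {
  type = string
}

data "aws_organizations_organization" "org" {}

# Hypothetical OU directly under the root.
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads"
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

# Preventive guardrail: no principal in the OU, root user included, can stop
# or delete CloudTrail or pull the account out of the Organization.
resource "aws_organizations_policy" "protect_audit" {
  name = "protect-audit"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "ProtectAuditTrail"
      Effect   = "Deny"
      Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "organizations:LeaveOrganization"]
      Resource = "*"
    }]
  })
}

# Scope 1: the OU. Every account in it, now or later, inherits the policy.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.protect_audit.id
  target_id = aws_organizations_organizational_unit.workloads.id
}

# A narrower guardrail for one regulated account: deny API calls outside the
# EU regions, except for the global services that have no region of their own.
resource "aws_organizations_policy" "eu_regions_only" {
  name = "eu-regions-only"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyNonEuRegions"
      Effect    = "Deny"
      NotAction = ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*"]
      Resource  = "*"
      Condition = {
        StringNotEquals = { "aws:RequestedRegion" = ["eu-west-1", "eu-central-1"] }
      }
    }]
  })
}

# Scope 2: a single account. Its effective permissions are the intersection of
# the SCPs on its path: root -> workloads OU -> this account.
resource "aws_organizations_policy_attachment" "payments" {
  policy_id = aws_organizations_policy.eu_regions_only.id
  target_id = var.payments_account_id
}
```

SCPs are allow-list filters rather than grants: an action is possible in a member account only if every SCP on the path from the root to the account permits it and an IAM policy inside the account grants it. Detaching the default FullAWSAccess policy from the root without replacing it therefore locks every member account out.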
GCP Organization Policy
See the GCP resource hierarchy: https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
Inheritance: when a policy is set on the organization node, all descendants of that node inherit it by default. Restrictions defined by a policy at the organization node are therefore passed down through every descendant folder, project, service and resource. A descendant node can set its own policy for the same constraint, which either replaces the inherited policy or, when inheritFromParent is set, merges with it; the effective policy at any node is the result of evaluating the hierarchy from the organization node down to that node.
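The inheritance behaviour above, as an added Terraform example that is not part of the original page: a list constraint is set at the organization node and inherited by everything below it, and one folder sets its own policy for the same constraint, which replaces the inherited rule for that folder's subtree only. The organization id, folder id and instance name are assumptions.

```hcl
# Added example, not from the original page. Assumes the google provider is
# authenticated as a principal holding roles/orgpolicy.policyAdmin.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

# Numeric organization id and the numeric id of a "sandbox" folder (assumed).
variable "org_id" {
  type = string
}

variable "folder_id" {
  type = string
}

# Set at the organization node: no VM anywhere in the organization may carry
# an external IP address. Every folder, project and instance below inherits it.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Set on one folder for the same constraint. With inherit_from_parent = false
# (the default, written out here for clarity) this policy replaces the
# inherited one for the folder's subtree. For a list constraint an
# allowed_values list means "only these": every other instance under the
# folder stays denied, and the rest of the organization keeps deny_all.
resource "google_org_policy_policy" "sandbox_bastion_only" {
  name   = "folders/${var.folder_id}/policies/compute.vmExternalIpAccess"
  parent = "folders/${var.folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      values {
        # Hypothetical bastion instance; the value must be the full instance
        # resource name.
        allowed_values = [
          "projects/sandbox-net/zones/europe-west1-b/instances/bastion"
        ]
      }
    }
  }
}
```

Setting inherit_from_parent = true on the folder policy instead would merge the folder's allowed value with the organization's rule rather than replace it, and a project under the folder can in turn set its own policy; whoever holds roles/orgpolicy.policyAdmin on a lower node can therefore loosen an inherited restriction, so that role should be held at the organization node only.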

My opinion
AWS advantage: in some scenarios it is necessary to have only one VPC for the whole organization, and the projects must use this VPC from different accounts. This is possible in AWS because we have cross-account shared services.
In Azure and GCP we cannot share a VPC or a VNet between two subscriptions or projects.
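The cross-account sharing the opinion above refers to is done with AWS Resource Access Manager (RAM), which can share VPC subnets with other accounts of the same Organization. As an added Terraform example that is not part of the original page, the following, run in the account that owns the VPC, shares one subnet with every account in an OU; the CIDRs, names and the OU ARN variable are assumptions.

```hcl
# Added example, not from the original page. Assumes the aws provider runs in
# the network (VPC owner) account of an AWS Organization with all features
# enabled, and that var.workloads_ou_arn is the ARN of an existing OU.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1"
}

variable "workloads_ou_arn" {
  type = string
}

# One-time switch: allow RAM to share with principals of this Organization,
# so OUs and accounts can be named directly without per-account invitations.
resource "aws_ram_sharing_with_organization" "enable" {}

# The single VPC the whole organization will use (hypothetical CIDRs).
resource "aws_vpc" "shared" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.shared.id
  cidr_block = "10.0.1.0/24"
}

# The share itself. allow_external_principals = false keeps the share inside
# the Organization even if someone later adds an arbitrary account id.
resource "aws_ram_resource_share" "shared_vpc" {
  name                      = "shared-vpc-subnets"
  allow_external_principals = false
}

# What is shared: the subnet (subnets are the shareable unit, not the VPC).
resource "aws_ram_resource_association" "app_subnet" {
  resource_arn       = aws_subnet.app.arn
  resource_share_arn = aws_ram_resource_share.shared_vpc.arn
}

# Who receives it: every account in the OU, including accounts added later.
resource "aws_ram_principal_association" "workloads_ou" {
  principal          = var.workloads_ou_arn
  resource_share_arn = aws_ram_resource_share.shared_vpc.arn
}
```

Participant accounts see the subnet under its normal id and launch resources into it, while route tables, network ACLs and flow logs stay under the owner's control; security groups are still created and managed inside each participant account, so the owner cannot rely on them as a central control.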