1. Azure subscriptions contain your resources (VMs, storage accounts, etc.). The subscription is the unit that resources live in and that usage is billed against.
2. An Azure account (the identity that signs up for Azure, sometimes called a 'user account') is primarily a billing construct that can hold one or more subscriptions, e.g. a Production subscription, a Staging subscription and so on.
3. Azure is centered around a directory in the public cloud (Azure AD). Every subscription trusts exactly one Azure AD tenant, and one tenant can be trusted by many subscriptions; if you sign up without an existing tenant, Azure creates a default directory for you whether you want one or not. This directory is central to Azure: it holds the users, groups and service principals that RBAC role assignments on a subscription refer to. AWS has nothing comparable built in. The closest thing is AWS IAM, in the sense that a brand-new account comes with IAM, but IAM is an account-scoped authorization service, NOT a directory, and does not compare to Azure AD. You can bring your own Active Directory to AWS or stand up a directory inside AWS with AWS Directory Service (Simple AD is its standalone option).
4. Subscriptions and accounts are decoupled in Azure. Moving a subscription, with all its resources, under another account (transferring billing ownership) is straightforward, and a subscription can also be re-associated with a different Azure AD tenant. The caveat on a tenant move: RBAC role assignments, and anything else bound to principals in the old tenant (Key Vault access policies, managed identities), are not carried over, so record them before the move and re-create them against principals in the new tenant. This is in contrast to AWS, where resources are tied to the account that created them: there is no way to move a resource to another account simply by changing ownership.
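The two Azure points above (many subscriptions trusting one tenant, and role assignments not surviving a tenant move) are easy to check from the CLI output. The following script is an added example, not code from the original post: it groups subscriptions by the tenant they trust and, for a subscription about to change tenant, turns its role assignments into `az role assignment create` commands. The JSON is constructed to mimic the shape of `az account list -o json` and `az role assignment list --all -o json` (the GUIDs are made up), and `PRINCIPAL_MAP` is a hypothetical mapping of old-tenant object IDs to the principals you have already created in the new tenant.

```python
"""Added example: map Azure subscriptions to the Azure AD tenant each trusts,
and snapshot a subscription's RBAC role assignments before a tenant move so
they can be re-created afterwards.

The JSON below is constructed to mimic the shape of
`az account list -o json` and `az role assignment list --all -o json`;
the GUIDs are made up.
"""
import json
import shlex
from collections import defaultdict

# Constructed `az account list` output: three subscriptions, two of which
# trust the same tenant (one tenant, many subscriptions).
ACCOUNT_LIST_JSON = """
[
  {"id": "11111111-1111-1111-1111-111111111111", "name": "Production",
   "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": true},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "Staging",
   "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": false},
  {"id": "33333333-3333-3333-3333-333333333333", "name": "Sandbox",
   "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "state": "Enabled", "isDefault": false}
]
"""

# Constructed `az role assignment list --all` output for the tenant above.
ROLE_ASSIGNMENTS_JSON = """
[
  {"principalId": "c0ffee00-0000-0000-0000-000000000001", "principalType": "Group",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalId": "deadbeef-0000-0000-0000-000000000002", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-web"},
  {"principalId": "c0ffee00-0000-0000-0000-000000000001", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"}
]
"""

# Hypothetical mapping from object IDs in the old tenant to the matching
# principals already created in the new tenant. Object IDs are tenant-local,
# so every principal must be re-mapped; unmapped ones cannot be re-created.
PRINCIPAL_MAP = {
    "c0ffee00-0000-0000-0000-000000000001": "f00dcafe-0000-0000-0000-000000000009",
}


def subscriptions_by_tenant(account_list_json):
    """Return {tenantId: [subscription names]} from `az account list` output."""
    groups = defaultdict(list)
    for sub in json.loads(account_list_json):
        groups[sub["tenantId"]].append(sub["name"])
    return dict(groups)


def recreate_commands(role_assignments_json, subscription_id, principal_map):
    """Build `az role assignment create` commands for every assignment scoped
    at or below the given subscription, translating principal object IDs via
    principal_map. Returns (commands, unmapped); unmapped lists assignments
    whose principal has no counterpart in the new tenant yet."""
    prefix = f"/subscriptions/{subscription_id}"
    commands, unmapped = [], []
    for ra in json.loads(role_assignments_json):
        scope = ra["scope"]
        if scope != prefix and not scope.startswith(prefix + "/"):
            continue  # belongs to a different subscription
        new_id = principal_map.get(ra["principalId"])
        if new_id is None:
            unmapped.append((ra["principalId"], ra["principalType"],
                             ra["roleDefinitionName"], scope))
            continue
        commands.append(" ".join([
            "az role assignment create",
            "--assignee-object-id", new_id,
            "--assignee-principal-type", ra["principalType"],
            "--role", shlex.quote(ra["roleDefinitionName"]),
            "--scope", shlex.quote(scope),
        ]))
    return commands, unmapped


if __name__ == "__main__":
    for tenant, subs in subscriptions_by_tenant(ACCOUNT_LIST_JSON).items():
        print(f"tenant {tenant}: {', '.join(sorted(subs))}")
    cmds, missing = recreate_commands(
        ROLE_ASSIGNMENTS_JSON, "11111111-1111-1111-1111-111111111111", PRINCIPAL_MAP)
    print("\n".join(cmds))
    for principal_id, ptype, role, scope in missing:
        print(f"# UNMAPPED {ptype} {principal_id}: {role} on {scope}")
```

Run it against real output by piping `az account list -o json` and `az role assignment list --all -o json` into the two constants. The unmapped list is the part that matters in practice: a service principal or group from the old tenant does not exist in the new one, so its assignments cannot be replayed until a replacement principal has been created and added to the map.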

Summary

The only DIRECT parallel between an Azure subscription and an AWS account is that both hold resources, and both are governed by a built-in identity and access structure (Azure AD plus RBAC on Azure, IAM on AWS).

There are reasons why Azure is centered around an AD in the public cloud. It is a strength to bring the industry-standard directory service, with all of its accumulated threat analysis, to your cloud environment from day one. Azure also provides an easy stepping stone for on-premises directories (synchronising them with Azure AD Connect), although it is fairly straightforward to do the same in AWS using AWS Directory Service (AD Connector or AWS Managed Microsoft AD).

The primary difference is that an Azure account is loosely coupled to its subscriptions (the holders of resources). In AWS the coupling is tight: resources cannot be moved from one account to another. To understand multi-account structures in AWS, read this post.

The best you can do in AWS is:

a) Centrally manage more than one account (using AWS Organizations).

b) Share CERTAIN AWS resources between accounts (e.g. golden images, i.e. AMIs, and EBS snapshots), or grant another account access to a resource through cross-account IAM roles or resource policies, rather than moving the resource itself.

In GCP, the actual holder of resources is a 'Project' within an Organization, so the GCP question is how to move a project rather than individual resources. To move a project from one org to another, try this post.

Thoughts? Comments? Are you trying to move resources between AWS accounts or Azure subscriptions, or projects between GCP organizations?

Anuj holds professional certifications in Google Cloud and AWS, as well as certifications in Docker and application performance tools such as New Relic. He specializes in cloud security, data encryption and container technologies.


Anuj Varma, Hands-On Technology Architect, Clean Air Activist.