Multi-Cloud Identity Reference Architecture: AWS and Azure

ArchIAMReference Architecture

1. Introduction

This reference architecture provides formal guidance for establishing a secure, centralized identity management framework across Amazon Web Services (AWS) and Microsoft Azure environments. It is grounded in Zero Trust security principles, emphasizing identity as the primary control plane, least privilege access, temporary credentials, and contextual policy enforcement.
The recommended pattern leverages a centralized external Identity Provider (IdP) — such as Microsoft Entra ID, Okta, or Ping Identity — to federate authentication and authorization to both cloud platforms. This approach delivers unified single sign-on (SSO), consistent security controls, and streamlined governance in hybrid or multi-cloud deployments.
Key benefits include:
  • Centralized user lifecycle and group management.
  • Uniform enforcement of multi-factor authentication (MFA) and conditional access.
  • Elimination of long-lived credentials through short-lived federated tokens.
  • Enhanced auditability via consolidated identity logs.

2. Core Identity Principles

The architecture adheres to the following foundational principles, which are essential for a modern cloud identity stack:
  • Identity-Centric Security: All access decisions are driven by verified user identity, group membership, and contextual attributes.
  • Least Privilege: Permissions are scoped narrowly via roles or permission sets and assigned to groups rather than individuals.
  • Temporary Credentials: Access is granted using short-lived tokens (e.g., AWS STS AssumeRole, Azure on-behalf-of flow).
  • Multi-Factor Authentication (MFA): Mandated for all interactive access, preferably enforced at the IdP layer.
  • Conditional and Risk-Based Access: Policies evaluate device state, location, user behavior, and risk signals.
  • Just-in-Time (JIT) Elevation: Privileged actions require explicit, time-bound activation.
  • Automation and Infrastructure as Code (IaC): Identity configurations, role assignments, permission sets, and policies are managed declaratively through tools like Terraform, AWS CloudFormation, or Azure Bicep to ensure consistency, repeatability, and version control.
  • Global Governance and Preventive Guardrails: Enforce organization-wide boundaries and compliance standards using native governance mechanisms (e.g., AWS Service Control Policies and Azure Policy) to prevent misconfigurations and restrict actions that violate security baselines.
  • Comprehensive Auditing and Monitoring: All authentication and authorization events are logged and forwarded to a unified SIEM.

3. High-Level Multi-Cloud Identity and Architecture

View of the multi-cloud flows for both AWS and Azure integrated for one ecosystem:
notion image
AWS: Multi-Cloud Identity & Access Architecture
Created with Eraser
AWS: Multi-Cloud Identity & Access Architecture
https://app.eraser.io/workspace/igOJb1oLH8BJHs6Ikmob?origin=share
AWS: Multi-Cloud Identity & Access Architecture

4. Component Mapping

Functional Area
AWS Implementation
Azure Implementation
Recommended Practice
Multi-Account/Subscription Management
AWS Organizations (with Organizational Units - OUs)
Azure Management Groups
Organize workloads hierarchically for separation of duties and billing
Global Guardrails & Policies
Service Control Policies (SCPs)
Azure Policy
Use deny/preventive controls; Azure Policy offers proactive remediation
Landing Zone / Governance Automation
AWS Control Tower
Azure Landing Zones (Cloud Adoption Framework)
Automate baseline setup, account/subscription provisioning, and guardrails
Identity Provider
External IdP federated to IAM Identity Center
Microsoft Entra ID (native or federated)
Use Entra ID as primary IdP for seamless Azure integration and strong AWS federation support
Role/Permission Management
Permission Sets in IAM Identity Center
Azure RBAC (built-in and custom roles)
Assign to groups, not individuals
Privileged Access Management
Elevated Permission Sets
Privileged Identity Management (PIM)
Enable JIT activation with approval workflows
Conditional Controls
IAM policy conditions (e.g., source IP, MFA)
Conditional Access policies
Enforce at IdP layer where possible for consistency
Auditing & Logging
AWS CloudTrail + Identity Center logs
Entra ID sign-in logs, Azure Monitor
Centralize logs in a SIEM (e.g., Microsoft Sentinel)

5. Implementation Considerations

  • Deploy AWS IAM Identity Center at the AWS Organizations level for multi-account consistency, leveraging Service Control Policies (SCPs) for global guardrails and AWS Control Tower for automated landing zone setup and ongoing governance.
  • In Azure, structure subscriptions under Management Groups and apply Azure Policy for preventive and remediative controls; implement Azure Landing Zones via the Cloud Adoption Framework for standardized, automated environments.
  • Manage all identity and governance configurations (permission sets, role assignments, SCPs, Azure Policies) as code using IaC tools to enable automation, peer review, and drift detection.
  • Establish trust relationships using SAML 2.0 or OIDC between the IdP and AWS/Azure.
  • Synchronize on-premises directories (if applicable) via Entra Connect or SCIM provisioning.
  • Enforce MFA and high-risk Conditional Access policies at the IdP to ensure cross-cloud coverage.
  • Regularly review assignments and implement access recertification processes.
  • Integrate identity logs with enterprise monitoring and incident response tools.

Appendix A: Ready-to-Run Terraform Examples

These configurations are provided as minimal, functional starting points. Customize variables and extend with modules for production use.

A.1 AWS: IAM Identity Center Permission Set and Assignment

 
 

A.2 Azure: RBAC Role Assignment and Conditional Access Policy