by arccy 408 days ago
GCP's resource based hierarchy means it's much easier to locate where a permission comes from, it's either global, or attached to the resource in question. Most people probably shouldn't ever need to know about VPC-SC.

AWS IAM is a ball of mud: attach any policy at any one of the possible attachment points, and good luck figuring out where you managed to gain permission to do X. And the constant emails for "ACTION REQUIRED: we changed some managed IAM permission and your workflows will break", whether or not you actually use that role; they can't even tell, so all you can do is complain to your emotional support TAM in the weekly call.

AWS's IAM conditions are also annoyingly dynamically typed. Sure, it's more powerful, but IMO that's just more string to hang yourself with. The use of "*" in so many rules is just a recipe for disaster.
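As an added illustration of the "*" point above (example code, not part of the comment): a small audit that flags Allow statements in an AWS IAM policy document whose Action or Resource is a bare wildcard or a service-wide `service:*`, run over a constructed over-broad policy and a constructed scoped one.

```python
import json

# Constructed sample policies (not from the comment). The first is the kind of
# "*" usage the comment warns about; the second is the least-privilege form.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (sid, field, value) for each Allow grant made through a wildcard."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with "*" narrow access rather than widen it
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows every action not listed"))
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field)):
                # A bare "*" anywhere, or a service-wide "svc:*" action, is a wildcard grant
                if value == "*" or (field == "Action" and value.endswith(":*")):
                    findings.append((sid, field, value))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(wildcard_findings(policy)))
```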