Enable Microsoft Defender for Containers

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

Defender for Containers protects your clusters whether they're running in:

  • Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.

  • Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

  • An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.

Learn about this plan in Overview of Microsoft Defender for Containers.

Note

Defender for Containers' support for Arc-enabled Kubernetes clusters (and therefore AWS EKS too) is a preview feature.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Validate the following endpoints are configured for outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events:

See the required FQDN/application rules for Microsoft Defender for Containers.

By default, AKS clusters have unrestricted outbound (egress) internet access.

Prerequisites

Validate the following endpoints are configured for outbound access so that the Defender extension can connect to Microsoft Defender for Cloud to send security data and events:

For Azure public cloud deployments:

Domain                       Port
*.ods.opinsights.azure.com   443
*.oms.opinsights.azure.com   443
login.microsoftonline.com    443
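As an added example (not from the page or the Defender docs), a check that an egress allow-list covers the three endpoints in this table, so a firewall change that blocks them is caught before the extension silently stops reporting. The rule tuple shape and the wildcard semantics (`*.X` matches hosts strictly below X, never X itself, the usual firewall convention) are assumptions of the example.

```python
# Required outbound endpoints for the Defender extension (Azure public cloud),
# copied from the table above.
REQUIRED_ENDPOINTS = [
    ("*.ods.opinsights.azure.com", 443),
    ("*.oms.opinsights.azure.com", 443),
    ("login.microsoftonline.com", 443),
]


def _norm(name):
    return name.lower().rstrip(".")


def pattern_covers(rule_fqdn, required_fqdn):
    """True if every host matched by required_fqdn is also matched by rule_fqdn.
    Assumed semantics: '*' matches everything; '*.X' matches hosts strictly
    below X (not X itself); anything else is an exact host."""
    rule, req = _norm(rule_fqdn), _norm(required_fqdn)
    if rule == "*":
        return True
    if rule.startswith("*."):
        zone = rule[2:]                      # e.g. "opinsights.azure.com"
        if req.startswith("*."):
            # a required wildcard '*.Y' is covered when Y is the zone or lies under it
            base = req[2:]
            return base == zone or base.endswith("." + zone)
        # a required exact host is covered only when it lies strictly under the zone
        return req.endswith("." + zone)
    return rule == req


def missing_endpoints(rules, required=REQUIRED_ENDPOINTS):
    """rules: iterable of (fqdn, port, action) in the order the firewall
    evaluates them. Returns the required (fqdn, port) entries that no 'allow'
    rule covers on the right port; an empty list means egress is sufficient."""
    allows = [(f, p) for f, p, action in rules if action.lower() == "allow"]
    return [
        (f, p) for f, p in required
        if not any(p == rp and pattern_covers(rf, f) for rf, rp in allows)
    ]


if __name__ == "__main__":
    # Constructed sample rule set: a broader wildcard plus the login endpoint.
    sample = [("*.opinsights.azure.com", 443, "allow"),
              ("login.microsoftonline.com", 443, "allow")]
    print("missing:", missing_endpoints(sample))
```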

Enable the plan

  1. From Defender for Cloud's menu, open the Environment settings page and select the relevant subscription.

  2. In the Defender plans page, enable Defender for Containers.

    Tip

    If the subscription already has Defender for Kubernetes and/or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be Defender for Containers.

    Defender for container registries and Defender for Kubernetes plans showing 'Deprecated' and upgrade information.

  3. By default, the plan is configured to automatically defend any supported Kubernetes cluster that is attached to this subscription. To optionally modify the configuration, select Configure in the Configuration column.

    Viewing the configuration for Defender for Containers.

    You can also modify this configuration from the Auto provisioning page on the Microsoft Defender for Containers components (preview) row:

    Screenshot of the auto provisioning options for Microsoft Defender for Containers.

    Note

    If you choose to disable the plan at any time after enabling it through the portal as shown above, you'll need to manually disable auto provisioning of the Defender for Containers components. This will not remove the components from machines on which they've already been deployed.

  4. If you disable the auto provisioning of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:

Deploy the Defender profile

You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. For detailed steps, select the relevant tab.

The Defender security profile is a preview feature. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Use the fix button from the Defender for Cloud recommendation

A streamlined, frictionless process lets you use the Azure portal pages to enable the Defender for Cloud plan and set up auto provisioning of all the necessary components for defending your Kubernetes clusters at scale.

A dedicated Defender for Cloud recommendation provides:

  • Visibility about which of your clusters have the Defender profile deployed
  • A Fix button to deploy it to the clusters that don't have it

  1. From Microsoft Defender for Cloud's recommendations page, open the security control named Enable enhanced security.

  2. Use the filter to find the recommendation named Azure Kubernetes Service clusters should have Defender profile enabled.

    Tip

    Notice the Fix icon in the actions column.

  3. Select the clusters to see the details of the healthy and unhealthy resources - clusters with and without the profile.

  4. From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation confirmation.

  5. Select Fix [x] resources.


Additional Prerequisites

Before deploying the extension, ensure you:

Deploy the Defender extension

You can deploy the Defender extension using a range of methods. For detailed steps, select the relevant tab.

Use the fix button from the Defender for Cloud recommendation

A dedicated Defender for Cloud recommendation provides:

  • Visibility about which of your clusters have the Defender for Kubernetes extension deployed
  • A Fix button to deploy it to the clusters that don't have it

  1. From Microsoft Defender for Cloud's recommendations page, open the security control named Enable enhanced security.

  2. Use the filter to find the recommendation named Azure Arc-enabled Kubernetes clusters should have Defender for Cloud's extension installed.

    Microsoft Defender for Cloud's recommendation for deploying the Defender extension for Azure Arc-enabled Kubernetes clusters.

    Tip

    Notice the Fix icon in the actions column.

  3. Select the extension to see the details of the healthy and unhealthy resources - clusters with and without the extension.

  4. From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation options.

  5. Select the relevant Log Analytics workspace and select Remediate x resource.

    Deploy Defender extension for Azure Arc with Defender for Cloud's 'fix' option.

Verify the deployment

To verify that your cluster has the Defender extension installed on it, follow the steps in one of the tabs below:

Use Defender for Cloud recommendation to verify the status of your extension

  1. From Microsoft Defender for Cloud's recommendations page, open the security control named Enable Microsoft Defender for Cloud.

  2. Select the recommendation named Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed.

    Microsoft Defender for Cloud's recommendation for deploying the Defender extension for Azure Arc-enabled Kubernetes clusters.

  3. Check that the cluster on which you deployed the extension is listed as Healthy.

Protect Amazon Elastic Kubernetes Service clusters

Important

If you haven't already connected an AWS account, do so now using the instructions in Connect your AWS accounts to Microsoft Defender for Cloud and skip to step 3 below.

To protect your EKS clusters, enable the Containers plan on the relevant account connector:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the AWS connector.

    Screenshot of Defender for Cloud's environment settings page showing an AWS connector.

  3. Set the toggle for the Containers plan to On.

    Screenshot of enabling Defender for Containers for an AWS connector.

  4. Optionally, to change the retention period for your audit logs, select Configure, enter the required timeframe, and select Save.

    Screenshot of adjusting the retention period for EKS control pane logs.

  5. Continue through the remaining pages of the connector wizard.

  6. Azure Arc-enabled Kubernetes and the Defender extension should be installed and running on your EKS clusters. A dedicated Defender for Cloud recommendation deploys the extension (and Arc if necessary):

    1. From Defender for Cloud's Recommendations page, search for EKS clusters should have Azure Defender's extension for Azure Arc installed.

    2. Select an unhealthy cluster.

      Important

      You must select the clusters one at a time.

      Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.

    3. Select Fix.

    4. Defender for Cloud generates a script in the language of your choice: select Bash (for Linux) or PowerShell (for Windows).

    5. Select Download remediation logic.

    6. Run the generated script on your cluster.

    Video of how to use the Defender for Cloud recommendation to generate a script for your EKS clusters that enables the Azure Arc extension.

View recommendations and alerts for your EKS clusters

Tip

You can simulate container alerts by following the instructions in this blog post.

To view the alerts and recommendations for your EKS clusters, use the filters on the alerts, recommendations, and inventory pages to filter by resource type AWS EKS cluster.

Screenshot of how to use filters on Microsoft Defender for Cloud's alerts page to view alerts related to AWS EKS clusters.

Simulate security alerts from Microsoft Defender for Containers

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

  1. To simulate a security alert, run the following command from the cluster:

    kubectl get pods --namespace=asc-alerttest-662jfi039n

    The expected response is "No resource found".

    Within 30 minutes, Defender for Cloud will detect this activity and trigger a security alert.

  2. In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:

    Sample alert from Microsoft Defender for Kubernetes.

Remove the Defender extension

To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:

  • Enabling auto provisioning potentially impacts existing and future machines.
  • Disabling auto provisioning for an extension only affects future machines; nothing is uninstalled by disabling auto provisioning.

Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud.

You can remove the extension using Azure portal, Azure CLI, or REST API as explained in the tabs below.

Use Azure portal to remove the extension

  1. From the Azure portal, open Azure Arc.

  2. From the infrastructure list, select Kubernetes clusters and then select the specific cluster.

  3. Open the extensions page. The extensions on the cluster are listed.

  4. Select the cluster and select Uninstall.

    Removing an extension from your Arc-enabled Kubernetes cluster.

Remove the Defender profile

As with the Defender extension, it's not enough to turn off auto provisioning: disabling it only affects future clusters, and nothing already deployed is uninstalled.

Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud.

You can remove the profile using the REST API or a Resource Manager template as explained in the tabs below.

Use REST API to remove the Defender profile from AKS

To remove the profile using the REST API, send a PUT request to the following URL:

    https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

Name            Description                          Mandatory
SubscriptionId  Cluster's subscription ID            Yes
ResourceGroup   Cluster's resource group             Yes
ClusterName     Cluster's name                       Yes
ApiVersion      API version, must be >= 2021-07-01   Yes

Request body:

    {
      "location": "{{Location}}",
      "properties": {
        "securityProfile": {
          "azureDefender": {
            "enabled": false
          }
        }
      }
    }

Request body parameters:

Name                                               Description                                                                                Mandatory
location                                           Cluster's location                                                                         Yes
properties.securityProfile.azureDefender.enabled   Determines whether to enable or disable Microsoft Defender for Containers on the cluster   Yes
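An added example, not from the page or the Azure SDK, that assembles this PUT request from the parameters above and enforces the api-version floor before anything is sent; because the body's `enabled` flag is what toggles the profile, the same builder serves to re-enable it. The `send_put` helper, its use of urllib with a bearer token obtained out of band (for example from `az account get-access-token`), and the sample IDs are assumptions.

```python
import json
import re
import urllib.request

MIN_API_VERSION = "2021-07-01"   # the page: ApiVersion must be >= 2021-07-01


def is_supported_api_version(api_version):
    """ARM api-version values are ISO dates, optionally with a -preview suffix,
    so the date prefix compares correctly as a string."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2})(-preview)?", api_version)
    return bool(m) and m.group(1) >= MIN_API_VERSION


def build_defender_profile_request(subscription_id, resource_group, cluster_name,
                                   location, enabled, api_version="2021-07-01"):
    """Return (url, body) for the PUT that sets securityProfile.azureDefender.enabled.
    enabled=False removes the Defender profile; enabled=True turns it on."""
    if not is_supported_api_version(api_version):
        raise ValueError(f"api-version {api_version!r} must be >= {MIN_API_VERSION}")
    url = (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}"
        f"/providers/Microsoft.ContainerService/managedClusters/{cluster_name}"
        f"?api-version={api_version}"
    )
    body = {
        "location": location,
        "properties": {"securityProfile": {"azureDefender": {"enabled": bool(enabled)}}},
    }
    return url, body


def send_put(url, body, bearer_token):
    """Issue the PUT with an ARM access token supplied by the caller (assumed
    helper; obtain the token from your usual Azure sign-in, not from code)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    url, body = build_defender_profile_request(
        "00000000-0000-0000-0000-000000000000", "rg-demo", "aks-demo", "eastus", enabled=False)
    print(url)
    print(json.dumps(body, indent=2))
```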