Connect your AWS accounts to Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent renaming of Microsoft security services.

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

To protect your AWS-based resources, you can connect an account with one of two mechanisms:

  • Classic cloud connectors experience - As part of the initial multi-cloud offering, we introduced these cloud connectors as a way to connect your AWS and GCP accounts. If you've already configured an AWS connector through the classic cloud connectors experience, we recommend deleting these connectors (as explained in Remove classic connectors), and connecting the account again using the newer mechanism. If you don't do this before creating the new connector through the environment settings page, do so afterwards to avoid seeing duplicate recommendations.

  • Environment settings page (in preview) (recommended) - This preview page provides a greatly improved, simpler onboarding experience (including auto provisioning). This mechanism also extends Defender for Cloud's enhanced security features to your AWS resources:

    • Defender for Cloud's CSPM features extend to your AWS resources. This agentless plan assesses your AWS resources according to AWS-specific security recommendations and these are included in your secure score. The resources will also be assessed for compliance with built-in standards specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices). Defender for Cloud's asset inventory page is a multi-cloud enabled feature helping you manage your AWS resources alongside your Azure resources.
    • Microsoft Defender for Containers extends Defender for Cloud's container threat detection and advanced defenses to your Amazon EKS clusters.
    • Microsoft Defender for servers brings threat detection and advanced defenses to your Windows and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

For a reference list of all the recommendations Defender for Cloud can provide for AWS resources, see Security recommendations for AWS resources - a reference guide.

This screenshot shows AWS accounts displayed in Defender for Cloud's overview dashboard.

Screenshot: four AWS accounts listed on Defender for Cloud's overview dashboard.

Availability

  • Release state: Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
  • Pricing: The CSPM plan is free. The Defender for Containers plan is free during the preview, after which it will be billed for AWS at the same price as for Azure resources. For every AWS machine connected to Azure with Azure Arc-enabled servers, the Defender for servers plan is billed at the same price as the Microsoft Defender for servers plan for Azure machines. If an AWS EC2 instance doesn't have the Azure Arc agent deployed, you won't be charged for that machine.
  • Required roles and permissions: Owner on the relevant Azure subscription. A Contributor can also connect an AWS account if an Owner provides the service principal details (required for the Defender for servers plan).
  • Clouds: Commercial clouds
    National (Azure Government, Azure China 21Vianet)

Prerequisites

Connect your AWS account

Follow the steps below to create your AWS cloud connector.

Remove 'classic' connectors

If you have any existing connectors created with the classic cloud connectors experience, remove them first:

  1. From Defender for Cloud's menu, open Environment settings and select the option to switch back to the classic connectors experience.

    Screenshot: switching back to the classic cloud connectors experience in Defender for Cloud.

  2. For each connector, select the “…” at the end of the row, and select Delete.

  3. On AWS, delete the IAM role (or the IAM user and its access keys) that you created for the integration, so the credentials can't be used after the connector is gone.

Create a new connector

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select Add environment > Amazon Web Services.

    Connecting an AWS account to an Azure subscription.

  3. Enter the details of the AWS account, including the location where you'll store the connector resource, and select Next: Select plans.

    Step 1 of the add AWS account wizard: Enter the account details.

  4. The select plans tab is where you choose which Defender for Cloud capabilities to enable for this AWS account.

    Note

    Each capability has its own requirements for permissions and might incur charges.


    Important

    To present the current status of your recommendations, the CSPM plan queries the AWS resource APIs several times a day. These read-only API calls incur no charges, but they are recorded in CloudTrail if you've enabled a trail for read events. As explained in the AWS documentation, there are no additional charges for keeping one trail. If you're exporting the data out of AWS (for example, to an external SIEM), this increased volume of calls might also increase ingestion costs. In such cases, we recommend filtering out the read-only calls from the Defender for Cloud user or role ARN: arn:aws:iam::[accountId]:role/CspmMonitorAws (this is the default role name; confirm the role name configured on your account).

    • To extend Defender for Servers coverage to your AWS EC2, set the Servers plan to On and edit the configuration as required.

    • For Defender for Containers to protect your AWS EKS clusters, Azure Arc-enabled Kubernetes and the Defender extension must be installed. Set the Containers plan to On, and use the dedicated Defender for Cloud recommendation to deploy the extension (and Arc, if necessary) as explained in Protect Amazon Elastic Kubernetes Service clusters.

  5. Complete the setup:

    1. Select Next: Configure access.
    2. Download the CloudFormation template.
    3. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen.
    4. Select Next: Review and generate.
    5. Select Create.

Defender for Cloud will immediately start scanning your AWS resources and you'll see security recommendations within a few hours. For a reference list of all the recommendations Defender for Cloud can provide for AWS resources, see Security recommendations for AWS resources - a reference guide.
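The Important note above recommends filtering the CSPM role's read-only calls out of a CloudTrail export before it reaches a SIEM. The following is an added example (not Microsoft's or AWS's code) of that filter: it matches on the issuing role recorded under userIdentity.sessionContext.sessionIssuer, drops only events with readOnly set to true, and deliberately keeps any write call made under the CSPM role, since the role should never make one and such an event is worth investigating. The account ID in CSPM_ROLE_ARN and the sample records are constructed placeholders; confirm the actual role name configured on your account.

```python
"""Drop the read-only CloudTrail events generated by the Defender for Cloud CSPM role
before a trail is exported to an external SIEM.

Added example; not Microsoft's or AWS's code. The account ID in CSPM_ROLE_ARN and the
sample records below are constructed placeholders.
"""
import json

# Default role name from the page; the 12-digit account ID is a placeholder.
CSPM_ROLE_ARN = "arn:aws:iam::123456789012:role/CspmMonitorAws"


def issuing_role_arn(record):
    """Return the IAM role ARN behind an assumed-role session, or None.

    CloudTrail records the role that issued the session under
    userIdentity.sessionContext.sessionIssuer. The userIdentity.arn itself is the
    per-session STS ARN (arn:aws:sts::...:assumed-role/<role>/<session>), so it is
    not a stable value to match on.
    """
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    if issuer.get("type") == "Role":
        return issuer.get("arn")
    return None


def is_cspm_readonly(record, role_arn=CSPM_ROLE_ARN):
    """True only for read-only API calls made by the CSPM role.

    Write calls made under that role are deliberately not matched: the role should
    never make them, so they are exactly the events a SIEM should keep.
    """
    return record.get("readOnly") is True and issuing_role_arn(record) == role_arn


def filter_for_export(records, role_arn=CSPM_ROLE_ARN):
    """Return (kept_records, dropped_count)."""
    kept = [r for r in records if not is_cspm_readonly(r, role_arn)]
    return kept, len(records) - len(kept)


def filter_trail_file(text, role_arn=CSPM_ROLE_ARN):
    """Apply the filter to one CloudTrail log file ({"Records": [...]}) and return
    the filtered document as a JSON string."""
    doc = json.loads(text)
    kept, _ = filter_for_export(doc.get("Records", []), role_arn)
    return json.dumps({"Records": kept})


def make_sample_record(event_name, read_only, role_name, account="123456789012"):
    """Build a minimal constructed CloudTrail record (only the fields used here)."""
    return {
        "eventVersion": "1.08",
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "readOnly": read_only,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/session",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": f"arn:aws:iam::{account}:role/{role_name}",
                    "accountId": account,
                    "userName": role_name,
                }
            },
        },
    }


# Constructed sample: two CSPM reads, one unexpected CSPM write, one read by another role.
SAMPLE_RECORDS = [
    make_sample_record("DescribeInstances", True, "CspmMonitorAws"),
    make_sample_record("DescribeSecurityGroups", True, "CspmMonitorAws"),
    make_sample_record("AuthorizeSecurityGroupIngress", False, "CspmMonitorAws"),
    make_sample_record("DescribeInstances", True, "OpsReadOnly"),
]

if __name__ == "__main__":
    kept, dropped = filter_for_export(SAMPLE_RECORDS)
    print(f"dropped {dropped} CSPM read-only events, kept {len(kept)}")
    for r in kept:
        print(" ", r["eventName"], "by", issuing_role_arn(r))
```

Running the block on the constructed sample drops the two DescribeInstances/DescribeSecurityGroups reads by the CSPM role and keeps the other two events. The same predicate can be expressed as a filter in whatever forwarder you use; the point is to key on the sessionIssuer ARN plus readOnly, not on the eventName or the per-session STS ARN.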

Availability

  • Release state: General availability (GA)
  • Pricing: Requires Microsoft Defender for servers
  • Required roles and permissions: Owner on the relevant Azure subscription. A Contributor can also connect an AWS account if an Owner provides the service principal details.
  • Clouds: Commercial clouds
    National (Azure Government, Azure China 21Vianet)

Connect your AWS account

Follow the steps below to create your AWS cloud connector.

Step 1. Set up AWS Security Hub:

  1. To view security recommendations for multiple regions, repeat the following steps for each relevant region.

    Important

    If you're using an AWS management account, repeat the following three steps to configure the management account and all connected member accounts across all relevant regions.

    1. Enable AWS Config.
    2. Enable AWS Security Hub.
    3. Verify that data is flowing to the Security Hub. When you first enable Security Hub, it might take several hours for data to be available.

Step 2. Set up authentication for Defender for Cloud in AWS

There are two ways to allow Defender for Cloud to authenticate to AWS:

  • Create an IAM role for Defender for Cloud (Recommended) - The most secure method
  • AWS user for Defender for Cloud - A less secure option, because it relies on long-lived access keys instead of a role assumed with an external ID

Create an IAM role for Defender for Cloud

  1. From your Amazon Web Services console, under Security, Identity & Compliance, select IAM.

  2. Select Roles and Create role.

  3. Select Another AWS account.

  4. Enter the following details:

    • Account ID - enter the Microsoft Account ID (158177204117) as shown in the AWS connector page in Defender for Cloud.
    • Require External ID - should be selected
    • External ID - enter the subscription ID as shown in the AWS connector page in Defender for Cloud
  5. Select Next.

  6. In the Attach permission policies section, select the following AWS managed policies:

    • SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit)
    • AmazonSSMAutomationRole (arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole)
    • AWSSecurityHubReadOnlyAccess (arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess)
  7. Optionally add tags. Adding tags to the role doesn't affect the connection.

  8. Select Next.

  9. In the Roles list, choose the role you created.

  10. Save the Amazon Resource Name (ARN) for later.
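The role created above trusts the Microsoft account (158177204117) and requires an external ID equal to your Azure subscription ID. The following is an added example (not Microsoft's or AWS's code) that builds the equivalent trust policy document and checks an existing one for the two mistakes that matter here: trusting an account other than 158177204117 (or any principal), and omitting the sts:ExternalId condition, which would let any principal in the trusted account assume the role on behalf of any tenant (the confused-deputy problem the external ID exists to prevent). The subscription ID in the sample is a constructed placeholder; use the value shown in the AWS connector page.

```python
"""Build and check the IAM trust policy for the Defender for Cloud role.

Added example; not Microsoft's or AWS's code. The Microsoft account ID and the
condition shape (sts:ExternalId = your Azure subscription ID) come from the page; the
subscription ID used in the sample is a constructed placeholder.
"""
import json

MICROSOFT_ACCOUNT_ID = "158177204117"  # from the AWS connector page in Defender for Cloud


def build_trust_policy(external_id, trusted_account_id=MICROSOFT_ACCOUNT_ID):
    """Trust policy equivalent to 'Another AWS account' + 'Require External ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                # Without this condition any principal in the trusted account could
                # assume the role on behalf of any tenant (confused deputy).
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from an ARN, or a bare 12-digit account ID principal as-is."""
    if ":" not in principal:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else None


def check_trust_policy(policy, expected_account_id=MICROSOFT_ACCOUNT_ID,
                       expected_external_id=None):
    """Return a list of findings for every Allow sts:AssumeRole statement; [] means OK."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" means anyone
            findings.append(f"statement {i}: trusts every principal ({principal!r})")
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append(f"statement {i}: trusts every AWS principal")
            elif _account_of(p) != expected_account_id:
                findings.append(f"statement {i}: trusts unexpected account {_account_of(p)}")
        ext = (stmt.get("Condition") or {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id is not None and ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext!r} is not the expected subscription ID")
    return findings


# Constructed placeholder; use the subscription ID shown in the AWS connector page.
SAMPLE_SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_SUBSCRIPTION_ID)
    print(json.dumps(policy, indent=2))  # paste into the console or save as trust.json
    print("findings:", check_trust_policy(policy, expected_external_id=SAMPLE_SUBSCRIPTION_ID))
```

The printed document is what the console's Another AWS account / Require External ID choices generate; if you automate the role instead, it is the value for `aws iam create-role --assume-role-policy-document file://trust.json`, after which the three managed policies listed in step 6 are attached with `aws iam attach-role-policy`. Running check_trust_policy over the trust policies of existing roles is a cheap way to catch a role that was created without the external ID.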

Create an AWS user for Defender for Cloud

  1. Open the Users tab and select Add user.

  2. In the Details step, enter a username for Defender for Cloud and ensure that you select Programmatic access for the AWS Access Type.

  3. Select Next: Permissions.

  4. Select Attach existing policies directly and apply the following policies:

    • SecurityAudit
    • AmazonSSMAutomationRole
    • AWSSecurityHubReadOnlyAccess
  5. Select Next: Tags. Optionally add tags. Adding Tags to the user doesn't affect the connection.

  6. Select Review.

  7. Review the summary and select Create user.

  8. Save the automatically generated Access key ID and Secret access key (or download the CSV file) for later. The secret access key is shown only once, so store it securely.

Step 3. Configure the SSM Agent

AWS Systems Manager is required for automating tasks across your AWS resources. If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:

Step 4. Complete Azure Arc prerequisites

  1. Make sure the appropriate Azure resources providers are registered:

    • Microsoft.HybridCompute
    • Microsoft.GuestConfiguration
  2. Create a Service Principal for onboarding at scale. As an Owner on the subscription you want to use for the onboarding, create a service principal for Azure Arc onboarding as described in Create a Service Principal for onboarding at scale.

Step 5. Connect AWS to Defender for Cloud

  1. From Defender for Cloud's menu, open Environment settings and select the option to switch back to the classic connectors experience.

    Switching back to the classic cloud connectors experience in Defender for Cloud.

  2. Select Add AWS account.

    Screenshot: Add AWS account button on Defender for Cloud's multi-cloud connectors page.

  3. Configure the options in the AWS authentication tab:

    1. Enter a Display name for the connector.
    2. Confirm that the subscription is correct. It's the subscription that will include the connector and AWS Security Hub recommendations.
    3. Depending on the authentication option you chose in Step 2. Set up authentication for Defender for Cloud in AWS, enter either the ARN of the IAM role you created, or the Access key ID and Secret access key of the AWS user.
  4. Select Next.

  5. Configure the options in the Azure Arc Configuration tab:

    Defender for Cloud discovers the EC2 instances in the connected AWS account and uses SSM to onboard them to Azure Arc.

    Tip

    For the list of supported operating systems, see What operating systems for my EC2 instances are supported? in the FAQ.

    1. Select the Resource Group and Azure Region that the discovered AWS EC2s will be onboarded to in the selected subscription.

    2. Enter the Service Principal ID and Service Principal Client Secret for Azure Arc, as described in Create a Service Principal for onboarding at scale.

    3. If the machines connect to the internet via a proxy server, specify the proxy server IP address or name and the port number that the machines use to communicate with the proxy server. Enter the value in the format http://<proxyURL>:<proxyport>.

    4. Select Review + create.

      Review the summary information

      The Tags section lists all Azure tags that will be automatically created for each onboarded EC2 instance, with its own relevant details so you can easily recognize it in Azure.

      Learn more about Azure Tags in Use tags to organize your Azure resources and management hierarchy.

Step 6. Confirmation

When the connector is successfully created, and AWS Security Hub has been configured properly:

  • Defender for Cloud scans the environment for AWS EC2 instances and onboards them to Azure Arc, which enables installation of the Log Analytics agent and provides threat protection and security recommendations.
  • The Defender for Cloud service scans for new AWS EC2 instances every 6 hours and onboards them according to the configuration.
  • The AWS CIS standard will be shown in the Defender for Cloud's regulatory compliance dashboard.
  • If the Security Hub policy is enabled, recommendations will appear in the Defender for Cloud portal and the regulatory compliance dashboard 5-10 minutes after onboarding completes.

AWS resources and recommendations in Defender for Cloud's recommendations page

Monitoring your AWS resources

As you can see in the previous screenshot, Defender for Cloud's security recommendations page displays your AWS resources. Use the environments filter to view the recommendations for Azure, AWS, and GCP resources together.

To view all the active recommendations for your resources by resource type, use Defender for Cloud's asset inventory page and filter to the AWS resource type in which you're interested:

Asset inventory page's resource type filter showing the AWS options

FAQ - AWS in Defender for Cloud

What operating systems for my EC2 instances are supported?

For a list of the AMIs with the SSM Agent preinstalled see this page in the AWS docs.

For other operating systems, the SSM Agent should be installed manually using the following instructions:

Next steps

Connecting your AWS account is part of the multi-cloud experience available in Microsoft Defender for Cloud. For related information, see the following page: