Connect your AWS accounts to Azure Security Center
With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.
Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Onboarding your AWS account into Security Center integrates AWS Security Hub with Azure Security Center. Security Center thus provides visibility and protection across both cloud environments, including:
- Automatic agent provisioning (Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances)
- Policy management
- Vulnerability management
- Embedded Endpoint Detection and Response (EDR)
- Detection of security misconfigurations
- A single view showing Security Center recommendations and AWS Security Hub findings
- Incorporation of your AWS resources into Security Center's secure score calculations
- Regulatory compliance assessments of your AWS resources
In the screenshot below you can see AWS accounts displayed in Security Center's overview dashboard.
| Aspect | Details |
|---|---|
| Release state: | General availability (GA) |
| Pricing: | Requires Azure Defender for servers |
| Required roles and permissions: | Owner on the relevant Azure subscription. Contributor can also connect an AWS account if an owner provides the service principal details. |
National/Sovereign (Azure Government, Azure China 21Vianet)
Connect your AWS account
Follow the steps below to create your AWS cloud connector.
Step 1. Set up AWS Security Hub:
To view security recommendations for multiple regions, repeat the following steps for each relevant region.
If you're using an AWS master account, repeat the following three steps to configure the master account and all connected member accounts across all relevant regions.
Step 2. Set up authentication for Security Center in AWS
There are two ways to allow Security Center to authenticate to AWS:
- Create an IAM role for Security Center - This is the most secure method and is recommended
- AWS user for Security Center - A less secure option if you don't have IAM enabled
Create an IAM role for Security Center
From your Amazon Web Services console, under Security, Identity & Compliance, select IAM.
Select Roles and Create role.
Select Another AWS account.
Enter the following details:
- Account ID - enter the Microsoft Account ID (158177204117) as shown in the AWS connector page in Security Center.
- Require External ID - should be selected
- External ID - enter the subscription ID as shown in the AWS connector page in Security Center
In the Attach permission policies section, select the following AWS managed policies:
- SecurityAudit
- AmazonSSMAutomationRole
- AWSSecurityHubReadOnlyAccess
Optionally add tags. Adding tags to the role doesn't affect the connection.
In the Roles list, choose the role you created.
Save the Amazon Resource Name (ARN) for later.
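The "Require External ID" setting above is what stops a third party from tricking Security Center into assuming your role on their behalf (the confused-deputy problem): the Microsoft account can only assume the role when it also presents your subscription ID. The following is an added example, not code from the Microsoft docs page, that builds the equivalent trust-policy document and audits an existing trust policy for that protection. The account ID 158177204117 is the Microsoft account ID quoted on the page; the subscription ID passed in is a constructed placeholder, and the role/function names are this example's own.

```python
"""Added example: build and audit the cross-account trust policy for the
Security Center IAM role (equivalent to 'Another AWS account' + 'Require
External ID' in the IAM console). Not part of the original documentation.
"""
import json

# Microsoft account ID shown on the AWS connector page (from the docs page).
MICROSOFT_ACCOUNT_ID = "158177204117"


def build_trust_policy(external_id, trusted_account=MICROSOFT_ACCOUNT_ID):
    """Return the trust policy that lets `trusted_account` assume the role
    only when it presents `external_id` (your Azure subscription ID)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy, trusted_account=MICROSOFT_ACCOUNT_ID):
    """Return a list of findings, one per Allow statement that lets the
    trusted account (or everyone) assume the role with no sts:ExternalId
    condition. An empty list means the external-ID protection is in place."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if not any(p == "*" or trusted_account in p for p in aws_principals):
            continue  # statement does not concern the Security Center account
        condition = stmt.get("Condition", {})
        external_id = None
        for operator in ("StringEquals", "StringLike"):
            external_id = condition.get(operator, {}).get("sts:ExternalId")
            if external_id:
                break
        if not external_id:
            findings.append(
                f"statement {index}: {aws_principals} can assume the role "
                "without an sts:ExternalId condition"
            )
    return findings


if __name__ == "__main__":
    # Constructed placeholder for the subscription ID shown on the connector page.
    subscription_id = "00000000-0000-0000-0000-000000000001"
    policy = build_trust_policy(subscription_id)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

Paste the printed JSON as the role's trust relationship if you prefer the CLI or infrastructure-as-code over the console wizard; run `audit_trust_policy` over `get-role` output from existing roles to catch any that trust the Microsoft account without the external-ID condition.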
Create an AWS user for Security Center
Open the Users tab and select Add user.
In the Details step, enter a username for Security Center and ensure that you select Programmatic access for the AWS Access Type.
Select Next: Permissions.
Select Attach existing policies directly and apply the following policies:
Select Next: Tags. Optionally add tags. Adding Tags to the user doesn't affect the connection.
Save the automatically generated Access key ID and Secret access key CSV file for later.
Review the summary and click Create user.
Step 3. Configure the SSM Agent
AWS Systems Manager is required for automating tasks across your AWS resources. If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:
- Installing and Configuring SSM Agent on Windows Instances
- Installing and Configuring SSM Agent on Amazon EC2 Linux Instances
Step 4. Complete Azure Arc prerequisites
Make sure the appropriate Azure resources providers are registered:
Create a Service Principal for onboarding at scale. As an Owner on the subscription you want to use for the onboarding, create a service principal for Azure Arc onboarding as described in Create a Service Principal for onboarding at scale.
Step 5. Connect AWS to Security Center
From Security Center's menu, select Multi cloud connectors.
Select Add AWS account.
Configure the options in the AWS authentication tab:
- Enter a Display name for the connector.
- Confirm that the subscription is correct. It is the subscription that will include the connector and AWS Security Hub recommendations.
- Depending on the authentication option you chose in Step 2 (Set up authentication for Security Center in AWS), provide the details you saved earlier: the ARN of the IAM role, or the access key ID and secret access key of the AWS user.
Configure the options in the Azure Arc Configuration tab:
Security Center discovers the EC2 instances in the connected AWS account and uses SSM to onboard them to Azure Arc.
For the list of supported operating systems, see What operating systems for my EC2 instances are supported? in the FAQ.
Select the Resource Group and Azure Region that the discovered AWS EC2s will be onboarded to in the selected subscription.
Enter the Service Principal ID and Service Principal Client Secret for Azure Arc, as described in Create a Service Principal for onboarding at scale.
If the machine is connecting to the internet via a proxy server, specify the proxy server IP address or the name and port number that the machine uses to communicate with the proxy server. Enter the value in the format
Select Review + create.
Review the summary information.
The Tags section lists all Azure tags that will be created automatically for each onboarded EC2 instance, each with the details needed to recognize the instance easily in Azure.
Learn more about Azure Tags in Use tags to organize your Azure resources and management hierarchy.
Step 6. Confirmation
When the connector is successfully created, and AWS Security Hub has been configured properly:
- Security Center scans the environment for AWS EC2 instances and onboards them to Azure Arc, which enables installation of the Log Analytics agent and provides threat protection and security recommendations.
- The ASC service scans for new AWS EC2 instances every 6 hours and onboards them according to the configuration.
- The AWS CIS standard will be shown in the Security Center's regulatory compliance dashboard.
- If the Security Hub policy is enabled, recommendations will appear in the Security Center portal and the regulatory compliance dashboard 5-10 minutes after onboarding completes.
Monitoring your AWS resources
As shown above, Azure Security Center's security recommendations page displays your AWS resources together with your Azure and GCP resources for a true multi-cloud view.
To view all the active recommendations for your resources by resource type, use Security Center's asset inventory page and filter to the AWS resource type in which you're interested:
FAQ - AWS in Security Center
What operating systems for my EC2 instances are supported?
Supported OS for automatic onboarding to Azure Arc for AWS Machines
- Ubuntu 16.04 - SSM Agent is preinstalled by default
- Ubuntu 18.04 - SSM Agent is preinstalled by default
- Windows Server - SSM Agent is preinstalled by default
- CentOS Linux 7 - SSM Agent should be installed manually or onboarded separately
- SUSE Linux Enterprise Server (SLES) 15 (x64) - SSM Agent should be installed manually or onboarded separately
- Red Hat Enterprise Linux (RHEL) 7 (x64) - SSM Agent should be installed manually or onboarded separately
Connecting your AWS account is part of the multi-cloud experience available in Azure Security Center. For related information, see the following page: