Connect AWS to Microsoft Defender for Cloud Apps

Note

We've renamed Microsoft Cloud App Security. It's now called Microsoft Defender for Cloud Apps. In the coming weeks, we'll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

This article provides instructions for connecting your existing Amazon Web Services (AWS) account to Microsoft Defender for Cloud Apps using the connector APIs. For information about how Defender for Cloud Apps protects AWS, see Protect AWS.

You can set up one or both of the following connections between AWS and Defender for Cloud Apps:

  • Security auditing: This connection gives you visibility into and control over AWS app use.
  • Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.

Because you can add either or both connections, the steps in this article are written as independent instructions. If you've already added one of the connections, edit the existing configuration where relevant.

How to connect AWS Security auditing to Defender for Cloud Apps

Use the following steps to configure your AWS auditing and then connect it to Defender for Cloud Apps.

Step 1: Configure Amazon Web Services auditing

  1. In your Amazon Web Services console, under Security, Identity & Compliance, select IAM.

  2. Select Users and then select Add user.

  3. In the Details step, provide a new user name for Defender for Cloud Apps. Make sure that under Access type you select Programmatic access, and then select Next: Permissions.

  4. Select Attach existing policies directly, and then Create policy.

  5. Select the JSON tab:

  6. Paste the following policy document into the provided area:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "iam:List*",
            "iam:Get*",
            "s3:ListAllMyBuckets",
            "s3:PutBucketAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  7. Select Next: Tags.

  8. Select Next: Review.

  9. Provide a Name and select Create policy.

  10. Back in the Add user screen, refresh the list if necessary, select the policy you created, and then select Next: Tags.

  11. Select Next: Review.

  12. If all the details are correct, select Create user.

  13. When you get the success message, select Download .csv to save a copy of the new user's credentials. You'll need these later.

    Note

    After connecting AWS, you'll receive events for seven days prior to connection. If you just enabled CloudTrail, you'll receive events from the time you enabled CloudTrail.
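
Before pasting the policy from step 6, it is worth checking what it actually grants. The following Python script is an added example, not code from this page, Microsoft or AWS: it parses that policy, classifies each action as read-only or write-capable by its verb prefix (the prefix list is an assumption based on AWS naming conventions, not an AWS-defined category), reports wildcard actions and the Resource "*" scope, and lets you ask whether a given action is covered. On the page's policy it flags s3:PutBucketAcl as the only write-capable action.

```python
"""Least-privilege review of the IAM policy from step 6.

Added example, not code from the page, Microsoft or AWS. The policy text is
copied from step 6; READ_ONLY_VERBS is an assumption used here to classify
actions, not an AWS-defined category.
"""
import json
import re

# The policy document pasted in step 6 of the auditing setup.
CONNECTOR_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "cloudtrail:DescribeTrails",
      "cloudtrail:LookupEvents",
      "cloudtrail:GetTrailStatus",
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "iam:List*",
      "iam:Get*",
      "s3:ListAllMyBuckets",
      "s3:PutBucketAcl",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}"""

# Verb prefixes treated as read-only (assumption based on AWS naming conventions).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def review_policy(policy_json):
    """Classify every Allow action and report wildcard use.

    Returns a dict with 'read_only', 'write', 'wildcard_actions' and
    'wildcard_resources' lists, in document order.
    """
    policy = json.loads(policy_json)
    result = {"read_only": [], "write": [], "wildcard_actions": [], "wildcard_resources": []}
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if "*" in action:
                result["wildcard_actions"].append(action)
            # A bare "service:*" has an empty verb and is counted as write-capable.
            if verb and verb.startswith(READ_ONLY_VERBS):
                result["read_only"].append(action)
            else:
                result["write"].append(action)
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                result["wildcard_resources"].append(resource)
    return result


def policy_allows(policy_json, action):
    """True if some Allow statement's action pattern covers `action`.

    Patterns use IAM's '*' wildcard; matching is case-insensitive like IAM's.
    Explicit Deny statements are ignored; the page's policy has none.
    """
    policy = json.loads(policy_json)
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
            if re.match(regex, action, re.IGNORECASE):
                return True
    return False


if __name__ == "__main__":
    report = review_policy(CONNECTOR_POLICY)
    print("write-capable actions:", report["write"])
    print("wildcard actions:", report["wildcard_actions"])
    print("statements with Resource '*':", len(report["wildcard_resources"]))
    print("allows s3:DeleteBucket?", policy_allows(CONNECTOR_POLICY, "s3:DeleteBucket"))
```

Run it with python3 to print the summary. policy_allows is also handy later: if the connector reports an API call failing, you can confirm whether that action is inside the policy's scope before widening anything.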

Step 2: Connect Amazon Web Services auditing to Defender for Cloud Apps

  1. In the Defender for Cloud Apps portal, select Investigate and then Connected apps.

  2. In the App connectors page, to provide the AWS connector credentials, do one of the following:

    For a new connector

    1. Select the plus sign (+) followed by Amazon Web Services.

    2. In the pop-up, provide a name for the connector, and then select Connect Amazon Web Services.

    3. On the Connect Amazon Web Services page, select Security auditing, paste the Access key and Secret key from the .csv file into the relevant fields, and select Connect.

    For an existing connector

    1. In the list of connectors, on the row in which the AWS connector appears, select Connect security auditing.

    2. On the Connect Amazon Web Services page, paste the Access key and Secret key from the .csv file into the relevant fields, and select Connect.

  3. Select Test API to make sure the connection succeeded.

    Testing may take a couple of minutes. When it's finished, you get a success or failure notification. After receiving a success notice, select Done.

How to connect AWS security configuration to Defender for Cloud Apps

Connecting AWS security configuration gives you insights into fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.

Follow these steps to connect AWS security configuration to Defender for Cloud Apps.

Set up AWS Security Hub

To view security recommendations for multiple regions, repeat the following steps for each relevant region.

Note

If you are using a master account, repeat these steps to configure the master account and all connected member accounts across all relevant regions.

  1. Enable AWS Config.

  2. Enable AWS Security Hub.

  3. Verify that there is data flowing to the Security Hub.

    Note

    When you first enable Security Hub, it may take several hours for data to be available.

Connect AWS Security configuration to Defender for Cloud Apps

Before you can connect AWS security configuration, make sure that you have set up your AWS environment to collect fundamental security and compliance recommendations.

Note

If you are using an AWS master account, use the following steps to connect the master account. Connecting your master account allows you to receive recommendations for all member accounts across all regions.

Step 1: Configure Amazon Web Services security configuration

  1. Follow the How to connect AWS Security auditing steps to get to the permissions page.

  2. On the permissions page, select Attach existing policies directly, apply the AWSSecurityHubReadOnlyAccess and SecurityAudit policies, and then select Next: Tags.

  3. Optional: Add tags to the user.

    Note

    Adding tags to the user won't affect the connection.

  4. Select Next: Review.

  5. If all the details are correct, select Create user.

  6. When you get the success message, select Download .csv to save a copy of the Access key ID and the Secret access key. You'll need these later.
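
Once the connector user exists, it is worth verifying periodically that nobody has widened its permissions beyond what the page calls for. The following Python script is an added example, not part of this page or of Microsoft's tooling: it reads the JSON shape returned by aws iam get-account-authorization-details and compares the connector user's directly attached managed policies, inline policies and group-inherited policies against the expected set. SAMPLE_DETAILS is a constructed sample; the user names, the custom policy name DefenderForCloudAppsAuditing and the account id 123456789012 are placeholders.

```python
"""Drift check for the connector's IAM user.

Added example, not code from the page, Microsoft or AWS. It reads the output
shape of `aws iam get-account-authorization-details` and checks that the user
created for the connector holds exactly the policies the page attaches. The
user names, the custom policy name and the account id 123456789012 are
placeholders; SAMPLE_DETAILS is constructed for this example.
"""
import json

# Policies the page attaches for the security-configuration connector, plus the
# custom auditing policy created in step 9 (its name here is an assumption).
EXPECTED_POLICIES = {
    "AWSSecurityHubReadOnlyAccess",
    "SecurityAudit",
    "DefenderForCloudAppsAuditing",
}

# Constructed sample of the UserDetailList / GroupDetailList sections. The first
# user has drifted (extra managed policy, an inline policy, and a group grant);
# the second is as the page leaves it.
SAMPLE_DETAILS = json.dumps({
    "UserDetailList": [
        {
            "UserName": "defender-for-cloud-apps",
            "GroupList": ["Ops"],
            "UserPolicyList": [
                {"PolicyName": "inline-s3-writes",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}}
            ],
            "AttachedManagedPolicies": [
                {"PolicyName": "AWSSecurityHubReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"},
                {"PolicyName": "SecurityAudit",
                 "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
                {"PolicyName": "DefenderForCloudAppsAuditing",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/DefenderForCloudAppsAuditing"},
                {"PolicyName": "AdministratorAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            ],
        },
        {
            "UserName": "defender-for-cloud-apps-clean",
            "GroupList": [],
            "UserPolicyList": [],
            "AttachedManagedPolicies": [
                {"PolicyName": "AWSSecurityHubReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"},
                {"PolicyName": "SecurityAudit",
                 "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
                {"PolicyName": "DefenderForCloudAppsAuditing",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/DefenderForCloudAppsAuditing"},
            ],
        },
    ],
    "GroupDetailList": [
        {"GroupName": "Ops",
         "GroupPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonEC2FullAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}]},
    ],
})


def audit_connector_user(details_json, user_name, expected=EXPECTED_POLICIES):
    """Compare a user's effective permissions with the expected policy set.

    Returns a dict with sorted lists:
      missing    - expected managed policies not attached directly
      unexpected - directly attached managed policies outside the expected set
      inline     - inline policy names on the user (the page uses none)
      via_groups - policy names inherited through group membership
    and 'ok', True only when all four lists are empty.
    Raises KeyError if the user is not in the report.
    """
    details = json.loads(details_json)
    users = {u["UserName"]: u for u in details.get("UserDetailList", [])}
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    user = users[user_name]

    attached = {p["PolicyName"] for p in user.get("AttachedManagedPolicies", [])}
    inline = sorted(p["PolicyName"] for p in user.get("UserPolicyList", []))
    via_groups = set()
    for group_name in user.get("GroupList", []):
        group = groups.get(group_name, {})
        via_groups |= {p["PolicyName"] for p in group.get("AttachedManagedPolicies", [])}
        via_groups |= {p["PolicyName"] for p in group.get("GroupPolicyList", [])}

    report = {
        "missing": sorted(set(expected) - attached),
        "unexpected": sorted(attached - set(expected)),
        "inline": inline,
        "via_groups": sorted(via_groups),
    }
    report["ok"] = not any(report[k] for k in ("missing", "unexpected", "inline", "via_groups"))
    return report


if __name__ == "__main__":
    for name in ("defender-for-cloud-apps", "defender-for-cloud-apps-clean"):
        print(name, json.dumps(audit_connector_user(SAMPLE_DETAILS, name), indent=2))
```

To run it against a real account, replace SAMPLE_DETAILS with the output of aws iam get-account-authorization-details --filter User Group and pass the connector's user name. Policies inherited through groups are listed separately because the page attaches everything directly to the user, so any group grant is drift worth a look.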

Step 2: Connect Amazon Web Services security configuration to Defender for Cloud Apps

  1. In Defender for Cloud Apps, select Investigate, and then select Connected apps.

  2. In the Security configuration apps tab, select the plus button, and then select Amazon Web Services.

  3. In the Instance name page, choose the instance type, and then select Next.

    • For an existing connector, choose the relevant instance.

    • For a new connector, provide a name for the instance.

  4. In the Account details page, paste the Access key and Secret key from the .csv file into the relevant fields, and then select Next.

  5. In the Finished page, make sure the connection succeeded, and then select Finished.

If you have any problems connecting the app, see Troubleshooting App Connectors.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.