Container security in Microsoft Defender for Cloud
Note
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
Learn more about the recent renaming of Microsoft security services.
Microsoft Defender for Cloud is the cloud-native solution for securing your containers.
Defender for Cloud can protect the following container resource types:
| Resource type | Protections offered by Defender for Cloud |
|---|---|
| Kubernetes clusters | Continuous assessment of your clusters to provide visibility into misconfigurations and guidelines to help you mitigate identified threats. Learn more about environment hardening through security recommendations. Threat protection for clusters and Linux nodes. Alerts for suspicious activities are provided by Microsoft Defender for Kubernetes. This plan defends your Kubernetes clusters whether they're hosted in Azure Kubernetes Service (AKS), on-premises, or on other cloud providers. Learn more about run-time protection for Kubernetes nodes and clusters. |
| Container hosts (VMs running Docker) | Continuous assessment of your Docker environments to provide visibility into misconfigurations and guidelines to help you mitigate threats identified by the optional Microsoft Defender for servers. Learn more about environment hardening through security recommendations. |
| Azure Container Registry (ACR) registries | Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries with the optional Microsoft Defender for container registries. Learn more about scanning your container images for vulnerabilities. |
This article describes how you can use Defender for Cloud, together with the optional enhanced protections for container registries, servers, and Kubernetes, to improve, monitor, and maintain the security of your containers and their apps.
You'll learn how Defender for Cloud helps with these core aspects of container security:
- Vulnerability management - scanning container images
- Environment hardening
- Run-time protection for Kubernetes nodes and clusters
The following screenshot shows the asset inventory page and the various container resource types protected by Defender for Cloud.
Vulnerability management - scanning container images
To monitor images in your Azure Resource Manager-based Azure container registries, enable Microsoft Defender for container registries. Defender for Cloud scans any images pulled within the last 30 days, pushed to your registry, or imported. The integrated scanner is provided by the industry-leading vulnerability scanning vendor, Qualys.
When issues are found – by Qualys or Defender for Cloud – you'll get notified in the Workload protections dashboard. For every vulnerability, Defender for Cloud provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Defender for Cloud's recommendations for containers, see the reference list of recommendations.
Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.
Environment hardening
Continuous monitoring of your Docker configuration
Microsoft Defender for Cloud identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Defender for Cloud continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark.
Defender for Cloud includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. When it finds misconfigurations, Defender for Cloud generates security recommendations. Use Defender for Cloud's recommendations page to view recommendations and remediate issues. The CIS benchmark checks don't run on AKS-managed instances or Databricks-managed VMs.
For details of the relevant Defender for Cloud recommendations that might appear for this feature, see the compute section of the recommendations reference table.
When you're exploring the security issues of a VM, Defender for Cloud provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host.
To monitor unmanaged containers hosted on IaaS Linux VMs, enable the optional Microsoft Defender for servers.
Continuous monitoring of your Kubernetes clusters
Defender for Cloud works together with Azure Kubernetes Service (AKS), Microsoft's managed container orchestration service for developing, deploying, and managing containerized applications.
AKS provides security controls and visibility into the security posture of your clusters. Defender for Cloud uses these features to constantly monitor the configuration of your AKS clusters and generate security recommendations aligned with industry standards.
This is a high-level diagram of the interaction between Microsoft Defender for Cloud, Azure Kubernetes Service, and Azure Policy:
You can see that the items received and analyzed by Defender for Cloud include:
- audit logs from the API server
- raw security events from the Log Analytics agent
- cluster configuration information from the AKS cluster
- workload configuration from Azure Policy (via the Azure Policy add-on for Kubernetes)
Note
We don't currently support installation of the Log Analytics agent on Azure Kubernetes Service clusters that are running on virtual machine scale sets.
For details of the relevant Defender for Cloud recommendations that might appear for this feature, see the compute section of the recommendations reference table.
Workload protection best-practices using Kubernetes admission control
For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto deploy this add-on as explained in Enable auto provisioning of the Log Analytics agent and extensions. When auto provisioning for the add-on is set to "on", the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).
As explained in this Azure Policy for Kubernetes page, the add-on extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. Kubernetes admission controllers are plugins that enforce how your clusters are used. The add-on registers as a webhook with Kubernetes admission control and makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
With the add-on on your AKS cluster, every request to the Kubernetes API server is evaluated against the predefined set of best practices before being persisted to the cluster. You can then configure the add-on to enforce the best practices and mandate them for future workloads.
For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.
Learn more in Protect your Kubernetes workloads.
Run-time protection for Kubernetes nodes and clusters
Defender for Cloud provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Defender for Cloud provides threat protection at different levels:
- Host level (provided by Microsoft Defender for servers) - Using the same Log Analytics agent that Defender for Cloud uses on other VMs, Microsoft Defender for servers monitors your Linux Kubernetes nodes for suspicious activities such as web shell detection and connection with known suspicious IP addresses. The agent also monitors for container-specific analytics such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.
If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.
Important
We don't currently support installation of the Log Analytics agent on Azure Kubernetes Service clusters that are running on virtual machine scale sets.
For a list of the host level alerts, see the Reference table of alerts.
- Cluster level (provided by Microsoft Defender for Kubernetes) - At the cluster level, the threat protection is based on analyzing the Kubernetes audit logs. To enable this agentless monitoring, enable enhanced security features. If your cluster is on-premises or on another cloud provider, enable Azure Arc-enabled Kubernetes and the Defender extension.
To generate alerts at this level, Defender for Cloud monitors your clusters' logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high privileged roles, and the creation of sensitive mounts.
Note
Defender for Cloud generates security alerts for actions and deployments that occur after you've enabled the Defender for Kubernetes plan on your subscription.
For a list of the cluster level alerts, see the Reference table of alerts.
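The admission-control section above describes blocking privileged containers before they are persisted, and the cluster-level section describes deriving alerts (privileged containers, high-privileged role creation, sensitive mounts) from the API server's audit logs. The example below, added here and not code from Defender for Cloud, Gatekeeper or Microsoft, shows the same workload checks applied at both points: once as a validating-webhook style AdmissionReview decision, and once as a scan over `audit.k8s.io/v1` event lines. The Pod manifests, the audit events and the lists `SENSITIVE_HOST_PATHS` and `HIGH_PRIVILEGE_ROLES` are constructed for the example and are assumptions, not values the page defines.

```python
"""Added example: one set of Pod/RBAC checks used at admission time and over audit logs.

All sample Pods, AdmissionReview requests and audit events below are constructed
for this example; the two policy lists are assumptions, not Defender for Cloud settings.
"""
import json

# Assumed hostPath prefixes treated as "sensitive mounts" (root, host config, Docker socket).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/proc", "/root")
# Assumed set of ClusterRoles whose binding counts as creating a high-privileged role.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def _is_sensitive_path(path):
    """True if `path` is a sensitive prefix or lies beneath one (root matches only exactly)."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    for prefix in SENSITIVE_HOST_PATHS:
        prefix = prefix.rstrip("/")
        if prefix and (norm == prefix or norm.startswith(prefix + "/")):
            return True
    return False


def find_pod_risks(pod):
    """Return human-readable findings for one Pod manifest (privileged containers, sensitive hostPaths)."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container '{c.get('name')}'")
    for v in spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp and _is_sensitive_path(hp.get("path", "")):
            findings.append(f"sensitive hostPath mount '{hp['path']}' via volume '{v.get('name')}'")
    return findings


def find_binding_risks(binding):
    """Findings for a RoleBinding/ClusterRoleBinding whose roleRef is a high-privilege ClusterRole."""
    role = binding.get("roleRef", {})
    if role.get("kind") == "ClusterRole" and role.get("name") in HIGH_PRIVILEGE_ROLES:
        subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in binding.get("subjects", []))
        return [f"binds {role['name']} to {subjects}"]
    return []


def admission_response(review):
    """Validating-webhook decision: deny a Pod that has findings, allow everything else."""
    req = review["request"]
    findings = find_pod_risks(req.get("object", {})) if req.get("kind", {}).get("kind") == "Pod" else []
    resp = {"uid": req["uid"], "allowed": not findings}
    if findings:
        resp["status"] = {"code": 403, "message": "; ".join(findings)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def scan_audit_log(lines):
    """Return (user, namespace, resource, finding) tuples for risky `create` events.

    Only events recorded at the RequestResponse audit level carry `requestObject`,
    so events without it are skipped rather than guessed at.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        obj = ev.get("requestObject")
        if ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete" or not obj:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods":
            findings = find_pod_risks(obj)
        elif ref.get("resource") in ("clusterrolebindings", "rolebindings"):
            findings = find_binding_risks(obj)
        else:
            findings = []
        user = ev.get("user", {}).get("username", "?")
        alerts.extend((user, ref.get("namespace", ""), ref["resource"], f) for f in findings)
    return alerts


# Constructed sample manifests (not from a real cluster).
PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug", "namespace": "default"},
                  "spec": {"containers": [{"name": "shell", "image": "busybox",
                                           "securityContext": {"privileged": True}}],
                           "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]}}
SAFE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}}
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}


def _event(verb, user, ref, obj=None):
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
          "verb": verb, "user": {"username": user}, "objectRef": ref}
    if obj is not None:
        ev["requestObject"] = obj
    return json.dumps(ev)


# Constructed audit-log lines: two risky creates, one read, one harmless create.
SAMPLE_AUDIT_LINES = [
    _event("create", "dev@example.com", {"resource": "pods", "namespace": "default", "name": "debug"}, PRIVILEGED_POD),
    _event("create", "ci-bot", {"resource": "clusterrolebindings", "name": "ci-admin"}, ADMIN_BINDING),
    _event("get", "dev@example.com", {"resource": "pods", "namespace": "default", "name": "web"}),
    _event("create", "dev@example.com", {"resource": "pods", "namespace": "default", "name": "web"}, SAFE_POD),
]

if __name__ == "__main__":
    review = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
              "request": {"uid": "req-1", "kind": {"group": "", "version": "v1", "kind": "Pod"},
                          "object": PRIVILEGED_POD}}
    print(json.dumps(admission_response(review), indent=2))
    for alert in scan_audit_log(SAMPLE_AUDIT_LINES):
        print("ALERT", alert)
```

The same `find_pod_risks` logic serves both stages on purpose: enforcing a rule at admission stops new violations, while scanning the audit log catches what was created before the rule existed or what bypassed it, which is why the page pairs admission-control hardening with cluster-level alerting.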
Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.
Tip
You can simulate container alerts by following the instructions in this blog post.
Next steps
In this overview, you learned about the core elements of container security in Microsoft Defender for Cloud. For related material see: