Overview of Microsoft Defender for Containers

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

This plan merges the capabilities of two existing Microsoft Defender plans, "Defender for Kubernetes" and "Defender for Container registries", and provides new and improved features without deprecating any of the functionality from those plans.

This page describes how you can use Defender for Containers to improve, monitor, and maintain the security of your clusters, containers, and their applications.

You'll learn how Defender for Cloud helps with the core aspects of container security.

Availability

Release state: General availability (GA). Where indicated, specific features are in preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Pricing: Microsoft Defender for Containers is free for the month of December 2021. After that, it will be billed as shown on the pricing page (which will be updated at the end of December 2021).

Registries and images:

Supported
  • Linux images in Azure Container Registry (ACR) registries accessible from the public internet with shell access
  • Private registries with access granted to Trusted Services
  • ACR registries protected with Azure Private Link

Unsupported
  • Windows images
  • Super-minimalist images such as Docker scratch images
  • "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
  • Images with Open Container Initiative (OCI) Image Format Specification

Kubernetes distributions:

Supported
  • Any Cloud Native Computing Foundation (CNCF) certified Kubernetes cluster

Tested (for Azure Arc protections)
  • Azure Kubernetes Service
  • Azure Kubernetes Service on Azure Stack HCI
  • Kubernetes
  • AKS Engine
  • Azure Red Hat OpenShift
  • Red Hat OpenShift (version 4.6 or newer)
  • VMware Tanzu Kubernetes Grid
  • Rancher Kubernetes Engine

Required roles and permissions:
  • To auto provision the required components: Contributor, Log Analytics Contributor, or Azure Kubernetes Service Contributor role
  • Security admin can dismiss alerts
  • Security reader can view vulnerability assessment findings
  • See also Azure Container Registry roles and permissions

Clouds:
  • Commercial clouds
  • National (Azure Government, Azure China 21Vianet)
  • Connected AWS accounts (Preview)

What are the benefits of Microsoft Defender for Containers?

Defender for Containers helps with the core aspects of container security:

  • Environment hardening - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-prem / IaaS, or Amazon EKS. By continuously assessing clusters, Defender for Containers provides visibility into misconfigurations and guidelines to help mitigate identified threats. Learn more in Environment hardening through security recommendations.

  • Vulnerability assessment scanning - Vulnerability assessment and management for images stored in ACR registries and for images running in Azure Kubernetes Service. Learn more in Vulnerability assessment.

  • Run-time threat protection for nodes and clusters - Threat protection for clusters and Linux nodes generates security alerts for suspicious activities. Learn more in Run-time protection for Kubernetes nodes and clusters.

Architecture overview

The architecture of the various elements involved in the full range of protections provided by Defender for Containers varies depending on where your Kubernetes clusters are hosted.

Defender for Containers protects your clusters whether they're running in:

  • Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.

  • Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

  • An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.

Note

Defender for Containers' support for Arc-enabled Kubernetes clusters (and therefore AWS EKS too) is a preview feature.

For high-level diagrams of each scenario, see the relevant tabs below.

In the diagrams you'll see that the items received and analyzed by Defender for Cloud include:

  • Audit logs and security events from the API server
  • Cluster configuration information from the control plane
  • Workload configuration from Azure Policy

Architecture diagram of Defender for Cloud and AKS clusters

When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the deployment is agentless and frictionless.

High-level architecture of the interaction between Microsoft Defender for Containers, Azure Kubernetes Service, and Azure Policy.

Environment hardening through security recommendations

Continuous monitoring of your Kubernetes clusters - wherever they're hosted

Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations. Use Defender for Cloud's recommendations page to view recommendations and remediate issues. For details of the relevant Defender for Cloud recommendations that might appear for this feature, see the compute section of the recommendations reference table.

For Kubernetes clusters on EKS, you'll need to connect your AWS account to Microsoft Defender for Cloud via the environment settings page as described in Connect your AWS accounts to Microsoft Defender for Cloud. Then ensure you've enabled the CSPM plan.

When reviewing the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page, you can use the resource filter.

Workload protection best-practices using Kubernetes admission control

For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto deploy this component as explained in enable auto provisioning of agents and extensions. By default, auto provisioning is enabled when you enable Defender for Containers.

With the add-on on your AKS cluster, every request to the Kubernetes API server is evaluated against the predefined set of best practices before the object is persisted to the cluster. Initially violations are only reported; you can then configure the policies to enforce the best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.
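To make the report-versus-enforce distinction concrete, here is an added example (Python, written for this page; not Microsoft's code and not the add-on's implementation) of the check a validating admission webhook performs for a "no privileged containers" rule. The add-on actually evaluates Azure Policy definitions through OPA Gatekeeper; the constructed AdmissionReview request, the function names and the audit/deny switch below are assumptions made for illustration.

```python
"""Added example, not Microsoft's code: a minimal admission-control check for
privileged containers, evaluated offline against a constructed AdmissionReview.

The request/response shape is the real admission.k8s.io/v1 AdmissionReview; the
rule, the helper names, the 'audit'/'deny' switch and the sample pod are
assumptions for illustration.
"""
from typing import Dict, List

# Constructed AdmissionReview request: what the API server sends a validating
# webhook before persisting the object. Only the fields used here are present.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "payments",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "metadata": {"name": "debug-shell"},
            "spec": {
                "initContainers": [{"name": "setup", "image": "busybox"}],
                "containers": [
                    {"name": "app", "image": "payments:1.4"},
                    {"name": "debug", "image": "nicolaka/netshoot",
                     "securityContext": {"privileged": True}},
                ],
            },
        },
    },
}


def privileged_containers(pod: Dict) -> List[str]:
    """Names of init and regular containers that set securityContext.privileged:
    true. A missing securityContext means the container is not privileged."""
    spec = pod.get("spec", {})
    return [c["name"]
            for c in spec.get("initContainers", []) + spec.get("containers", [])
            if c.get("securityContext", {}).get("privileged") is True]


def evaluate(review: Dict, effect: str = "deny") -> Dict:
    """Build the AdmissionReview response for the rule.

    effect="audit": always allow, but report violations as warnings (monitor only).
    effect="deny":  reject the request when a violation is found (enforced).
    """
    req = review["request"]
    violations: List[str] = []
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        violations = privileged_containers(req["object"])
    allowed = not violations or effect == "audit"
    response: Dict = {"uid": req["uid"], "allowed": allowed}
    if violations:
        msg = (f"privileged container(s) not permitted in namespace "
               f"{req['namespace']}: {', '.join(violations)}")
        if allowed:
            response["warnings"] = [msg]          # audit: surface, don't block
        else:
            response["status"] = {"code": 403, "message": msg}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    import json
    for mode in ("audit", "deny"):
        print(mode, json.dumps(evaluate(SAMPLE_REVIEW, mode)["response"]))
```

Running the block shows the same request accepted with a warning in audit mode and rejected with a 403 status in deny mode; that is the difference between the recommendation-only behaviour and enforcement described above.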

Learn more in Protect your Kubernetes workloads.

Vulnerability assessment

Scanning images in ACR registries

Defender for Containers includes an integrated vulnerability scanner for scanning images in Azure Container Registry registries.

There are three triggers for an image scan:

  • On push - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image. To trigger the scan of an image, push it to your registry.

  • Recently pulled - Since new vulnerabilities are discovered every day, Defender for Containers also scans, on a weekly basis, any image that has been pulled within the last 30 days. There's no extra charge for these rescans; you're billed once per image.

  • On import - Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. Defender for Containers scans any supported images you import. Learn more in Import container images to a container registry.

The scan typically completes within 2 minutes, but it might take up to 40 minutes. For every vulnerability identified, Defender for Cloud provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue.

Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.

Sample Microsoft Defender for Cloud recommendation about vulnerabilities discovered in Azure Container Registry (ACR) hosted images.

Scanning images at runtime

Defender for Containers expands on the registry scanning features of the Defender for container registries plan by introducing the preview feature of run-time visibility of vulnerabilities.

The new recommendation, Vulnerabilities in running images should be remediated (powered by Qualys) groups running images that have vulnerabilities and provides details about the issues discovered and how to remediate them.

Run-time protection for Kubernetes nodes and clusters

Defender for Cloud provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Threat protection at the cluster level is achieved by analyzing the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high privileged roles, and the creation of sensitive mounts. For a list of the cluster level alerts, see the Reference table of alerts.
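As an added example (Python, written for this page; not Defender for Cloud's detection code), the following runs detection rules for the three event types just listed over constructed audit events. The event shape is the real audit.k8s.io/v1 Event that the API server emits; the rule names, severity labels, sensitive-path list and sample events are assumptions made for illustration.

```python
"""Added example, not Microsoft's code: detection rules of the kind applied to
Kubernetes API server audit logs, run offline over constructed events.

The event shape is the real audit.k8s.io/v1 Event. The rule names, severity
labels, sensitive-path list and sample events are assumptions for illustration.
"""
import json
from typing import Dict, Iterable, List

HIGH_PRIVILEGE_ROLES = {"cluster-admin"}
# Host paths that hand a container a route onto the node (assumed list).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/dev",
                        "/var/run/docker.sock", "/var/lib/kubelet")
MUTATING_VERBS = {"create", "update", "patch"}


def is_sensitive_path(path: str) -> bool:
    """True for the node root or any path at/under an entry in SENSITIVE_HOST_PATHS."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def detect(lines: Iterable[str]) -> List[Dict]:
    """Return one alert per matching event. Only successful mutating requests
    are considered: a request the API server rejected changed nothing."""
    alerts: List[Dict] = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in MUTATING_VERBS:
            continue
        if ev.get("responseStatus", {}).get("code", 500) >= 300:
            continue
        ref, obj = ev.get("objectRef", {}), ev.get("requestObject") or {}
        user = ev.get("user", {}).get("username", "?")
        res = ref.get("resource")

        if res in ("clusterrolebindings", "rolebindings"):
            role = obj.get("roleRef", {}).get("name")
            if role in HIGH_PRIVILEGE_ROLES:
                alerts.append({"rule": "high-privileged role binding", "severity": "High",
                               "user": user, "detail": f"{ref.get('name')} -> {role}"})
        elif res == "clusterroles":
            for rule in obj.get("rules", []):
                if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                    alerts.append({"rule": "wildcard cluster role created", "severity": "High",
                                   "user": user, "detail": ref.get("name")})
                    break
        elif res == "pods":
            for vol in obj.get("spec", {}).get("volumes", []):
                hp = vol.get("hostPath", {}).get("path")
                if hp and is_sensitive_path(hp):
                    alerts.append({"rule": "sensitive hostPath mount", "severity": "Medium",
                                   "user": user,
                                   "detail": f"{ref.get('namespace')}/{ref.get('name')} mounts {hp}"})
        elif res == "services":
            name = ref.get("name", "")
            if "dashboard" in name and obj.get("spec", {}).get("type") in ("LoadBalancer", "NodePort"):
                alerts.append({"rule": "dashboard exposed outside the cluster", "severity": "Medium",
                               "user": user,
                               "detail": f"{ref.get('namespace')}/{name} type={obj['spec']['type']}"})
    return alerts


def _event(verb, resource, name, namespace, request_object, code=201,
           user="system:serviceaccount:default:ci-runner") -> str:
    """Build one constructed audit event line (RequestResponse level)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": "ResponseComplete", "verb": verb,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "name": name, "namespace": namespace},
                       "requestObject": request_object,
                       "responseStatus": {"code": code}})


# Constructed sample log: three events that should alert, one benign, one rejected.
SAMPLE_AUDIT_LOG = [
    _event("create", "clusterrolebindings", "ci-admin", None,
           {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "default"}]}),
    _event("create", "pods", "node-debug", "default",
           {"spec": {"containers": [{"name": "sh", "image": "busybox"}],
                     "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]}}),
    _event("update", "services", "kubernetes-dashboard", "kube-system",
           {"spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}),
    _event("create", "configmaps", "app-config", "payments", {"data": {"mode": "prod"}}),
    # Rejected attempt: the API server answered 403, so no binding was created.
    _event("create", "clusterrolebindings", "evil", None,
           {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}, code=403),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(f"[{a['severity']}] {a['rule']}: {a['detail']} (by {a['user']})")
```

Note the filter on responseStatus: audit logs record attempts as well as successes, and a rejected cluster-admin binding is still worth hunting for as reconnaissance, but it belongs in a separate, lower-severity rule rather than the one that fires on an actual privilege grant.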

Our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

FAQ - Defender for Containers

What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for container registries enabled?

Subscriptions that already have one of these plans enabled can continue to benefit from it.

If you haven't enabled them yet, or create a new subscription, these plans can no longer be enabled.

Is Defender for Containers a mandatory upgrade?

No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for container registries enabled don't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities and they will have an upgrade icon shown alongside them in the Azure portal.

Does the new plan reflect a price increase?

No. There is no direct price increase. The new comprehensive Container security plan combines Kubernetes protection and container registry image scanning, and removes the previous dependency on the (paid) Defender for Servers plan.

What are the options to enable the new plan at scale?

We’ve rolled out a new policy in Azure Policy, Configure Microsoft Defender for Containers to be enabled, to make it easier to enable the new plan at scale.

Next steps

In this overview, you learned about the core elements of container security in Microsoft Defender for Cloud. To enable the plan, see: