Cloud Security Posture Management (CSPM) is a core feature of Microsoft Defender for Cloud. CSPM provides continuous visibility into the security state of your cloud assets and workloads, offering actionable guidance to improve your security posture across Azure, AWS, and GCP.
Defender for Cloud continually assesses your cloud infrastructure against security standards defined for your Azure subscriptions, Amazon Web Service (AWS) accounts, and Google Cloud Platform (GCP) projects. Defender for Cloud issues security recommendations to help you identify and reduce cloud misconfigurations and security risks.
By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) standard is enabled and provides recommendations to secure your multicloud environment. The secure score, which is calculated from a subset of the MCSB recommendations, helps you monitor cloud compliance. A higher score indicates a lower identified risk level.
CSPM Plans
Defender for Cloud offers two CSPM plans:
- Foundational CSPM (free): Enabled by default for all onboarded subscriptions and accounts.
- Defender CSPM (paid): Provides capabilities beyond the foundational CSPM plan, including advanced tools for cloud visibility and compliance monitoring, and more advanced security posture features such as AI security posture management, attack path analysis, risk prioritization, and more.
Plan availability
Defender CSPM is available across multiple deployment models and cloud environments:
- Commercial clouds: Available in all Azure commercial regions
- Government clouds: Available in Azure Government and Azure Government Secret
- Multi-cloud: Support for Azure, AWS, and GCP environments
- Hybrid: On-premises resources through Azure Arc
- DevOps: GitHub and Azure DevOps integration
For specific regional availability and government cloud support details, see the support matrix for cloud environments.
| Feature | Foundational CSPM | Defender CSPM | Cloud availability |
|---|---|---|---|
| Asset inventory | Yes | Yes | Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Data exporting | Yes | Yes | Azure, AWS, GCP, on-premises |
| Data visualization and reporting with Azure Workbooks | Yes | Yes | Azure, AWS, GCP, on-premises |
| Microsoft Cloud Security Benchmark | Yes | Yes | Azure, AWS, GCP |
| Secure score | Yes | Yes | Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Security recommendations | Yes | Yes | Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Tools for remediation | Yes | Yes | Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Workflow automation | Yes | Yes | Azure, AWS, GCP, on-premises |
| Agentless code-to-cloud containers vulnerability assessment | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Agentless discovery for Kubernetes | - | Yes | Azure, AWS, GCP |
| Agentless VM secrets scanning | - | Yes | Azure, AWS, GCP |
| Agentless VM vulnerability scanning | - | Yes | Azure, AWS, GCP |
| AI security posture management | - | Yes | Azure, AWS |
| API security posture management | - | Yes | Azure |
| Attack path analysis | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Azure Kubernetes Service security dashboard (Preview) | - | Yes | Azure |
| Code-to-cloud mapping for containers | - | Yes | GitHub, Azure DevOps², Docker Hub, JFrog Artifactory |
| Code-to-cloud mapping for IaC | - | Yes | Azure DevOps², Docker Hub, JFrog Artifactory |
| Critical assets protection | - | Yes | Azure, AWS, GCP |
| Custom recommendations | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Data security posture management (DSPM), sensitive data scanning | - | Yes | Azure, AWS, GCP¹ |
| External attack surface management | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Governance to drive remediation at scale | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Internet exposure analysis | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| PR annotations | - | Yes | GitHub, Azure DevOps² |
| Regulatory compliance assessments | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Risk hunting with security explorer | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Risk prioritization | - | Yes | Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Serverless protection | - | Yes | Azure, AWS |
| ServiceNow integration | - | Yes | Azure, AWS, GCP |
¹ GCP sensitive data discovery only supports Cloud Storage.
² DevOps security capabilities, such as the code-to-cloud contextualization that powers security explorer, attack paths, and pull request annotations for Infrastructure-as-Code security findings, are only available when you enable the paid Defender CSPM plan. Learn more about DevOps security support and prerequisites.
Plan Pricing
- See Defender for Cloud pricing and use the cost calculator to estimate costs.
- Advanced DevOps security posture features (pull request annotations, code-to-cloud mapping, attack path analysis, security explorer) require the paid Defender CSPM plan. The free plan provides basic Azure DevOps recommendations. See DevOps security features.
- Defender CSPM billing is based on specific resources. See the pricing page for details on billable resources for Azure, AWS, and GCP.
Integrations
Defender for Cloud supports integrations with partner systems for incident management and ticketing. Currently, ServiceNow integration is available (preview). For setup, see Integrate ServiceNow with Microsoft Defender for Cloud.
Supported Clouds and Resources
- DevOps security posture capabilities such as pull request annotations, code-to-cloud mapping, attack path analysis, and cloud security explorer are only available through the paid Defender CSPM plan. The free foundational security posture management plan provides Azure DevOps recommendations. Learn more about Azure DevOps security features.
Defender CSPM protects all multicloud workloads, but billing applies only to specific resources. The following tables list the billable resources when you enable Defender CSPM on Azure subscriptions, AWS accounts, or GCP projects.
Azure
AWS
| Service | Resource Types | Exclusions |
|---|---|---|
| Compute | EC2 instances | Deallocated VMs |
| Storage | S3 buckets | – |
| Databases | RDS instances | – |
GCP
| Service | Resource Types | Exclusions |
|---|---|---|
| Compute | Compute instances, Instance Groups | Nonrunning instances |
| Storage | Storage buckets | Nearline/coldline/archive classes, unsupported regions |
| Databases | Cloud SQL instances | – |
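To estimate Defender CSPM cost from an inventory, the AWS and GCP exclusions in the tables above can be applied as a filter. The following is an added example, not Microsoft's code: the inventory is constructed sample data, "deallocated" is treated as a stopped EC2 state, and the unsupported-region set is an assumed placeholder because the page does not enumerate those regions.

```python
"""Classify cloud resources as billable or excluded under the Defender CSPM
billing rules for AWS and GCP (added example, not Microsoft's code)."""
from dataclasses import dataclass

# Assumption: placeholder for GCP regions Defender CSPM does not support.
UNSUPPORTED_GCP_REGIONS = {"example-unsupported-region"}
GCP_EXCLUDED_STORAGE_CLASSES = {"NEARLINE", "COLDLINE", "ARCHIVE"}


@dataclass(frozen=True)
class Resource:
    cloud: str            # "aws" or "gcp"
    service: str          # "compute", "storage" or "databases"
    kind: str             # ec2 | s3 | rds | instance | instance-group | bucket | cloudsql
    name: str
    state: str = ""       # compute only: "running" / "stopped" / "terminated"
    storage_class: str = ""
    region: str = ""


def is_billable(r: Resource) -> bool:
    """True if the resource counts toward Defender CSPM billing."""
    if r.cloud == "aws":
        if r.kind == "ec2":
            return r.state == "running"   # deallocated (stopped) VMs excluded
        return r.kind in {"s3", "rds"}    # S3 buckets, RDS instances: no exclusions
    if r.cloud == "gcp":
        if r.kind in {"instance", "instance-group"}:
            return r.state == "running"   # nonrunning instances excluded
        if r.kind == "bucket":            # excluded: cold classes, unsupported regions
            return (r.storage_class.upper() not in GCP_EXCLUDED_STORAGE_CLASSES
                    and r.region not in UNSUPPORTED_GCP_REGIONS)
        return r.kind == "cloudsql"       # Cloud SQL instances: no exclusions
    return False


def billable_summary(inventory):
    """Count billable resources per (cloud, service) for cost estimation."""
    summary = {}
    for r in inventory:
        if is_billable(r):
            summary[(r.cloud, r.service)] = summary.get((r.cloud, r.service), 0) + 1
    return summary


SAMPLE_INVENTORY = [  # constructed sample data
    Resource("aws", "compute", "ec2", "web-1", state="running"),
    Resource("aws", "compute", "ec2", "batch-old", state="stopped"),
    Resource("aws", "storage", "s3", "logs"),
    Resource("aws", "databases", "rds", "orders"),
    Resource("gcp", "compute", "instance", "api-1", state="running"),
    Resource("gcp", "compute", "instance", "api-2", state="terminated"),
    Resource("gcp", "storage", "bucket", "hot", storage_class="STANDARD", region="us-central1"),
    Resource("gcp", "storage", "bucket", "cold", storage_class="ARCHIVE", region="us-central1"),
    Resource("gcp", "storage", "bucket", "far", storage_class="STANDARD",
             region="example-unsupported-region"),
    Resource("gcp", "databases", "cloudsql", "main"),
]
```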
Azure Cloud Support
For commercial and national cloud coverage, see Azure cloud environment support matrix.
Next Steps
- Watch Cloud Security Posture Management with Microsoft Defender
- Learn about security standards and recommendations
- Learn about secure score