Defender for Cloud - AWS onboarding

Paweł Haubus 20

I am currently playing with DfC and decided to onboard single AWS account. My Azure subscription is set to forward DfC logs to custom LAW insted of using DfC default.

Now, when i onboard AWS account, all the logs, alerts, sec scores etc, are also forwarded to the custom LAW. I assume this is based on the fact that DfC AWS connector is located in my subscription and AWS config will follow residing subscription setup.

My question is, can i somehow change this behaviour and set indyvidual LAW only for AWS DfC logs? If lets say i need to take consideration for data residency or data segregation, how would i do that in DfC? so far i can't find the option to do it...

Marilee Turscak-MSFT 36,861 Reputation points Microsoft Employee

2024-08-06T23:16:18.1+00:00

Hi @Paweł Haubus ,

If you need to set up data segregation, you need to use only one Log Analytics Workspace for each owner. I believe you can apply permissions based on resource groups to isolate the data to AWS only, or create an incident creation rule to only generate incidents based on Defender for Cloud AWS logos.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/frequently-asked-questions-about-the-unified-security-operations/ba-p/4212048

https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud

I'm discussing your question with a colleague though and will update this as I confirm.
Paweł Haubus 20 Reputation points

2024-08-07T04:28:39.39+00:00
Hi Marilee,
Thanks a lot for your answer much appriciated. To make the question a bit more clear maybe

On Azure Subscription there are options for continuous export (per sub), this includes sec recomendations, sec score , alerts etc

same options are not available for connected AWS accounts/organizations

i can segregate access to DfC itself based on permissions applied to RG where aws connector is locat, this is fine

main question is about the LAW, and data stored in the LAW. if i have sensitive AWS account which i want to isolate, i can of course do it on DfC level, but people with access to LAW where DfC data is send from all subscriptions and accounts, will have access to LAW data for all subs / accounts connected to DfC and that includes my 'sensitive' AWS account which i would like to prevent

so what i missing is continuous export configuration of data from DfC for AWS (or GCP)

Thanks, and hope this clears is a bit more

P
Marilee Turscak-MSFT 36,861 Reputation points Microsoft Employee

2024-08-09T00:12:01.2866667+00:00

Hi @Paweł Haubus , this might be a limitation of the product but I'm trying to confirm with my colleague on the LAW team.
Paweł Haubus 20 Reputation points

2024-08-09T06:38:34.29+00:00
Thanks Marilee, just to give you another update, i had some discussions with my colegues and we came to the conclusion that the best approach would be the following

for AWS onboarding to DfC, create dedicated subscription specifically for AWS connectors only, and configure custom LAW for DfC logs if needed, this way we can segregate AWS data from Azure

for sensitive AWS accounts we can also go with the approach to create one Azure subscription per AWS account connected to DfC, so the only resource in the Az subscription would be AWS connector and LAW with data from DfC

I think we have workable solution for now but if you guys do have any other sugestions i will be interested to see them :)

Once again thanks for your help,
P
Ryan Hill 28,631 Reputation points Microsoft Employee

2024-08-09T14:43:00.1566667+00:00

Hi @Paweł Haubus, just to confirm, in short you like to obfuscate sensitive information that DfC is receiving from your AWS into your log analytics workspace? Is the data being collected into one single table or multiple tables?

Accepted answer

Ryan Hill 28,631 Reputation points Microsoft Employee

2024-08-12T14:48:19.03+00:00
Hi @Paweł Haubus,

I've reached out to the product team for additional insights. Accordingly, there are several solutions which are dictated by the boundaries of your workstream.

If you just removing sensitive data, you can create an ingestion transformation rule that remove the fields/values.

If you want to allow access to some users and not others, you can split the incoming data into two workspaces. Similar to what you've done thus far but you don't need to create two separate subscriptions to achieve this. You would essentially filter the data on one and leave as-is on the other.

If the non-sensitive data consumers are looking for less granular data, you can use a summary rule to create clean and aggregated summaries of the original data assign different RBAC roles to uses for the results.
Please sign in to rate this answer.
Paweł Haubus 20 Reputation points

2024-08-12T20:06:23.7933333+00:00

Hi Ryan, Thanks for your help here!
Thats great feedback.

About point 2. do you mean i would forward AWS data from one workspace to another within one subscription to split it the final destination for it?

Once again thanks! much appriaicted!

Ryan Hill 28,631 Reputation points Microsoft Employee

2024-08-13T15:30:25.81+00:00

@Paweł Haubus no, that isn't what I meant, albeit it is something that you can do. You can create two separate DCRs, one sanitized and the other intact and configure their endpoints to two separate log analytics workspaces and control the access.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Defender for Cloud - AWS onboarding

0 additional answers

Your answer