Cloud security posture management (CSPM)

One of Microsoft Defender for Cloud's main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.

Defender for Cloud continually assesses your resources against security standards that are defined for your Azure subscriptions, AWS accounts, and GCP projects. Defender for Cloud issues security recommendations based on these assessments.

By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) compliance standard is turned on. It provides recommendations. Defender for Cloud provides an aggregated secure score based on some of the MCSB recommendations. The higher the score, the lower the identified risk level.

CSPM features

Defender for Cloud provides the following CSPM offerings:

  • Foundational CSPM - Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to Defender for Cloud.

  • Defender Cloud Security Posture Management (CSPM) plan - The optional, paid Defender for Cloud Secure Posture Management plan provides more, advanced security posture features.

Plan availability

Learn more about Defender CSPM pricing.

The following table summarizes each plan and their cloud availability.

Feature Foundational CSPM Defender CSPM Cloud availability
Security recommendations Azure, AWS, GCP, on-premises
Asset inventory Azure, AWS, GCP, on-premises
Secure score Azure, AWS, GCP, on-premises
Data visualization and reporting with Azure Workbooks Azure, AWS, GCP, on-premises
Data exporting Azure, AWS, GCP, on-premises
Workflow automation Azure, AWS, GCP, on-premises
Tools for remediation Azure, AWS, GCP, on-premises
Microsoft Cloud Security Benchmark Azure, AWS, GCP
Security governance - Azure, AWS, GCP, on-premises
Regulatory compliance standards - Azure, AWS, GCP, on-premises
Cloud security explorer - Azure, AWS, GCP
Attack path analysis - Azure, AWS, GCP
Agentless scanning for machines - Azure, AWS, GCP
Agentless container security posture - Azure, AWS, GCP
Container registries vulnerability assessment, including registry scanning - Azure, AWS, GCP
Data aware security posture - Azure, AWS, GCP
EASM insights in network exposure - Azure, AWS, GCP
Permissions management (Preview) - Azure, AWS, GCP

Note

Starting March 7, 2024, Defender CSPM must be enabled to have premium DevOps security capabilities that include code-to-cloud contextualization powering security explorer and attack paths and pull request annotations for Infrastructure-as-Code security findings. See DevOps security support and prerequisites to learn more.

Integrations (preview)

Microsoft Defender for Cloud now has built-in integrations to help you use third-party systems to seamlessly manage and track tickets, events, and customer interactions. You can push recommendations to a third-party ticketing tool, and assign responsibility to a team for remediation.

Integration streamlines your incident response process, and improves your ability to manage security incidents. You can track, prioritize, and resolve security incidents more effectively.

You can choose which ticketing system to integrate. For preview, only ServiceNow integration is supported. For more information about how to configure ServiceNow integration, see Integrate ServiceNow with Microsoft Defender for Cloud (preview).

Plan pricing

  • Review the Defender for Cloud pricing page to learn about Defender CSPM pricing.

  • From March 7, 2024, advanced DevOps security posture capabilities will only be available through the paid Defender CSPM plan. Free foundational security posture management in Defender for Cloud will continue providing a number of Azure DevOps recommendations. Learn more about DevOps security features.

  • For subscriptions that use both Defender CSPM and Defender for Containers plans, free vulnerability assessment is calculated based on free image scans provided via the Defender for Containers plan, as summarized in the Microsoft Defender for Cloud pricing page.

  • Defender CSPM protects all multicloud workloads, but billing is applied only on specific resources. The following tables list the billable resources when Defender CSPM is enabled on Azure subscriptions, AWS accounts, or GCP projects.

    Azure Service Resource types Exclusions
    Compute Microsoft.Compute/virtualMachines
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines
    Microsoft.ClassicCompute/virtualMachines
    - Deallocated VMs
    - Databricks VMs
    Storage Microsoft.Storage/storageAccounts Storage accounts without blob containers or file shares
    DBs Microsoft.Sql/servers
    Microsoft.DBforPostgreSQL/servers
    Microsoft.DBforMySQL/servers
    Microsoft.Sql/managedInstances
    Microsoft.DBforMariaDB/servers
    Microsoft.Synapse/workspaces
    ---
    AWS Service Resource types Exclusions
    Compute EC2 instances Deallocated VMs
    Storage S3 Buckets ---
    DBs RDS instances ---
    GCP Service Resource types Exclusions
    Compute 1. Google Compute instances
    2. Google Instance Group
    Instances with non-running states
    Storage Storage buckets - Buckets from classes: ‘nearline’, ‘coldline’, ‘archive’
    - Buckets from regions other than: europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1
    DBs Cloud SQL Instances ---

Azure cloud support

For commercial and national cloud coverage, review the features supported in Azure cloud environments.

Next steps