When you enable Defender for Containers capabilities that use automatic provisioning, or use recommendations to manually deploy container capabilities on specific resources, Defender components and extensions are installed in your environment. To help you keep track of these components, the tables in the following sections list each Defender for Cloud feature together with the Defender for Containers components, extensions, and roles it installs.
If you stop using those capabilities, you might also want to remove the components from your environment. This article describes which components exist, how to remove each one manually, and which ones are shared with other solutions.
The components and roles fall into two removal categories:
- Safe to remove - Resources and settings used exclusively by Defender for Containers. They can be removed safely if you're no longer using the associated capability.
- Shared component - Resources that might be used by solutions other than Defender for Cloud, or by other Defender for Cloud plans in the target cloud environment. Disabling a shared resource can break those other solutions, so check whether anything else in that cloud environment still depends on it before removing it.
Azure scenarios for resources created automatically after enabling Defender for Containers on the subscription
Offering | Resource | Manual offboarding | Removal information |
---|---|---|---|
Workload runtime threat protection | Defender sensor (per cluster) + Azure Arc-enabled Kubernetes | Defender sensor removal | Safe to remove |
Kubernetes data plane hardening | Azure Policy for Kubernetes | Delete Arc-enabled resources | Safe to remove |
AWS scenarios
Resources created via CloudFormation script
Offering | Resource | Manual offboarding | Removal information |
---|---|---|---|
Agentless container vulnerability assessment | MDCContainersImageAssessmentRole | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Shared between three container offerings: container runtime threat protection, auto-provisioning of the Defender sensor for Azure Arc, and auto-provisioning of the Azure Policy extension for Azure Arc | MDCContainersK8sRole | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Container runtime threat protection | MDCContainersK8sDataCollectionRole | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Container runtime threat protection | MDCContainersK8sCloudWatchToKinesisRole | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Container runtime threat protection | MDCContainersK8sKinesisToS3RoleName | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Agentless discovery for Kubernetes | MDCContainersAgentlessDiscoveryK8sRole | Deleting roles or instance profiles - AWS Identity and Access Management (amazon.com) | Safe to remove |
Identity provider required by all Defender for Cloud components | ASCDefendersOIDCIdentityProvider | Delete only if you're removing all Defender for Cloud components from the account. First retrieve the list of the provider's clients (the IAM roles that trust it) using the AWS IAM API; if none remain, delete the provider using the AWS IAM console or CLI. | Shared component |
Resources created automatically after connector creation - AWS
Offering | Resource | Manual offboarding | Removal information |
---|---|---|---|
Container runtime threat protection | S3 bucket | Deleting a bucket - Amazon Simple Storage Service. Created per cluster; naming convention: azuredefender-<Region Name>-<AWS Account Id>-<Cluster Name> | Safe to remove |
Container runtime threat protection | SQS queue | Deleting an Amazon SQS queue - Amazon Simple Queue Service. Created per cluster; naming convention: azuredefender-<Region Name>-<AWS Account Id>-<Cluster Name> | Safe to remove |
Container runtime threat protection | Kinesis Data Firehose delivery stream | For each cluster, delete the Kinesis delivery stream. Created per cluster; ARN convention: arn:aws:firehose:<AWS Region>:<AWS Account Id>:deliverystream/azuredefender-<Cluster Name> | Safe to remove |
Workload runtime threat protection, Kubernetes data plane hardening | Azure Arc-enabled Kubernetes (connects your EKS clusters to Azure) | Remove Azure Arc-enabled Kubernetes per cluster via the Azure CLI or Azure PowerShell. Running this command deletes all Arc-related resources, including extensions | Safe to remove |
Workload runtime threat protection | Defender sensor | Remove the Defender sensor per cluster using the Azure portal, Azure CLI, or REST API | Safe to remove |
Kubernetes data plane hardening | Azure Policy extension | Remove Defender extensions per cluster using the Azure portal, Azure CLI, or REST API | Safe to remove |
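The two AWS tables above give naming conventions for the per-cluster resources and flag the OIDC provider as shared. The script below is an added example, not part of this article or of Microsoft's tooling: it derives each cluster's resource names from the documented conventions, deletes them in data-flow order, and refuses to delete the OIDC provider while any IAM role still trusts it. The SQS queue URL layout, the deletion order, and the "roles whose trust policy references the provider ARN are its clients" check are assumptions of this example; the region, account ID, and cluster name shown are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the Defender for Cloud documentation: offboard the
# per-cluster AWS resources that the connector creates, deriving their names
# from the naming conventions in the tables above, and gate deletion of the
# shared OIDC provider on a check that no IAM role still trusts it.
# DRY_RUN=1 (the default) only prints the aws CLI commands it would run.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Documented convention: azuredefender-<Region Name>-<AWS Account Id>-<Cluster Name>
defender_bucket_name() { printf 'azuredefender-%s-%s-%s\n' "$1" "$2" "$3"; }
defender_queue_name()  { printf 'azuredefender-%s-%s-%s\n' "$1" "$2" "$3"; }
# Assumption: the standard SQS queue URL layout, so the dry run needs no API call.
defender_queue_url() {
  printf 'https://sqs.%s.amazonaws.com/%s/%s\n' "$1" "$2" "$(defender_queue_name "$1" "$2" "$3")"
}
# Documented ARN: arn:aws:firehose:<Region>:<Account>:deliverystream/azuredefender-<Cluster Name>
defender_firehose_name() { printf 'azuredefender-%s\n' "$1"; }
defender_firehose_arn() {
  printf 'arn:aws:firehose:%s:%s:deliverystream/%s\n' "$1" "$2" "$(defender_firehose_name "$3")"
}

# Delete in data-flow order (assumed): stop the delivery stream that writes
# into S3, then the SQS queue that receives bucket notifications, then empty
# and delete the bucket (S3 refuses to delete a non-empty bucket).
offboard_cluster() {
  region="$1"; account="$2"; cluster="$3"
  run aws firehose delete-delivery-stream --delivery-stream-name "$(defender_firehose_name "$cluster")"
  run aws sqs delete-queue --queue-url "$(defender_queue_url "$region" "$account" "$cluster")"
  bucket="$(defender_bucket_name "$region" "$account" "$cluster")"
  run aws s3 rm "s3://$bucket" --recursive
  run aws s3api delete-bucket --bucket "$bucket"
}

# Shared component: the OIDC identity provider is used by every Defender for
# Cloud plan connected to the account. Treat any IAM role whose trust policy
# references the provider ARN as a remaining client and refuse to delete it.
roles_trusting_provider() {
  aws iam list-roles --output text \
    --query "Roles[?contains(to_string(AssumeRolePolicyDocument), '$1')].RoleName"
}

delete_oidc_provider_if_unused() {
  provider_arn="$1"
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ (check) roles_trusting_provider $provider_arn must print nothing"
    echo "+ aws iam delete-open-id-connect-provider --open-id-connect-provider-arn $provider_arn"
    return 0
  fi
  remaining="$(roles_trusting_provider "$provider_arn")"
  if [ -n "$remaining" ]; then
    echo "refusing to delete $provider_arn: still trusted by roles: $remaining" >&2
    return 1
  fi
  aws iam delete-open-id-connect-provider --open-id-connect-provider-arn "$provider_arn"
}

# Usage: DRY_RUN=0 sh offboard-aws.sh <region> <account-id> <cluster-name> [oidc-provider-arn]
if [ "$#" -ge 3 ]; then
  offboard_cluster "$1" "$2" "$3"
  if [ -n "${4:-}" ]; then
    delete_oidc_provider_if_unused "$4"
  fi
fi
```

Run it once per cluster with the defaults to review the commands, then with DRY_RUN=0 to execute them. Pass the provider ARN only on the last cluster, after every other Defender for Cloud plan has been disconnected; the role-trust check is a safety net, not a substitute for reviewing the other plans.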
GCP scenarios
Resource created via script
Offering | Resource | Manual offboarding | Removal information |
---|---|---|---|
Workload runtime threat protection | logging.googleapis.com API | The Cloud Logging API might be used by clients other than Defender for Cloud in your project. Check for other consumers of the Logging API (for example, other log sinks) before disabling it; if none remain, disable the API. | Shared component |
Workload runtime threat protection | Data Access audit logs configuration | Disable Data Access audit logs for the Kubernetes Engine API, after confirming no other solution consumes them | Shared component |
Workload runtime threat protection, Kubernetes data plane hardening | ms-defender-containers (service account) | gcloud iam service-accounts delete | Safe to remove |
Workload runtime threat protection | ms-defender-containers-stream (service account) | gcloud iam service-accounts delete | Safe to remove |
Agentless discovery for Kubernetes | mdc-containers-k8s-operator stream (service account) | gcloud iam service-accounts delete | Safe to remove |
Agentless container vulnerability assessment | mdc-containers-artifact-assess stream (service account) | gcloud iam service-accounts delete | Safe to remove |
Container runtime threat protection | MicrosoftDefenderContainersDataCollectionRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
Container runtime threat protection | MicrosoftDefenderContainersRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
Agentless discovery for Kubernetes | MDCGkeClusterWriteRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
Shared between all five container offerings | containers OIDC workload identity pool provider | Manage workload identity pools and providers | Safe to remove |
Workload runtime threat protection | containers-streams OIDC workload identity pool provider | Manage workload identity pools and providers | Safe to remove |
Resources created automatically after connector creation - GCP
Offering | Resource | Manual offboarding | Removal information |
---|---|---|---|
Workload runtime threat protection | Pub/Sub topic | gcloud pubsub topics delete. Each cluster in a project has a topic with the prefix MicrosoftDefender- | Safe to remove |
Workload runtime threat protection | Pub/Sub subscription | gcloud pubsub subscriptions delete. Each cluster in a project has a subscription with the prefix MicrosoftDefender- | Safe to remove |
Workload runtime threat protection | Log sink | gcloud logging sinks delete (Google Cloud CLI documentation) | Safe to remove |
Workload runtime threat protection | Defender sensor (per cluster in a project) + Azure Arc-enabled Kubernetes | Defender sensor removal | Safe to remove |
Workload runtime threat protection, Kubernetes data plane hardening | Azure Arc-enabled Kubernetes (connects your GKE clusters to Azure) | Remove Azure Arc-enabled Kubernetes per cluster via the Azure CLI or Azure PowerShell. Running this command deletes all Arc-related resources, including extensions | Safe to remove |
Workload runtime threat protection, Kubernetes data plane hardening | Azure Policy extension | Remove Defender extensions per cluster using the Azure portal, Azure CLI, or REST API | Safe to remove |
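The GCP tables identify the per-cluster Pub/Sub topic and subscription only by their MicrosoftDefender- prefix and leave open how to tell whether the shared Logging API is still in use. The script below is an added example, not part of this article or of Microsoft's tooling: it selects the Defender-owned log sinks, subscriptions, and topics from gcloud listings by that prefix, deletes them sink first, and then reports whether any other sink still depends on the Logging API. Identifying Defender sinks by a destination topic with the prefix, excluding the built-in _Required and _Default sinks, and treating remaining sinks as "other clients" of the Logging API are assumptions of this example; the sink and topic names in the sample listing are constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the Defender for Cloud documentation: remove the
# per-cluster GCP resources the connector creates (log sink, Pub/Sub
# subscription and topic), found by the documented MicrosoftDefender- prefix,
# and report whether the shared Logging API still has other consumers.
# DRY_RUN=1 (the default) only prints the gcloud commands it would run.
DRY_RUN="${DRY_RUN:-1}"
PREFIX="MicrosoftDefender-"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Keep only names that start with the Defender prefix. Input: one resource
# name per line, as printed by gcloud ... --format='value(name.basename())'.
defender_names() {
  grep "^${PREFIX}" || true
}

# Sink listing lines are "<name><TAB><destination>", the output of
# gcloud logging sinks list --format='value(name,destination)'.
# Assumption: a sink whose destination is a topic with the Defender prefix
# belongs to Defender; every other user-created sink is another client.
defender_sinks() {
  awk -F'\t' -v p="$PREFIX" 'index($2, "/topics/" p) > 0 { print $1 }'
}
other_sinks() {
  awk -F'\t' -v p="$PREFIX" \
    'index($2, "/topics/" p) == 0 && $1 != "_Required" && $1 != "_Default" { print $1 }'
}

# Delete in data-flow order (assumed): the sink that produces messages first,
# then the subscription, then the topic. Arguments are listings, so the
# decision logic can be exercised without project access.
#   $1 project, $2 sink listing, $3 subscription names, $4 topic names
offboard_project() {
  project="$1"
  for s in $(printf '%s\n' "$2" | defender_sinks); do
    run gcloud logging sinks delete "$s" --project "$project" --quiet
  done
  for s in $(printf '%s\n' "$3" | defender_names); do
    run gcloud pubsub subscriptions delete "$s" --project "$project" --quiet
  done
  for t in $(printf '%s\n' "$4" | defender_names); do
    run gcloud pubsub topics delete "$t" --project "$project" --quiet
  done
  remaining="$(printf '%s\n' "$2" | other_sinks)"
  if [ -n "$remaining" ]; then
    echo "logging.googleapis.com still has other sinks ($remaining): keep the API and GKE Data Access audit logs enabled" >&2
  else
    echo "no other user-created sinks: review remaining consumers before disabling logging.googleapis.com" >&2
  fi
}

# Live variant: pull the three listings from the project, then offboard.
live_offboard() {
  project="$1"
  offboard_project "$project" \
    "$(gcloud logging sinks list --project "$project" --format='value(name,destination)')" \
    "$(gcloud pubsub subscriptions list --project "$project" --format='value(name.basename())')" \
    "$(gcloud pubsub topics list --project "$project" --format='value(name.basename())')"
}

# Constructed sample listing (not real project data) for an offline dry run:
# one Defender sink, the built-in _Default sink, and an unrelated SIEM export.
SAMPLE_SINKS="$(printf 'MicrosoftDefender-prod-gke-sink\tpubsub.googleapis.com/projects/demo-proj/topics/MicrosoftDefender-prod-gke\n_Default\tlogging.googleapis.com/projects/demo-proj/locations/global/buckets/_Default\nsiem-export\tpubsub.googleapis.com/projects/demo-proj/topics/siem-all-logs\n')"
SAMPLE_SUBS="$(printf 'MicrosoftDefender-prod-gke\nmy-app-sub\n')"
SAMPLE_TOPICS="$(printf 'MicrosoftDefender-prod-gke\nmy-app\n')"

# Usage: sh offboard-gcp.sh <project-id>        (dry run against live listings)
#        DRY_RUN=0 sh offboard-gcp.sh <project-id>
if [ "$#" -ge 1 ]; then
  live_offboard "$1"
fi
```

With the sample listing, the dry run deletes only the three MicrosoftDefender- resources, leaves my-app and siem-export untouched, and reports that siem-export still uses the Logging API, which is exactly the case in which the two shared components should stay enabled.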
Related content
- Learn how to enable Defender for Containers.
- View the Containers support matrix in Defender for Cloud