Common questions about permissions in Defender for Cloud

How do permissions work in Microsoft Defender for Cloud?

Microsoft Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure.

Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you're assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.

See Permissions in Microsoft Defender for Cloud to learn more about roles and allowed actions in Defender for Cloud.

Who can modify a security policy?

To modify a security policy, you must be a Security Admin or an Owner or Contributor of that subscription.

To learn how to configure a security policy, see Setting security policies in Microsoft Defender for Cloud.

Which permissions are used by agentless scanning?

The roles and permissions used by Defender for Cloud to perform agentless scanning on your Azure, AWS, and GCP environments are listed here. In Azure, these permissions are automatically added to your subscriptions when you enable agentless scanning. In AWS, these permissions are added to the CloudFormation stack in your AWS connector, and in GCP, the permissions are added to the onboarding script in your GCP connector.

  • Azure permissions - The built-in role “VM scanner operator” has read-only permissions for VM disks that are required for the snapshot process. The detailed list of permissions is:

    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Compute/disks/diskEncryptionSets/read
    • Microsoft.Compute/virtualMachines/instanceView/read
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read

    When coverage for CMK-encrypted disks is enabled, these additional permissions are used:

    • Microsoft.KeyVault/vaults/keys/read
    • Microsoft.KeyVault/vaults/keys/wrap/action
    • Microsoft.KeyVault/vaults/keys/unwrap/action
  • AWS permissions - The role “VmScanner” is assigned to the scanner when you enable agentless scanning. This role has the minimal permission set to create and clean up snapshots (scoped by tag) and to verify the current state of the VM. The detailed permissions are:

    SID:        VmScannerDeleteSnapshotAccess
    Actions:    ec2:DeleteSnapshot
    Conditions: "StringEquals":{"ec2:ResourceTag/CreatedBy":"Microsoft Defender for Cloud"}
    Resources:  arn:aws:ec2:::snapshot/
    Effect:     Allow

    SID:        VmScannerAccess
    Actions:    ec2:ModifySnapshotAttribute, ec2:DeleteTags, ec2:CreateTags, ec2:CreateSnapshots, ec2:CopySnapshots, ec2:CreateSnapshot
    Conditions: None
    Resources:  arn:aws:ec2:::instance/, arn:aws:ec2:::snapshot/, arn:aws:ec2:::volume/
    Effect:     Allow

    SID:        VmScannerVerificationAccess
    Actions:    ec2:DescribeSnapshots, ec2:DescribeInstanceStatus
    Conditions: None
    Resources:  *
    Effect:     Allow

    SID:        VmScannerEncryptionKeyCreation
    Actions:    kms:CreateKey
    Conditions: None
    Resources:  *
    Effect:     Allow

    SID:        VmScannerEncryptionKeyManagement
    Actions:    kms:TagResource, kms:GetKeyRotationStatus, kms:PutKeyPolicy, kms:GetKeyPolicy, kms:CreateAlias, kms:ListResourceTags
    Conditions: None
    Resources:  arn:aws:kms::${AWS::AccountId}:key/, arn:aws:kms:*:${AWS::AccountId}:alias/DefenderForCloudKey
    Effect:     Allow

    SID:        VmScannerEncryptionKeyUsage
    Actions:    kms:GenerateDataKeyWithoutPlaintext, kms:DescribeKey, kms:RetireGrant, kms:CreateGrant, kms:ReEncryptFrom
    Conditions: None
    Resources:  arn:aws:kms::${AWS::AccountId}:key/
    Effect:     Allow
  • GCP permissions - During onboarding, a new custom role is created with the minimal permissions required to get instance status and create snapshots. In addition, permissions from an existing GCP KMS role are granted to support scanning of disks that are encrypted with CMEK. The roles are:

    • roles/MDCAgentlessScanningRole granted to Defender for Cloud’s service account with permissions: compute.disks.createSnapshot, compute.instances.get
    • roles/cloudkms.cryptoKeyEncrypterDecrypter granted to Defender for Cloud’s compute engine service agent
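The AWS statements above are only least-privilege if they stay in that shape. The following is an added example, not code from Microsoft or the Defender for Cloud onboarding stack: a small audit that reads an IAM policy document for the VmScanner role and reports any Allow action outside the expected set, and any ec2:DeleteSnapshot grant that has lost its ec2:ResourceTag/CreatedBy condition. The two policy documents embedded in it are constructed samples, and their resource ARNs are illustrative.

```python
# Expected Allow actions for the "VmScanner" role, transcribed from the statements above.
EXPECTED_ACTIONS = {
    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute", "ec2:DeleteTags", "ec2:CreateTags",
    "ec2:CreateSnapshots", "ec2:CopySnapshots", "ec2:CreateSnapshot", "ec2:DescribeSnapshots",
    "ec2:DescribeInstanceStatus", "kms:CreateKey", "kms:TagResource", "kms:GetKeyRotationStatus",
    "kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:CreateAlias", "kms:ListResourceTags",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:RetireGrant",
    "kms:CreateGrant", "kms:ReEncryptFrom",
}
SCOPE_TAG = "ec2:ResourceTag/CreatedBy"
SCOPE_VALUE = "Microsoft Defender for Cloud"


def _as_list(value):  # IAM allows a single string or a list for Action
    return value if isinstance(value, list) else [value]


def audit_vm_scanner_policy(policy):
    """Return findings for Allow statements that drift from the expected minimal set."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action not in EXPECTED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        # Deleting snapshots must stay limited to snapshots the scanner tagged itself.
        if "ec2:DeleteSnapshot" in actions:
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            if equals.get(SCOPE_TAG) != SCOPE_VALUE:
                findings.append(f"{sid}: ec2:DeleteSnapshot not scoped by {SCOPE_TAG}")
    return findings


# Constructed sample policies (only the ec2 statements; resource ARNs are illustrative).
EXPECTED_SHAPE = {"Statement": [
    {"Sid": "VmScannerDeleteSnapshotAccess", "Effect": "Allow", "Action": "ec2:DeleteSnapshot",
     "Resource": "arn:aws:ec2:*:*:snapshot/*",
     "Condition": {"StringEquals": {SCOPE_TAG: SCOPE_VALUE}}},
    {"Sid": "VmScannerVerificationAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeSnapshots", "ec2:DescribeInstanceStatus"]},
]}
DRIFTED_SHAPE = {"Statement": [
    {"Sid": "VmScannerDeleteSnapshotAccess", "Effect": "Allow",
     "Action": ["ec2:DeleteSnapshot", "ec2:DeleteVolume"], "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_SHAPE), ("drifted", DRIFTED_SHAPE)):
        print(name, audit_vm_scanner_policy(doc) or "OK")
```

To audit a live role, feed it the policy document returned by `aws iam get-role-policy` (or `get-policy-version`) instead of the embedded samples.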

What is the minimum SAS policy permission required when exporting data to Azure Event Hubs?

Send is the minimum SAS policy permission required. For step-by-step instructions, see Step 1: Create an Event Hubs namespace and event hub with send permissions in this article.