Quickstart: Connect your AWS accounts to Microsoft Defender for Cloud

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), GitHub and Azure DevOps (ADO).

To protect your AWS-based resources, you can connect an AWS account with either:

  • Native cloud connector (recommended) - Provides an agentless connection to your AWS account that you can extend with Defender for Cloud's Defender plans to secure your AWS resources.

  • Classic cloud connector - Requires configuration in your AWS account to create a user that Defender for Cloud can use to connect to your AWS environment. If you have classic cloud connectors, we recommend that you delete these connectors, and use the native connector to reconnect to the account. Using both the classic and native connectors can produce duplicate recommendations.

For a reference list of all the recommendations Defender for Cloud can provide for AWS resources, see Security recommendations for AWS resources - a reference guide.

Screenshot: AWS accounts listed on Defender for Cloud's overview dashboard.

You can learn more by watching this video from the Defender for Cloud in the Field video series.

Availability

Release state: General Availability (GA)
Pricing: The Defender for SQL plan is billed at the same price as Azure resources. The Defender for Containers plan is free during the preview; after that, it will be billed for AWS at the same price as for Azure resources. For every AWS machine connected to Azure, the Defender for Servers plan is billed at the same price as the Microsoft Defender for Servers plan for Azure machines. Learn more about Defender plan pricing and billing.
Required roles and permissions: Contributor permission for the relevant Azure subscription; Administrator on the AWS account.
Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet)

Prerequisites

The native cloud connector requires:

  • Access to an AWS account.

  • To enable the Defender for Containers plan, you'll need:

    • At least one Amazon EKS cluster with permission to access the EKS Kubernetes API server. If you need to create a new EKS cluster, follow the instructions in Getting started with Amazon EKS – eksctl.
    • The resource capacity to create a new SQS queue, Kinesis Data Firehose delivery stream, and S3 bucket in the cluster's region.
  • To enable the Defender for SQL plan, you'll need:

    • Microsoft Defender for SQL enabled on your subscription. Learn how to enable protection on all of your databases.

    • An active AWS account, with EC2 instances running SQL server or RDS Custom for SQL Server.

    • Azure Arc for servers installed on your EC2 instances/RDS Custom for SQL Server.

      • (Recommended) Use the auto provisioning process to install Azure Arc on all of your existing and future EC2 instances.

        Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent preinstalled; they are listed in AMIs with SSM Agent preinstalled. If your EC2 instances don't have the SSM Agent, install it by following the relevant instructions from Amazon for your operating system.

      Note

      To enable the Azure Arc auto-provisioning, you'll need Owner permission on the relevant Azure subscription.

    • Other extensions should be enabled on the Arc-connected machines:

      • Microsoft Defender for Endpoint

      • VA solution (TVM/Qualys)

      • Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

        Make sure the selected LA workspace has the security solution installed. The LA agent and AMA are currently configured at the subscription level. All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.

      Learn more about monitoring components for Defender for Cloud.

  • To enable the Defender for Servers plan, you'll need:

    • Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in Enable enhanced security features.

    • An active AWS account, with EC2 instances.

    • Azure Arc for servers installed on your EC2 instances.

      Note

      To enable the Azure Arc auto-provisioning, you'll need an Owner permission on the relevant Azure subscription.

    • Other extensions should be enabled on the Arc-connected machines:

      • Microsoft Defender for Endpoint

      • VA solution (TVM/Qualys)

      • Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

        Make sure the selected LA workspace has the security solution installed. The LA agent and AMA are currently configured at the subscription level. All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.

      Learn more about monitoring components for Defender for Cloud.

      Note

      Defender for Servers assigns tags to your AWS resources to manage the auto-provisioning process. You must have these tags properly assigned to your resources so that Defender for Cloud can manage your resources: AccountId, Cloud, InstanceId, MDFCSecurityConnector

Connect your AWS account

To connect your AWS account to Defender for Cloud with a native connector:

  1. If you have any classic connectors, remove them.

    Using both the classic and native connectors can produce duplicate recommendations.

  2. Sign in to the Azure portal.

  3. Navigate to Defender for Cloud > Environment settings.

  4. Select Add environment > Amazon Web Services.

    Screenshot: connecting an AWS account to an Azure subscription.

  5. Enter the details of the AWS account, including the location where you'll store the connector resource.

    Screenshot: step 1 of the Add AWS account wizard, entering the account details.

    (Optional) Select Management account to create a connector to a management account. Connectors will be created for each member account discovered under the provided management account. Auto-provisioning will be enabled for all of the newly onboarded accounts.

  6. Select Next: Select plans.

    Note

    Each plan has its own requirements for permissions, and might incur charges.

    The select plans tab is where you choose which Defender for Cloud capabilities to enable for this AWS account.

    Important

    To present the current status of your recommendations, the CSPM plan queries the AWS resource APIs several times a day. These read-only API calls incur no charges, but they are recorded in CloudTrail if you've enabled a trail for read events. As explained in the AWS documentation, there are no additional charges for keeping one trail. If you're exporting the data out of AWS (for example, to an external SIEM), this increased volume of calls might also increase ingestion costs. In such cases, we recommend filtering out the read-only calls made by the Defender for Cloud user or role ARN: arn:aws:iam::[accountId]:role/CspmMonitorAws (this is the default role name; confirm the role name configured on your account).

  7. By default the Servers plan is set to On. This is necessary to extend Defender for Servers' coverage to your AWS EC2 instances. Ensure you've fulfilled the network requirements for Azure Arc.

    • (Optional) Select Configure, to edit the configuration as required.
  8. By default the Containers plan is set to On. This is necessary to have Defender for Containers protect your AWS EKS clusters. Ensure you've fulfilled the network requirements for the Defender for Containers plan.

    Note

    Azure Arc-enabled Kubernetes, the Defender Arc extension, and the Azure Policy Arc extension should be installed. Use the dedicated Defender for Cloud recommendations to deploy the extensions (and Arc, if necessary) as explained in Protect Amazon Elastic Kubernetes Service clusters.

    • (Optional) Select Configure, to edit the configuration as required. If you choose to disable this configuration, the Threat detection (control plane) feature will be disabled. Learn more about the feature availability.
  9. By default the Databases plan is set to On. This is necessary to extend Defender for SQL's coverage to your AWS EC2 and RDS Custom for SQL Server.

    • (Optional) Select Configure, to edit the configuration as required. We recommend you leave it set to the default configuration.
  10. Select Next: Configure access.

  11. Download the CloudFormation template.

  12. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. Connectors will be created for the member accounts up to 24 hours after the onboarding.

  13. Select Next: Review and generate.

  14. Select Create.

Defender for Cloud will immediately start scanning your AWS resources and you'll see security recommendations within a few hours. For a reference list of all the recommendations Defender for Cloud can provide for AWS resources, see Security recommendations for AWS resources - a reference guide.
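An added example, not from the original page, for the CloudTrail note in step 6 above: a Python filter that drops only the read-only calls attributed to the CSPM role before export to a SIEM, keeps every other record, and separately lists non-read-only calls from that role, which a role granted only discovery permissions should never make. The records are constructed for the example; the account ID and session name are placeholders, and CspmMonitorAws is the default role name that you should confirm on your account.

```python
"""Pre-export CloudTrail filter for the Defender for Cloud CSPM role.

Added example with constructed records (not real CloudTrail output). Field
names follow the CloudTrail record format; the account ID and session name
are placeholders. CspmMonitorAws is the default role name on this page;
confirm the name configured on your account.
"""
import json
import sys

CSPM_ROLE_ARN = "arn:aws:iam::123456789012:role/CspmMonitorAws"  # placeholder account


def _assumed_role_identity(role_arn: str, session: str) -> dict:
    """userIdentity block CloudTrail writes for a call made with an assumed role."""
    account, name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{account}:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role_arn}}}


SAMPLE_RECORDS = [  # constructed for this example
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "readOnly": True,
     "userIdentity": _assumed_role_identity(CSPM_ROLE_ARN, "cspm-scan")},
    {"eventName": "GetBucketPolicy", "eventSource": "s3.amazonaws.com", "readOnly": True,
     "userIdentity": _assumed_role_identity(CSPM_ROLE_ARN, "cspm-scan")},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "readOnly": False,
     "userIdentity": _assumed_role_identity(CSPM_ROLE_ARN, "cspm-scan")},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",  # no readOnly flag
     "userIdentity": _assumed_role_identity(CSPM_ROLE_ARN, "cspm-scan")},
]


def session_issuer_arn(record: dict) -> str:
    """Role ARN behind an assumed-role session; empty for IAM users and root."""
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("arn", "")


def is_cspm_read(record: dict, cspm_role_arn: str = CSPM_ROLE_ARN) -> bool:
    """Only an explicit readOnly=true call from the CSPM role is droppable.
    Records without the flag are kept, so nothing is lost by default."""
    return record.get("readOnly") is True and session_issuer_arn(record) == cspm_role_arn


def filter_for_siem(records, cspm_role_arn: str = CSPM_ROLE_ARN) -> list:
    """Records to forward: everything except the CSPM role's read-only calls."""
    return [r for r in records if not is_cspm_read(r, cspm_role_arn)]


def cspm_write_calls(records, cspm_role_arn: str = CSPM_ROLE_ARN) -> list:
    """Non-read calls by the CSPM role: alert on these rather than filter them."""
    return [r for r in records
            if session_issuer_arn(r) == cspm_role_arn and r.get("readOnly") is False]


def load_cloudtrail_file(path: str) -> list:
    """Read a CloudTrail log file ({"Records": [...]}) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    records = load_cloudtrail_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    kept = filter_for_siem(records)
    print(f"{len(records)} records in, {len(kept)} forwarded")
    for rec in cspm_write_calls(records):
        print("ALERT non-read call from CSPM role:", rec["eventSource"], rec["eventName"])
    for rec in kept:
        print(json.dumps(rec))
```

Run it with a downloaded CloudTrail log file as the first argument, or without arguments to process the constructed records. The filter keys on sessionContext.sessionIssuer.arn rather than the session ARN, so it matches every session of the role regardless of session name.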

AWS authentication process

Federated authentication is used between Microsoft Defender for Cloud and AWS. All of the resources related to the authentication are created as part of the CloudFormation template deployment, including:

  • An identity provider (OpenID Connect)
  • Identity and Access Management (IAM) roles with a federated principal (connected to the identity provider).

The architecture of the authentication process across clouds is as follows:

Diagram: architecture of the authentication process across clouds.

  1. The Microsoft Defender for Cloud CSPM service acquires an Azure AD token with a validity lifetime of 1 hour, signed by Azure AD using the RS256 algorithm.

  2. The Azure AD token is exchanged for short-lived AWS credentials, and Defender for Cloud's CSPM service assumes the CSPM IAM role (assumed with web identity).

  3. Since the principal of the role is a federated identity as defined in the trust relationship policy, the AWS identity provider validates the Azure AD token against Azure AD through a process that includes:

    • audience validation
    • verification of the token's signature
    • verification of the certificate thumbprint
  4. The Microsoft Defender for Cloud CSPM role is assumed only after the validation conditions defined in the trust relationship have been met. The conditions defined at the role level are used for validation within AWS and allow only the Microsoft Defender for Cloud CSPM application (validated audience) to access the specific role (and not any other Microsoft token).

  5. After the Azure AD token is validated by the AWS identity provider, AWS STS exchanges the token for short-lived AWS credentials, which the CSPM service uses to scan the AWS account.
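The following added example (not part of the original page and not Defender for Cloud's own code) models the token-level and role-level checks described above as a small Python evaluator, so you can see why the audience condition in the trust relationship is what keeps another token from the same tenant out of the role. The provider URL, audience, account ID and token claims are constructed placeholders; the real ones are created by the CloudFormation template. The RS256 signature and certificate thumbprint verification is only marked where the identity provider performs it, because it needs the issuer's published signing keys.

```python
"""Model of the checks applied when the Defender for Cloud CSPM service calls
sts:AssumeRoleWithWebIdentity with its Azure AD token.

Added example. The provider URL, audience, account ID and claims are
constructed placeholders (the real ones are created by the CloudFormation
template). The signature and certificate-thumbprint verification performed by
the AWS identity provider is marked where it happens but not implemented here,
since it needs the issuer's published signing keys.
"""
import base64
import json
import time

PROVIDER = "sts.example.test/11111111-2222-3333-4444-555555555555/"  # placeholder, no scheme
CSPM_AUDIENCE = "api://defender-cspm-example"                         # placeholder
ACCOUNT_ID = "123456789012"                                          # placeholder

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # The audience condition is what limits the role to the CSPM
        # application's token rather than any token from the same tenant.
        "Condition": {"StringEquals": {f"{PROVIDER}:aud": CSPM_AUDIENCE}},
    }],
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(claims: dict, alg: str = "RS256") -> str:
    """Assemble a JWT with a placeholder signature (constructed test input only)."""
    header = {"typ": "JWT", "alg": alg, "x5t": "constructed-thumbprint"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def decode_token(token: str):
    """Split a JWT into its header and claims (the signature is not checked here)."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def evaluate_assume_role(trust_policy: dict, token: str, provider: str, now=None):
    """Return (allowed, reason) for an AssumeRoleWithWebIdentity request."""
    now = time.time() if now is None else now
    header, claims = decode_token(token)

    # Identity-provider checks on the token itself.
    if header.get("alg") != "RS256":
        return False, f"rejected signing algorithm {header.get('alg')!r}"
    if claims.get("iss") != "https://" + provider:
        return False, "issuer is not the registered OIDC provider"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Signature and certificate-thumbprint verification would happen here.

    # Role-level checks: the trust relationship's statements and conditions.
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + provider):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        # "<provider>:aud" is compared with the token's aud claim, and so on.
        if all(claims.get(key.rsplit(":", 1)[1]) == value for key, value in required.items()):
            return True, "allowed"
    return False, "no trust statement matched (implicit deny)"


if __name__ == "__main__":
    now = int(time.time())
    base = {"iss": "https://" + PROVIDER, "iat": now, "exp": now + 3600}  # 1-hour lifetime
    for label, claims in [("CSPM token", {**base, "aud": CSPM_AUDIENCE}),
                          ("other app, same tenant", {**base, "aud": "api://another-app"})]:
        print(label, "->", evaluate_assume_role(TRUST_POLICY, make_token(claims), PROVIDER))
```

The second run in the usage block is the case step 4 describes: a valid, unexpired token from the same Azure AD tenant but with a different audience is denied because no trust statement's condition matches.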

CloudFormation deployment source

As part of connecting an AWS account to Microsoft Defender for Cloud, a CloudFormation template should be deployed to the AWS account. This CloudFormation template creates all of the required resources necessary for Microsoft Defender for Cloud to connect to the AWS account.

The CloudFormation template should be deployed using Stack (or StackSet if you have a management account).

When deploying the CloudFormation template, the Stack creation wizard offers the following options:

Screenshot: the stack creation wizard.

  1. Amazon S3 URL – upload the downloaded CloudFormation template to your own S3 bucket with your own security configurations. Enter the URL to the S3 bucket in the AWS deployment wizard.

  2. Upload a template file – AWS will automatically create an S3 bucket in which the CloudFormation template is saved. That automatically created bucket has a security misconfiguration that will cause the recommendation "S3 buckets should require requests to use Secure Socket Layer" to appear. You can remediate this recommendation by applying the following bucket policy (replace <S3_Bucket ARN> with the bucket's ARN):

    {  
      "Id": "ExamplePolicy",  
      "Version": "2012-10-17",  
      "Statement": [  
        {  
          "Sid": "AllowSSLRequestsOnly",  
          "Action": "s3:*",  
          "Effect": "Deny",  
          "Resource": [  
            "<S3_Bucket ARN>",  
            "<S3_Bucket ARN>/*"  
          ],  
          "Condition": {  
            "Bool": {  
              "aws:SecureTransport": "false"  
            }  
          },  
          "Principal": "*"  
        }  
      ]  
    }  
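Added example (not the page's or Microsoft's own code): a Python check that tells whether a bucket policy already contains a Deny statement equivalent to the one above, covering both the bucket and its objects, and that generates that statement for a bucket that lacks it. The sample policies and the bucket ARN are constructed.

```python
"""Check and generate the TLS-only bucket policy for the CloudFormation
template bucket.

Added example; the sample policies and bucket ARN are constructed.
"""
import json


def _as_list(value) -> list:
    """IAM policy elements may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def tls_only_policy(bucket_arn: str) -> dict:
    """The deny-insecure-transport policy from this page, filled in for one bucket."""
    return {
        "Id": "ExamplePolicy",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [bucket_arn, bucket_arn + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            "Principal": "*",
        }],
    }


def _applies_to_everyone(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def enforces_tls(policy: dict, bucket_arn: str) -> bool:
    """True if some Deny statement blocks every principal's non-TLS requests
    to both the bucket and all of its objects."""
    required = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _applies_to_everyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if "s3:*" not in actions and "*" not in actions:
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if "false" not in [str(v).lower() for v in _as_list(flag)]:
            continue
        if required <= set(_as_list(stmt.get("Resource"))):
            return True
    return False


def remediation(policy: dict, bucket_arn: str):
    """None if the bucket is already TLS-only, otherwise the policy to apply."""
    return None if enforces_tls(policy, bucket_arn) else tls_only_policy(bucket_arn)


# Constructed inputs
BUCKET_ARN = "arn:aws:s3:::cf-templates-example-bucket"
NO_POLICY = {"Version": "2012-10-17", "Statement": []}
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": BUCKET_ARN,  # objects under the bucket are not covered
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, pol in [("no policy", NO_POLICY), ("bucket-only deny", BUCKET_ONLY),
                      ("page policy", tls_only_policy(BUCKET_ARN))]:
        fix = remediation(pol, BUCKET_ARN)
        print(f"{name}: {'already TLS-only' if fix is None else 'apply the following policy'}")
        if fix:
            print(json.dumps(fix, indent=2))
```

Write the generated policy to a file and apply it with aws s3api put-bucket-policy --bucket <name> --policy file://policy.json. The bucket-only case is the one worth noticing: a Deny that names the bucket ARN without the /* object resource still leaves object reads and writes over plaintext HTTP permitted.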
    

Remove 'classic' connectors

If you have any existing connectors created with the classic cloud connectors experience, remove them first:

  1. Sign in to the Azure portal.

  2. Navigate to Defender for Cloud > Environment settings.

  3. Select the option to switch back to the classic connectors experience.

    Screenshot: switching back to the classic cloud connectors experience in Defender for Cloud.

  4. For each connector, select the three dot button at the end of the row, and select Delete.

  5. In AWS, delete the IAM role or the user credentials created for the integration.

Availability

Release state: General availability (GA)
Pricing: Requires Microsoft Defender for Servers Plan 2
Required roles and permissions: Owner on the relevant Azure subscription. A Contributor can also connect an AWS account if an Owner provides the service principal details.
Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet)

Connect your AWS account

Follow the steps below to create your AWS cloud connector.

Step 1. Set up AWS Security Hub:

  1. To view security recommendations for multiple regions, repeat the following steps for each relevant region.

    Important

    If you're using an AWS management account, repeat the following three steps to configure the management account and all connected member accounts, across all relevant regions.

    1. Enable AWS Config.
    2. Enable AWS Security Hub.
    3. Verify that data is flowing to the Security Hub. When you first enable Security Hub, it might take several hours for data to be available.

Step 2. Set up authentication for Defender for Cloud in AWS

There are two ways to allow Defender for Cloud to authenticate to AWS:

  • Create an IAM role for Defender for Cloud (Recommended) - The most secure method: Defender for Cloud assumes the role using temporary credentials and an external ID, so no long-lived keys leave your account.
  • AWS user for Defender for Cloud - A less secure option that relies on a long-lived access key; use it only if you can't use an IAM role.

Create an IAM role for Defender for Cloud

  1. From your Amazon Web Services console, under Security, Identity & Compliance, select IAM.

  2. Select Roles and Create role.

  3. Select Another AWS account.

  4. Enter the following details:

    • Account ID - enter the Microsoft Account ID (158177204117) as shown in the AWS connector page in Defender for Cloud.
    • Require External ID - should be selected
    • External ID - enter the subscription ID as shown in the AWS connector page in Defender for Cloud.
  5. Select Next.

  6. In the Attach permission policies section, select the following AWS managed policies:

    • SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit)
    • AmazonSSMAutomationRole (arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole)
    • AWSSecurityHubReadOnlyAccess (arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess)
  7. Optionally add tags. Adding tags to the role doesn't affect the connection.

  8. Select Next.

  9. In the Roles list, select the role you created.

  10. Save the Amazon Resource Name (ARN) for later.

Create an AWS user for Defender for Cloud

  1. Open the Users tab and select Add user.

  2. In the Details step, enter a username for Defender for Cloud and ensure that you select Programmatic access for the AWS Access Type.

  3. Select Next: Permissions.

  4. Select Attach existing policies directly and apply the following policies:

    • SecurityAudit
    • AmazonSSMAutomationRole
    • AWSSecurityHubReadOnlyAccess
  5. Select Next: Tags. Optionally add tags. Adding Tags to the user doesn't affect the connection.

  6. Select Review.

  7. Save the automatically generated Access key ID and Secret access key CSV file for later.

  8. Review the summary and select Create user.

Step 3. Configure the SSM Agent

AWS Systems Manager is required for automating tasks across your AWS resources. If your EC2 instances don't have the SSM Agent, install it by following the relevant instructions from Amazon for your operating system.

Step 4. Complete Azure Arc prerequisites

  1. Make sure the appropriate Azure resources providers are registered:

    • Microsoft.HybridCompute
    • Microsoft.GuestConfiguration
  2. Create a Service Principal for onboarding at scale. As an Owner on the subscription you want to use for the onboarding, create a service principal for Azure Arc onboarding as described in Create a Service Principal for onboarding at scale.

Step 5. Connect AWS to Defender for Cloud

  1. From Defender for Cloud's menu, open Environment settings and select the option to switch back to the classic connectors experience.

    Screenshot: switching back to the classic cloud connectors experience in Defender for Cloud.

  2. Select Add AWS account.

  3. Configure the options in the AWS authentication tab:

    1. Enter a Display name for the connector.
    2. Confirm that the subscription is correct. It's the subscription that will include the connector and AWS Security Hub recommendations.
    3. Depending on the authentication option you chose in Step 2 (Set up authentication for Defender for Cloud in AWS), enter either the ARN of the IAM role you created or the access key ID and secret access key of the AWS user.
  4. Select Next.

  5. Configure the options in the Azure Arc Configuration tab:

    Defender for Cloud discovers the EC2 instances in the connected AWS account and uses SSM to onboard them to Azure Arc.

    Tip

    For the list of supported operating systems, see What operating systems for my EC2 instances are supported? in the FAQ.

    1. Select the Resource Group and Azure Region that the discovered AWS EC2s will be onboarded to in the selected subscription.

    2. Enter the Service Principal ID and Service Principal Client Secret for Azure Arc as described here Create a Service Principal for onboarding at scale

    3. If the machine is connecting to the internet via a proxy server, specify the proxy server IP address, or the name and port number that the machine uses to communicate with the proxy server. Enter the value in the format http://<proxyURL>:<proxyport>

    4. Select Review + create.

      Review the summary information

      The Tags sections will list all Azure Tags that will be automatically created for each onboarded EC2 with its own relevant details to easily recognize it in Azure.

      Learn more about Azure Tags in Use tags to organize your Azure resources and management hierarchy.

Step 6. Confirmation

When the connector is successfully created, and AWS Security Hub has been configured properly:

  • Defender for Cloud scans the environment for AWS EC2 instances and onboards them to Azure Arc, which enables installation of the Log Analytics agent and provides threat protection and security recommendations.
  • The Defender for Cloud service scans for new AWS EC2 instances every 6 hours and onboards them according to the configuration.
  • The AWS CIS standard will be shown in the Defender for Cloud's regulatory compliance dashboard.
  • If Security Hub policy is enabled, recommendations will appear in the Defender for Cloud portal and the regulatory compliance dashboard 5-10 minutes after onboard completes.

Screenshot: AWS resources and recommendations on Defender for Cloud's recommendations page.

Monitoring your AWS resources

As the previous screenshot shows, Defender for Cloud's security recommendations page displays your AWS resources. Use the environments filter to view the recommendations for Azure, AWS, and GCP resources together.

To view all the active recommendations for your resources by resource type, use Defender for Cloud's asset inventory page and filter to the AWS resource type in which you're interested:

Screenshot: the asset inventory page's resource type filter showing the AWS options.

FAQ - AWS in Defender for Cloud

What operating systems for my EC2 instances are supported?

For a list of the AMIs with the SSM Agent preinstalled, see AMIs with SSM Agent preinstalled in the AWS docs.

For other operating systems, install the SSM Agent manually by following Amazon's instructions for your platform.

For the CSPM plan, what IAM permissions are needed to discover AWS resources?

The following IAM permissions are needed to discover AWS resources:

Service: Permissions
API Gateway: apigateway:GET
Application Auto Scaling: application-autoscaling:Describe*
Auto Scaling: autoscaling-plans:Describe*, autoscaling:Describe*
Certificate Manager: acm-pca:Describe*, acm-pca:List*, acm:Describe*, acm:List*
CloudFormation: cloudformation:Describe*, cloudformation:List*
CloudFront: cloudfront:DescribeFunction, cloudfront:GetDistribution, cloudfront:GetDistributionConfig, cloudfront:List*
CloudTrail: cloudtrail:Describe*, cloudtrail:GetEventSelectors, cloudtrail:List*, cloudtrail:LookupEvents
CloudWatch: cloudwatch:Describe*, cloudwatch:List*
CloudWatch Logs: logs:DescribeLogGroups, logs:DescribeMetricFilters
CodeBuild: codebuild:DescribeCodeCoverages, codebuild:DescribeTestCases, codebuild:List*
Config Service: config:Describe*, config:List*
DMS (Database Migration Service): dms:Describe*, dms:List*
DAX: dax:Describe*
DynamoDB: dynamodb:Describe*, dynamodb:List*
EC2: ec2:Describe*, ec2:GetEbsEncryptionByDefault
ECR: ecr:Describe*, ecr:List*
ECS: ecs:Describe*, ecs:List*
EFS: elasticfilesystem:Describe*
EKS: eks:Describe*, eks:List*
Elastic Beanstalk: elasticbeanstalk:Describe*, elasticbeanstalk:List*
ELB (Elastic Load Balancing v1/v2): elasticloadbalancing:Describe*
Elasticsearch: es:Describe*, es:List*
EMR (Elastic MapReduce): elasticmapreduce:Describe*, elasticmapreduce:GetBlockPublicAccessConfiguration, elasticmapreduce:List*, elasticmapreduce:View*
GuardDuty: guardduty:DescribeOrganizationConfiguration, guardduty:DescribePublishingDestination, guardduty:List*
IAM: iam:Generate*, iam:Get*, iam:List*, iam:Simulate*
KMS: kms:Describe*, kms:List*
Lambda: lambda:GetPolicy, lambda:List*
Network Firewall: network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:DescribeResourcePolicy, network-firewall:DescribeRuleGroup, network-firewall:DescribeRuleGroupMetadata, network-firewall:ListFirewallPolicies, network-firewall:ListFirewalls, network-firewall:ListRuleGroups, network-firewall:ListTagsForResource
RDS: rds:Describe*, rds:List*
Redshift: redshift:Describe*
S3 and S3 Control: s3:DescribeJob, s3:GetEncryptionConfiguration, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetBucketLogging, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketPolicy, s3:GetReplicationConfiguration, s3:GetAccountPublicAccessBlock, s3:GetObjectAcl, s3:GetObjectTagging, s3:List*
SageMaker: sagemaker:Describe*, sagemaker:GetSearchSuggestions, sagemaker:List*, sagemaker:Search
Secrets Manager: secretsmanager:Describe*, secretsmanager:List*
SNS (Simple Notification Service): sns:Check*, sns:List*
SSM: ssm:Describe*, ssm:List*
SQS: sqs:List*, sqs:Receive*
STS: sts:GetCallerIdentity
WAF: waf-regional:Get*, waf-regional:List*, waf:List*, wafv2:CheckCapacity, wafv2:Describe*, wafv2:List*
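An added example, not from the original page: the permission list above transcribed into a Python structure, turned into an IAM policy document for review, and screened for actions whose verb is not a plain read. The generated document is a reconstruction for least-privilege review, not the policy the CloudFormation template actually attaches, and the verb prefixes treated as read-only are this example's own assumption.

```python
"""Screen the CSPM discovery permissions for actions that are not plain reads.

Added example. CSPM_PERMISSIONS is transcribed from the table on this page;
the generated policy document is a reconstruction for review, not the policy
that the Defender for Cloud CloudFormation template attaches. READ_VERBS is
this example's assumption about which verbs only read metadata.
"""
import json

CSPM_PERMISSIONS = {
    "API Gateway": ["apigateway:GET"],
    "Application Auto Scaling": ["application-autoscaling:Describe*"],
    "Auto Scaling": ["autoscaling-plans:Describe*", "autoscaling:Describe*"],
    "Certificate Manager": ["acm-pca:Describe*", "acm-pca:List*", "acm:Describe*", "acm:List*"],
    "CloudFormation": ["cloudformation:Describe*", "cloudformation:List*"],
    "CloudFront": ["cloudfront:DescribeFunction", "cloudfront:GetDistribution",
                   "cloudfront:GetDistributionConfig", "cloudfront:List*"],
    "CloudTrail": ["cloudtrail:Describe*", "cloudtrail:GetEventSelectors",
                   "cloudtrail:List*", "cloudtrail:LookupEvents"],
    "CloudWatch": ["cloudwatch:Describe*", "cloudwatch:List*"],
    "CloudWatch Logs": ["logs:DescribeLogGroups", "logs:DescribeMetricFilters"],
    "CodeBuild": ["codebuild:DescribeCodeCoverages", "codebuild:DescribeTestCases", "codebuild:List*"],
    "Config Service": ["config:Describe*", "config:List*"],
    "DMS": ["dms:Describe*", "dms:List*"],
    "DAX": ["dax:Describe*"],
    "DynamoDB": ["dynamodb:Describe*", "dynamodb:List*"],
    "EC2": ["ec2:Describe*", "ec2:GetEbsEncryptionByDefault"],
    "ECR": ["ecr:Describe*", "ecr:List*"],
    "ECS": ["ecs:Describe*", "ecs:List*"],
    "EFS": ["elasticfilesystem:Describe*"],
    "EKS": ["eks:Describe*", "eks:List*"],
    "Elastic Beanstalk": ["elasticbeanstalk:Describe*", "elasticbeanstalk:List*"],
    "ELB": ["elasticloadbalancing:Describe*"],
    "Elasticsearch": ["es:Describe*", "es:List*"],
    "EMR": ["elasticmapreduce:Describe*", "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "elasticmapreduce:List*", "elasticmapreduce:View*"],
    "GuardDuty": ["guardduty:DescribeOrganizationConfiguration",
                  "guardduty:DescribePublishingDestination", "guardduty:List*"],
    "IAM": ["iam:Generate*", "iam:Get*", "iam:List*", "iam:Simulate*"],
    "KMS": ["kms:Describe*", "kms:List*"],
    "Lambda": ["lambda:GetPolicy", "lambda:List*"],
    "Network Firewall": ["network-firewall:DescribeFirewall", "network-firewall:DescribeFirewallPolicy",
                         "network-firewall:DescribeLoggingConfiguration",
                         "network-firewall:DescribeResourcePolicy", "network-firewall:DescribeRuleGroup",
                         "network-firewall:DescribeRuleGroupMetadata",
                         "network-firewall:ListFirewallPolicies", "network-firewall:ListFirewalls",
                         "network-firewall:ListRuleGroups", "network-firewall:ListTagsForResource"],
    "RDS": ["rds:Describe*", "rds:List*"],
    "Redshift": ["redshift:Describe*"],
    "S3 and S3 Control": ["s3:DescribeJob", "s3:GetEncryptionConfiguration",
                          "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetBucketLogging",
                          "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy",
                          "s3:GetReplicationConfiguration", "s3:GetAccountPublicAccessBlock",
                          "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:List*"],
    "SageMaker": ["sagemaker:Describe*", "sagemaker:GetSearchSuggestions",
                  "sagemaker:List*", "sagemaker:Search"],
    "Secrets Manager": ["secretsmanager:Describe*", "secretsmanager:List*"],
    "SNS": ["sns:Check*", "sns:List*"],
    "SSM": ["ssm:Describe*", "ssm:List*"],
    "SQS": ["sqs:List*", "sqs:Receive*"],
    "STS": ["sts:GetCallerIdentity"],
    "WAF": ["waf-regional:Get*", "waf-regional:List*", "waf:List*",
            "wafv2:CheckCapacity", "wafv2:Describe*", "wafv2:List*"],
}

# Verb prefixes (compared case-insensitively) assumed to only read configuration or metadata.
READ_VERBS = ("DESCRIBE", "GET", "LIST", "LOOKUP", "VIEW", "SEARCH", "CHECK")


def all_actions(perms=CSPM_PERMISSIONS) -> list:
    """Every action in the table, de-duplicated and sorted."""
    return sorted({action for actions in perms.values() for action in actions})


def policy_document(perms=CSPM_PERMISSIONS) -> dict:
    """Reconstructed IAM policy for review; Resource "*" because discovery is account-wide."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "CspmDiscovery", "Effect": "Allow",
                           "Action": all_actions(perms), "Resource": "*"}]}


def non_read_actions(perms=CSPM_PERMISSIONS) -> list:
    """Actions whose verb is not in READ_VERBS, e.g. sqs:Receive*, which returns message bodies."""
    return [a for a in all_actions(perms)
            if not a.split(":", 1)[1].upper().startswith(READ_VERBS)]


if __name__ == "__main__":
    print(json.dumps(policy_document(), indent=2))
    print("Review these non-read actions:", non_read_actions())
```

The three actions the screen flags are worth understanding before you accept the connector in a sensitive account: iam:Generate* and iam:Simulate* produce reports and policy simulations rather than reading existing state, and sqs:Receive* (ReceiveMessage) returns queue message bodies, which may contain application data rather than configuration.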

Next steps

Connecting your AWS account is part of the multicloud experience available in Microsoft Defender for Cloud. For related information, see the following pages: