Assign access to workload owners

When you onboard your AWS or GCP environments, Defender for Cloud automatically creates a security connector as an Azure resource inside the connected subscription and resource group. During onboarding, Defender for Cloud also creates the identity provider and the IAM role it requires in the connected account.

Can you assign permissions to users on specific security connectors below the parent connector? Yes. First decide which AWS accounts or GCP projects the users should have access to, then identify the security connectors that correspond to those accounts or projects; those connectors are the resources on which you assign access.

Prerequisites

Configure permissions on the security connector

Permissions for security connectors are managed through Azure role-based access control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Locate the relevant AWS or GCP connector.

  4. Locate the connector resource for the workload owners with the All resources view or the Azure Resource Graph option in the Azure portal.

    1. Search for and select All resources.

    2. Select Manage view > Show hidden types.

    3. Select the Types equals all filter.

    4. Enter securityconnector in the value field and select the microsoft.security/securityconnectors checkbox.

    5. Select Apply.

    6. Select the relevant security connector resource.

  5. Select Access control (IAM).

  6. Select +Add > Add role assignment.

  7. Select the desired role.

  8. Select Next.

  9. Select + Select members.

  10. Search for and select the relevant user or group.

  11. Select the Select button.

  12. Select Next.

  13. Select Review + assign.

  14. Review the information.

  15. Select Review + assign.

After you set the permission on the security connector, the workload owners can view Defender for Cloud recommendations for the AWS and GCP resources associated with that connector, and only for those, because the role assignment is scoped to the connector resource rather than to the subscription or resource group.
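The same procedure can be scripted with the Azure CLI, which is useful when many workload owners need access to many connectors. The script below is an added example and is not from the Microsoft documentation; it assumes `az` is installed and signed in, and every value it takes (subscription ID, resource group, connector name, principal, role) is a placeholder you supply. It also adds a check that the scope really is a single `Microsoft.Security/securityConnectors` resource, so a typo cannot widen the grant to the resource group or subscription.

```bash
#!/usr/bin/env bash
# Added example (not from the docs page): Azure CLI equivalent of the portal steps.
# Assumes `az` is installed and logged in; all inputs are placeholders.
set -euo pipefail

# Security connectors are a hidden resource type, which is why the portal needs
# "Show hidden types". Build the ARM resource ID that becomes the RBAC scope.
connector_scope() {
  local sub="$1" rg="$2" name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Security/securityConnectors/%s' \
    "$sub" "$rg" "$name"
}

# Least-privilege guard: accept only a scope that names exactly one connector.
# Returns 0 for a connector scope, 1 for anything broader (subscription, RG, ...).
scope_is_single_connector() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Security/securityConnectors/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Enumerate the connectors in a subscription together with the AWS account ID or
# GCP project number each one represents (properties.hierarchyIdentifier), so the
# connector can be matched to the workload owner's account before assigning access.
list_connectors() {
  local sub="$1"
  az resource list --subscription "$sub" \
    --resource-type "Microsoft.Security/securityConnectors" --query "[].id" -o tsv |
  while IFS= read -r id; do
    az resource show --ids "$id" \
      --query "{name:name, resourceGroup:resourceGroup, environment:properties.environmentName, hierarchyIdentifier:properties.hierarchyIdentifier}" \
      -o tsv
  done
}

# Grant one principal (user or group object ID, or UPN) a role on exactly one
# connector. "Security Reader" is sufficient to view recommendations; pass a
# different role if the workload owner needs more. Placeholder role by default.
assign_connector_role() {
  local sub="$1" rg="$2" name="$3" assignee="$4" role="${5:-Security Reader}"
  local scope
  scope="$(connector_scope "$sub" "$rg" "$name")"
  scope_is_single_connector "$scope" || { echo "refusing non-connector scope: $scope" >&2; return 1; }
  az role assignment create --assignee "$assignee" --role "$role" --scope "$scope" -o none
  # Show what is now assigned directly at that scope (inherited assignments are
  # not listed by default), as the review step at the end of the portal flow.
  az role assignment list --scope "$scope" \
    --query "[].{principal:principalName, role:roleDefinitionName}" -o table
}

# Run the flow only when the caller supplies the placeholders, e.g.
#   SUBSCRIPTION_ID=... RESOURCE_GROUP=... CONNECTOR_NAME=... ASSIGNEE=... ./assign.sh
if [ -n "${CONNECTOR_NAME:-}" ]; then
  list_connectors "$SUBSCRIPTION_ID"
  assign_connector_role "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CONNECTOR_NAME" "$ASSIGNEE"
fi
```

Run `list_connectors` first and match the `hierarchyIdentifier` column against the AWS account ID or GCP project number the owner is responsible for; that is the CLI counterpart of step 4 above. The guard in `assign_connector_role` is what keeps the grant at connector level, which is the point of assigning access here instead of on the subscription.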

Next step