Defender for Cloud assesses the configuration of your resources and identifies security issues and vulnerabilities. In Defender for Cloud, you can view information related to a resource when you have one of these roles assigned for the subscription or the resource group the resource belongs to: Owner, Contributor, or Reader.
In addition to the built-in roles, there are two roles specific to Defender for Cloud:
Security Reader: A user in this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, security policies, and security states, but can't make changes.
Security Admin: A user in this role has the same access as a Security Reader and can also update security policies and dismiss alerts and recommendations.
We recommend assigning the least permissive role needed for users to complete their tasks.
For example, you can assign the Reader role to users who only need to view the security health of a resource without taking any action. Users with the Reader role can't apply recommendations or edit policies.
Roles and allowed actions
The following table shows the roles and the actions they allow in Defender for Cloud. The rows below are the ones this page includes; "Use Fix" refers to the fix button on a recommendation.

| Action | Security Reader / Reader | Security Admin | Subscription Contributor | Resource Group Contributor | Subscription Owner |
|---|---|---|---|---|---|
| Apply security recommendations for a resource (Use Fix) | - | - | ✔ | ✔ | ✔ |
| View alerts and recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
| Exempt security recommendations | - | ✔ | - | - | ✔ |
| Configure email notifications | - | ✔ | ✔ | ✔ | ✔ |
Note
While the three roles mentioned are sufficient for enabling and disabling Defender plans, to enable all capabilities of a plan the Owner role is required.
The specific role required to deploy monitoring components depends on the extension you're deploying. Learn more about monitoring components.
Roles used to automatically provision agents and extensions
To allow the Security Admin role to automatically provision the agents and extensions used by Defender for Cloud plans, Defender for Cloud uses policy remediation in the same way Azure Policy does. Remediation requires Defender for Cloud to create service principals (specifically, managed identities) that hold role assignments at the subscription level. For example, the service principal for the Defender for Containers plan is:

| Service principal | Roles |
|---|---|
| Defender for Containers provisioning Azure Kubernetes Service (AKS) Security Profile | |
When you onboard an Amazon Web Services (AWS) connector, Defender for Cloud creates IAM roles in your AWS account and assigns permissions to them. The following table shows the roles and permissions assigned by each plan on your AWS account. Where a role's write permissions are scoped by a tag, the scope is the trust boundary between Defender for Cloud and the rest of the account, so it is worth verifying after onboarding.

| Defender for Cloud plan | Role created | Permission assigned on AWS account |
|---|---|---|
| Defender Cloud Security Posture Management (CSPM) | CspmMonitorAws | Discover AWS resources: read all resources except consolidatedbilling:*, freetier:*, invoicing:*, payments:*, billing:*, tax:*, cur:* |
| Defender CSPM; Defender for Servers | DefenderForCloud-AgentlessScanner | Create and clean up disk snapshots, scoped by the tag CreatedBy = "Microsoft Defender for Cloud": ec2:DeleteSnapshot, ec2:ModifySnapshotAttribute, ec2:DeleteTags, ec2:CreateTags, ec2:CreateSnapshots, ec2:CopySnapshot, ec2:CreateSnapshot, ec2:DescribeSnapshots, ec2:DescribeInstanceStatus. Encryption key creation: kms:CreateKey, kms:ListKeys. Encryption key management: kms:TagResource, kms:GetKeyRotationStatus, kms:PutKeyPolicy, kms:GetKeyPolicy, kms:CreateAlias, kms:ListResourceTags, kms:GenerateDataKeyWithoutPlaintext, kms:DescribeKey, kms:RetireGrant, kms:CreateGrant, kms:ReEncryptFrom |
| Defender CSPM; Defender for Storage | SensitiveDataDiscovery | Discover S3 buckets in the AWS account and let the Defender for Cloud scanner read data in them (S3 read-only) |
| Defender for Containers | | List EKS clusters and collect data from EKS clusters: eks:UpdateClusterConfig, eks:DescribeCluster |
| Defender for Containers | DefenderForCloud-DataCollection | CloudWatch log group created by Defender for Cloud: logs:PutSubscriptionFilter, logs:DescribeSubscriptionFilters, logs:DescribeLogGroups, logs:PutRetentionPolicy. SQS queue created by Defender for Cloud: sqs:ReceiveMessage, sqs:DeleteMessage. Kinesis Data Firehose delivery stream created by Defender for Cloud: firehose:* |
| Defender for Containers | DefenderForCloud-Containers-K8s-kinesis-to-s3 | S3 bucket created by Defender for Cloud: s3:GetObject, s3:GetBucketLocation, s3:AbortMultipartUpload, s3:ListBucket, s3:ListBucketMultipartUploads, s3:PutObject |
| Defender for Containers; Defender CSPM | MDCContainersAgentlessDiscoveryK8sRole | Collect data from EKS clusters, update EKS clusters to support IP restriction, and create an iamidentitymapping for EKS clusters: eks:DescribeCluster, eks:UpdateClusterConfig* |
| Defender for Containers; Defender CSPM | MDCContainersImageAssessmentRole | Scan images from ECR and ECR Public (AWS managed policies): AmazonEC2ContainerRegistryReadOnly, AmazonElasticContainerRegistryPublicReadOnly, AmazonEC2ContainerRegistryPowerUser, AmazonElasticContainerRegistryPublicPowerUser |
| Defender for Servers | DefenderForCloud-ArcAutoProvisioning | Install Azure Arc on all EC2 instances using SSM: ssm:CancelCommand, ssm:DescribeInstanceInformation, ssm:GetCommandInvocation, ssm:UpdateServiceSetting, ssm:GetServiceSetting, ssm:GetAutomationExecution, ssm:StartAutomationExecution, ec2:DescribeIamInstanceProfileAssociations, ec2:DisassociateIamInstanceProfile, ec2:DescribeInstances, iam:GetInstanceProfile, iam:ListInstanceProfilesForRole |
| Defender CSPM | DefenderForCloud-DataSecurityPostureDB | Discover RDS instances in the AWS account and create RDS instance snapshots: list all RDS DBs/clusters; list all DB/cluster snapshots; copy all DB/cluster snapshots; delete/update DB/cluster snapshots with the prefix defenderfordatabases; list all KMS keys; use all KMS keys only for RDS on the source account; list KMS keys with the tag prefix DefenderForDatabases; create aliases for KMS keys |
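The "scoped by tag" wording in the DefenderForCloud-AgentlessScanner row is the part a reviewer should actually verify: it is what keeps the connector's snapshot-deletion rights away from the account's own snapshots. The following is an added example, not Microsoft's CloudFormation or Terraform connector template. It constructs an illustrative policy document in which snapshot creation requires the CreatedBy tag on the request and snapshot mutation/deletion requires it on the resource, then evaluates a handful of requests against it with a small IAM-style evaluator (Action and Resource wildcards, StringEquals/StringLike conditions, explicit Deny wins, default deny). The policy layout, ARNs and tag values are assumptions; the real role's policy may differ, and the evaluator is not a full IAM policy simulator.

```python
"""Evaluate a constructed, tag-scoped IAM policy for the agentless scanner role.

Added example for this page; the policy document is illustrative, not the
connector's real template, and the evaluator covers only the IAM subset used here.
"""
from fnmatch import fnmatchcase

DEFENDER_TAG_KEY = "CreatedBy"
DEFENDER_TAG_VALUE = "Microsoft Defender for Cloud"

# Constructed policy document (assumption: statement layout is ours, not Microsoft's).
AGENTLESS_SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Read-only discovery needs no tag condition.
            "Sid": "DescribeOnly", "Effect": "Allow",
            "Action": ["ec2:DescribeSnapshots", "ec2:DescribeInstanceStatus"],
            "Resource": "*",
        },
        {   # New snapshots must be created carrying the Defender tag (aws:RequestTag),
            # otherwise the cleanup statement below would never match them.
            "Sid": "CreateTaggedSnapshots", "Effect": "Allow",
            "Action": ["ec2:CreateSnapshot", "ec2:CreateSnapshots"],
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:RequestTag/{DEFENDER_TAG_KEY}": DEFENDER_TAG_VALUE}},
        },
        {   # Mutation/deletion only on snapshots that already carry the tag (aws:ResourceTag),
            # so customer-created snapshots are outside the role's reach.
            "Sid": "ManageOwnSnapshots", "Effect": "Allow",
            "Action": ["ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
                       "ec2:CopySnapshot", "ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "arn:aws:ec2:*::snapshot/*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{DEFENDER_TAG_KEY}": DEFENDER_TAG_VALUE}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, fold_case=False):
    """IAM-style glob match; action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; unknown operators and missing keys fail closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not _any_match(expected, actual):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    context holds condition keys such as aws:ResourceTag/<key> or aws:RequestTag/<key>.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _any_match(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _any_match(stmt.get("Resource", []), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # an explicit deny ends evaluation
        decision = "Allow"
    return decision


# Constructed requests (ARNs and account id are made up).
SNAPSHOT_ARN = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"
VOLUME_ARN = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"
DEFENDER_SNAPSHOT = {f"aws:ResourceTag/{DEFENDER_TAG_KEY}": DEFENDER_TAG_VALUE}
CUSTOMER_SNAPSHOT = {f"aws:ResourceTag/{DEFENDER_TAG_KEY}": "nightly-backup-job"}


def scenarios():
    """The requests a reviewer would check, as (label, decision) pairs."""
    p = AGENTLESS_SCANNER_POLICY
    return [
        ("delete Defender snapshot", evaluate(p, "ec2:DeleteSnapshot", SNAPSHOT_ARN, DEFENDER_SNAPSHOT)),
        ("delete customer snapshot", evaluate(p, "ec2:DeleteSnapshot", SNAPSHOT_ARN, CUSTOMER_SNAPSHOT)),
        ("delete untagged snapshot", evaluate(p, "ec2:DeleteSnapshot", SNAPSHOT_ARN)),
        ("create snapshot with Defender tag", evaluate(p, "ec2:CreateSnapshot", VOLUME_ARN,
                                                       {f"aws:RequestTag/{DEFENDER_TAG_KEY}": DEFENDER_TAG_VALUE})),
        ("create snapshot without tag", evaluate(p, "ec2:CreateSnapshot", VOLUME_ARN)),
        ("describe snapshots", evaluate(p, "ec2:describesnapshots", "*")),
        ("terminate instance", evaluate(p, "ec2:TerminateInstances",
                                        "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc")),
    ]


if __name__ == "__main__":
    for label, decision in scenarios():
        print(f"{label:36s} {decision}")
```

The two conditions are deliberately different keys: ec2:CreateSnapshot is evaluated before the snapshot exists, so only aws:RequestTag can constrain it, while ec2:DeleteSnapshot can be tied to the tag already on the resource. A policy that puts aws:ResourceTag on the create statement silently never matches, which is the kind of defect this style of check catches.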
When you onboard a Google Cloud Platform (GCP) connector, Defender for Cloud creates roles and assigns permissions on your GCP project. The following table shows the roles and permissions assigned by each plan on your GCP project. Most entries are custom roles that list individual permissions; a few (for example cloudkms.cryptoKeyEncrypterDecrypter and the compute.viewer group) are predefined GCP roles granted to the connector's service account.

| Defender for Cloud plan | Role created | Permission assigned on GCP project |
|---|---|---|
| Defender CSPM | MDCCspmCustomRole | Discover and scan resources within the organization. View organizations, projects, and folders: resourcemanager.folders.get, resourcemanager.folders.list, resourcemanager.folders.getIamPolicy, resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, storage.buckets.getIamPolicy. Autoprovision new projects and remove deleted projects: resourcemanager.projects.get, resourcemanager.projects.list. Enable the Google Cloud services used for resource discovery: serviceusage.services.enable. Create and list IAM roles: iam.roles.create, iam.roles.list. Act as a service account and gain its permissions to resources: iam.serviceAccounts.actAs. View project details and set common instance metadata: compute.projects.get, compute.projects.setCommonInstanceMetadata. Read-only access to get and list Compute Engine resources (predefined roles): compute.viewer, iam.serviceAccountTokenCreator, osconfig.osPolicyAssignmentAdmin, osconfig.osPolicyAssignmentReportViewer |
| Defender for Databases | defender-for-databases-arc-ap | Azure Arc auto-provisioning for Defender for Databases (predefined roles): compute.viewer, iam.workloadIdentityUser, iam.serviceAccountTokenCreator, osconfig.osPolicyAssignmentAdmin, osconfig.osPolicyAssignmentReportViewer |
| Defender CSPM; Defender for Storage | data-security-posture-storage | Discover GCP storage buckets and let the Defender for Cloud scanner access data in them: storage.objects.list, storage.objects.get, storage.buckets.get |
| Defender CSPM | microsoft-defender-ciem | Get details about the organization resource: resourcemanager.folders.getIamPolicy, resourcemanager.folders.list, resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, storage.buckets.getIamPolicy |
| Defender CSPM; Defender for Servers | MDCAgentlessScanningRole | Agentless disk scanning: compute.disks.createSnapshot, compute.instances.get |
| Defender CSPM; Defender for Servers | cloudkms.cryptoKeyEncrypterDecrypter | An existing GCP KMS predefined role, granted so that disks encrypted with customer-managed encryption keys (CMEK) can be scanned |
| Defender CSPM; Defender for Containers | mdc-containers-artifact-assess | Scan images from GAR and GCR: artifactregistry.reader, storage.objectViewer |
| Defender for Containers | mdc-containers-k8s-operator | Collect data from GKE clusters and update GKE clusters to support IP restriction. Create and manage a log sink that routes logs to a Cloud Pub/Sub topic: logging.sinks.list, logging.sinks.get, logging.sinks.create, logging.sinks.update, logging.sinks.delete, resourcemanager.projects.getIamPolicy, resourcemanager.organizations.getIamPolicy, iam.serviceAccounts.get, iam.workloadIdentityPoolProviders.get |
| Defender for Containers | ms-defender-containers-stream | Allow logging to send logs to Pub/Sub: pubsub.subscriptions.consume, pubsub.subscriptions.get |
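The tables above are the expected permission sets; what matters operationally is whether the roles actually present in the account still match them, since anyone with iam.roles.update on the project can widen a custom role after onboarding. The following is an added example, not Microsoft's tooling: it reads the part of `gcloud iam roles describe ROLE --project PROJECT` output that matters (the YAML keys title, stage and includedPermissions) with a small purpose-built reader so PyYAML is not required, and diffs the role's permissions against the set documented above for MDCAgentlessScanningRole. The sample output is constructed; its project id, etag and the third permission are made up, and that extra permission is there on purpose to show what privilege creep looks like in the report.

```python
"""Drift check for a GCP custom role created by a Defender for Cloud connector.

Added example for this page, not Microsoft's tooling. Parses the subset of
`gcloud iam roles describe` YAML output needed here and diffs permissions
against the documented least-privilege set.
"""

# Permissions this page documents for the role (the expected set).
DOCUMENTED_PERMISSIONS = {
    "MDCAgentlessScanningRole": {
        "compute.disks.createSnapshot",
        "compute.instances.get",
    },
}

# Constructed sample of `gcloud iam roles describe` output (YAML). The project id,
# etag and the compute.instances.setMetadata line are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = """\
description: Defender for Cloud agentless disk scanning
etag: BwYdummyetag=
includedPermissions:
- compute.disks.createSnapshot
- compute.instances.get
- compute.instances.setMetadata
name: projects/example-project/roles/MDCAgentlessScanningRole
stage: GA
title: MDCAgentlessScanningRole
"""


def parse_role_describe(text):
    """Parse the flat `key: value` / `key:` + `- item` YAML gcloud emits for a role.

    Only those two shapes are handled. Anything else raises, so a format change
    is noticed instead of being silently parsed into an empty permission list.
    """
    role = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {line!r}")
            current_list.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep or line.startswith(" "):
            raise ValueError(f"unsupported line: {line!r}")
        key, value = key.strip(), value.strip()
        if value:
            role[key] = value
            current_list = None
        else:
            role[key] = []          # `key:` with nothing after it opens a list
            current_list = role[key]
    return role


def permission_drift(role, expected):
    """Return permissions the role lacks and permissions it should not have."""
    actual = set(role.get("includedPermissions", []))
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}


def audit_role(describe_output, documented=DOCUMENTED_PERMISSIONS):
    """Parse gcloud output, look up the documented set by title, and report drift.

    A role title this page does not list raises; a role that is not at stage GA
    or that has any drift is reported with ok=False.
    """
    role = parse_role_describe(describe_output)
    title = role.get("title", "")
    if title not in documented:
        raise KeyError(f"no documented permission set for role {title!r}")
    report = permission_drift(role, documented[title])
    report["title"] = title
    report["stage"] = role.get("stage", "")
    report["ok"] = not report["missing"] and not report["unexpected"] and report["stage"] == "GA"
    return report


if __name__ == "__main__":
    print(audit_role(SAMPLE_DESCRIBE_OUTPUT))
```

To run it against a real project, pipe the describe output in instead of the constructed sample, and extend DOCUMENTED_PERMISSIONS with the other custom roles from the table above. Predefined roles such as compute.viewer are not custom roles and would be checked with `gcloud projects get-iam-policy` bindings instead, which this example does not cover.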
Next steps
This article explained how Defender for Cloud uses Azure role-based access control (Azure RBAC) to assign permissions to users, and which actions each role allows. Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: