The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a solution of Cloud Security Posture Management (CSPM) and for the protection of workloads, able to identify security weaknesses in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments. For those who are adopting a multi-cloud strategy and who need high security standards for their environment, it is important to know that Microsoft Defender for Cloud can also include resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud are capable of contemplating two great pillars of cloud security:

  • Cloud Security Posture Management (CSPM) capable of providing the following features:
    • Visibility: to assess the current security situation.
    • Hardening Guide: to be able to improve security efficiently and effectively

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of theCenter for Internet Security (CIS) and theNational Institute of Standards and Technology (NIST).

Defender for Cloud assigns a global score to the ambient environment, defined Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take action to take remediation actions.

  • Cloud workload protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and locally:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

To protect resources on other public clouds with this solution, there has been a mechanism for some time now that involves the use of interfacing connectors with AWS and GCP accounts. The onboarding process of your AWS account was based on the integration of the solution AWS Security Hub, as detailed in this article.

Now a new native mechanism and, through an approach agentless, allows you to connect to AWS environments. This new method of interfacing take advantage of the AWS API and it has no dependence on other solutions, like AWS Security Hub. The onboarding experience is designed to work easily on a large scale, simply by connecting your AWS master account, which allows you to automatically onboard existing and future accounts.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud CSPM capabilities are extended to your AWS resources. This agentless plan evaluates AWS resources against AWS specific security recommendations and these are included in the calculation of the global security score. To provide an overall view on the security status of your multi-cloud environments, AWS security recommendations are also integrated into the Defender for Cloud portal, along with Azure recommendations. Have been implemented by Microsoft beyond 160 ready-to-use recommendations for IaaS and PaaS services and three regulatory standards including AWS CIS, AWS PCI DSS e AWS Foundational Security Best Practices. All this allows you to strengthen your security posture while also contemplating AWS resources in the best possible way. Furthermore, you can customize existing models or create new ones that contain your own recommendations and standards to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

AWS currently provides enhanced security for the following workloads:

  • Server protection: Microsoft Defender for server offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. This plan includes the integrated license for Microsoft Defender for Endpoint and several features, including: Security baselines and assessment at the OS level, Vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
  • Container protection: Microsoft Defender for Containers extends container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS Clusters (Elastic Kubernetes Service). For Defender for Kubernetes to be able to protect AWS EKS clusters, Azure Arc-enabled Kubernetes and Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to activate this integration, the following information on costs applies:

  • The CSPM plan is free. To provide recommendations, the CSPM plan queries the AWS resource APIs multiple times a day. These read-only API calls incur no charge, but they are logged in CloudTrail in case you have enabled the trail for reading events. As noted in the AWS documentation, this does not involve additional costs for maintenance. However, it is necessary to be careful and possibly filter these events if data exports are expected (for example to make them flow into an external SIEM).
  • The Defender for Containers plan will be billed at the same price as the plan Defend for Kubernetes for Azure resources.
  • For each AWS machine connected to Azure through Azure Arc, the Defender per server plan is billed at the same price as the Microsoft Defender for server plan for Azure machines.


Microsoft Defender for Cloud, originally developed with the claim of being the best tool to protect resources in an Azure environment, extend and refine its capabilities to cover other public clouds as well. In particular, Thanks to the new integration mechanism with AWS, you can natively adopt a CSPM solution and enable threat protection for your computing workloads in Amazon Web Services (AWS). This allows to obtain a high degree of security, to improve security postures in multi-cloud environments and to simplify the management of tools useful for governing security.

Please follow and like us: