Defender for Cloud deployment in AWS/GCP - Agents, Resources, IAM and Cleanup options
Published Feb 20 2024 06:16 AM 2,706 Views
Microsoft

Objective of the article

The purpose of this article is to provide organizations with a comprehensive understanding of all the agents and resources deployed as part of Defender for Server, Defender for Container, Defender for SQL in their AWS/GCP environment by Defender for Cloud. The article aims to guide organizations on the impact of Defender for Cloud on their environment and what they need to remove when switching Defender for Cloud plans on the security connector. Where possible this article should avoid duplicating information that is already available on Microsoft Learn and focus on providing information that is not publicly available or documented on Microsoft Learn. 

 

Introduction:  

Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Server, Defender for Container, Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article provides you with a comprehensive understanding of the impact of agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a desired security connector.

 

The following table summarizes Microsoft agents and extensions for CWPP:

Agent

Defender for Servers

Defender for Containers

Defender for SQL on Machines

Azure Arc Agent

Microsoft Defender for Endpoint extension

 

 

Log Analytics or Azure Monitor Agent extension

 

*In deprecation process

 

Defender Sensor

 

 

Azure policy for Kubernetes

 

 

SQL servers on machines

 

 

 

Let's review list of agents, resources and roles per plan and cleanup options

 

Defender for Server - AWS:

Resource

Type

Creation Phase

Offboarding

MDE - The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities

Agent

Post connector creation

Azure Arc - AWS machines connect to Azure using Azure Arc

Agent

Post connector creation

SSM - SSM Agent is

mandatory for Arc onboarding

Agent

Post connector creation

  • Some customers rely on SSM Agent for other purposes so please check it before removal 
  • For removal instructions please check AWS guide

DefenderForCloud-DefenderForServers;

DefenderForCloud-ArcAutoProvisioning;

DefenderForCloud-AgentlessScanner;

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • The policies associated with the role name should be removed too
  •  For removal instructions please check AWS guide

 

Defender for Server - GCP:

Resource

Type

Creation Phase

Offboarding

MDE - The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities

Agent

Post connector creation

Azure Arc - GCP machines connect to Azure using Azure Arc

Agent

Post connector creation

microsoft-defender-for-servers

 

IAM - service account

Script creation

  • The service account is customizable – it is saved within the created connector
  • For removal instructions please check GCP guide

defender-for-servers

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • For removal instructions please check GCP guide

OIDC -

defender-for-servers

IAM - workload identity pool

Script creation

  • For removal instructions please check GCP guide

 

*Defender for Server P2 require Microsoft Monitor Agent (MMA or LA agent) and/or Azure Monitor Agent (AMA) for some features, but since it's in deprecation phase, please follow these articles for details and offboarding options:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/upcoming-changes#defender-for-servers

AMA removal: Manage Azure Monitor Agent - Azure Monitor | Microsoft Learn

MMA removal: Manage the Azure Log Analytics agent - Azure Monitor | Microsoft Learn

For MMA, please make sure Legacy solutions are removed from Log analytics workspace.

 

Defender for Container - AWS:

Offering

Resource

Type

Creation Phase

Offboarding

Run-time threat protection

Azure Arc enabled kubernetes- Connects your EKS clusters to Azure and onboards the Defender sensor

Agent deployed on single node

Post connector creation

  • You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PS:

Cleanup Azure Arc-enabled Kubernetes

  • Running this command will delete all arc related resources including extensions

 

Defender Sensor

Sensor deployed on each node

Post connector creation

 

Azure Policy for Kubernetes - Extends the Gatekeeper v3

Extension deployed on one single node

Post connector creation

Agentless threat protection

S3

 

Post connector creation

  • Delete S3 bucket with ARN: arn:aws:s3:::azuredefender-{ AwsRegion}-{ AwsAccountId}-{ ClusterName}
  • For removal instructions please check AWS guide

 

SQS

 

Post connector creation

  • Delete a queue with ARN:
    arn:aws:sqs:{ AwsRegion}:{ AwsAccountId}:azuredefender-{ ClusterName}
  • For removal instructions please check AWS guide

 

Kinesis Data firehose (Amazon Kinesis Data Streams)

 

Post connector creation

  • Delete a stream with ARN:
    arn:aws:firehose:{AwsRegion}:{ AwsAccountId}:deliverystream/azuredefender-{ ClusterName}
  • For removal instructions please check AWS guide

 

DefenderForCloud-Containers-K8s;

DefenderForCloud-DataCollection;

DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis;

DefenderForCloud-Containers-K8s-kinesis-to-s3

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • The policies associated with the role name should be removed too
  • For removal instructions please check AWS guide

Agentless Container Vulnerability Assessment

 

MDCContainersImageAssessmentRole

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • The policies associated with the role name should be removed too
  • For removal instructions please check AWS guide

Agentless discovery for Kubernetes

MDCContainersAgentlessDiscoveryK8sRole

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • The policies associated with the role name should be removed too
  • For removal instructions please check AWS guide

 

 

Defender for Container - GCP:

Offering

Resource

Type

Creation Phase

Offboarding

Run-time threat protection

Azure Arc enabled kubernetes- Connects your GKE clusters to Azure and onboards the Defender sensor

Agent deployed on single node

Post creation

  • You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PS: Cleanup Azure Arc-enabled Kubernetes
  • Running this command will delete all arc related resources including extensions
 

Defender Sensor

Sensor deployed on each node

Post connector creation

 

Azure Policy for Kubernetes - Extends the Gatekeeper v3

Extension deployed on one single node

Post connector creation

Run-time threat protection (AuditLogs)

Container.googleapis.com

Enable API

Script creation

  • Please note, it might be used by other solutions
  • For removal instructions please check GCP guide

 

logging.googleapis.com

Enable API

Script creation

  • Please note, it might be used by other solutions
  • For removal instructions please check GCP guide
 

Data Access audit logs configuration

Settings

Script creation

  • Please note, it might be used by other solutions
  • Name of component to disable:

Kubernetes Engine API

  • For removal instructions please check GCP guide
 

Pub/Sub Topic

 

Post creation

  • For each cluster in a project a topic is created with prefix: “MicrosoftDefender-“
  • For removal instructions please check GCP guide
 

Pub/sub Subscription

 

Post creation

  • For each cluster in a project a subscription is created with prefix: “MicrosoftDefender
  • For removal instructions please check GCP guide
 

SINK – log route

 

Post creation

  • For removal instructions please check GCP guide
 

microsoft-defender-containers;

ms-defender-containers-stream;

 

IAM - service account

Script creation

  • The service account is customizable – it is saved within the created connector
  • For removal instructions please check GCP guide
 

MicrosoftDefenderContainersDataCollectionRole;

MicrosoftDefenderContainersRole;

 

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • For removal instructions please check GCP guide

 

OIDC - containers

OIDC -containers-stream

IAM - workload identity provider

Script creation

  • For removal instructions please check GCP guide

Agentless discovery for Kubernetes

containers

IAM - workload identity pool

Script creation

  • Please note, this identity been used by DCSPM plan as well
  • For removal instructions please check GCP guide

 

mdc-containers-k8s-operator

IAM - service account

Script creation

  • The service account is customizable – it is saved within the created connector
  • For removal instructions please check GCP guide

Agentless Container Vulnerability Assessment

containers

IAM - workload identity pool

Script  creation

  • Please note, this identity been used by DCSPM plan as well
  • For removal instructions please check GCP guide

 

mdc-containers-artifact-assess

IAM - service account

Script creation

  • The service account is customizable – it is saved within the created connector
  • For removal instructions please check GCP guide

 

 

 

Defender for SQL- AWS:

Resource

Type

Creation Phase

Offboarding

Defender Agent

Agent

Post connector creation

  • Removed automatically on plan change
  • Removal can be done via Azure Portal in extension tab

Azure Monitor Agent for SQL server - Collects security-related configuration information and event logs from machines

Agent

Post connector creation

 

 

Azure Arc - AWS machines connect to Azure using Azure Arc

Agent

Post connector creation

DefenderForCloud-ArcAutoProvisioning;

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  • The policies associated with the role name should be removed too
  • For removal instructions please check AWS guide

 

Defender for SQL- GCP:

Resource

Type

Creation Phase

Offboarding

Defender Agent

Agent

Post connector creation

  • Removed automatically on plan change
  • Removal can be done via Azure Portal in extension tab

Azure Monitor Agent for SQL server - Collects security-related configuration information and event logs from machines

Agent

Post connector creation

 

 

Azure Arc - GCP machines connect to Azure using Azure Arc

Agent

Post connector creation

microsoft-databases-arc-ap;

 

IAM - service account

Script creation

  • The service account is customizable –
    it is saved within the created connector
  •  For removal instructions please check GCP guide

defender-for-databases-arc-ap;

IAM - role

Script creation

  • The role name is customizable –
    it is saved within the created connector
  •  For removal instructions please check GCP guide

OIDC - defender-for-databases-arc-ap

 

IAM - workload identity pool 

Script creation

  • Delete: defender-for-databases-arc-ap
  • For removal instructions please check GCP guide

 

Note: Microsoft Monitoring Agent (MMA) is being deprecated in August 2024.  As a result, Azure Monitoring Agent (AMA) been used, but for customers that still use MMA, removal option:

Manage the Azure Log Analytics agent - Azure Monitor | Microsoft Learn

Please make sure Legacy solutions are removed from Log analytics workspace.

 

Conclusion: In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.

 

Acknowledgements

Special thanks to Bojan Magusic for the great partnership and technical review.

 

Reviewed by:

  • Lior Arviv, Senior Program Manager
  • Aviv Mor, Principal PM Manager
  • Ido Keshet, Principal PM Manager
  • Maya Herskovic, Senior PM Manager
  • Bojan Magusic, Product Manager 2
  • Lizet Pena De Sola - Senior Customer Engineer

 

Co-Authors
Version history
Last update:
‎Feb 22 2024 05:59 AM
Updated by: