Defender for Cloud deployment in AWS/GCP - Agents, Resources, IAM and Cleanup options

Microsoft

Feb 20, 2024

Objective of the article

The purpose of this article is to provide organizations with a comprehensive understanding of all the agents and resources deployed as part of Defender for Server, Defender for Container, Defender for SQL in their AWS/GCP environment by Defender for Cloud. The article aims to guide organizations on the impact of Defender for Cloud on their environment and what they need to remove when switching Defender for Cloud plans on the security connector. Where possible this article should avoid duplicating information that is already available on Microsoft Learn and focus on providing information that is not publicly available or documented on Microsoft Learn.

Introduction:

Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Server, Defender for Container, Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article provides you with a comprehensive understanding of the impact of agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a desired security connector.

The following table summarizes Microsoft agents and extensions for CWPP:

Agent	Defender for Servers	Defender for Containers	Defender for SQL on Machines
Azure Arc Agent	✔	✔	✔
Microsoft Defender for Endpoint extension	✔
Log Analytics or Azure Monitor Agent extension	✔ *In deprecation process		✔
Defender Sensor		✔
Azure policy for Kubernetes		✔
SQL servers on machines			✔

Let's review list of agents, resources and roles per plan and cleanup options

Defender for Server - AWS:

Resource	Type	Creation Phase	Offboarding
MDE - The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities	Agent	Post connector creation	For Windows servers instructions: Offboard Windows servers For non-Windows servers instructions: Offboard non-Windows servers
Azure Arc - AWS machines connect to Azure using Azure Arc	Agent	Post connector creation	Uninstall Azure Arc
SSM - SSM Agent is mandatory for Arc onboarding	Agent	Post connector creation	Some customers rely on SSM Agent for other purposes so please check it before removal For removal instructions please check AWS guide
DefenderForCloud-DefenderForServers; DefenderForCloud-ArcAutoProvisioning; DefenderForCloud-AgentlessScanner;	IAM - role	Script creation	The role name is customizable – it is saved within the created connector The policies associated with the role name should be removed too For removal instructions please check AWS guide

Defender for Server - GCP:

Resource	Type	Creation Phase	Offboarding
MDE - The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities	Agent	Post connector creation	For Windows servers instructions: Offboard Windows servers For non-Windows servers instructions: Offboard non-Windows servers
Azure Arc - GCP machines connect to Azure using Azure Arc	Agent	Post connector creation	Uninstall Azure Arc
microsoft-defender-for-servers	IAM - service account	Script creation	The service account is customizable – it is saved within the created connector For removal instructions please check GCP guide
defender-for-servers	IAM - role	Script creation	The role name is customizable – it is saved within the created connector For removal instructions please check GCP guide
OIDC - defender-for-servers	IAM - workload identity pool	Script creation	For removal instructions please check GCP guide

*Defender for Server P2 require Microsoft Monitor Agent (MMA or LA agent) and/or Azure Monitor Agent (AMA) for some features, but since it's in deprecation phase, please follow these articles for details and offboarding options:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/upcoming-changes#defender-for-servers

AMA removal: Manage Azure Monitor Agent - Azure Monitor | Microsoft Learn

MMA removal: Manage the Azure Log Analytics agent - Azure Monitor | Microsoft Learn

For MMA, please make sure Legacy solutions are removed from Log analytics workspace.

Defender for Container - AWS:

Offering	Resource	Type	Creation Phase	Offboarding
Run-time threat protection	Azure Arc enabled kubernetes- Connects your EKS clusters to Azure and onboards the Defender sensor	Agent deployed on single node	Post connector creation	You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PS: Cleanup Azure Arc-enabled Kubernetes Running this command will delete all arc related resources including extensions
	Defender Sensor	Sensor deployed on each node	Post connector creation	You can remove defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor
	Azure Policy for Kubernetes - Extends the Gatekeeper v3	Extension deployed on one single node	Post connector creation	You can remove defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender extension
Agentless threat protection	S3		Post connector creation	Delete S3 bucket with ARN: arn:aws:s3:::azuredefender-{ AwsRegion}-{ AwsAccountId}-{ ClusterName} For removal instructions please check AWS guide
	SQS		Post connector creation	Delete a queue with ARN: arn:aws:sqs:{ AwsRegion}:{ AwsAccountId}:azuredefender-{ ClusterName} For removal instructions please check AWS guide
	Kinesis Data firehose (Amazon Kinesis Data Streams)		Post connector creation	Delete a stream with ARN: arn:aws:firehose:{AwsRegion}:{ AwsAccountId}:deliverystream/azuredefender-{ ClusterName} For removal instructions please check AWS guide
	DefenderForCloud-Containers-K8s; DefenderForCloud-DataCollection; DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis; DefenderForCloud-Containers-K8s-kinesis-to-s3	IAM - role	Script creation	The role name is customizable – it is saved within the created connector The policies associated with the role name should be removed too For removal instructions please check AWS guide
Agentless Container Vulnerability Assessment	MDCContainersImageAssessmentRole	IAM - role	Script creation	The role name is customizable – it is saved within the created connector The policies associated with the role name should be removed too For removal instructions please check AWS guide
Agentless discovery for Kubernetes	MDCContainersAgentlessDiscoveryK8sRole	IAM - role	Script creation	The role name is customizable – it is saved within the created connector The policies associated with the role name should be removed too For removal instructions please check AWS guide

Defender for Container - GCP:

Offering	Resource	Type	Creation Phase	Offboarding
Run-time threat protection	Azure Arc enabled kubernetes- Connects your GKE clusters to Azure and onboards the Defender sensor	Agent deployed on single node	Post creation	You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PS: Cleanup Azure Arc-enabled Kubernetes Running this command will delete all arc related resources including extensions
	Defender Sensor	Sensor deployed on each node	Post connector creation	You can remove defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor
	Azure Policy for Kubernetes - Extends the Gatekeeper v3	Extension deployed on one single node	Post connector creation	You can remove defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender extension
Run-time threat protection (AuditLogs)	Container.googleapis.com	Enable API	Script creation	Please note, it might be used by other solutions For removal instructions please check GCP guide
	logging.googleapis.com	Enable API	Script creation	Please note, it might be used by other solutions For removal instructions please check GCP guide
	Data Access audit logs configuration	Settings	Script creation	Please note, it might be used by other solutions Name of component to disable: Kubernetes Engine API For removal instructions please check GCP guide
	Pub/Sub Topic		Post creation	For each cluster in a project a topic is created with prefix: “MicrosoftDefender-“ For removal instructions please check GCP guide
	Pub/sub Subscription		Post creation	For each cluster in a project a subscription is created with prefix: “MicrosoftDefender For removal instructions please check GCP guide
	SINK – log route		Post creation	For removal instructions please check GCP guide
	microsoft-defender-containers; ms-defender-containers-stream;	IAM - service account	Script creation	The service account is customizable – it is saved within the created connector For removal instructions please check GCP guide
	MicrosoftDefenderContainersDataCollectionRole; MicrosoftDefenderContainersRole;	IAM - role	Script creation	The role name is customizable – it is saved within the created connector For removal instructions please check GCP guide
	OIDC - containers OIDC -containers-stream	IAM - workload identity provider	Script creation	For removal instructions please check GCP guide
Agentless discovery for Kubernetes	containers	IAM - workload identity pool	Script creation	Please note, this identity been used by DCSPM plan as well For removal instructions please check GCP guide
	mdc-containers-k8s-operator	IAM - service account	Script creation	The service account is customizable – it is saved within the created connector For removal instructions please check GCP guide
Agentless Container Vulnerability Assessment	containers	IAM - workload identity pool	Script creation	Please note, this identity been used by DCSPM plan as well For removal instructions please check GCP guide
	mdc-containers-artifact-assess	IAM - service account	Script creation	The service account is customizable – it is saved within the created connector For removal instructions please check GCP guide

Defender for SQL- AWS:

Resource	Type	Creation Phase	Offboarding
Defender Agent	Agent	Post connector creation	Removed automatically on plan change Removal can be done via Azure Portal in extension tab
Azure Monitor Agent for SQL server - Collects security-related configuration information and event logs from machines	Agent	Post connector creation	Azure Monitor Agent offboarding: Unistall AMA
Azure Arc - AWS machines connect to Azure using Azure Arc	Agent	Post connector creation	Uninstall Azure Arc Please remove Arc only after defender agent removal
DefenderForCloud-ArcAutoProvisioning;	IAM - role	Script creation	The role name is customizable – it is saved within the created connector The policies associated with the role name should be removed too For removal instructions please check AWS guide

Defender for SQL- GCP:

Resource	Type	Creation Phase	Offboarding
Defender Agent	Agent	Post connector creation	Removed automatically on plan change Removal can be done via Azure Portal in extension tab
Azure Monitor Agent for SQL server - Collects security-related configuration information and event logs from machines	Agent	Post connector creation	Azure Monitor Agent offboarding: Unistall AMA
Azure Arc - GCP machines connect to Azure using Azure Arc	Agent	Post connector creation	Uninstall Azure Arc Please remove Arc only after defender agent removal
microsoft-databases-arc-ap;	IAM - service account	Script creation	The service account is customizable – it is saved within the created connector For removal instructions please check GCP guide
defender-for-databases-arc-ap;	IAM - role	Script creation	The role name is customizable – it is saved within the created connector For removal instructions please check GCP guide
OIDC - defender-for-databases-arc-ap	IAM - workload identity pool	Script creation	Delete: defender-for-databases-arc-ap For removal instructions please check GCP guide

Note: Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, Azure Monitoring Agent (AMA) been used, but for customers that still use MMA, removal option:

Manage the Azure Log Analytics agent - Azure Monitor | Microsoft Learn

Please make sure Legacy solutions are removed from Log analytics workspace.

Conclusion: In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.