Introduction:
Microsoft Defender for Cloud is a multicloud security solution. It provides native Cloud Security Posture Management (CSPM) capabilities for Azure, AWS, and Google Cloud environments (including out-of-the-box recommendations), finding weak spots across your cloud configuration and helping strengthen the overall security posture of your environment. Additionally, it provides native cloud workload protection (CWP) support for servers, containers and databases, to protect workloads across multicloud and hybrid environments from evolving threats. To learn more about the onboarding process for your AWS and GCP accounts to Defender for Cloud, be sure to visit our step-by-step technical guidance here.
In this blog post, we will help you understand the dependencies and pricing of Microsoft Defender for Cloud’s native AWS and GCP support in detail.
Agent and extension dependencies:
CSPM plan for AWS/GCP
The CSPM plan for AWS and GCP is completely agentless and assesses your AWS and GCP resources according to AWS-specific and GCP-specific security recommendations. The onboarding experience is designed to work easily at scale: you simply connect your AWS master account, which automatically onboards existing and future accounts. You don’t need to install any agents or extensions, nor do you need Azure Arc. The only scenario that requires Azure Arc is running in-guest policies (on the machine itself). Enabling the CSPM plan is free, and through it we’re able to discover all of the resources, which makes it a prerequisite for using any of the native CWP capabilities for AWS/GCP (servers, containers and/or databases).
CWP for Servers plan for AWS/GCP
The CWP plan for servers in AWS and GCP brings threat detection and advanced defenses to your AWS and GCP VMs. To get the full security value out of the native AWS/GCP support for servers, you’re required to have additional agents and extensions installed as mentioned below:
- Azure Arc Agent: Connects your servers to Azure Arc (see here for technical guidance) and is a prerequisite for the other extensions, which provide security value on top of Azure Arc. Auto-provisioning requires the OS Config agent on GCP machines and the AWS Systems Manager (SSM) agent on AWS EC2 instances. Additional extensions that should be enabled on the Arc-connected machines are listed in this documentation.
- Microsoft Defender for Endpoint extension: Integrated license for Microsoft Defender for Endpoint that provides endpoint detection and response (EDR) capabilities.
- Vulnerability assessment: Requires either “Microsoft threat and vulnerability management” or “Microsoft Defender for Cloud integrated Qualys scanner” to be enabled.
- Log Analytics extension: The Log Analytics (LA) agent on Arc machines. Ensure the selected workspace has the “Security” solution installed; the agent collects security-related configurations and event logs from the machine.
CWP for Containers plan for AWS/GCP
The CWP plan for Containers in AWS and GCP (EKS and GKE respectively) brings threat detection and advanced defenses to your Amazon EKS clusters and Google GKE Standard clusters. It requires the Azure Arc agent, the Defender extension and the Azure Policy extension to be installed. Additionally, Defender for Cloud provides agentless collection of the Kubernetes audit log data through GCP Cloud Logging (enabled by default and available at the GCP project level) and AWS CloudWatch (enabled by default and available at the AWS account level). The required agents and extensions are:
- Azure Arc Agent: Connects your clusters to Azure Arc (see here for technical guidance). You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three different ways as mentioned in detail here.
- The Defender extension: Collects signals from hosts and provides runtime protection.
- The Azure Policy extension: Collects the workload’s configuration information and makes it possible to apply enforcements at scale.
NOTE: In addition to the above agent and extensions, the CWP for Containers plan for AWS/GCP requires the sending of “Kubernetes audit logs” to be enabled at the AWS/GCP connector level, in order to get threat detection alerts for the control plane.
CWP for Databases plan for AWS/GCP
The CWP plan for Databases brings threat detection and advanced defenses to your SQL servers running on AWS EC2, AWS RDS Custom for SQL Server and GCP VM instances. To get full value out of the Databases plan, it’s required to have the following agents and extensions installed:
- Azure Arc agent: Connects your servers to Azure Arc so you can manage your SQL instance (see here for technical guidance).
- SQL servers on machines: Applies to SQL on Azure virtual machines, SQL servers on-premises, and Azure Arc enabled SQL servers.
- Log Analytics extension: Collects security-related configurations and event logs from the machines.
- Automatic SQL server discovery and registration: Provides a centralized SQL asset inventory and management, as well as automatic discovery and registration of SQL servers when you enable these settings.
| Dependency | CSPM | Servers | Containers | Databases |
|---|---|---|---|---|
| Agentless | Yes | | | |
| Azure Arc agent | | Yes | Yes | Yes |
| MDE Extension | | Yes | | |
| Vulnerability assessment | | Yes | | |
| Log Analytics extension | | Yes | | Yes |
| Defender extension | | | Yes | |
| Azure policy extension | | | Yes | |
| Kubernetes audit log data | | | Yes | |
| SQL servers on machines | | | | Yes |
| Automatic SQL server discovery and registration | | | | Yes |
NOTE: Currently, the integration of Azure Monitor Agent (AMA) is in Public Preview. When it becomes Generally Available, it will be included in the table above. In addition to the agents and extensions covered above, it’s required to enable the corresponding plan on the AWS/GCP connector.
Now that we’ve covered the dependencies, let’s check out the pricing details next!
Pricing:
CSPM plan for AWS/GCP
The CSPM plan for AWS and GCP is available for free and enabled by default. It includes Secure Score (across Azure, AWS and GCP), security recommendations, remediation and automation capabilities. However, if an organization wants to use regulatory compliance and standards, they need to have Defender for Cloud plans enabled.
NOTE: The CSPM plan queries the AWS APIs several times per day. These read-only API calls incur no charges, but they are registered in CloudTrail. Therefore, if you’ve enabled a trail for read events and are exporting data out of AWS, the increased volume of calls may lead to ingestion costs.
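To put a number on that CloudTrail note, here is an added example (not code from the original post or from Microsoft) that reads a CloudTrail export, keeps only the read-only events of a chosen principal, collapses assumed-role session ARNs to the role, and extrapolates the observed call rate to calls and bytes per day. The sample records, the account id and the role name EXAMPLE-CspmRole are all constructed placeholders; substitute the role your Defender for Cloud connector actually assumes in your account.

```python
import json
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample CloudTrail export (not real data). Account id and the role
# name EXAMPLE-CspmRole are placeholders for the connector's real role.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-03-01T00:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-CspmRole/s1"}},
    {"eventTime": "2023-03-01T01:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-CspmRole/s1"}},
    {"eventTime": "2023-03-01T02:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-CspmRole/s2"}},
    {"eventTime": "2023-03-01T01:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-03-01T01:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def parse_trail(raw: str) -> List[Dict]:
    """Parse a CloudTrail export file body ({"Records": [...]})."""
    return json.loads(raw)["Records"]


def principal_of(record: Dict) -> str:
    """Principal ARN of a record, with assumed-role session names stripped so
    that all sessions of one role aggregate together."""
    arn = record.get("userIdentity", {}).get("arn", "<unknown>")
    if ":assumed-role/" in arn:
        arn = arn.rsplit("/", 1)[0]
    return arn


def select_read_only(records: List[Dict], principal_substring: Optional[str] = None) -> List[Dict]:
    """Keep read-only events, optionally only those whose principal contains
    the given substring (e.g. the connector's role name)."""
    out = []
    for r in records:
        if not r.get("readOnly", False):
            continue
        if principal_substring and principal_substring not in principal_of(r):
            continue
        out.append(r)
    return out


def summarize_read_only(records: List[Dict], principal_substring: Optional[str] = None) -> Counter:
    """Count read-only calls per (principal, eventSource)."""
    return Counter((principal_of(r), r["eventSource"])
                   for r in select_read_only(records, principal_substring))


def _parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def estimate_daily_volume(records: List[Dict], principal_substring: Optional[str] = None) -> Tuple[float, float]:
    """Extrapolate the matching read-only events to (calls per day, JSON bytes
    per day) from the time span they cover; a rough sizing input for the
    ingestion cost of a trail that exports read events."""
    matching = select_read_only(records, principal_substring)
    if len(matching) < 2:
        return 0.0, 0.0
    times = sorted(_parse_time(r["eventTime"]) for r in matching)
    span_hours = max((times[-1] - times[0]).total_seconds() / 3600.0, 1.0 / 60.0)
    scale = 24.0 / span_hours
    calls_per_day = len(matching) * scale
    bytes_per_day = sum(len(json.dumps(r, separators=(",", ":"))) for r in matching) * scale
    return calls_per_day, bytes_per_day


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_TRAIL)
    for (principal, source), n in summarize_read_only(recs, "EXAMPLE-CspmRole").items():
        print(f"{principal} {source}: {n} read-only calls")
    print("extrapolated calls/day, bytes/day:", estimate_daily_volume(recs, "EXAMPLE-CspmRole"))
```

Run it against a real export by replacing SAMPLE_TRAIL with the file contents; the per-day figures are a linear extrapolation over the window the records cover, so use at least a full day of data before comparing against the trail's ingestion pricing.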
CWP for Servers plan for AWS/GCP
The CWP plan for servers in Azure, AWS, and GCP comes in two flavors. The price for the P2 plan is $15/server/month and for the P1 plan $5/server/month. For the latest information, be sure to consult the pricing page. This plan is not enabled by default and needs to be enabled at the AWS/GCP connector level.
NOTE: You will be charged for all EC2 machines that are connected to the AWS account, regardless of whether they have the Azure Arc agent deployed or not. With regards to GCP, the Azure Arc auto-provisioning process leverages the VM manager on GCP and this will incur costs, as well as changing the OS config agent from inactive to active (done by Microsoft Defender for Servers).
CWP for Containers plan for AWS/GCP
The CWP plan for Containers in AWS and GCP (EKS and GKE respectively) is currently in preview and is available for free during the preview. Once the plan is GA, it will be billed at the same price as for Azure resources, $7/Kubernetes vCore/month. It includes 20 free scans per vCore. Every subsequent scan will be charged at $0.29 per image digest. Pricing might vary based on the region in question. For the latest information, be sure to consult the pricing page. This plan is not enabled by default and needs to be enabled at the AWS/GCP connector level.
CWP for Databases plan for AWS/GCP
The CWP plan for Databases in AWS and GCP is billed at the same price as for Azure resources: $15/server/month. For the latest information, be sure to consult the pricing page. This plan is not enabled by default and needs to be enabled at the AWS/GCP connector level.
NOTE: With regards to GCP, the Azure Arc auto-provisioning process leverages the VM manager on GCP and this will incur costs, as well as changing the OS config agent from inactive to active (done by the plan).
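The three pricing sections above combine into a monthly budget estimate. The following is an added example (not code from the original post or from Microsoft) that applies the rates quoted in the post: every EC2 instance in a connected account is counted for the Servers plan whether or not the Arc agent is deployed, the Containers plan charges per vCore with 20 included scans per vCore and $0.29 per image digest beyond that, and the Databases plan charges per SQL server. The rates are the post's figures at the time of writing, not live pricing; the inventory is constructed.

```python
from typing import Dict, List

# Rates quoted in the post at the time of writing (USD per month); consult the
# pricing page for current values before budgeting.
RATES = {
    "servers_p1": 5.0,
    "servers_p2": 15.0,
    "k8s_vcore": 7.0,
    "scan_per_digest": 0.29,
    "free_scans_per_vcore": 20,
    "databases": 15.0,
}

# Constructed inventory: the arc_connected flag is informational only.
SAMPLE_INVENTORY = {
    "ec2_instances": [{"id": f"i-example{n:02d}", "arc_connected": n < 7} for n in range(10)],
    "servers_plan": "P2",
    "k8s_vcores": 8,
    "image_scans": 200,
    "sql_servers": 3,
}


def billable_ec2(instances: List[Dict]) -> int:
    """All EC2 instances in a connected account are billed, so arc_connected is
    deliberately ignored: that is the charging behaviour the post calls out."""
    return len(instances)


def servers_cost(instances: List[Dict], plan: str = "P2") -> float:
    """Monthly Servers plan cost for the given plan tier."""
    tier = plan.upper()
    if tier not in ("P1", "P2"):
        raise ValueError(f"unknown Servers plan tier: {plan}")
    rate = RATES["servers_p2"] if tier == "P2" else RATES["servers_p1"]
    return round(billable_ec2(instances) * rate, 2)


def containers_cost(vcores: int, image_scans: int) -> float:
    """Monthly Containers plan cost: per-vCore charge plus scans beyond the
    included 20 per vCore, billed per image digest."""
    included = RATES["free_scans_per_vcore"] * vcores
    extra_scans = max(0, image_scans - included)
    return round(vcores * RATES["k8s_vcore"] + extra_scans * RATES["scan_per_digest"], 2)


def databases_cost(sql_servers: int) -> float:
    """Monthly Databases plan cost per protected SQL server."""
    return round(sql_servers * RATES["databases"], 2)


def monthly_estimate(inventory: Dict) -> Dict[str, float]:
    """Per-plan and total monthly estimate for an inventory dict."""
    breakdown = {
        "servers": servers_cost(inventory["ec2_instances"], inventory.get("servers_plan", "P2")),
        "containers": containers_cost(inventory["k8s_vcores"], inventory["image_scans"]),
        "databases": databases_cost(inventory["sql_servers"]),
    }
    breakdown["total"] = round(sum(breakdown.values()), 2)
    return breakdown


if __name__ == "__main__":
    for plan, cost in monthly_estimate(SAMPLE_INVENTORY).items():
        print(f"{plan:>10}: ${cost:.2f}/month")
```

Note that the estimate does not include the GCP VM Manager charges mentioned above, nor any Azure Arc or Azure Monitor add-ons priced separately; those depend on what else you enable on the Arc-connected machines.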
Frequently asked questions:
See below the answers to common questions related to Microsoft Defender for Cloud multicloud capabilities.
How much does Arc for Kubernetes cost?
Azure Policy for Kubernetes is still in preview and available for free while in preview.
Policy for Kubernetes assignments used by Defender for Cloud should not be billed if the Defender for Kubernetes plan is enabled.
Is the VA capability supported for AWS and GCP containers?
This feature is in Private preview.
What license do I need to use Regulatory Compliance in AWS/GCP environments?
To benefit from Regulatory Compliance for AWS/GCP, you need at least one plan enabled on either the connector or the subscription the connector has been created in.
Microsoft Defender for Servers for resources in AWS:
Is onboarding of Azure Arc a requirement?
Yes, Azure Arc for servers is required.
If onboarding to Arc is indeed required for Azure Arc for servers, does Defender require “Guest configuration” and therefore incur the $6/server per month cost?
No.
Microsoft Defender for containers for resources in AWS:
Is onboarding of Azure Arc a requirement?
It is highly recommended, because with Azure Arc you can leverage the Microsoft Defender cluster extension, which provides security capabilities for your EKS clusters: Azure Arc-enabled Kubernetes cluster extensions - Azure Arc | Microsoft Docs.
While the same docs say Defender for Containers is free during the preview and will be the same price for Azure resources; is there extra cost required for ARC?
Kubernetes assignments used by Defender for Cloud should not be billed if the Defender for Containers plan is enabled. Additional policies or configurations that are not used by Defender for Containers will be charged as mentioned here: Pricing – Azure Arc | Microsoft Azure (in addition to any additional services or extensions, such as Azure Monitor, that have their own price tag).
Many thanks to the reviewers of the blog:
Meital Taran-Gutman, Principal PM Manager,
OrSerokJeppa, Senior Program Manager,
mahersko , Senior Program Manager
@Tomer Spivak, Senior Program Manager