[11/2/2021 Update - The article below leverages the legacy AWS Connector. For more information about the new AWS Connector released at Ignite 2021, watch this presentation from Ignite]
According to a recent study, cloud misconfigurations take an average 25 days to fix. This number can even be higher if you are managing the cloud security posture across multiple providers without having an aggregate visualization of the current security state of all cloud workloads. Not only it becomes a challenge to understand the current security state, but also to manage multiple dashboards and prioritize which issues should be resolved first.
When you enable Microsoft Defender for Cloud you will be able to connect to AWS and GCP using native Microsoft Defender for Cloud connectors. Once you connect to each cloud provider, you will be able to use the Security Recommendations to quickly filter the environment and see only the recommendations that are relevant for the cloud provider that you want, as shown below:
You can also quickly identify resources on each cloud provider by using the Inventory dashboard, by using the Cloud Environment filter as shown below:
In addition to all that, you can also take advantage of centralized automation by leveraging the Workflow Automation feature to automate response for security recommendations generated in Azure, AWS or GCP.
Cloud security posture management and workload protection
The security recommendations are relevant for the cloud security posture management scenario, which means that you drive the enhancement of your security posture across multiple cloud providers by remediating those recommendations. However, this is not the only scenario available for multi-cloud, you can also use the following Microsoft Defender for Cloud plans to enhance your workload protection. When planning cloud workload protection for workloads in AWS and GCP, make sure to first enable the VMs to use Azure Arc, once you do that, the following Microsoft Defender for Cloud plans will be available across Azure, AWS and GCP:
The potential alerts generated by workloads protected by those plans is going to be surfaced in the Security Alerts dashboard in Microsoft Defender for Cloud. Which means that you again will have a single dashboard to visualize alerts across different cloud providers. These alerts can be streamed to your SIEM platform using Continuous Export feature in Microsoft Defender for Cloud.
Prior to implementing your multi-cloud adoption using Microsoft Defender for Cloud, it is important to consider the following aspects:
When connecting with AWS
- An account is onboarded to a subscription, the subscription has to have Microsoft Defender for Servers enabled
- The VMs under this account will automatically be onboarded to Azure using Azure Arc, and will be covered by Defender (list of supported OS)
- Arc cost is inclusive with Microsoft Defender for Cloud (you won’t pay twice)
- To receive the security recommendations, you will need to enable AWS Security Hub on the accounts you want to onboard
- Security Hub is a paid service that can vary depending on how many accounts and regions it’s enabled on (please refer to AWS official pricing)
When connecting with GCP
- Same requirement for Microsoft Defender for Cloud enabled on the subscription
- Servers are not onboarded automatically, and will need to be onboarded through Arc (Arc onboarding guide)
- To receive security recommendations, you will need to enable GCP Security Command Center
- Google Security Command Center have two pricing tiers: standard (free) and premium
- Free tier includes ~12 recommendations, premium around 120
- Premium tier costs 5% of annual spending in GCP, please refer to GCP official pricing)
The resources below will be useful for you to implement this multi-cloud capability in Microsoft Defender for Cloud:
Or Serok Jeppa, Program Manager