AWS Posture Management with Microsoft Defender for Cloud CSPM

pawelhaubus
8 min read, Nov 4, 2023


Microsoft Defender for Cloud (DfC) is a multicloud security solution. It provides native cloud security posture management (CSPM) capabilities for Azure, AWS, and Google Cloud environments and supports threat protection across these platforms.

DfC capabilities for multicloud, and specifically for AWS, include:

Cloud Security Posture Management (CSPM) — CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation. Some of the features available for AWS are:

  • Security recommendations to fix misconfigurations and weaknesses
  • Asset Inventory
  • Data visualization and reporting with Azure Workbooks
  • Workflow Automation
  • Governance
  • Regulatory Compliance

Cloud Workload Protection (CWP) — surfaces workload-specific recommendations that lead you to the right security controls to protect your workloads.

  • AWS server protection
  • AWS container protection
  • AWS database protection

In this article I will concentrate on the CSPM features and integration only.

Defender for Cloud CSPM licensing (AWS context)

Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default on any account that has been onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with the Microsoft Cloud Security Benchmark (MCSB), and a Secure score, which measures the current status of your organization’s posture.

The optional Defender CSPM plan provides advanced posture management capabilities such as Attack path analysis, Cloud security explorer, advanced threat hunting, security governance capabilities, and also tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.

Free Plan — AWS context

Even though the foundational CSPM plan is free, we must be aware of some additional charges related to platform operations. To check the status of AWS resources, DfC uses read-only API calls. If AWS CloudTrail is logging read events, and if export of data to a SIEM is configured, ingestion costs might increase.
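One way to see how much of that read-event volume the connector actually produces before the logs reach the SIEM is to attribute CloudTrail records to the role DfC assumes. The script below is an added example and not part of the original post or of Microsoft's tooling; it assumes the connector role keeps the default template's name (CspmMonitorAwsRole), and it relies on the standard CloudTrail record fields `readOnly`, `eventSource` and `userIdentity.arn`. The log records are constructed for illustration.

```python
"""Attribute CloudTrail read events to the DfC connector role.

Added example, not code from the original post. Assumption: the connector
assumes an IAM role named CspmMonitorAwsRole (the name used by the default
template). CloudTrail records are parsed in their standard JSON shape; the
sample records below are constructed, not real log data.
"""
import json
from collections import Counter

CONNECTOR_ROLE = "CspmMonitorAwsRole"  # assumed role name from the default template

# Constructed sample of a CloudTrail log file (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-11-04T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAwsRole/dfc-session"}},
    {"eventTime": "2023-11-04T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAwsRole/dfc-session"}},
    {"eventTime": "2023-11-04T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetAccountSummary", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAwsRole/dfc-session"}},
    {"eventTime": "2023-11-04T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-11-04T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsReadRole/bob"}},
]})


def role_name_from_identity(identity):
    """Return the IAM role name behind an AssumedRole identity, else None.

    An assumed-role session ARN looks like
    arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
    """
    if identity.get("type") != "AssumedRole":
        return None
    arn = identity.get("arn", "")
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def summarize(log_json, role=CONNECTOR_ROLE):
    """Count the connector role's read and write events and its share of the log.

    A non-zero write count is worth investigating: the connector is expected
    to issue read-only calls only.
    """
    records = json.loads(log_json)["Records"]
    total = len(records)
    connector_read = Counter()
    connector_write = 0
    for rec in records:
        if role_name_from_identity(rec.get("userIdentity", {})) != role:
            continue
        if rec.get("readOnly", False):
            connector_read[rec["eventSource"]] += 1
        else:
            connector_write += 1
    read_total = sum(connector_read.values())
    return {
        "total_events": total,
        "connector_read_events": read_total,
        "connector_write_events": connector_write,
        "connector_share": round(read_total / total, 2) if total else 0.0,
        "by_service": dict(connector_read),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against a real trail export (the `Records` array of a CloudTrail log file), the `connector_share` value tells you roughly what fraction of ingested events the posture checks add, and `by_service` shows which services the connector polls most; that is the number to put next to the SIEM ingestion price before deciding whether to keep read events in the trail.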

Included Features:

  • Continuous assessment of the security configuration of your cloud resources
  • Security recommendations to fix misconfigurations and weaknesses
  • Secure score summarizing your current security situation

Paid Plan — AWS context

Microsoft Defender CSPM protects all your multicloud workloads, but billing applies only to Servers, Databases, and Storage accounts, at $5/billable resource/month. The underlying compute services for EKS are regarded as servers for billing purposes.

Included Features:

  • Identity and role assignments discovery
  • Network exposure detection
  • Attack path analysis
  • Cloud security explorer for risk hunting
  • Agentless vulnerability scanning
  • Agentless secrets scanning
  • Governance rules to drive timely remediation and accountability
  • Regulatory compliance and industry best practices
  • Data-aware security posture
  • Custom recommendations

Objectives

Now that we have a general understanding of DfC capabilities, let's go through the following scenario:

  • Connect single AWS account to DfC
  • View Asset Inventory
  • Analyse Recommendations
  • Explore Regulatory Compliance

DfC AWS account connection

To protect your AWS-based resources, we must connect the AWS account using the built-in connector. The connector provides an agentless connection to the AWS environment that can be extended with Defender for Cloud’s Defender plans to secure AWS resources. In this scenario we will only use Defender CSPM.

Prerequisites:

  • Azure Tenant
  • Azure Subscription
  • Microsoft Defender for Cloud set up on Azure subscription.
  • Access to an AWS account.
  • Contributor permission for the relevant Azure subscription, and Administrator permission on the AWS account.

Onboarding:

Azure Portal

To onboard an AWS account to Defender for Cloud, you can perform the following steps through the Azure portal:

  1. Log in to the Azure Portal.
  2. Search for the ‘Defender for Cloud’ service.

Provide the required details: connector name, type of onboarding (organization / single account), regions, the resource group where the connector will be located and, most importantly, the AWS account ID.

Select the appropriate plans; in this scenario we are only enabling the CSPM plan.

On the next screen we will generate a CloudFormation template to deploy the custom roles which will be used for onboarding and account management. We have a couple of options here.

Default access template:

  • Assigns the built-in ReadOnlyAccess policy to the CspmMonitorAwsRole, which grants read-only permissions to a wide range of AWS resources.
  • Explicitly denies certain billing-related actions.

Least Privilege Access:

  • It does not assign the default ReadOnlyAccess policy to the CspmMonitorAwsRole.
  • It creates a policy that allows access only to specific AWS services (only part of the policy is shown).

Of course the recommended approach is to use the Least Privilege option; however, we must remember to maintain the role and policy in the future. DfC will be expanding its coverage to a broader list of AWS services, which must then be listed explicitly under the policy actions.
The Default access policy accommodates the expanded coverage automatically, but we lose control of what we allow/deny.
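The maintenance burden of the Least Privilege option is easy to automate away in part: check the policy you deploy for two things, that every allowed action is still a read-only verb (so nobody "fixed" a coverage gap by adding `ec2:*`), and that it still covers the API calls the connector needs after DfC widens its coverage. The script below is an added example, not the post's or Microsoft's template; the policy documents and the list of required actions are constructed for illustration, and the real list of actions comes from the template DfC generates for your tenant.

```python
"""Audit a least-privilege DfC connector policy for write actions and coverage drift.

Added example, not code from the original post or from Microsoft's template.
Assumptions: the policy uses the standard IAM document shape
(Version/Statement/Effect/Action), the constructed REQUIRED_ACTIONS list stands
in for whatever the current DfC template needs, and the billing deny is an
illustrative stand-in for the template's own deny statement.
"""
from fnmatch import fnmatchcase

# Verb prefixes we treat as read-only; anything else is write-capable.
READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search", "View", "Check")

# Constructed least-privilege policy in the spirit of the template's option.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:List*", "s3:GetBucket*",
                    "rds:Describe*", "iam:Get*", "iam:List*"]},
        {"Effect": "Deny", "Resource": "*", "Action": ["aws-portal:*"]},  # constructed billing deny
    ],
}

# Constructed "shortcut" variant: someone widened ec2 to a full wildcard.
SHORTCUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:*", "s3:List*", "rds:Describe*"]},
    ],
}

# Constructed: calls the connector is assumed to need after coverage expands.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "s3:ListAllMyBuckets", "rds:DescribeDBInstances",
    "iam:ListRoles", "eks:ListClusters", "lambda:ListFunctions",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _actions(policy, effect):
    """Collect action patterns from all statements with the given Effect."""
    return [a for st in policy.get("Statement", [])
            if st.get("Effect") == effect for a in _as_list(st.get("Action", []))]


def is_read_only_action(pattern):
    """True when the action's verb starts with a read-only prefix.

    'ec2:Describe*' -> True, 'ec2:*' -> False, 'iam:PassRole' -> False.
    """
    verb = pattern.split(":", 1)[1] if ":" in pattern else pattern
    return any(verb.startswith(p) for p in READ_ONLY_VERBS)


def is_action_allowed(action, policy):
    """IAM-style evaluation for a single action: explicit Deny wins, then Allow."""
    if any(fnmatchcase(action, d) for d in _actions(policy, "Deny")):
        return False
    return any(fnmatchcase(action, a) for a in _actions(policy, "Allow"))


def audit(policy, required):
    """Report write-capable Allow patterns and required calls the policy misses."""
    return {
        "write_capable_allows": [a for a in _actions(policy, "Allow") if not is_read_only_action(a)],
        "missing_required": [a for a in required if not is_action_allowed(a, policy)],
    }


if __name__ == "__main__":
    for name, pol in (("least-privilege", LEAST_PRIVILEGE_POLICY), ("shortcut", SHORTCUT_POLICY)):
        print(name, audit(pol, REQUIRED_ACTIONS))
```

Run this as a pipeline step whenever the connector policy or the DfC template changes: a non-empty `missing_required` list means the connector will silently stop assessing those services, and a non-empty `write_capable_allows` list means the least-privilege role has drifted toward the Default access template without the explicit decision to do so.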

Once your preferred template is downloaded we can move to the AWS account.

AWS Account

Once logged in to AWS, search for ‘Stacks’ and create a new stack ‘with new resources (standard)’.

Choose the template downloaded from the DfC portal and press ‘Next’.

On the next screen, provide the stack name; all other parameters should already be pre-populated. On the following screen, review and adjust stack options in line with your requirements.

The last step is to acknowledge the capabilities checkbox and press Submit.

Once completed, you can check the status of the deployment

and the created roles.

At this stage we can go back to the Azure portal and finalize the connector creation.

We can also check the status under [ Environment settings / AWS account / Settings ].

It will take a little while for the data to be ingested, but we can slowly start exploring the DfC AWS findings.

View Asset Inventory

The asset inventory page of Microsoft Defender for Cloud shows the security posture of the resources connected to Defender for Cloud. Defender for Cloud periodically analyzes the security state of resources connected to the AWS account to identify potential security issues and provides active recommendations. Active recommendations are recommendations that can be resolved to improve security posture.

We can browse through the identified assets by going to the inventory and setting the correct filters.

We can choose a specific resource to see the recommendations related to it.

Analyse recommendations

Recommendations give you suggestions on how to better secure resources. They provide manual remediation steps which can help resolve discovered problems; of course that is not ideal, and in a perfect world everyone would follow CI/CD deployments and control resources with central policies. Based on that, my recommendation is to analyse the findings and implement them in the deployment templates, or define appropriate policies to prevent certain configuration settings from being allowed.

Recommendations provide a holistic view of all misconfigurations related to our services; we also get a secure score, which gives an indication of how good or bad the account state is. Personally I am not a big fan of the secure score: it is a rather meaningless number which does not really provide any specific indications, but on the other hand we all know that management loves different stats and KPIs which can be used for all sorts of measurements.

Each recommendation provides a description, remediation steps and the list of healthy and unhealthy resources.

In addition, some recommendations provide a ‘Quick fix logic’ script which can be used for auto-remediation.

Explore regulatory compliance

Microsoft Defender for Cloud helps streamline the process of meeting regulatory compliance requirements through the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you’ve applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.

DfC offers a range of regulatory standards for AWS:

Note: The Microsoft cloud security benchmark (MCSB) is automatically assigned to your accounts when you onboard Defender for Cloud. This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies these principles with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP), and for other Microsoft clouds.

The Regulatory Compliance dashboard provides a summary of our organization’s compliance state and allows us to export it as a report.

Conclusion

Microsoft Defender for Cloud (DfC) provides a range of features and capabilities for multicloud environments. Organizations seeking a comprehensive solution to enhance visibility and bolster their overall posture across different clouds can benefit from a single pane of glass, offering a centralized and unified view of their multi-cloud environment — Azure, AWS and GCP.

The DfC Cloud Security Posture Management (CSPM) feature offers insights into your AWS infrastructure and guidance on addressing misconfigurations. However, it’s just one piece of the larger puzzle. From here, we must extend the coverage to EC2 instances, EKS clusters, and databases, and Defender can certainly help. We will explore how in the next part.

Thank you for reading, and on to the next one.
