This is the fourth part of the ‘Multi-Cloud Security Monitoring & Posture Management blog series. The earlier posts, focusing on security monitoring, are found from the links below:

Microsoft Defender for Cloud secures resources in Azure and also in 3rd party clouds & on-premises in the following main categories. This blog focuses on ‘continuously assess’ & ‘secure’ pillars which are categorized as CSPM.

Cloud Connectors in Microsoft Defender for Cloud

Cloud security posture management (CSPM) is shattered across clouds, and there is a need for a ‘single pane of glass’ to provide visibility to security configuration and possible vulnerabilities of deployed resources.

Former Azure Security Center, with Azure Defender, after Microsoft Ignite announcement ‘Microsoft Defender for Cloud (MDC)’, provides an answer for this need, and with this solution, an organization can leverage visibility to other cloud environments using native MDC cloud connectors.

At the time of writing, supported clouds through ‘Cloud Connector’ are Amazon Web Service (AWS) & Google Cloud Platform (GCP). With the new method announced in Ignite, only AWS is supported.

Benefit for using the connectors (AWS)

Microsoft Defender for Cloud provides the following features in the CSPM category in the multi-cloud scenario for AWS. take into account that some of them require Defender plan to be enabled (such as Regulatory Compliance):

  • Detection of security misconfigurations
  • Single view showing Security Center recommendations and AWS Security Hub findings
  • Incorporation of AWS resources into Security Center’s secure score calculations
  • Regulatory compliance assessments of AWS resources

CWP Category:

  • Automatic agent provisioning
    • Security Center uses Azure Arc to deploy the Log Analytics agent to AWS instances
  • Policy management
  • Vulnerability management
  • Embedded Endpoint Detection and Response (EDR)

Another aspect is that when Defender for Cloud is enabled there is threat protection for the following workloads:

  • Azure Defender for Servers
  • Azure Defender for Kubernetes
  • Azure Defender for SQL on Machines

Benefit for using the connectors (GCP)

Microsoft Defender for Cloud provides the following features in the CSPM category in the multi-cloud scenario for GCP:

  • Detection of security misconfigurations
  • Single view showing Security Center recommendations and GCP Security Command Center findings
  • Incorporation of your GCP resources into Security Center’s secure score calculations
  • Integration of GCP Security Command Center recommendations based on the CIS standard into the Security Center’s regulatory compliance dashboard

CWP Category:

  • Currently, support for server workloads is lacking comparing to AWS
    • No auto-deployment option available
    • Azure Arc supports non-Azure servers

As you can see from the lists above, Microsoft Defender for Cloud (former Azure Security Center) provides better capabilities for AWS than Google. It’s also important to understand that Microsoft Defender for Cloud supports auto-deployment for AWS, but not for other clouds (or on-prem) at the time of writing. To clarify, Azure Arc supports the management of non-Azure servers, but auto-deployment is not available.

AWS Account Integration

To establish integration with AWS account you need to enable Defender When enabled you can use ‘Classic Cloud Connectors’ or ‘Environment settings’ depending are you making integration from the legacy or new blade. Pre-requisites are found from just updated onboard-aws guidance, that contains Ignite releases.

Classic Cloud Connector

To integrate the AWS account select “Connect AWS account” and fill required details. In AWS integration “Azure Arc” configuration is needed for successful EC2 instances onboarding to Azure environment & authentication.

This legacy method is dependent on AWS Security Hub and fetched recommendations directly from the Security Hub. More details of prerequisites on the AWS side are found here.

Azure Arc Deployment (Classic Cloud Connector)

When configuring AWS Cloud Connector you can implement Azure Arc at the same time. If decided to go forward with the Azure Arc, you need to configure:

  • Resource group to contain AWS EC2 instances
  • Service Principal to onboard non-Azure machines to Azure
  • Register needed resource providers
    • Microsoft.HybridCompute & Microsoft.GuestConfiguration

When configuration parameters are set the wizard creates a PowerShell script that you can execute to create Azure AD Service Principal for Azure Arc authentication.

Azure Arc Architecture

Azure Arc Connected Machine agent parameters and connections are described in the following picture. In general, Azure Arc is needed for monitoring servers configurations in the multi-cloud scenario to get a better understanding of security posture, no matter where servers are located.

Picture from docs.microsoft.com

Verify Azure Arc Deployment and Server Connection

When the configuration is in place, Microsoft Defender for Cloud scans the AWS environment and onboards EC2 instances to the Azure resource group that you specified in the earlier phase, in my case ‘AWS-EC2-rg’. In my demo environment, this resource group contains both, AWS EC2 instances & servers from on-premises (WIN-CUVTVT6LVBJ) environments.

Environment Settings

Microsoft Defender for Cloud now has native support for multi-cloud environments that are available through the extension of Cloud Security Posture Management (CSPM) and Cloud Workload Protection capabilities to Amazon Web Services (AWS). This new solution removes the dependency from AWS Security Hub and leverages the AWS API. The best side is you can connect AWS management account. When used you can automatically onboard existing and future accounts. This has been an eagerly awaited feature and helps multi-cloud CSPM scenarios a lot!! Key features from Microsoft TechCommunity blog:

  • The ability to assess AWS configurations against security best practices and common regulatory standards, with more than 160 out-of-the-box recommendations and the ability to build custom ones.
  • AWS security recommendations will now also be reflected in Secure Score, enabling teams to better prioritize across multicloud environments through a holistic view of their security state.
  • Support for Amazon Elastic Kubernetes Service (EKS), which extends workload protection capabilities to AWS and provides customers with a more end-to-end experience.
  • Integration with Azure Purview that allows security teams to discover, classify, track and secure sensitive information across their cloud workloads, improving alert prioritization and security recommendations.

More information about the new feature from Ignite news Microsoft Defender for Cloud.

Configuration

To integrate AWS with the new public preview method navigate to the ‘Environment settings’ blade and select ‘Add environment’ where AWS is only supported one.

  • In the account details you can select do you connect only 1 account or use management account to connect ALL AWS accounts. Configuration is saved to resource group
  • On the next page, you can select which workloads you want to deploy and configure auto-provisioning for EC2 instances together with Azure Arc & MDE agents.
    • Service Principal to Azure AD is created automatically and secret for SP is found from the next page
  • In the last pages, you can configure access to the AWS side and the wizard creates ‘CloudFormation’ template to help the deployment. Also, Role ARNs are created automatically based on the selections in earlier steps.

GCP Account Integration

Connecting the GCP account to ASC is straightforward. The pre-requisites are found from onboard-GCP guidance. After pre-requirements are met fill in the required configuration details and onboard GCP to Microsoft Defender for Cloud.

Key takeaways when connecting GCP to Azure:

  • You can connect your GCP accounts to ASC in the organization level
  • You can connect multiple organizations to one Azure subscription
  • You can connect multiple organizations to multiple Azure subscriptions
  • When you connect an organization, all projects within that organization are added to Security Center

When you create a dedicated service account and add it to the organizational level it will be used to access the data gathered by the Security Command Center from all of the other projects in the organization.

If you face the error below, verify that you have all the APIs enabled mentioned in the onboard guidance.

When the connection is established it will take 5-10 minutes before security recommendations are ingested from GCP Security Command Center to Microsoft Defender for Cloud. The GCP CIS standard will be shown in the regulatory compliance dashboard.

Verify Connection for both Cloud Connectors

When the connection is established you can verify it from the Defender for Cloud dashboard. In the overview, there is a number of connections by environment listed.

Security Recommendations & Inventory

Microsoft Defender for Cloud (MDC) receives security recommendations from AWS Security Hub and GCP Security Command Center if those are integrated (10-30 minutes timeframe after integration is established). With this integration you can have a single pane of glass to MDC from all of the resources deployed to AWS or GCP environments, how cool is that!

MITTRE ATT&CK

MITRE ATT&CK® framework is integrated into security recommendations in three ways:

  • Recommendations map to MITRE ATT&CK® tactics and techniques
  • Filter recommendations by MITRE ATT&CK® tactic
  • Query MITRE ATT&CK® tactics and techniques on recommendations using the Azure Resource Graph

This helps strengthen the secure configuration of the environment with recommendations that are mapped to the MITRE ATT&CK® framework and prioritized based on the potential risk across the cyber kill chain. Take into account that the framework is available only in Azure controls and not in all of them at the time of writing.

Resource Graph

Defender for Cloud uses ‘microsoft.security/assessments’ provider to handle security assessment related data. In every recommendation, there is an option to select a query and by selecting the button it will redirect admin to Azure Resource Graph Explorer and shows the actual query behind the security recommendation.

This opens room for creating own queries against the collected data and below is one example that lists ‘Microsoft Defender for Cloud AWS or GCP related Recommendations where severity is high’.

// List MDC AWS or GCP related Recommendations where severity is high
// Returns all MDC assessments, organized in tabular manner with field per property.
// 
// The query uses 'project' to show the listed properties in the results. You can add or remove properties.

securityresources
| where type == 'microsoft.security/assessments'
| where properties.resourceDetails.Source == 'AWS' or properties.resourceDetails.Source == 'GCP'
| where properties.metadata.severity == 'High' 
| extend resourceId=id,
    recommendationId=name,
    recommendationName=properties.displayName,
    source=properties.resourceDetails.Source,
    recommendationState=properties.status.code,
    description=properties.metadata.description,
    assessmentType=properties.metadata.assessmentType,
    remediationDescription=properties.metadata.remediationDescription,
    policyDefinitionId=properties.metadata.policyDefinitionId,
    implementationEffort=properties.metadata.implementationEffort,
    recommendationSeverity=properties.metadata.severity,
    category=properties.metadata.categories,
    userImpact=properties.metadata.userImpact,
    threats=properties.metadata.threats,
    portalLink=properties.links.azurePortal
| project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink

Caveats

Same AWS Account

If you have established a connection to the same AWS account earlier from your tenant the information is saved somewhere underneath the hood (I couldn’t find it anywhere) and you can face the same error message that I received. Because I was using a demo environment on the AWS side that implementation was fully automated we decided to create a totally new environment for the AWS side.

Google APIs not Enabled

Establishing integration to GCP – If you haven’t enabled Security Command Center API from the GCP side the following error message is shown.

Latency

Data ingestion from GCP was close to 20min instead of promised 5-10 minutes. Just be patient 🙂

Auto-provisioning for On-Premises or GCP Instances

Currently, auto-provisioning is supported only for AWS. So, when the server is located on-premises or GCP you need to manually deploy the Azure Arc to the servers.

References

Planning Multi-Cloud adoption with Azure Defender

Onboard GCP to Microsoft Defender for Cloud

Onboard AWS to Microsoft Defender for Cloud

Connect SQL Azure Arc

Microsoft Defender for Cloud Ignite News