---
title: Connect Amazon Web Services with Defender for Cloud Apps
description: This article provides information about how to connect your AWS app to Defender for Cloud Apps using the API connector for visibility and control over use.
ms.date: 11/09/2021
ms.topic: how-to
---
This article provides instructions for connecting your existing Amazon Web Services (AWS) account to Microsoft Defender for Cloud Apps using the connector APIs. For information about how Defender for Cloud Apps protects AWS, see Protect AWS.
You can set up one or both of the following connections between AWS and Defender for Cloud Apps:
- Security auditing: This connection gives you visibility into and control over AWS app use.
- Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.
Since you can add either or both of the connections, the steps in this article are written as independent instructions. If you've already added one of the connections, edit the existing configuration where the steps call for it instead of creating a new one.
Use the following steps to configure your AWS auditing and then connect it to Defender for Cloud Apps.
1. In your Amazon Web Services console, under Security, Identity & Compliance, select IAM.
2. Select Users and then select Add user.
3. In the Details step, provide a new user name for Defender for Cloud Apps. Make sure that under Access type you select Programmatic access, and then select Next: Permissions.
4. Select Attach existing policies directly, and then select Create policy.
5. Select the JSON tab.
6. Paste the following policy document into the provided area:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "iam:List*",
            "iam:Get*",
            "s3:ListAllMyBuckets",
            "s3:PutBucketAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    ```

7. Select Next: Tags.
8. Select Next: Review.
9. Provide a Name and select Create policy.
10. Back in the Add user screen, refresh the list if necessary, select the user you created, and then select Next: Tags.
11. Select Next: Review.
12. If all the details are correct, select Create user.
13. When you get the success message, select Download .csv to save a copy of the new user's credentials. You'll need these later.
> [!NOTE]
> After connecting AWS, you'll receive events for seven days prior to connection. If you just enabled CloudTrail, you'll receive events from the time you enabled CloudTrail.
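Before pasting the policy above into a production account, it is worth knowing exactly what it grants. The following is an added example for this article, not Microsoft's or AWS's code: it parses the policy document, classifies each action as read-only or write by its IAM verb (a hypothetical heuristic where Describe, Get, List and Lookup count as read-only), and lists the write actions that are granted on Resource "*". `POLICY_JSON` is the document from the steps above; the function and report names are assumptions of this example.

```python
"""Least-privilege review of the IAM policy pasted in the steps above.

Added example for this article; not Microsoft's or AWS's code. Classifying
an action as read-only by its verb is a heuristic, not an IAM feature.
"""
import json

# The policy document the article asks you to paste into the JSON tab.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:LookupEvents",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "iam:List*",
        "iam:Get*",
        "s3:ListAllMyBuckets",
        "s3:PutBucketAcl",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
"""

# IAM verbs that only read or enumerate state (heuristic, see module docstring).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def classify_action(action: str) -> str:
    """Return 'read' or 'write' for an action such as 'cloudwatch:Describe*'."""
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        # 'service:*' (or a bare '*') grants every verb, so treat it as write.
        return "write"
    return "read" if verb.rstrip("*").startswith(READ_ONLY_VERBS) else "write"


def review_policy(policy_text: str) -> dict:
    """Summarise the Allow statements of a policy document.

    Keys: read, write (action lists), service_wildcards (actions ending in '*'),
    unscoped_writes (write actions whose Resource includes '*').
    """
    policy = json.loads(policy_text)
    report = {"read": [], "write": [], "service_wildcards": [], "unscoped_writes": []}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow grants matter here
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            kind = classify_action(action)
            report[kind].append(action)
            if action.endswith("*"):
                report["service_wildcards"].append(action)
            if kind == "write" and "*" in resources:
                report["unscoped_writes"].append(action)
    return report


def format_report(report: dict) -> str:
    """Render the review as text a reviewer can paste into a change ticket."""
    return "\n".join([
        f"read-only actions      : {len(report['read'])}",
        f"write actions          : {', '.join(report['write']) or 'none'}",
        f"service wildcards      : {', '.join(report['service_wildcards']) or 'none'}",
        f"writes on Resource '*' : {', '.join(report['unscoped_writes']) or 'none'}",
    ])


if __name__ == "__main__":
    print(format_report(review_policy(POLICY_JSON)))
</```

For this policy the review reports eleven read-only actions, five service-level wildcards and a single write action, `s3:PutBucketAcl`, granted on every bucket in the account. That is the line a reviewer should confirm the connector actually needs and whose account-wide scope they should accept deliberately; everything else in the policy is enumeration and read access.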
1. In the Defender for Cloud Apps portal, select Investigate and then Connected apps.
2. On the App connectors page, to provide the AWS connector credentials, do one of the following:

    For a new connector

    1. Select the plus sign (+) followed by Amazon Web Services.
    2. In the pop-up, provide a name for the connector, and then select Connect Amazon Web Services.
    3. On the Connect Amazon Web Services page, select Security auditing, paste the Access key and Secret key from the .csv file into the relevant fields, and select Connect.

    For an existing connector
    -
    -

3. Select Test API to make sure the connection succeeded.

    Testing may take a couple of minutes. When it's finished, you get a success or failure notification. After receiving a success notice, select Done.
Connecting AWS security configuration gives you insights into fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.
Follow these steps to connect AWS security configuration to Defender for Cloud Apps.
To view security recommendations for multiple regions, repeat the following steps for each relevant region.

> [!NOTE]
> If you are using a master account, repeat these steps to configure the master account and all connected member accounts across all relevant regions.
1. Enable AWS Config.
2. Enable AWS Security Hub.
3. Verify that there is data flowing to the Security Hub.

    > [!NOTE]
    > When you first enable Security Hub, it may take several hours for data to be available.
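The three prerequisites above (AWS Config recording, Security Hub enabled, findings actually arriving) are easy to check from a script before you spend time on the connector wizard, and the check has to be repeated per region. The following is an added example for this article, not part of Defender for Cloud Apps or of AWS's tooling. It uses the real boto3 client methods `describe_configuration_recorder_status`, `describe_hub`, `get_enabled_standards` and `get_findings`, but takes the clients as parameters so the logic can be exercised offline; `FakeConfig` and `FakeSecurityHub` are hypothetical test doubles returning constructed responses, and the ARN and account number in them are placeholders.

```python
"""Readiness check for the AWS Config / Security Hub prerequisites listed above.

Added example; not part of this article, Defender for Cloud Apps or AWS.
The fake clients below return constructed data for an offline run.
"""


def check_prerequisites(config_client, securityhub_client) -> dict:
    """Return which prerequisites hold in one region, plus an overall 'ready' flag."""
    recorders = config_client.describe_configuration_recorder_status()
    config_recording = any(
        r.get("recording") for r in recorders.get("ConfigurationRecordersStatus", [])
    )

    try:
        # describe_hub raises InvalidAccessException when Security Hub is not enabled.
        hub_enabled = "HubArn" in securityhub_client.describe_hub()
    except Exception:  # any failure here is treated as "not enabled"
        hub_enabled = False

    standards_ready = findings_present = False
    if hub_enabled:
        subs = securityhub_client.get_enabled_standards().get("StandardsSubscriptions", [])
        standards_ready = any(s.get("StandardsStatus") == "READY" for s in subs)
        # A single finding is enough to show that data is flowing into Security Hub.
        findings_present = bool(securityhub_client.get_findings(MaxResults=1).get("Findings"))

    result = {
        "config_recording": config_recording,
        "hub_enabled": hub_enabled,
        "standards_ready": standards_ready,
        "findings_present": findings_present,
    }
    result["ready"] = all(result.values())
    return result


class FakeConfig:
    """Test double for a boto3 'config' client (constructed data, hypothetical)."""

    def __init__(self, recording: bool):
        self._recording = recording

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": [{"name": "default", "recording": self._recording}]}


class FakeSecurityHub:
    """Test double for a boto3 'securityhub' client (constructed data, hypothetical)."""

    def __init__(self, enabled: bool, findings: int):
        self._enabled, self._findings = enabled, findings

    def describe_hub(self):
        if not self._enabled:
            raise RuntimeError("InvalidAccessException: Security Hub is not enabled")
        # Placeholder ARN; REGION and the account number are not real values.
        return {"HubArn": "arn:aws:securityhub:REGION:123456789012:hub/default"}

    def get_enabled_standards(self):
        return {"StandardsSubscriptions": [{"StandardsStatus": "READY"}]}

    def get_findings(self, MaxResults=1):
        count = min(MaxResults, self._findings)
        return {"Findings": [{"Id": f"constructed-finding-{i}"} for i in range(count)]}


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against your own account

    # The article says to repeat the prerequisites per region; pass regions as arguments.
    for region in sys.argv[1:] or ["us-east-1"]:
        status = check_prerequisites(
            boto3.client("config", region_name=region),
            boto3.client("securityhub", region_name=region),
        )
        print(region, "READY" if status["ready"] else "NOT READY", status)
```

Run it with the same credentials you will later give to the connector, one region per argument; a region that reports `hub_enabled` but not `findings_present` is the "several hours" case from the note above rather than a misconfiguration, so re-run it later before concluding that Security Hub is broken.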
Before you can connect AWS security configuration, make sure that you have set up your AWS environment to collect fundamental security and compliance recommendations.
> [!NOTE]
> If you are using an AWS master account, use the following steps to connect the master account. Connecting your master account allows you to receive recommendations for all member accounts across all regions.
1. Follow the How to connect AWS Security auditing steps to get to the permissions page.
2. On the permissions page, select Attach existing policies directly, apply the AWSSecurityHubReadOnlyAccess and SecurityAudit policies, and then select Next: Tags.
3. Optional: Add tags to the user.

    > [!NOTE]
    > Adding tags to the user won't affect the connection.

4. Select Next: Review.
5. If all the details are correct, select Create user.
6. When you get the success message, select Download .csv to save a copy of the Access key ID and the Secret access key. You'll need these later.
7. In Defender for Cloud Apps, select Investigate, and then select Connected apps.
8. On the Security configuration apps tab, select the plus button, and then select Amazon Web Services.
9. On the Instance name page, choose the instance type, and then select Next.
10. On the Account details page, paste the Access key and Secret key from the .csv file into the relevant fields, and then select Next.
11. On the Finished page, make sure the connection succeeded, and then select Finished.
If you have any problems connecting the app, see Troubleshooting App Connectors.
Next step: Control cloud apps with policies