Defender for Cloud deployment in AWS/GCP – Agents, Resources, IAM and Cleanup options

Objective of the article

The purpose of this article is to give organizations a comprehensive understanding of all the agents and resources that Defender for Cloud deploys in their AWS/GCP environment as part of Defender for Servers, Defender for Containers and Defender for SQL. It aims to explain the impact of Defender for Cloud on the environment and what needs to be removed when switching Defender for Cloud plans on a security connector. Where possible, this article avoids duplicating information that is already available on Microsoft Learn and focuses on information that is not publicly documented there.

Introduction

Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article gives you a comprehensive understanding of the impact of these agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a given security connector.

The following table summarizes Microsoft agents and extensions for CWPP (the plan columns are reconstructed from the per-plan tables below):

| Agent | Defender for Servers | Defender for Containers | Defender for SQL on Machines |
|---|---|---|---|
| Azure Arc agent | ✔ | ✔ | ✔ |
| Microsoft Defender for Endpoint extension | ✔ | | |
| Log Analytics agent or Azure Monitor Agent extension | ✔ * (in deprecation process) | | ✔ |
| Defender sensor | | ✔ | |
| Azure Policy for Kubernetes | | ✔ | |
| SQL servers on machines (Defender for SQL agent) | | | ✔ |

Defender for Servers – AWS

| Resource | Type | Creation phase | Offboarding |
|---|---|---|---|
| MDE – the Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | |
| Azure Arc – AWS machines connect to Azure using the Azure Arc agent | Agent | Post connector creation | |
| SSM – the SSM agent is mandatory for Arc onboarding | Agent | Post connector creation | Some customers rely on the SSM agent for other purposes, so please check before removing it. For removal instructions please check the AWS guide. |
| DefenderForCloud-DefenderForServers; DefenderForCloud-ArcAutoProvisioning; DefenderForCloud-AgentlessScanner | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide. |

Defender for Servers – GCP

| Resource | Type | Creation phase | Offboarding |
|---|---|---|---|
| MDE – the Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | |
| Azure Arc – GCP machines connect to Azure using the Azure Arc agent | Agent | Post connector creation | |
| microsoft-defender-for-servers | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| defender-for-servers | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| OIDC – defender-for-servers | IAM – workload identity pool | Script creation | For removal instructions please check the GCP guide. |

* Defender for Servers Plan 2 requires the Microsoft Monitoring Agent (MMA, also called the Log Analytics agent) and/or the Azure Monitor Agent (AMA) for some features. Because MMA is in its deprecation phase, please follow the related articles for details and offboarding options.

For MMA, please make sure the legacy solutions are removed from the Log Analytics workspace.

Defender for Containers – AWS

| Offering | Resource | Type | Creation phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your EKS clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post connector creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell (Cleanup Azure Arc-enabled Kubernetes). Running this command deletes all Arc-related resources, including extensions. |
| | Defender sensor | Sensor deployed on each node | Post connector creation | |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on one single node | Post connector creation | |
| Agentless threat protection | S3 | | Post connector creation | Delete the S3 bucket with ARN arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}. For removal instructions please check the AWS guide. |
| | SQS | | Post connector creation | Delete the queue with ARN arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}. For removal instructions please check the AWS guide. |
| | Kinesis Data Firehose (Amazon Kinesis Data Streams) | | Post connector creation | Delete the delivery stream with ARN arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}. For removal instructions please check the AWS guide. |
| | DefenderForCloud--K8s; DefenderForCloud-DataCollection; DefenderForCloud--K8s-cloudwatch-to-kinesis; DefenderForCloud-Containers-K8s-kinesis-to-s3 | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide. |
| Agentless container vulnerability assessment | MDCContainersImageAssessmentRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide. |
| Agentless discovery for Kubernetes | MDCContainersAgentlessDiscoveryK8sRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide. |
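The three agentless threat protection resources above share one naming pattern per cluster, so their removal can be scripted from the region, account id and cluster name. The script below is an added example, not code from the article or from Microsoft's own tooling; it assumes the AWS CLI v2 is installed with S3, SQS and Firehose permissions, and the region, account id and cluster name used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): remove the per-cluster agentless threat
# protection resources (S3 bucket, SQS queue, Kinesis Data Firehose delivery
# stream) whose names follow the patterns quoted in the table. Assumes AWS CLI v2
# with S3, SQS and Firehose permissions; DRY_RUN=1 prints the commands instead.

# Name and ARN builders; arguments are region, account id and cluster name.
defender_bucket()       { printf 'azuredefender-%s-%s-%s' "$1" "$2" "$3"; }
defender_bucket_arn()   { printf 'arn:aws:s3:::%s' "$(defender_bucket "$1" "$2" "$3")"; }
defender_stream_name()  { printf 'azuredefender-%s' "$1"; }   # cluster name only
defender_queue_arn()    { printf 'arn:aws:sqs:%s:%s:%s' "$1" "$2" "$(defender_stream_name "$3")"; }
defender_firehose_arn() { printf 'arn:aws:firehose:%s:%s:deliverystream/%s' "$1" "$2" "$(defender_stream_name "$3")"; }

# Mutating commands: execute, or echo them when DRY_RUN is set.
run()   { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }
# Read-only lookups: return nothing in dry-run so no AWS call is made.
query() { if [ -n "${DRY_RUN:-}" ]; then return 0; fi; "$@"; }

# Delete against the data flow: the delivery stream that writes into the bucket,
# then the queue, then the bucket itself ("s3 rb --force" empties it first; a
# plain delete-bucket call is refused while objects remain).
cleanup_cluster_resources() {
    region="$1"; account="$2"; cluster="$3"
    name="$(defender_stream_name "$cluster")"
    run aws firehose delete-delivery-stream --region "$region" --delivery-stream-name "$name"
    url="$(query aws sqs get-queue-url --region "$region" --queue-name "$name" \
             --query QueueUrl --output text)"
    run aws sqs delete-queue --region "$region" --queue-url "${url:-<url-of-$name>}"
    run aws s3 rb "s3://$(defender_bucket "$region" "$account" "$cluster")" --force --region "$region"
}

# Usage (constructed values): sh cleanup-cluster.sh eu-west-1 123456789012 demo-eks
if [ "$#" -eq 3 ]; then
    cleanup_cluster_resources "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to confirm the three generated names match the ARNs shown in the connector's account before letting it delete anything.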

Defender for Containers – GCP

| Offering | Resource | Type | Creation phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your GKE clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell (Cleanup Azure Arc-enabled Kubernetes). Running this command deletes all Arc-related resources, including extensions. |
| | Defender sensor | Sensor deployed on each node | Post connector creation | |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on one single node | Post connector creation | |
| Run-time threat protection (audit logs) | container.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions please check the GCP guide. |
| | logging.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions please check the GCP guide. |
| | Data Access audit logs configuration | Settings | Script creation | Please note that it might be used by other solutions. Name of the component to disable: Kubernetes Engine API. For removal instructions please check the GCP guide. |
| | Pub/Sub | Topic | Post creation | For each cluster in a project a topic is created with the prefix "MicrosoftDefender-". For removal instructions please check the GCP guide. |
| | Pub/Sub | Subscription | Post creation | For each cluster in a project a subscription is created with the prefix "MicrosoftDefender-". For removal instructions please check the GCP guide. |
| | Sink | Log route | Post creation | For removal instructions please check the GCP guide. |
| | microsoft-defender-containers; ms-defender-containers-stream | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| | MicrosoftDefenderContainersDataCollectionRole; MicrosoftDefenderContainersRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| | OIDC – containers; OIDC – containers-stream | IAM – workload identity provider | Script creation | For removal instructions please check the GCP guide. |
| Agentless discovery for Kubernetes | containers | IAM – workload identity pool | Script creation | Please note that this identity is also used by the Defender CSPM plan. For removal instructions please check the GCP guide. |
| | mdc-containers-k8s-operator | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| Agentless container vulnerability assessment | containers | IAM – workload identity pool | Script creation | Please note that this identity is also used by the Defender CSPM plan. For removal instructions please check the GCP guide. |
| | mdc-containers-artifact-assess | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
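Because the Pub/Sub topics and subscriptions above are created per cluster and are identified only by the "MicrosoftDefender-" prefix, cleaning them up means listing and filtering rather than deleting a fixed name. The script below is an added example, not the article's or Microsoft's own code; it assumes gcloud is installed and authenticated with Pub/Sub permissions on the project, and the project id and resource names in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the article): find and delete the per-cluster Pub/Sub
# subscriptions and topics that Defender for Containers creates in a GCP project,
# selected only by the "MicrosoftDefender-" prefix so that unrelated resources are
# left alone. Assumes gcloud is installed and authenticated with Pub/Sub
# permissions on the project; DRY_RUN=1 prints the commands instead.

PREFIX="MicrosoftDefender-"

# gcloud prints full resource paths (projects/P/topics/NAME); keep only NAME.
basename_only() { sed 's#.*/##'; }

# Keep the names starting with the Defender prefix (one name per stdin line).
filter_defender_names() { grep "^${PREFIX}" || true; }

# Mutating commands: execute, or echo them when DRY_RUN is set.
run()   { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }
# Read-only lookups: return nothing in dry-run so no gcloud call is made.
query() { if [ -n "${DRY_RUN:-}" ]; then return 0; fi; "$@"; }

# Reads resource paths on stdin, keeps the Defender-prefixed ones, deletes them.
# $1 = topics|subscriptions, $2 = project id.
delete_defender_names() {
    basename_only | filter_defender_names | while read -r name; do
        run gcloud pubsub "$1" delete "$name" --project "$2" --quiet
    done
}

# Subscriptions go first: deleting a topic detaches its subscriptions but does
# not remove them, so they would otherwise be left behind as orphans.
cleanup_defender_pubsub() {
    project="$1"
    for kind in subscriptions topics; do
        query gcloud pubsub "$kind" list --project "$project" --format 'value(name)' \
            | delete_defender_names "$kind" "$project"
    done
}

# Usage (constructed project id): sh cleanup-pubsub.sh demo-proj
if [ "$#" -eq 1 ]; then
    cleanup_defender_pubsub "$1"
fi
```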

Defender for SQL – AWS

| Resource | Type | Creation phase | Offboarding |
|---|---|---|---|
| Defender agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal, in the Extensions tab. |
| Azure Monitor Agent (AMA) – collects security-related configuration information and event logs from machines | Agent | Post connector creation | |
| Azure Arc – AWS machines connect to Azure using the Azure Arc agent | Agent | Post connector creation | |
| DefenderForCloud-ArcAutoProvisioning | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide. |
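Every IAM role row in the AWS tables (Defender for Servers, Defender for Containers and Defender for SQL) ends with the same two steps: remove the policies associated with the role, then the role itself, because AWS refuses to delete a role that still has anything attached. The script below is an added example, not code from the article or from Microsoft, that automates that order; it assumes the AWS CLI v2 with IAM permissions, and takes the role names exactly as the connector saved them.

```shell
#!/bin/sh
# Added example (not from the article): tear down one or more Defender for Cloud
# IAM roles together with their policies, in the order AWS requires. Assumes
# AWS CLI v2 with IAM permissions; set DRY_RUN=1 to print the mutating commands
# instead of running them.

# Turn "A; B; C;" (the format the tables use) into one role name per line.
split_role_names() {
    printf '%s' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Mutating commands: execute, or echo them when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Read-only lookups: return nothing in dry-run so no AWS call is made.
query() { if [ -n "${DRY_RUN:-}" ]; then return 0; fi; "$@"; }

# AWS refuses to delete a role that still has attached managed policies, inline
# policies or instance-profile membership, so strip those first.
role_cleanup() {
    role="$1"
    for arn in $(query aws iam list-attached-role-policies --role-name "$role" \
                   --query 'AttachedPolicies[].PolicyArn' --output text); do
        run aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
        # Customer-managed policies outlive the detach; delete them unless AWS-managed.
        # delete-policy refuses while a policy is still attached elsewhere, which is safe.
        case "$arn" in arn:aws:iam::aws:policy/*) ;; *) run aws iam delete-policy --policy-arn "$arn" ;; esac
    done
    for name in $(query aws iam list-role-policies --role-name "$role" \
                    --query 'PolicyNames' --output text); do
        run aws iam delete-role-policy --role-name "$role" --policy-name "$name"
    done
    for profile in $(query aws iam list-instance-profiles-for-role --role-name "$role" \
                       --query 'InstanceProfiles[].InstanceProfileName' --output text); do
        run aws iam remove-role-from-instance-profile \
            --instance-profile-name "$profile" --role-name "$role"
    done
    run aws iam delete-role --role-name "$role"
}

# Usage: ROLES="DefenderForCloud-DefenderForServers; DefenderForCloud-AgentlessScanner;" sh cleanup-roles.sh
if [ -n "${ROLES:-}" ]; then
    split_role_names "$ROLES" | while read -r r; do role_cleanup "$r"; done
fi
```

Paste the semicolon-separated role list from the connector into ROLES; a customized role name is taken as-is, so nothing outside that list is touched.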

Defender for SQL – GCP

| Resource | Type | Creation phase | Offboarding |
|---|---|---|---|
| Defender agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal, in the Extensions tab. |
| Azure Monitor Agent (AMA) – collects security-related configuration information and event logs from machines | Agent | Post connector creation | |
| Azure Arc – GCP machines connect to Azure using the Azure Arc agent | Agent | Post connector creation | |
| microsoft-databases-arc-ap | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| defender-for-databases-arc-ap | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide. |
| OIDC – defender-for-databases-arc-ap | IAM – workload identity pool | Script creation | Delete: defender-for-databases-arc-ap. For removal instructions please check the GCP guide. |

Note: the Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, the Azure Monitor Agent (AMA) is used instead; for customers that still use MMA, the removal option is:

Please make sure the legacy solutions are removed from the Log Analytics workspace.

Conclusion

In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.

Acknowledgments

Special thanks to Bojan Magusic for the great partnership and technical review.

Reviewed by:

  • Lior Arviv, Senior Program Manager
  • Aviv Mor, Principal PM Manager
  • Ido Keshet, Principal PM Manager
  • Maya Herskovic, Senior PM Manager
  • Bojan Magusic, Product Manager 2


This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.