Determine Compliance Requirements

Implementation Effort: Medium – This requires collaboration between security, compliance, and cloud operations teams to identify applicable standards and configure assessments across cloud platforms.

User Impact: Low – This is a backend configuration and monitoring task; end users are not directly affected.

Overview

Determining compliance requirements in Microsoft Defender for Cloud is a foundational step in building a secure and compliant multicloud environment. Defender for Cloud continuously assesses your cloud resources against industry and regulatory standards such as:

• Azure Security Benchmark (ASB) – Default for all Azure subscriptions.
• AWS Standards – Includes AWS Foundational Security Best Practices, CIS 1.2.0, and PCI DSS 3.2.1.
• GCP Standards – Includes GCP Default, CIS 1.1.0/1.2.0, ISO 27001, NIST 800-53, and PCI DSS 3.2.1.

Each cloud connector (Azure, AWS, GCP) comes with a default benchmark, and additional standards can be added once enhanced security features are enabled. Organizations can also define custom compliance standards to align with internal policies or regional regulations 1.

This activity supports the Zero Trust principle of "Verify Explicitly" by ensuring that all cloud resources are continuously evaluated against relevant compliance controls, helping to identify misconfigurations and reduce risk exposure.

Reference

• Determine compliance requirements – Microsoft Defender for Cloud
• Regulatory compliance standards – Microsoft Defender for Cloud
• Improve regulatory compliance – Microsoft Defender for Cloud