Setup Multicloud Connectors
Implementation Effort: Medium
Security and IT teams must configure cloud connectors for AWS and GCP, either manually or programmatically, and ensure proper permissions and onboarding of resources.
User Impact: Low
Connector setup is handled by administrators; end users are not directly involved.
Overview
Setting up multicloud connectors in Microsoft Defender for Servers enables visibility and protection for workloads running in AWS and Google Cloud Platform (GCP). These connectors allow Defender for Cloud to ingest metadata, assess configurations, and apply Defender for Servers plans to non-Azure machines.
Supported Environments
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
Connector Setup Options
-
Portal-Based Setup:
- Navigate to Microsoft Defender for Cloud > Environment settings.
- Select Add environment and choose AWS or GCP.
- Follow the guided steps to configure permissions and deploy the connector.
-
Programmatic Setup:
- Use the Defender for Cloud REST API to automate connector deployment 1.
- Requires:
- CloudFormation templates for AWS
- Cloud Shell scripts for GCP
- Templates/scripts vary based on the Defender plans being enabled.
Key Considerations
- Permissions: Ensure the appropriate IAM roles are granted in AWS/GCP to allow Defender for Cloud to access metadata and security configurations.
- Azure Arc: For full Defender for Servers capabilities (e.g., vulnerability scanning, endpoint protection), onboard machines as Azure Arc-enabled servers 2.
- Security Plans: During connector setup, you can enable Defender for Servers, Defender CSPM, or both depending on your protection needs 3.
Failing to set up multicloud connectors limits visibility into non-Azure workloads and prevents Defender for Servers from applying consistent security policies. This capability supports the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by ensuring all cloud environments are onboarded and monitored.