Defender for Cloud deployment in AWS/GCP – Agents, Resources, IAM and Cleanup options
Objective of the article
The purpose of this article is to provide organizations with a comprehensive understanding of all the agents and resources deployed as part of Defender for Server, Defender for Container, Defender for SQL in their AWS/GCP environment by Defender for Cloud. The article aims to guide organizations on the impact of Defender for Cloud on their environment and what they need to remove when switching Defender for Cloud plans on the security connector. Where possible this article should avoid duplicating information that is already available on Microsoft Learn and focus on providing information that is not publicly available or documented on Microsoft Learn.
Introduction:
Have you ever wondered about the agents, extensions, resources and roles deployed as part of Defender for Server, Defender for Container, Defender for SQL on your AWS or GCP workloads? Have you ever needed to update the selection of Defender for Cloud plans on a security connector for your AWS or GCP environment? This article provides you with a comprehensive understanding of the impact of agents and resources on your environment and guides you on what can be removed when updating the Defender for Cloud plans on a desired security connector.
The following table summarizes Microsoft agents and extensions for CWPP:

| Agent | Defender for Servers | Defender for Containers | Defender for SQL on Machines |
|---|---|---|---|
| Azure Arc Agent | ✔ | ✔ | ✔ |
| Microsoft Defender for Endpoint extension | ✔ | | |
| Log Analytics or Azure Monitor Agent extension | ✔ *In deprecation process | | ✔ |
| Defender Sensor | | ✔ | |
| Azure Policy for Kubernetes | | ✔ | |
| SQL servers on machines | | | ✔ |
Let’s review the list of agents, resources and roles per plan, together with the cleanup options.
Defender for Server – AWS:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers: Offboard Windows servers. For non-Windows servers: Offboard non-Windows servers |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| SSM – the SSM Agent is mandatory for Arc onboarding | Agent | Post connector creation | Some customers rely on the SSM Agent for other purposes, so please check that before removal. For removal instructions please check the AWS guide |
| DefenderForCloud-DefenderForServers; DefenderForCloud-ArcAutoProvisioning; DefenderForCloud-AgentlessScanner | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide |
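The IAM roles in the table above (and the DefenderForCloud-* roles in the Defender for Containers and Defender for SQL AWS tables further down) cannot simply be deleted: AWS rejects `delete-role` while managed policies are still attached, inline policies exist or the role is still in an instance profile, and the note that the associated policies should be removed too means customer-managed policies need their non-default versions deleted first. The script below is an added example for this article, not Microsoft's onboarding script or code from the original page. It assumes the AWS CLI v2 is configured with IAM permissions, that the role name is the one saved in the connector (the default names appear in the comments), and it defaults to a dry run that prints the mutating commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): tear down one IAM role created by the
# Defender for Cloud onboarding script, e.g. DefenderForCloud-DefenderForServers,
# DefenderForCloud-ArcAutoProvisioning, DefenderForCloud-AgentlessScanner or the
# customized name stored in the security connector.
# Order matters: detach/delete policies and instance-profile membership first,
# then the role, then the customer-managed policies that were attached to it.
# DRY_RUN=1 (default) prints mutating commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# is_customer_managed_policy ARN -> false for AWS-managed policies
# (arn:aws:iam::aws:policy/...), which must never be deleted.
is_customer_managed_policy() {
  case "$1" in
    arn:aws:iam::aws:policy/*) return 1 ;;
    *) return 0 ;;
  esac
}

# delete_customer_managed_policy ARN: non-default versions must go before the policy.
# delete-policy fails with DeleteConflict if the policy is still attached to another
# entity, which is the safety net you want when a policy was shared.
delete_customer_managed_policy() {
  local arn="$1" version
  for version in $(aws iam list-policy-versions --policy-arn "$arn" \
      --query 'Versions[?IsDefaultVersion==`false`].VersionId' --output text); do
    run aws iam delete-policy-version --policy-arn "$arn" --version-id "$version"
  done
  run aws iam delete-policy --policy-arn "$arn"
}

# cleanup_defender_role ROLE_NAME
cleanup_defender_role() {
  local role="$1" arn name profile
  local customer_policies=""

  # 1. Detach managed policies; remember the customer-managed ones for deletion.
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
      --query 'AttachedPolicies[].PolicyArn' --output text); do
    run aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
    if is_customer_managed_policy "$arn"; then customer_policies="$customer_policies $arn"; fi
  done

  # 2. Delete inline policies embedded in the role.
  for name in $(aws iam list-role-policies --role-name "$role" \
      --query 'PolicyNames' --output text); do
    run aws iam delete-role-policy --role-name "$role" --policy-name "$name"
  done

  # 3. Remove the role from any instance profile it was added to.
  for profile in $(aws iam list-instance-profiles-for-role --role-name "$role" \
      --query 'InstanceProfiles[].InstanceProfileName' --output text); do
    run aws iam remove-role-from-instance-profile --instance-profile-name "$profile" --role-name "$role"
  done

  # 4. Delete the role, then the customer-managed policies that were attached to it.
  run aws iam delete-role --role-name "$role"
  for arn in $customer_policies; do
    delete_customer_managed_policy "$arn"
  done
}

# Usage: DRY_RUN=1 ./cleanup-defender-role.sh DefenderForCloud-AgentlessScanner
if [ "$#" -eq 1 ]; then
  cleanup_defender_role "$1"
fi
```

Run it once in dry-run mode per role name from the connector, review the printed commands (in particular which policy ARNs it would delete), and only then re-run with `DRY_RUN=0`.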
Defender for Server – GCP:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| MDE – The Microsoft Defender for Endpoint agent provides comprehensive endpoint detection and response (EDR) capabilities | Agent | Post connector creation | For Windows servers: Offboard Windows servers. For non-Windows servers: Offboard non-Windows servers |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | |
| microsoft-defender-for-servers | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| defender-for-servers | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| OIDC – defender-for-servers | IAM – workload identity pool | Script creation | For removal instructions please check the GCP guide |
*Defender for Servers P2 requires the Microsoft Monitoring Agent (MMA, also known as the Log Analytics agent) and/or the Azure Monitor Agent (AMA) for some features. Because MMA is in its deprecation phase, please follow these articles for details and offboarding options:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/upcoming-changes#defender-for-servers
AMA removal: Manage Azure Monitor Agent – Azure Monitor | Microsoft Learn
MMA removal: Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
For MMA, please make sure the legacy solutions are removed from the Log Analytics workspace.
Defender for Container – AWS:

| Offering | Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your EKS clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post connector creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command deletes all Arc-related resources, including extensions |
| | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on a single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Agentless threat protection | S3 | | Post connector creation | Delete the S3 bucket with ARN arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}. For removal instructions please check the AWS guide |
| | SQS | | Post connector creation | Delete the queue with ARN arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}. For removal instructions please check the AWS guide |
| | Kinesis Data Firehose (Amazon Kinesis Data Streams) | | Post connector creation | Delete the stream with ARN arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}. For removal instructions please check the AWS guide |
| | DefenderForCloud-DataCollection; DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis; DefenderForCloud-Containers-K8s-kinesis-to-s3 | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide |
| Agentless Container Vulnerability Assessment | MDCContainersImageAssessmentRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide |
| Agentless discovery for Kubernetes | MDCContainersAgentlessDiscoveryK8sRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide |
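The three ARN patterns in the Agentless threat protection rows are enough to derive every per-cluster resource name from the region, account id and cluster name, so the deletion can be scripted rather than hunted down in the console. The script below is an added example for this article, not code from the original page or from Microsoft. It assumes the AWS CLI is configured with permissions on S3, SQS and Kinesis Data Firehose, takes region, account id and cluster name as arguments, and defaults to a dry run that prints the commands; the values in the usage line are constructed samples. The delivery stream is removed first because it is the component that keeps writing into the bucket.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): delete the per-cluster S3 bucket,
# SQS queue and Kinesis Data Firehose delivery stream created by Defender for
# Containers "Agentless threat protection" in an AWS account, using the ARN patterns
# from the table:
#   arn:aws:s3:::azuredefender-{AwsRegion}-{AwsAccountId}-{ClusterName}
#   arn:aws:sqs:{AwsRegion}:{AwsAccountId}:azuredefender-{ClusterName}
#   arn:aws:firehose:{AwsRegion}:{AwsAccountId}:deliverystream/azuredefender-{ClusterName}
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Name and ARN builders; every function takes REGION ACCOUNT_ID CLUSTER_NAME.
s3_bucket_name()       { printf 'azuredefender-%s-%s-%s' "$1" "$2" "$3"; }
sqs_queue_name()       { printf 'azuredefender-%s' "$3"; }
firehose_stream_name() { printf 'azuredefender-%s' "$3"; }
s3_bucket_arn()        { printf 'arn:aws:s3:::%s' "$(s3_bucket_name "$@")"; }
sqs_queue_arn()        { printf 'arn:aws:sqs:%s:%s:%s' "$1" "$2" "$(sqs_queue_name "$@")"; }
firehose_stream_arn()  { printf 'arn:aws:firehose:%s:%s:deliverystream/%s' "$1" "$2" "$(firehose_stream_name "$@")"; }

# run: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# cleanup_agentless_container_resources REGION ACCOUNT_ID CLUSTER_NAME
# Order: stream (the writer) first, then the queue, then the bucket it fed.
cleanup_agentless_container_resources() {
  local region="$1" account="$2" cluster="$3"
  local bucket queue stream
  bucket="$(s3_bucket_name "$region" "$account" "$cluster")"
  queue="$(sqs_queue_name "$region" "$account" "$cluster")"
  stream="$(firehose_stream_name "$region" "$account" "$cluster")"

  run aws firehose delete-delivery-stream --region "$region" --delivery-stream-name "$stream"

  # delete-queue takes the queue URL, not the name; resolve it only when executing.
  if [ "$DRY_RUN" = "1" ]; then
    run aws sqs delete-queue --region "$region" --queue-url "<url-of-$queue>"
  else
    local url
    url="$(aws sqs get-queue-url --region "$region" --queue-name "$queue" --query QueueUrl --output text)"
    run aws sqs delete-queue --region "$region" --queue-url "$url"
  fi

  # `s3 rb --force` empties the bucket before removing it.
  run aws s3 rb "s3://$bucket" --force --region "$region"
}

# Usage with constructed sample values:
#   DRY_RUN=1 ./cleanup-agentless-containers.sh us-east-1 123456789012 prod-eks
if [ "$#" -eq 3 ]; then
  cleanup_agentless_container_resources "$1" "$2" "$3"
fi
```

Repeat per onboarded cluster; the cluster name is the one under which the EKS cluster appears in Defender for Cloud. If a bucket contains audit data you are still required to retain, copy it out before the `s3 rb --force` step.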
Defender for Container – GCP:

| Offering | Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|---|
| Run-time threat protection | Azure Arc-enabled Kubernetes – connects your GKE clusters to Azure and onboards the Defender sensor | Agent deployed on a single node | Post creation | You can remove Azure Arc-enabled Kubernetes via Azure CLI or Azure PowerShell: Cleanup Azure Arc-enabled Kubernetes. Running this command deletes all Arc-related resources, including extensions |
| | Defender Sensor | Sensor deployed on each node | Post connector creation | You can remove the Defender sensor using the Azure portal, Azure CLI, or REST API: Remove the Defender sensor |
| | Azure Policy for Kubernetes – extends Gatekeeper v3 | Extension deployed on a single node | Post connector creation | You can remove Defender extensions using the Azure portal, Azure CLI, or REST API: Remove the Defender agent |
| Run-time threat protection (AuditLogs) | Container.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions please check the GCP guide |
| | logging.googleapis.com | Enable API | Script creation | Please note that it might be used by other solutions. For removal instructions please check the GCP guide |
| | Data Access audit logs configuration | Settings | Script creation | Please note that it might be used by other solutions. Name of the component to disable: Kubernetes Engine API. For removal instructions please check the GCP guide |
| | Pub/Sub Topic | | Post creation | For each cluster in a project a topic is created with the prefix “MicrosoftDefender-”. For removal instructions please check the GCP guide |
| | Pub/Sub Subscription | | Post creation | For each cluster in a project a subscription is created with the prefix “MicrosoftDefender”. For removal instructions please check the GCP guide |
| | SINK – log route | | Post creation | For removal instructions please check the GCP guide |
| | microsoft-defender-containers; ms-defender-containers-stream | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| | MicrosoftDefenderContainersDataCollectionRole; MicrosoftDefenderContainersRole | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| | OIDC – containers | IAM – workload identity provider | Script creation | For removal instructions please check the GCP guide |
| Agentless discovery for Kubernetes | containers | IAM – workload identity pool | Script creation | Please note that this identity is used by the DCSPM plan as well. For removal instructions please check the GCP guide |
| | mdc-containers-k8s-operator | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| Agentless Container Vulnerability Assessment | containers | IAM – workload identity pool | Script creation | Please note that this identity is used by the DCSPM plan as well. For removal instructions please check the GCP guide |
| | mdc-containers-artifact-assess | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
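The GCP tables in this article (Defender for Servers above, Defender for Containers here, and Defender for SQL below) reduce to a handful of gcloud operations: delete the service accounts, delete the custom roles, delete the workload identity pool (which also removes its OIDC provider and therefore the federation with Azure), and, for the containers plan, remove the MicrosoftDefender-prefixed Pub/Sub topics and subscriptions and the log sink. The script below is an added example for this article, not code from the original page or from the onboarding script Microsoft generates. It assumes the gcloud CLI is authenticated against the project, that the names are the ones stored in the connector (the table defaults are used in the comments), that the roles are project-level custom roles, and that the operator knows the sink name, which the article does not give. It defaults to a dry run.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): GCP-side cleanup helpers for the
# Defender for Cloud connector resources listed in the tables. Default names from
# the article: service accounts microsoft-defender-for-servers,
# microsoft-defender-containers, ms-defender-containers-stream,
# mdc-containers-k8s-operator, mdc-containers-artifact-assess,
# microsoft-databases-arc-ap; roles defender-for-servers,
# MicrosoftDefenderContainersDataCollectionRole, MicrosoftDefenderContainersRole,
# defender-for-databases-arc-ap; workload identity pools defender-for-servers,
# containers, defender-for-databases-arc-ap.
# DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# service_account_email NAME PROJECT_ID -> NAME@PROJECT_ID.iam.gserviceaccount.com
service_account_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# delete_service_accounts PROJECT_ID NAME...
delete_service_accounts() {
  local project="$1" name; shift
  for name in "$@"; do
    run gcloud iam service-accounts delete "$(service_account_email "$name" "$project")" \
      --project "$project" --quiet
  done
}

# delete_custom_roles PROJECT_ID ROLE_ID...  (project-level custom roles)
delete_custom_roles() {
  local project="$1" role; shift
  for role in "$@"; do
    run gcloud iam roles delete "$role" --project "$project" --quiet
  done
}

# delete_workload_identity_pool PROJECT_ID POOL_ID
# Deleting the pool removes its providers (e.g. the "OIDC – containers" provider),
# so Azure can no longer federate into this project. The "containers" pool is
# shared with the DCSPM plan: delete it only once both plans are off.
delete_workload_identity_pool() {
  run gcloud iam workload-identity-pools delete "$2" --project "$1" --location global --quiet
}

# delete_defender_pubsub PROJECT_ID
# Topics and subscriptions are created per cluster with a "MicrosoftDefender" prefix;
# subscriptions are removed before the topics they consume from.
delete_defender_pubsub() {
  local project="$1" item
  for item in $(gcloud pubsub subscriptions list --project "$project" \
      --filter 'name ~ MicrosoftDefender' --format 'value(name)'); do
    run gcloud pubsub subscriptions delete "$item" --project "$project" --quiet
  done
  for item in $(gcloud pubsub topics list --project "$project" \
      --filter 'name ~ MicrosoftDefender' --format 'value(name)'); do
    run gcloud pubsub topics delete "$item" --project "$project" --quiet
  done
}

# delete_log_sink PROJECT_ID SINK_NAME  (the "SINK – log route" row; name from your project)
delete_log_sink() { run gcloud logging sinks delete "$2" --project "$1" --quiet; }

# Example sequence for the containers plan (constructed project id):
#   delete_defender_pubsub my-project
#   delete_log_sink my-project "<sink-name-from-your-project>"
#   delete_service_accounts my-project microsoft-defender-containers ms-defender-containers-stream
#   delete_custom_roles my-project MicrosoftDefenderContainersDataCollectionRole MicrosoftDefenderContainersRole
#   delete_workload_identity_pool my-project containers
```

Because the APIs container.googleapis.com and logging.googleapis.com and the Data Access audit log configuration may be used by other solutions in the project, they are deliberately not disabled here; review them manually as the table advises.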
Defender for SQL- AWS:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the Extensions tab |
| Azure Monitor Agent for SQL Server – collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – AWS machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| DefenderForCloud-ArcAutoProvisioning | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. The policies associated with the role should be removed too. For removal instructions please check the AWS guide |
Defender for SQL- GCP:

| Resource | Type | Creation Phase | Offboarding |
|---|---|---|---|
| Defender Agent | Agent | Post connector creation | Removed automatically on plan change. Removal can also be done via the Azure portal in the Extensions tab |
| Azure Monitor Agent for SQL Server – collects security-related configuration information and event logs from machines | Agent | Post connector creation | Azure Monitor Agent offboarding: Uninstall AMA |
| Azure Arc – GCP machines connect to Azure using Azure Arc | Agent | Post connector creation | Uninstall Azure Arc. Please remove Arc only after the Defender agent has been removed |
| microsoft-databases-arc-ap | IAM – service account | Script creation | The service account is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| defender-for-databases-arc-ap | IAM – role | Script creation | The role name is customizable; it is saved within the created connector. For removal instructions please check the GCP guide |
| OIDC – defender-for-databases-arc-ap | IAM – workload identity pool | Script creation | Delete: defender-for-databases-arc-ap. For removal instructions please check the GCP guide |
Note: the Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, the Azure Monitor Agent (AMA) is used instead; for customers that still use MMA, the removal option is:
Manage the Azure Log Analytics agent – Azure Monitor | Microsoft Learn
Please make sure the legacy solutions are removed from the Log Analytics workspace.
Conclusion: In this article, we have provided a comprehensive overview of all the agents, extensions, and resources deployed as part of Defender for Servers, Defender for Containers and Defender for SQL on AWS/GCP workloads. We have also presented detailed clean-up options for organizations looking to switch their Defender for Cloud plans. While our focus has been on Cloud Workload Protection Plans (CWPP), it is important to note that resources deployed by Cloud Security Posture Management (CSPM) plans are not listed here. As the solution and its features continue to evolve, the resources deployed or impacted by Defender for Cloud may vary between versions. We hope this article serves as a valuable resource for organizations looking to better understand the impact of Defender for Cloud on their AWS/GCP environment.
Acknowledgements
Special thanks to Bojan Magusic for the great partnership and technical review.
Reviewed by:
Lior Arviv, Senior Program Manager
Aviv Mor, Principal PM Manager
Ido Keshet, Principal PM Manager
Maya Herskovic, Senior PM Manager
Bojan Magusic, Product Manager 2