Merge pull request #233138 from Shereen-Bhar/agentless-containers-dcspm

agentless containers feature

Author: v-regandowner

articles/defender-for-cloud/TOC.yml

@@ -166,6 +166,8 @@
       href: concept-data-security-posture.md
     - name: Support and prerequisites
       href: concept-data-security-posture-prepare.md
+  - name: Improve your container security posture
+    href: concept-agentless-containers.md
   - name: Security recommendations
     items:
     - name: Reference list of Azure recommendations

articles/defender-for-cloud/attack-path-reference.md

@@ -128,8 +128,8 @@ This section  lists all of the cloud security graph components (connections and
 | DEASM findings | Microsoft Defender External Attack Surface Management (DEASM) internet scanning findings | Public IP |
 | Privileged container | Indicates that a Kubernetes container runs in a privileged mode | Kubernetes container |
 | Uses host network | Indicates that a Kubernetes pod uses the network namespace of its host machine | Kubernetes pod |
-| Has high severity vulnerabilities | Indicates that a resource has high severity vulnerabilities | Azure VM, AWS EC2, Kubernetes image |
-| Vulnerable to remote code execution | Indicates that a resource has vulnerabilities allowing remote code execution | Azure VM, AWS EC2, Kubernetes image |
+| Has high severity vulnerabilities | Indicates that a resource has high severity vulnerabilities | Azure VM, AWS EC2, Container image |
+| Vulnerable to remote code execution | Indicates that a resource has vulnerabilities allowing remote code execution | Azure VM, AWS EC2, Container image |
 | Public IP metadata | Lists the metadata of an Public IP | Public IP |
 | Identity metadata | Lists the metadata of an identity | Azure AD Identity |
 
@@ -141,7 +141,7 @@ This section  lists all of the cloud security graph components (connections and
 | Has permission to | Indicates that an identity has permissions to a resource or a group of resources | Azure AD user account, Managed Identity, IAM user, EC2 instance | All Azure & AWS resources|
 | Contains | Indicates that the source entity contains the target entity | Azure subscription, Azure resource group, AWS account, Kubernetes namespace, Kubernetes pod, Kubernetes cluster, GitHub owner, Azure DevOps project, Azure DevOps organization, Azure SQL server | All Azure & AWS resources, All Kubernetes entities, All DevOps entities, Azure SQL database |
 | Routes traffic to | Indicates that the source entity can route network traffic to the target entity | Public IP, Load Balancer, VNET, Subnet, VPC, Internet Gateway, Kubernetes service, Kubernetes pod| Azure VM, Azure VMSS, AWS EC2, Subnet, Load Balancer, Internet gateway, Kubernetes pod, Kubernetes service |
-| Is running | Indicates that the source entity is running the target entity as a process | Azure VM, EC2, Kubernetes container | SQL, Arc-Enabled SQL, Hosted MongoDB, Hosted MySQL, Hosted Oracle, Hosted PostgreSQL, Hosted SQL Server, Kubernetes image, Kubernetes pod |
+| Is running | Indicates that the source entity is running the target entity as a process | Azure VM, EC2, Kubernetes container | SQL, Arc-Enabled SQL, Hosted MongoDB, Hosted MySQL, Hosted Oracle, Hosted PostgreSQL, Hosted SQL Server, Container image, Kubernetes pod |
 | Member of | Indicates that the source identity is a member of the target identities group | Azure AD group, Azure AD user | Azure AD group |
 | Maintains | Indicates that the source Kubernetes entity manages the life cycle of the target Kubernetes entity | Kubernetes workload controller, Kubernetes replica set, Kubernetes stateful set, Kubernetes daemon set, Kubernetes jobs, Kubernetes cron job | Kubernetes pod |
 

articles/defender-for-cloud/concept-agentless-containers.md

@@ -0,0 +1,131 @@
+---
+title: Agentless Container Posture for Microsoft Defender for Cloud
+description: Learn how Agentless Container Posture offers discovery and visibility for Containers without installing an agent on your machines.
+ms.service: defender-for-cloud
+ms.topic: conceptual
+ms.date: 04/16/2023
+ms.custom: template-concept
+---
+
+# Agentless Container Posture (Preview)
+
+You can identify security risks that exist in containers and Kubernetes realms with the agentless discovery and visibility capability across SDLC and runtime.
+
+You can maximize the coverage of your container posture issues and extend your protection beyond the reach of agent-based assessments to provide a holistic approach to your posture improvement. This includes, for example, container vulnerability assessment insights as part of [Cloud Security Explorer](how-to-manage-cloud-security-explorer.md) and Kubernetes [Attack Path](attack-path-reference.md#azure-containers) analysis.
+
+Learn more about [Cloud Security Posture Management](concept-cloud-security-posture-management.md).
+
+> [!IMPORTANT]
+> The Agentless Container Posture preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available" and are excluded from the service-level agreements and limited warranty. Agentless Container Posture previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use.
+
+## Capabilities
+
+Agentless Container Posture provides the following capabilities:
+
+- Using Kubernetes Attack Path analysis to visualize risks and threats to Kubernetes environments.
+- Using Cloud Security Explorer for risk hunting by querying various risk scenarios.
+- Viewing security insights, such as internet exposure, and other pre-defined security scenarios. For more information, search for `Kubernetes` in the [list of Insights](attack-path-reference.md#insights).
+- Agentless discovery and visibility within Kubernetes components.
+- Agentless container registry vulnerability assessment, using the image scanning results of your Azure Container Registry (ACR) with Cloud Security Explorer.
+
+    [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) for Containers in Defender Cloud Security Posture Management (CSPM) gives you frictionless, wide, and instant visibility on actionable posture issues without the need for installed agents, network connectivity requirements, or container performance impact.
+
+All of these capabilities are available as part of the [Defender Cloud Security Posture Management](concept-cloud-security-posture-management.md) plan.
+
+## Availability
+
+| Aspect | Details |
+|---------|---------|
+|Release state:|Preview|
+|Pricing:|Requires [Defender Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md) and is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |
+| Clouds:    | :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected GCP accounts         |
+| Permissions | You need to have access as a Subscription Owner, or, User Access Admin as well as Security Admin permissions for the Azure subscription used for onboarding |
+
+## Prerequisites
+
+You need to have a Defender for CSPM plan enabled. There's no dependency on Defender for Containers​.
+
+This feature uses trusted access. Learn more about [AKS trusted access prerequisites](/azure/aks/trusted-access-feature#prerequisites).
+
+## Onboard Agentless Containers for CSPM
+
+Onboarding Agentless Containers for CSPM will allow you to gain wide visibility into Kubernetes and containers registries across SDLC and runtime.
+
+**To onboard Agentless Containers for CSPM:**
+
+1. In the Azure portal, navigate to the Defender for Cloud's **Environment Settings** page.
+
+1. Select the subscription that's onboarded to the Defender CSPM plan, then select **Settings**.
+
+1. Ensure the **Agentless discovery for Kubernetes** and **Container registries vulnerability assessments** extensions are toggled to **On**.
+
+1. Select **Continue**.
+
+    :::image type="content" source="media/concept-agentless-containers/settings-continue.png" alt-text="Screenshot of selecting agentless discovery for Kubernetes and Container registries vulnerability assessments." lightbox="media/concept-agentless-containers/settings-continue.png":::
+
+1. Select **Save**.
+
+A notification message pops up in the top right corner that will verify that the settings were saved successfully.
+
+## Agentless Container Posture extensions
+
+### Container registries vulnerability assessments
+
+For container registries vulnerability assessments, recommendations are available based on the vulnerability assessment timeline.
+
+Learn more about [image scanning](defender-for-containers-vulnerability-assessment-azure.md).
+
+### Agentless discovery for Kubernetes
+
+The system’s architecture is based on a snapshot mechanism at intervals.
+
+:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
+
+By enabling the Agentless discovery for Kubernetes extension, the following process occurs:
+
+- **Create**: MDC (Microsoft Defender for Cloud) creates an identity in customer environments called CloudPosture/securityOperator/DefenderCSPMSecurityOperator.
+
+- **Assign**: MDC assigns 1 built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope.
+
+    The role contains the following permissions:
+    - AKS read (Microsoft.ContainerService/managedClusters/read)
+    - AKS Trusted Access with the following permissions:
+        - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
+        - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
+        - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
+
+        Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
+
+- **Discover**: Using the system assigned identity, MDC performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
+
+- **Bind**: Upon discovery of an AKS cluster, MDC performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives MDC data plane read permission inside the cluster.
+
+### Refresh intervals
+
+Agentless information in Defender CSPM is updated once an hour through a snapshot mechanism. It can take up to **24 hours** to see results in Cloud Security Explorer and Attack Path.
+
+## FAQs
+
+### Why don't I see results from my clusters?
+
+If you don't see results from your clusters, check the following:
+
+- Do you have [stopped clusters](#what-do-i-do-if-i-have-stopped-clusters)?
+- Are your clusters [Read only (locked)](#what-do-i-do-if-i-have-read-only-clusters-locked)?
+
+### What do I do if I have stopped clusters?
+
+We suggest that you rerun the cluster to solve this issue.
+
+### What do I do if I have Read only clusters (locked)?
+
+We suggest that you do one of the following:
+
+- Remove the lock.
+- Perform the bind operation manually by doing an API request.
+
+Learn more about [locked resources](/azure/azure-resource-manager/management/lock-resources?tabs=json).
+
+## Next steps
+
+Learn more about [Cloud Security Posture Management](concept-cloud-security-posture-management.md).

articles/defender-for-cloud/concept-cloud-security-posture-management.md

@@ -63,8 +63,8 @@ The following table summarizes each plan and their cloud availability.
 | [Cloud security explorer](how-to-manage-cloud-security-explorer.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
 | [Attack path analysis](how-to-manage-attack-path.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
 | [Agentless scanning for machines](concept-agentless-data-collection.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
-| Agentless discovery for Kubernetes | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |
-| Agentless vulnerability assessments for container images, including registry scanning (\* Up to 20 unique images per billable resource) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |
+| [Agentless discovery for Kubernetes](concept-agentless-containers.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |
+| [Agentless vulnerability assessments for container images](defender-for-containers-vulnerability-assessment-azure.md), including registry scanning (\* Up to 20 unique images per billable resource) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure |
 | Sensitive data discovery | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
 | Data flows discovery | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
 | EASM insights in network exposure | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

@@ -8,11 +8,11 @@ ms.topic: how-to
 ms.custom: ignite-2022
 ---
 
-# Use Defender for Containers to scan your Azure Container Registry images for vulnerabilities
+# Scan your Azure Container Registry images for vulnerabilities
 
-This article explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.
+As part of the protections provided within Microsoft Defender for Cloud, you can scan the container images that are stored in your Azure Resource Manager-based Azure Container Registry.
 
-To enable scanning of vulnerabilities in containers, you have to [enable Defender for Containers](defender-for-containers-enable.md). When the scanner, powered by Qualys, reports vulnerabilities, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
+When the scanner, powered by Qualys, reports vulnerabilities, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
 
 Defender for Cloud filters and classifies findings from the scanner. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.
 
@@ -29,25 +29,28 @@ The triggers for an image scan are:
   - A continuous scan based on an image pull.  This scan is performed every seven days after an image was pulled, and only for 30 days after the image was pulled. This mode doesn't require the security profile, or extension.
 
   - Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of  the above mode when the Defender profile, or extension is running on the cluster.
-    
+
 When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.
 
 ## Prerequisites
 
 Before you can scan your ACR images:
 
-- [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.
+- You must enable one of the following plans on your subscription:
+
+    - [Defender CSPM](concept-cloud-security-posture-management.md). When you enable this plan, ensure you enable the **Container registries vulnerability assessments (preview)** extension.
+    - [Defender for Containers](defender-for-containers-enable.md).
 
-    >[!NOTE]
-    > This feature is charged per image.
+        >[!NOTE]
+        > This feature is charged per image. Learn more about the [pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/)
 
-- If you want to find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.
+To find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.
 
-    Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.
+Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.
 
-    Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md)
+Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md)
 
-    You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-vulnerability-assessment-elastic.md) directly from the Azure portal.
+You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-vulnerability-assessment-elastic.md) directly from the Azure portal.
 
 For a list of the types of images and container registries supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#registries-and-images).
 

articles/defender-for-cloud/how-to-manage-cloud-security-explorer.md

@@ -19,13 +19,12 @@ Learn more about [the cloud security graph, attack path analysis, and the cloud
 
 ## Prerequisites
 
-- You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).
-
 - You must [enable Defender CSPM](enable-enhanced-security.md).
+    - For Agentless Container Posture, you must enable the following extensions:
+        - Agentless discovery for Kubernetes (preview)
+        - Container registries vulnerability assessments (preview)
 
-- You must [enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. 
-
-    When you enable Defender for Containers, you also gain the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in the security explorer. 
+- You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).
 
 - Required roles and permissions: 
     - Security Reader