
Commit 40dc8d6

AWS CSPM CloudTrail note
1 parent 829283d commit 40dc8d6


1 file changed

+8
-13
lines changed


articles/security-center/quickstart-onboard-aws.md

Lines changed: 8 additions & 13 deletions
Original file line number | Diff line number | Diff line change
@@ -3,7 +3,7 @@ title: Connect your AWS account to Microsoft Defender for Cloud
33
description: Defend your AWS resources with Microsoft Defender for Cloud
44
author: memildin
55
ms.author: memildin
6-
ms.date: 11/02/2021
6+
ms.date: 11/07/2021
77
ms.topic: quickstart
88
ms.service: security-center
99
manager: rkarlin
@@ -49,20 +49,12 @@ This screenshot shows AWS accounts displayed in Defender for Cloud's [overview d
4949
- To connect an AWS account to your Azure subscription, you'll obviously need access to an AWS account.
5050

5151
- **To enable the Defender for Kubernetes plan**, you'll need:
52-
- At least one Amazon EKS cluster with permission to access to the EKS K8s API server.
52+
- At least one Amazon EKS cluster with permission to access to the EKS K8s API server. If you need to create a new EKS cluster, follow the instructions in [Getting started with Amazon EKS – eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html).
5353
- The resource capacity to create a new SQS queue, Kinesis Fire Hose delivery stream, and S3 bucket in the cluster's region.
54-
55-
> [!TIP]
56-
> To create a new EKS cluster follow guidance in [Getting started with Amazon EKS – eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html)
5754

5855
- **To enable the Defender for servers plan**, you'll need:
59-
- Microsoft Defender for servers enabled (see [Quickstart: Enable enhanced security features](enable-enhanced-security.md)
60-
- An active AWS account with EC2 instances managed by AWS Systems Manager (SSM) and using SSM agent
61-
62-
> [!TIP]
63-
> Some Amazon Machine Images (AMIs) have the SSM agent pre-installed, their AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent).
64-
65-
- If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:
56+
- Microsoft Defender for servers enabled (see [Quickstart: Enable enhanced security features](enable-enhanced-security.md).
57+
- An active AWS account with EC2 instances managed by AWS Systems Manager (SSM) and using SSM agent. Some Amazon Machine Images (AMIs) have the SSM agent pre-installed, their AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:
6658
- [Install SSM Agent for a hybrid environment (Windows)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html)
6759
- [Install SSM Agent for a hybrid environment (Linux)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html)
6860

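Review bot: line 56+ still has an unbalanced parenthesis; the edit appended a period but never closed the bracket opened by `(see`, so `(see [Quickstart: Enable enhanced security features](enable-enhanced-security.md).` should end `...](enable-enhanced-security.md)).` While this hunk is being touched, line 52+ keeps the doubled preposition in "permission to access to the EKS K8s API server" ("permission to access the EKS K8s API server"), and line 57+ carries over the comma splice "have the SSM agent pre-installed, their AMIs are listed in" (a semicolon, or "and those AMIs are listed in", reads better).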
@@ -82,11 +74,14 @@ Follow the steps below to create your AWS cloud connector.
8274

8375
1. The select plans tab is where you choose which Defender for Cloud capabilities to enable for this AWS account.
8476

85-
> [!IMPORTANT]
77+
> [!NOTE]
8678
> Each capability has its own requirements for permissions and might incur charges.
8779
8880
:::image type="content" source="media/quickstart-onboard-aws/add-aws-account-plans-selection.png" alt-text="The select plans tab is where you choose which Defender for Cloud capabilities to enable for this AWS account.":::
8981

82+
> [!IMPORTANT]
83+
> To present the current status of your recommendations, the CSPM plan queries the AWS resource APIs several times a day. These read-only API calls incur no charges, but they *are* registered in CloudTrail if you've enabled a trail for read events. As explained in [the AWS documentation](https://aws.amazon.com/cloudtrail/pricing/), there are no additional charges for keeping one trail. If you're exporting the data out of AWS (for example, to an external SIEM), this increased volume of calls might also increase ingestion costs. In such cases, We recommend filtering out the read-only calls from the Defender for Cloud user or role ARN: arn:aws:iam::[accountId]:role/CspmMonitorAws (this is the default role name, confirm the role name configured on your account).
84+
9085
- To extend Defender for Servers coverage to your AWS EC2, set the **Servers** plan to **On** and edit the configuration as required.
9186

9287
- To extend Defender for Kubernetes coverage to your AWS EKS Linux clusters, set the **Containers** plan to **On** and edit the configuration as required.
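Review bot: in the new IMPORTANT callout at line 83+, the role ARN `arn:aws:iam::[accountId]:role/CspmMonitorAws` should be wrapped in backticks so the `[accountId]` placeholder is not mis-rendered as markup and readers can copy it verbatim; "In such cases, We recommend" also has a stray capital W. On the recommendation itself: the text says to filter out the read-only calls from that role, so it is worth stating that the SIEM filter should match on the event's read-only flag together with the role ARN rather than on the ARN alone, otherwise any non-read-only activity performed under that role would be dropped from the export too.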
