
Commit 50de37f

committed
added aws
1 parent 7c897d6 commit 50de37f

3 files changed

+20
-35
lines changed
articles/defender-for-cloud/just-in-time-access-overview.md

Lines changed: 13 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,8 @@
11
---
22
title: Understanding just-in-time virtual machine access in Microsoft Defender for Cloud
33
description: This document explains how just-in-time VM access in Microsoft Defender for Cloud helps you control access to your Azure virtual machines
4-
author: bmansheim
5-
ms.author: benmansheim
64
ms.topic: how-to
7-
ms.date: 11/09/2021
5+
ms.date: 05/12/2022
86
---
97

108
# Understanding just-in-time (JIT) VM access
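Review bot: the `author` and `ms.author` frontmatter keys are deleted without replacement values, so the article is left with no owner metadata. If ownership is changing, set the new values instead of dropping the keys; if the removal is intentional it should be mentioned in the commit message, which currently reads only "added aws" and does not cover it.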
@@ -13,13 +11,10 @@ This page explains the principles behind Microsoft Defender for Cloud's just-in-
1311

1412
To learn how to apply JIT to your VMs using the Azure portal (either Defender for Cloud or Azure Virtual Machines) or programmatically, see [How to secure your management ports with JIT](just-in-time-access-usage.md).
1513

16-
1714
## The risk of open management ports on a virtual machine
1815

1916
Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.
2017

21-
22-
2318
## Why JIT VM access is the solution
2419

2520
As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.
@@ -28,11 +23,9 @@ Your legitimate users also use these ports, so it's not practical to keep them c
2823

2924
To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
3025

26+
## How JIT operates with network resources
3127

32-
33-
## How JIT operates with network security groups and Azure Firewall
34-
35-
When you enable just-in-time VM access, you can select the ports on the VM to which inbound traffic will be blocked. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack.
28+
In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack.
3629

3730
If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
3831

@@ -41,20 +34,22 @@ When a user requests access to a VM, Defender for Cloud checks that the user has
4134
> [!NOTE]
4235
> JIT does not support VMs protected by Azure Firewalls controlled by [Azure Firewall Manager](../firewall-manager/overview.md). The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
4336
44-
45-
46-
4737
## How Defender for Cloud identifies which VMs should have JIT applied
4838

4939
The diagram below shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:
5040

41+
### [**Azure**](#tab/defender-for-container-arch-aks)
5142
[![Just-in-time (JIT) virtual machine (VM) logic flow.](media/just-in-time-explained/jit-logic-flow.png)](media/just-in-time-explained/jit-logic-flow.png#lightbox)
5243

44+
### [**AWS**](#tab/defender-for-container-arch-eks)
45+
:::image type="content" source="media/just-in-time-explained/aws-jit-logic-flow.png" alt-text="A chart that explains the logic flow for the AWS Just in time (JIT) virtual machine (VM) logic flow.":::
46+
47+
---
48+
5349
When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's **Unhealthy resources** tab.
5450

5551
![Just-in-time (JIT) virtual machine (VM) access recommendation.](./media/just-in-time-explained/unhealthy-resources.png)
5652

57-
5853
## FAQ - Just-in-time virtual machine access
5954

6055
### What permissions are needed to configure and use JIT?
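Review bot: the tab anchors `#tab/defender-for-container-arch-aks` and `#tab/defender-for-container-arch-eks` appear to be copied from the container-architecture article and do not describe this page; use page-specific names (for example `#tab/jit-logic-azure` and `#tab/jit-logic-aws`, suggested names only). The AWS alt text also repeats "logic flow" twice ("explains the logic flow for the AWS Just in time (JIT) virtual machine (VM) logic flow"), and the `---` tab terminator now has two blank lines above it and one below where one on each side is enough.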
@@ -65,6 +60,8 @@ JIT Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introd
6560

6661
If you want to create custom roles that can work with JIT, you'll need the details from the table below.
6762

63+
If you are setting up JIT on your Amazon Web Service (AWS) VM, you will need to [connect your AWS account](quickstart-onboard-aws.md) to Microsoft Defender for Cloud.
64+
6865
> [!TIP]
6966
> To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.
7067
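Review bot: the added AWS onboarding sentence is placed between "you'll need the details from the table below" and the TIP that precedes the table, so it interrupts the sentence's reference to the table; move it above that sentence or into the AWS-specific note. "Amazon Web Service (AWS)" should read "Amazon Web Services (AWS)".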
@@ -74,7 +71,8 @@ If you want to create custom roles that can work with JIT, you'll need the detai
7471
|Request JIT access to a VM | *Assign these actions to the user:* <ul><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action` </li><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` </li><li> `Microsoft.Compute/virtualMachines/read` </li><li> `Microsoft.Network/networkInterfaces/*/read` </li> <li> `Microsoft.Network/publicIPAddresses/read` </li></ul> |
7572
|Read JIT policies| *Assign these actions to the user:* <ul><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/read`</li><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action`</li><li>`Microsoft.Security/policies/read`</li><li>`Microsoft.Security/pricings/read`</li><li>`Microsoft.Compute/virtualMachines/read`</li><li>`Microsoft.Network/*/read`</li>|
7673

77-
74+
> [!Note]
75+
> Only the `Microsoft.Security` permissions are relevant for AWS.
7876
7977
## Next steps
8078

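Review bot: the added note "Only the `Microsoft.Security` permissions are relevant for AWS." does not say whether it applies to every row of the permissions table or only to some of them, and it uses `[!Note]` while the rest of this file uses `[!NOTE]`; state the scope explicitly and match the casing. Separately, the context line for "Read JIT policies" ends with `</li>|` and never closes its `<ul>`, which this hunk could fix while touching the table.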
articles/defender-for-cloud/just-in-time-access-usage.md

Lines changed: 7 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Docs
33
description: Learn how just-in-time VM access (JIT) in Microsoft Defender for Cloud helps you control access to your Azure virtual machines.
44
ms.topic: how-to
5-
ms.date: 01/06/2022
5+
ms.date: 05/12/2022
66
---
77
# Secure your management ports with just-in-time access
88

@@ -14,19 +14,18 @@ For a full explanation of the privilege requirements, see [What permissions are
1414

1515
This page teaches you how to include JIT in your security program. You'll learn how to:
1616

17-
- **Enable JIT on your VMs** - You can enable JIT with your own custom options for one or more VMs using Defender for Cloud, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure VMs by creating a rule in your network security group.
17+
- **Enable JIT on your VMs** - You can enable JIT with your own custom options for one or more VMs using Defender for Cloud, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure and AWS VMs by creating a rule in your network security group.
1818
- **Request access to a VM that has JIT enabled** - The goal of JIT is to ensure that even though your inbound traffic is locked down, Defender for Cloud still provides easy access to connect to VMs when needed. You can request access to a JIT-enabled VM from Defender for Cloud, Azure virtual machines, PowerShell, or the REST API.
1919
- **Audit the activity** - To ensure your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.
2020

2121
## Availability
2222

23-
|Aspect|Details|
24-
|----|:----|
25-
| Release state: | General availability (GA) |
26-
| Supported VMs: | :::image type="icon" source="./media/icons/yes-icon.png"::: VMs deployed through Azure Resource Manager.<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs deployed with classic deployment models. [Learn more about these deployment models](../azure-resource-manager/management/deployment-models.md).<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs protected by Azure Firewalls<sup>[1](#footnote1)</sup> controlled by [Azure Firewall Manager](../firewall-manager/overview.md). |
23+
| Aspect | Details |
24+
|--|:-|
25+
| Release state: | General availability (GA) |
26+
| Supported VMs: | :::image type="icon" source="./media/icons/yes-icon.png"::: VMs deployed through Azure Resource Manager.<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs deployed with classic deployment models. [Learn more about these deployment models](../azure-resource-manager/management/deployment-models.md).<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs protected by Azure Firewalls<sup>[1](#footnote1)</sup> controlled by [Azure Firewall Manager](../firewall-manager/overview.md). <br> :::image type="icon" source="./media/icons/yes-icon.png"::: AWS EC2 instances |
2727
| Required roles and permissions: | **Reader** and **SecurityReader** roles can both view the JIT status and parameters.<br>To create custom roles that can work with JIT, see [What permissions are needed to configure and use JIT?](just-in-time-access-overview.md#what-permissions-are-needed-to-configure-and-use-jit).<br>To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages. |
28-
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts |
29-
28+
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts (Preview) |
3029

3130
<sup><a name="footnote1"></a>1</sup> For any VM protected by Azure Firewall, JIT will only fully protect the machine if it's in the same VNET as the firewall. VMs using VNET peering will not be fully protected.
3231

@@ -88,8 +87,6 @@ From Defender for Cloud, you can enable and configure the JIT VM access.
8887

8988
1. Select **Save**.
9089

91-
92-
9390
### Edit the JIT configuration on a JIT-enabled VM using Defender for Cloud <a name="jit-modify"></a>
9491

9592
You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
@@ -106,8 +103,6 @@ To edit the existing JIT rules for a VM:
106103

107104
1. When you've finished editing the ports, select **Save**.
108105

109-
110-
111106
### [**Azure virtual machines**](#tab/jit-config-avm)
112107

113108
### Enable JIT on your VMs from Azure virtual machines
@@ -239,8 +234,6 @@ When a VM has a JIT enabled, you have to request access to connect to it. You ca
239234
> [!NOTE]
240235
> If a user who is requesting access is behind a proxy, the option **My IP** may not work. You may need to define the full IP address range of the organization.
241236
242-
243-
244237
### [**Azure virtual machines**](#tab/jit-request-avm)
245238
246239
### Request access to a JIT-enabled VM from the Azure virtual machine's connect page
@@ -265,8 +258,6 @@ To request access from Azure virtual machines:
265258
> [!NOTE]
266259
> After a request is approved for a VM protected by Azure Firewall, Defender for Cloud provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.
267260
268-
269-
270261
### [**PowerShell**](#tab/jit-request-powershell)
271262
272263
### Request access to a JIT-enabled VM using PowerShell
@@ -300,8 +291,6 @@ Run the following in PowerShell:
300291
301292
Learn more in the [PowerShell cmdlet documentation](/powershell/scripting/developer/cmdlet/cmdlet-overview).
302293
303-
304-
305294
### [**REST API**](#tab/jit-request-api)
306295
307296
### Request access to a JIT-enabled VMs using the REST API
@@ -328,8 +317,6 @@ You can gain insights into VM activities using log search. To view the logs:
328317
329318
1. To download the log information, select **Download as CSV**.
330319
331-
332-
333320
## Next steps
334321
335322
In this article, you learned _how_ to configure and use just-in-time VM access. To learn _why_ JIT should be used, read the concept article explaining the threats it defends against:
0 commit comments