
Commit 54f3673

last of Oded's changes
1 parent 9dca707 commit 54f3673

8 files changed

+12
-15
lines changed

articles/defender-for-cloud/concept-data-security-posture-prepare.md

Lines changed: 7 additions & 8 deletions
@@ -28,14 +28,15 @@ The table summarizes support for data-aware posture management.
2828

2929
**Support** | **Details**
3030
--- | ---
31-
What Azure data resources can I discover? | [Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage account encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: [Public network access is disabled](../storage/common/storage-network-security?tabs=azure-portal#change-the-default-network-access-rule); Storage account endpoint types is set to [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md).
31+
What Azure data resources can I discover? | [Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage account encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: [Public network access is disabled](../storage/common/storage-network-security?tabs=azure-portal#change-the-default-network-access-rule); Storage account is defined as [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md).
3232
What AWS data resources can I discover? | AWS S3 buckets<br/><br/> Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key.
3333
What permissions do I need for discovery? | Storage account: Subscription Owner or Microsoft.Storage/storageaccounts/{read/write} and Microsoft.Authorization/roleAssignments/{read/write/delete}<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role).
3434
What file types are supported for sensitive data discovery? | Supported file types (you can't select a subset) - .doc, .docm, .docx, .dot, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt., xml, .parquet, .avro, .orc.
3535
What Azure regions are supported? | You can discover Azure storage accounts in:<br/><br/> Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West: Jio India West: North Central US; North Europe; Norway East; South Africa North: South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West: West Central US; West Europe; West US, West US3.<br/><br/> Discovery is done locally in the region.
3636
What AWS regions are supported? | Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/> Discovery is done locally in the region.
3737
Do I need to install an agent? | No, discovery is agentless.
3838
What's the cost? | The feature is included with the Defender CSPM and Defender for Storage plans, and doesn’t include other costs except for the respective plan costs.
39+
What permissions do I need to edit data sensitivity settings? | You need one of these permissions: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.
3940

4041

4142
## Configuring data sensitivity settings
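Review bot: the rewording in new line 31 loses the setting it is describing: "Storage account is defined as [Azure DNS Zone](...)" no longer says which configuration is meant, while the removed text named the endpoint type. Suggest "Storage account endpoint type is set to [Azure DNS Zone](...)". Two smaller items in the same row: the `storage-network-security?tabs=azure-portal#change-the-default-network-access-rule` link is the only relative link in this table without a `.md` suffix, which the docs link checker is likely to flag, and the unchanged text "Storage account encrypted with a customer-managed server-side key are supported" has a subject/verb mismatch ("Storage accounts ... are"). The new row at line 39 is titled "What permissions do I need" but lists roles (Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator), so "You need one of these roles:" is the accurate wording.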
@@ -65,16 +66,14 @@ In order to protect AWS resources in Defender for Cloud, you set up an AWS conne
6566
- To connect AWS accounts, you need Administrator permissions on the account.
6667
- The role allows these permissions: S3 read only; KMS decrypt.
6768

68-
## What does internet-exposed/publicly accessible mean?
69+
## Exposed to the internet/allows public access
6970

70-
Defender CSPM attack paths and cloud security graph insights include information about storage resources that are exposed to the internet. The following table provides more details.
71+
Defender CSPM attack paths and cloud security graph insights include information about storage resources that are exposed to the internet and allow public access. The following table provides more details.
7172

72-
**State** | **Azure resources** | **AWS resources**
73+
**State** | **Azure storage accounts** | **AWS S3 Buckets**
7374
--- | --- | ---
74-
**Exposed to the internet** | An Azure storage account is considered exposed if public network access is enabled, with either of these settings enabled<br/><br/> Storage_account_name **Networking** > **Public network access** > **Enabled from all networks**<br/><br/> or<br/><br/> Storage_account_name **Networking** > **Public network access** > **Enable from selected virtual networks and IP addresses**. | An AWS S3 bucket is consider exposed if the AWS account and AWS S3 bucket don't have a condition set for IP addresses.
75-
**Publicly accessible** | An Azure storage account is considered to be publicly accessible if both these settings are configured on the Azure storage account container:<br/><br/> Storage account name **Configuration** > **Allow blob public access**<br/><br/>and either of these settings:<br/><br/> - Storage account name > **Containers** > container_name > **Public access level** set to **Blob (anonymous read access for blobs only)**<br/><br/> - Or, storage account name > **Containers** > container_name > **Public access level** set to **Container (anonymous read access for containers and blobs)**. | An AWS S2 bucket is considered publicly available if both the AWS account and the AWS S3 bucket have **Block all public access** set to **Off**, and the policy has **either** of these settings:<br/><br/> - In the policy, **RestrictPublicBuckets isn't allowed**, and **Principal is** and **Effect** are set to **Allow**.<br/><br/> - Or, in the access control list, **IgnorePublicAcl** isn't enabled, and permission is allowed for **Everyone**, or for **Authenticated users**.
76-
77-
75+
**Exposed to the internet** | An Azure storage account is considered exposed to the internet if either of these settings enabled:<br/><br/> Storage_account_name > **Networking** > **Public network access** > **Enabled from all networks**<br/><br/> or<br/><br/> Storage_account_name > **Networking** > **Public network access** > **Enable from selected virtual networks and IP addresses**. | An AWS S3 bucket is considered exposed to the internet if the AWS account/AWS S3 bucket policies don't have a condition set for IP addresses.
76+
**Allows public access** | An Azure storage account container is considered as allowing public access if these settings are enabled on the storage account:<br/><br/> Storage_account_name > **Configuration** > **Allow blob public access** > **Enabled**.<br/><br/>and **either** of these settings:<br/><br/> Storage_account_name > **Containers** > container_name > **Public access level** set to **Blob (anonymous read access for blobs only)**<br/><br/> Or, storage_account_name > **Containers** > container_name > **Public access level** set to **Container (anonymous read access for containers and blobs)**. | An AWS S3 bucket is considered to allow public access if both the AWS account and the AWS S3 bucket have **Block all public access** set to **Off**, and **either** of these settings is set:<br/><br/> In the policy, **RestrictPublicBuckets** isn't enabled, and the **Principal** setting is set to * and **Effect** is set to **Allow**.<br/><br/> Or, in the access control list, **IgnorePublicAcl** isn't enabled, and permission is allowed for **Everyone**, or for **Authenticated users**.
7877

7978

8079
## Next steps
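Review bot: in the new "Allows public access" row (line 76) the bare asterisk in "the **Principal** setting is set to * and **Effect** is set to **Allow**" is markdown emphasis syntax and will likely render as stray italics or vanish; write it as `*` in backticks or escape it as `\*`. In the new "Exposed to the internet" row (line 75) the Azure cell reads "if either of these settings enabled:" and is missing "is". Renaming the heading from "## What does internet-exposed/publicly accessible mean?" to "## Exposed to the internet/allows public access" also changes the section anchor, so any page that deep-links to the old heading needs updating in the same change.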

articles/defender-for-cloud/data-security-review-risks.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Explore data risks and exposure in cloud security graph insights using a query t
5151

5252
### Use query templates
5353

54-
As an alternative to creating your own query, you can use predefined query templates. These sensitive data query templates are available:
54+
As an alternative to creating your own query, you can use predefined query templates. A number of sensitive data query templates are available. For example:
5555

5656
- Internet exposed storage containers with sensitive data that allow public access.
5757
- Internet exposed S3 buckets with sensitive data that allow public access
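Review bot: the two example bullets at lines 56 and 57 are punctuated inconsistently: the first ends with a period and the second ("Internet exposed S3 buckets with sensitive data that allow public access") does not; pick one. The new intro "A number of sensitive data query templates are available. For example:" correctly marks the list as non-exhaustive, but "Internet exposed" is a compound modifier and should be hyphenated ("Internet-exposed") in both bullets.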

articles/defender-for-cloud/data-sensitivity-settings.md

Lines changed: 4 additions & 6 deletions
@@ -8,7 +8,7 @@ ms.date: 03/22/2023
88
---
99
# Customize data sensitivity settings
1010

11-
This article describes how to customize data sensitivity settings in Microsoft Defender for Cloud.
11+
This article describes how to customize data sensitivity settings in Microsoft Defender for Cloud.
1212

1313
Data sensitivity settings are used to identify and focus on managing the critical sensitive data in your organization.
1414

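Review bot: line 11 is shown as removed and re-added with identical visible text ("This article describes how to customize data sensitivity settings in Microsoft Defender for Cloud."), so the change is whitespace or an invisible character; confirm it is an intended trailing-whitespace fix rather than a stray non-breaking space introduced by the editor. The hunk header also shows `ms.date: 03/22/2023`; since this commit changes the article's prerequisites and headings, the date should be bumped so the page reflects the update.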
@@ -20,16 +20,14 @@ This configuration helps you focus on your critical sensitive resources and impr
2020

2121
## Before you start
2222

23-
You need one of these permissions in order to sign in and edit sensitivity settings: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.
24-
25-
- [Review the prerequisites](concept-data-security-posture-prepare.md#configuring-data-sensitivity-settings) for customizing data sensitivity settings.
23+
- Make sure that you [review the prerequisites and requirements](concept-data-security-posture-prepare.md#configuring-data-sensitivity-settings) for customizing data sensitivity settings.
2624
- In Defender for Cloud, enable sensitive data discovery capabilities in the [Defender CSPM](data-security-posture-enable.md) and/or [Defender for Storage](defender-for-storage-data-sensitivity.md) plans.
2725

2826
Changes in sensitivity settings take effect the next time that resources are discovered.
2927

30-
## Import custom sensitive info types/labels from Microsoft Purview compliance portal
28+
## Import custom sensitive info types/labels
3129

32-
Defender for Cloud uses built-in sensitive info types. You can optionally import your own custom sensitive info types and labels from Microsoft Purview compliance portal to align with your organization's needs.
30+
Defender for Cloud uses built-in sensitive info types. You can optionally import your own custom sensitive info types and labels from Microsoft Purview compliance portal to align with your organization's needs.
3331

3432
Import as follows (Import only once):
3533

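Review bot: the permission list removed from "Before you start" (old line 23) now lives only behind the link `concept-data-security-posture-prepare.md#configuring-data-sensitivity-settings` in new line 23, but in this same commit the moved permissions row is added to the support table in that file, above the "## Configuring data sensitivity settings" heading rather than under it, so readers following the link will not land on the permissions they were sent to find. Either place the row under that heading or point the link at the table. The shortened heading at new line 28 ("## Import custom sensitive info types/labels") also changes its anchor, so check for inbound links to the old "...from Microsoft Purview compliance portal" heading; and line 30 is another removed-and-re-added line with no visible difference that should be confirmed as a whitespace-only fix.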