articles/defender-for-cloud/just-in-time-access-overview.md
Lines changed: 4 additions & 8 deletions
@@ -23,23 +23,19 @@ Your legitimate users also use these ports, so it's not practical to keep them c
23
23
24
24
To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
25
25
26
-
## How JIT operates with network resources
27
-
28
-
### In Azure
26
+
## How JIT operates with network resources in Azure and AWS
29
27
30
28
In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack.
31
29
32
30
If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
33
31
34
-
When a user requests access to a VM, Defender for Cloud checks that the user has [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
32
+
In AWS, by enabling JIT-access the relevant rules in the attached EC2 security groups, for the selected ports, are revoked which blocks inbound traffic on those specific ports.
33
+
34
+
When a user requests access to a VM, Defender for Cloud checks that the user has [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. In AWS, Defender for Cloud creates a new EC2 security group that allow inbound traffic to the specified ports. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
35
35
36
36
> [!NOTE]
37
37
> JIT does not support VMs protected by Azure Firewalls controlled by [Azure Firewall Manager](../firewall-manager/overview.md). The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
38
38
39
-
### In AWS
40
-
41
-
In AWS, JIT deletes allow rules and for EC2 Security Groups. When a user requests access, JIT creates a temporary security group with relevant allow rules.
42
-
43
39
## How Defender for Cloud identifies which VMs should have JIT applied
44
40
45
41
The diagram below shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:
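Review bot: the merged paragraph that now starts "When a user requests access to a VM" covers AWS as well as Azure, but its cleanup sentence still only says "Defender for Cloud restores the NSGs to their previous states"; the deleted "In AWS" section described the allow rules as "a temporary security group", and the rewrite drops that detail, so state what happens to the new EC2 security group when the time window expires. In the same paragraph, "creates a new EC2 security group that allow inbound traffic" should read "that allows inbound traffic", and the sentence "In AWS, by enabling JIT-access the relevant rules in the attached EC2 security groups, for the selected ports, are revoked which blocks inbound traffic on those specific ports." reads more clearly as "In AWS, enabling JIT access revokes the relevant rules in the attached EC2 security groups for the selected ports, which blocks inbound traffic on those ports." Finally, the paragraph still says the request is checked against "Azure role-based access control (Azure RBAC) permissions for that VM"; since it now applies to EC2 instances too, either say which permission governs requests for AWS instances or scope that sentence to Azure.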
articles/defender-for-cloud/release-notes.md
Lines changed: 8 additions & 1 deletion
@@ -2,7 +2,7 @@
2
2
title: Release notes for Microsoft Defender for Cloud
3
3
description: A description of what's new and changed in Microsoft Defender for Cloud
4
4
ms.topic: reference
5
-
ms.date: 05/12/2022
5
+
ms.date: 05/15/2022
6
6
---
7
7
8
8
# What's new in Microsoft Defender for Cloud?
@@ -22,6 +22,7 @@ Updates in May include:
22
22
23
23
-[General availability (GA) of Defender for SQL for AWS and GCP environments](#general-availability-ga-of-defender-for-sql-for-aws-and-gcp-environments)
24
24
-[Multi-cloud settings of Servers plan are now available in connector level](#multi-cloud-settings-of-servers-plan-are-now-available-in-connector-level)
25
+
- JIT is now available with AWS
25
26
26
27
### General availability (GA) of Defender for SQL for AWS and GCP environments
27
28
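Review bot: the added list item "- JIT is now available with AWS" is the only entry in this list that is not a link to its section; the two items above it link to their headings, so this one should be "- [JIT is now available with AWS](#jit-is-now-available-with-aws)" to match.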
@@ -49,6 +50,12 @@ Updates in the UI include a reflection of the selected pricing tier and the requ
49
50
50
51
:::image type="content" source="media/release-notes/auto-provision.png" alt-text="Screenshot of the auto-provision page with the multi-cloud connector enabled.":::
51
52
53
+
### Jit is now available with AWS
54
+
55
+
We would like to announce that Just-in-Time VM access (JIT) is now available to protect your AWS EC2 instances.
56
+
57
+
Learn how to [JIT protects](just-in-time-access-overview.md#how-jit-operates-with-network-resources) your AWS EC2 instances.
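Review bot: the link "[JIT protects](just-in-time-access-overview.md#how-jit-operates-with-network-resources)" points at an anchor that this same commit renames; the overview heading is now "How JIT operates with network resources in Azure and AWS", so the fragment must become #how-jit-operates-with-network-resources-in-azure-and-aws or the link will break. The sentence itself also reads oddly; suggest "Learn how [JIT protects](...) your AWS EC2 instances." The heading "### Jit is now available with AWS" should capitalize "JIT" to match the list entry and the rest of the page, and "We would like to announce that" can be dropped so the line reads "Just-in-Time VM access (JIT) is now available to protect your AWS EC2 instances."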