Commit 6a7805e

committed
added sections for Azure and AWS
1 parent 6232a08 commit 6a7805e

1 file changed

+7
-1
lines changed

articles/defender-for-cloud/just-in-time-access-overview.md

Lines changed: 7 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Understanding just-in-time virtual machine access in Microsoft Defender for Cloud
33
description: This document explains how just-in-time VM access in Microsoft Defender for Cloud helps you control access to your Azure virtual machines
44
ms.topic: how-to
5-
ms.date: 05/12/2022
5+
ms.date: 05/15/2022
66
---
77

88
# Understanding just-in-time (JIT) VM access
@@ -25,6 +25,8 @@ To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you ca
2525

2626
## How JIT operates with network resources
2727

28+
### In Azure
29+
2830
In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack.
2931

3032
If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
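Review bot: the new "### In Azure" subheading is inserted directly under "## How JIT operates with network resources" with no sentence introducing the two platform subsections; consider a one-line lead-in above it (for example, "JIT behaves differently depending on the cloud hosting the VM:") so the section does not open with a bare heading, and confirm the heading level matches the level-3 style used elsewhere in this article.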
@@ -34,6 +36,10 @@ When a user requests access to a VM, Defender for Cloud checks that the user has
3436
> [!NOTE]
3537
> JIT does not support VMs protected by Azure Firewalls controlled by [Azure Firewall Manager](../firewall-manager/overview.md). The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
3638
39+
### In AWS
40+
41+
In AWS, JIT deletes allow rules and for EC2 Security Groups. When a user requests access, JIT creates a temporary security group with relevant allow rules.
42+
3743
## How Defender for Cloud identifies which VMs should have JIT applied
3844

3945
The diagram below shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:
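Review bot: the added AWS sentence "In AWS, JIT deletes allow rules and for EC2 Security Groups." has a grammatical error ("and for") and is far less specific than the Azure paragraph above it. Suggest rewording along the lines of "In AWS, enabling JIT removes the relevant allow rules from the EC2 instance's security groups. When a user requests access, JIT creates a temporary security group containing the required allow rules." and, to match the Azure section, stating which allow rules are removed (only those for the selected ports, or all inbound allow rules), what happens to pre-existing rules, and whether the temporary security group is removed when the access window expires, since that is the detail a reader will need to reason about exposure.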
