MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/TOC.yml
Lines changed: 7 additions & 1 deletion b/‎articles/defender-for-cloud/TOC.yml
Lines changed: 7 additions & 1 deletion
diff --git a/‎articles/defender-for-cloud/defender-for-databases-introduction.md
Lines changed: 20 additions & 16 deletions b/‎articles/defender-for-cloud/defender-for-databases-introduction.md
Lines changed: 20 additions & 16 deletions
diff --git a/‎articles/defender-for-cloud/defender-for-databases-usage.md
Lines changed: 18 additions & 14 deletions b/‎articles/defender-for-cloud/defender-for-databases-usage.md
Lines changed: 18 additions & 14 deletions
diff --git a/‎articles/defender-for-cloud/enable-defender-for-databases-aws.md
Lines changed: 146 additions & 0 deletions b/‎articles/defender-for-cloud/enable-defender-for-databases-aws.md
Lines changed: 146 additions & 0 deletions
@@ -764,7 +764,13 @@
           - name: Overview
             displayName: PG, PostgreSQL, MySQL, MariaDB, Azure Defender, OS RDBs, OSRDB
             href: defender-for-databases-introduction.md
-          - name: Enable Defender for OSS RDBs and respond to alerts
+          - name: Enable on Azure
+            displayName: PG, PostgreSQL, MySQL, MariaDB, Azure Defender, OS RDBs, OSRDB
+            href: enable-defender-for-databases-azure.md
+          - name: Enable on AWS (Preview)
+            displayName: PG, PostgreSQL, MySQL, MariaDB, Azure Defender, OS RDBs, OSRDB
+            href: enable-defender-for-databases-aws.md
+          - name: Respond to Defender open-source database alerts
             displayName: PG, PostgreSQL, MySQL, MariaDB, open-source relational databases,
               Azure Defender, OS RDBs, OSRDB
             href: defender-for-databases-usage.md
 
@@ -1,7 +1,7 @@
 ---
 title: What is Defender for open-source databases
 description: Learn about the benefits and features of Microsoft Defender for open-source relational databases such as PostgreSQL, MySQL, and MariaDB
-ms.date: 04/02/2024
+ms.date: 05/01/2024
 ms.topic: overview
 ms.author: dacurwin
 author: dcurwin
@@ -10,61 +10,65 @@ author: dcurwin
 
 # What is Microsoft Defender for open-source relational databases
 
-This plan brings threat protections for the following open-source relational databases:
-
-- [Azure Database for PostgreSQL](../postgresql/index.yml)
-- [Azure Database for MySQL](../mysql/index.yml)
-- [Azure Database for MariaDB](../mariadb/index.yml)
-
 Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. The plan makes it simple to address potential threats to databases without the need to be a security expert or manage advanced security monitoring systems.
 
 ## Availability
 
 Check out the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) for pricing information for Microsoft Defender for open-source relational databases.
 
-Defender for open-source relational database is supported on PaaS environments and not on Azure Arc-enabled machines.
+Defender for open-source relational database is supported on PaaS environments for Azure and AWS and not on Azure Arc-enabled machines.
+
+This plan brings threat protections for the following open-source relational databases on Azure:
 
-**Protected versions of PostgreSQL include**:
+**Protected versions of [Azure Database for PostgreSQL](../postgresql/index.yml) include**:
 
 - Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md).
 - Flexible Server - all pricing tiers.
 
-**Protected versions of MySQL include**:
+**Protected versions of [Azure Database for MySQL](../mysql/index.yml) include**:
 
 - Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md).
 - Flexible Server - all pricing tiers.
 
-**Protected versions of MariaDB include**:
+**Protected versions of [Azure Database for MariaDB](../mariadb/index.yml) include**:
 
 - General Purpose and Memory Optimized. Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md).
 
+For RDS instances on AWS (Preview):
+
+- Aurora PostgreSQL
+- Aurora MySQL
+- PostgreSQL
+- MySQL
+- MariaDB
+
 View [cloud availability](support-matrix-cloud-environment.md#cloud-support) for Defender for open-source relational databases
 
 ## What are the benefits of Microsoft Defender for open-source relational databases?
 
-Defender for Cloud provides security alerts on anomalous activities so that you can detect potential threats and respond to them as they occur.
+Defender for Cloud provides multicloud alerts on anomalous activities so that you can detect potential threats and respond to them as they occur.
 
 When you enable this plan, Defender for Cloud will provide alerts when it detects anomalous database access and query patterns as well as suspicious database activities.
 
-These alerts appear in Defender for Cloud's security alerts page and include:
+These alerts appear in Defender for Cloud's multicloud alerts page and include:
 
 - details of the suspicious activity that triggered them
 - the associated MITRE ATT&CK tactic
 - recommended actions for how to investigate and mitigate the threat
 - options for continuing your investigations with Microsoft Sentinel
 
-:::image type="content" source="media/defender-for-databases-introduction/defender-alerts.png" alt-text="Some of the security alerts you might see with your databases protected by Microsoft Defender for open-source relational databases." lightbox="./media/defender-for-databases-introduction/defender-alerts.png":::
+:::image type="content" source="media/defender-for-databases-introduction/defender-alerts.png" alt-text="Some of the multicloud alerts you might see with your databases protected by Microsoft Defender for open-source relational databases." lightbox="./media/defender-for-databases-introduction/defender-alerts.png":::
 
 ## What kind of alerts does Microsoft Defender for open-source relational databases provide?
 
-Threat intelligence enriched security alerts are triggered when there are:
+Threat intelligence enriched multicloud alerts are triggered when there are:
 
 - **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt).
 - **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server.
 - **Brute-force attacks** – With the ability to separate simple brute force or a successful brute force.
 
 > [!TIP]
-> View the full list of security alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-for-open-source-relational-databases).
+> View the full list of multicloud alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-for-open-source-relational-databases).
 
 ## Related articles
 
 
@@ -1,45 +1,49 @@
 ---
-title: Microsoft Defender for open-source relational databases
+title: Respond to Defender open-source database alerts
 description: Configure Microsoft Defender for open-source relational databases to detect potential security threats.
-ms.date: 04/02/2024
+ms.date: 05/01/2024
 ms.topic: how-to
 ms.author: dacurwin
 author: dcurwin
 #customer intent: As a reader, I want to learn how to configure Microsoft Defender for open-source relational databases to enhance the security of my databases.
 ---
 
-# Enable Microsoft Defender for open-source relational databases and respond to alerts
+# Respond to Defender open-source database alerts
 
 Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases for the following services:
 
 - [Azure Database for PostgreSQL](../postgresql/index.yml)
 - [Azure Database for MySQL](../mysql/index.yml)
 - [Azure Database for MariaDB](../mariadb/index.yml)
 
-To get alerts from the Microsoft Defender plan you'll first need to enable it as [shown below](#enable-enhanced-security).
+and for RDS instances on AWS (Preview):
 
-Learn more about this Microsoft Defender plan in [Overview of Microsoft Defender for open-source relational databases](defender-for-databases-introduction.md).
+- Aurora PostgreSQL
+- Aurora MySQL
+- PostgreSQL
+- MySQL
+- MariaDB
 
-## Enable enhanced security
+To get alerts from the Microsoft Defender plan you'll first need to enable Defender for open-source relational databases on your [Azure](enable-defender-for-databases-azure.md) or [AWS](enable-defender-for-databases-aws.md) account.
 
-1. From [the Azure portal](https://portal.azure.com), open the configuration page of the database server you want to protect.
+Learn more about this Microsoft Defender plan in [Overview of Microsoft Defender for open-source relational databases](defender-for-databases-introduction.md).
 
-1. From the security menu on the left, select **Microsoft Defender for Cloud**.
+## Prerequisites
 
-1. If enhanced security isn't enabled, you'll see a button as shown in the following screenshot. Select **Enable Microsoft Defender for [Database type]** (for example, "Microsoft Defender for MySQL") and select **Save**.
+- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free subscription](https://azure.microsoft.com/pricing/free-trial/).
 
-    :::image type="content" source="media/defender-for-databases-usage/enable-defender-for-mysql.png" alt-text="Enable Microsoft Defender for MySQL." lightbox="media/defender-for-databases-usage/enable-defender-for-mysql.png":::
+- You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription.
 
-    > [!TIP]
-    > This page in the portal will be the same regardless of the database type (PostgreSQL, MySQL, or MariaDB).
+- **AWS users only** - Connect your [AWS account](quickstart-onboard-aws.md).
 
-## Respond to security alerts
+## Respond to alerts in Defender for Cloud
 
 When Microsoft Defender for Cloud is enabled on your database, it detects anomalous activities and generates alerts. These alerts are available from multiple locations, including:
 
 - In the Azure portal:
   - **Microsoft Defender for Cloud's security alerts page** - Shows alerts for all resources protected by Defender for Cloud in the subscriptions you've got permissions to view.
-  - The resource's **Microsoft Defender for Cloud** page - Shows alerts and recommendations for one specific resource, as shown above in [Enable enhanced security](#enable-enhanced-security).
+  - The resource's **Microsoft Defender for Cloud** page - Shows alerts and recommendations for one specific resource.
+
 - In the inbox of whoever in your organization has been [designated to receive email alerts](configure-email-notifications.md).  
 
 > [!TIP]
 
@@ -0,0 +1,146 @@
+---
+title: Enable Defender for open-source relational databases on AWS
+description: Learn how to enable Microsoft Defender for open-source relational databases to detect potential security threats on AWS environments.
+ms.date: 05/01/2024
+ms.topic: how-to
+ms.author: dacurwin
+author: dcurwin
+#customer intent: As a reader, I want to learn how to configure Microsoft Defender for open-source relational databases to enhance the security of my AWS databases.
+---
+
+# Enable Defender for open-source relational databases on AWS (Preview)
+
+Microsoft Defender for Cloud detects anomalous activities in your AWS environment indicating unusual and potentially harmful attempts to access or exploit databases for the following RDS instance types:
+
+- Aurora PostgreSQL
+- Aurora MySQL
+- PostgreSQL
+- MySQL
+- MariaDB
+
+To get alerts from the Microsoft Defender plan, you need to follow the instructions on this page to enable Defender for open-source relational databases on AWS.
+
+The Defender for open-source relational databases on AWS plan also includes the ability to discover sensitive data within your account and enrich the Defender for Cloud experience with the findings. This is feature is also included with Defender CSPM.
+
+Learn more about this Microsoft Defender plan in [Overview of Microsoft Defender for open-source relational databases](defender-for-databases-introduction.md).
+
+## Prerequisites
+
+- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free subscription](https://azure.microsoft.com/pricing/free-trial/).
+
+- You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription.
+
+- At least one connected [AWS account](quickstart-onboard-aws.md) with the required access and permissions.
+
+- Region availability: All public AWS regions (excluding Tel Aviv, Milan, Jakarta, Spain and Bahrain).
+
+## Enable Defender for open-source relational databases
+
+1. Sign in to [the Azure portal](https://portal.azure.com)
+
+1. Search for and select **Microsoft Defender for Cloud**.
+
+1. Select **Environment settings**.
+
+1. Select the relevant AWS account.
+
+1. Locate the Databases plan and select **Settings**.
+
+    :::image type="content" source="media/enable-defender-for-databases-aws/databases-settings.png" alt-text="Screenshot of the AWS environment settings page that shows where the settings button is located." lightbox="media/enable-defender-for-databases-aws/databases-settings.png":::
+
+1. Toggle open-source relation databases to **On**.  
+
+    :::image type="content" source="media/enable-defender-for-databases-aws/toggle-open-source-on.png" alt-text="Screenshot that shows how to toggle the open-source relational databases to on." lightbox="media/enable-defender-for-databases-aws/toggle-open-source-on.png":::
+
+    > [!NOTE]
+    > Toggling the open-source relational databases to on will also enable sensitive data discovery to on, which is a shared feature with Defender CSPM's sensitive data discovery for relation database service (RDS).
+    >
+    > :::image type="content" source="media/enable-defender-for-databases-aws/cspm-shared.png" alt-text="Screenshot that shows the settings page for Defender CSPM and the sensitive data turned on with the protected resources." lightbox="media/enable-defender-for-databases-aws/cspm-shared.png":::
+    >
+    > Learn more about [sensitive data discovery in AWS RDS instances](concept-data-security-posture-prepare.md#discovering-aws-rds-instances).
+
+1. Select **Configure access**.
+
+1. In the deployment method section, select **Download**.
+
+1. Follow the update stack in AWS instructions. This process will create or update the CloudFormation template with the [required permissions](#required-permissions-for-defenderforcloud-datathreatprotectiondb-role).
+
+1. Check the box confirming the CloudFormation template has been updated on AWS environment (Stack).
+
+1. Select **Review and generate**.
+
+1. Review the presented information and select **Update**.
+
+Defender for Cloud will automatically [make changes to your parameter and option group settings](#affected-parameter-and-option-group-settings).
+
+### Required permissions for DefenderForCloud-DataThreatProtectionDB Role
+
+The following table shows a list of the required permissions that were given to the role that was created or updated, when you downloaded the CloudFormation template and updated the AWS Stack.
+
+| Permission added | Description |
+|--|--|
+| rds:AddTagsToResource | to add tag on option group and parameter group created |
+| rds:DescribeDBClusterParameters | describe the parameters inside the cluster group |
+| rds:CreateDBParameterGroup | create database parameter group |
+| rds:ModifyOptionGroup | modify option inside the option group |
+| rds:DescribeDBLogFiles | describe the log file |
+| rds:DescribeDBParameterGroups | describe the database parameter group |
+| rds:CreateOptionGroup | create option group |
+| rds:ModifyDBParameterGroup | modify parameter inside the databases parameter group |
+| rds:DownloadDBLogFilePortion | download log file |
+| rds:DescribeDBInstances | describe the database |
+| rds:ModifyDBClusterParameterGroup | modify cluster parameter inside the cluster parameter group |
+| rds:ModifyDBInstance | modify databases to assign parameter group or option group if needed |
+| rds:ModifyDBCluster | modify cluster to assign cluster parameter group if needed |
+| rds:DescribeDBParameters | describe the parameters inside the database group |
+| rds:CreateDBClusterParameterGroup | create cluster parameter group |
+| rds:DescribeDBClusters | describe the cluster |
+| rds:DescribeDBClusterParameterGroups | describe the cluster parameter group |
+| rds:DescribeOptionGroups | describe the option group |
+
+## Affected parameter and option group settings
+
+When you enable Defender for open-source relational databases on your RDS instances, Defender for Cloud automatically enables auditing by using audit logs in order to be able to consume and analyze access patterns to your database.
+
+Each relational database management system or service type has its own requirements. The following table describes the requirements for each type.
+
+| Type | Parameter | Value |
+|--|--|--|
+| PostgreSQL and Aurora PostgreSQL | log_connections | 1| 
+| PostgreSQL and Aurora PostgreSQL | log_disconnections | 1 |
+| Aurora MySQL instance and cluster parameter group | server_audit_logging | 1 | 
+| Aurora MySQL instance and cluster parameter group | server_audit_events | - If it exists, expand the value to include CONNECT, QUERY, <br> - If it doesn't exist, add it with the value CONNECT, QUERY. |
+| Aurora MySQL instance and cluster parameter group | server_audit_excl_users | If it exists, expand it to include rdsadmin. |
+| Aurora MySQL instance and cluster parameter group | server_audit_incl_users | - If it exists with a value and rdsadmin as part of the include, then it won't be present in SERVER_AUDIT_EXCL_USER, and the value of include is empty. |
+
+An option group is required for MySQL and MariaDB with the following options for the MARIADB_AUDIT_PLUGIN (If the option doesn’t exist, add the option. If the option exists expand the values in the option):
+
+| Option name | Value |
+|--|--|
+| SERVER_AUDIT_EVENTS | If it exists, expand the value to include CONNECT <br> If it doesn't exist, add it with value CONNECT. |
+| SERVER_AUDIT_EXCL_USER | If it exists, expand it to include rdsadmin. |
+| SERVER_AUDIT_INCL_USERS | If it exists with a value and rdsadmin is part of the include, then it won't be present in SERVER_AUDIT_EXCL_USER, and the value of include is empty. |
+
+> [!IMPORTANT]
+> You may need to reboot your instances to apply the changes.
+>
+> If you are using the default parameter group, a new parameter group will be created that includes the required parameter changes with the prefix `defenderfordatabases*`.
+>
+> If a new parameter group was created or if static parameters were updated, they won't take effect until the instance is restarted.
+
+> [!NOTE]
+> - If a parameter group already exists it will be updated accordingly. 
+>
+> - MARIADB_AUDIT_PLUGIN is supported in MariaDB 10.2 and higher, MySQL 8.0.25 and higher 8.0 versions and All MySQL 5.7 versions.
+>
+> - Changes to [MARIADB_AUDIT_PLUGIN are added to the next maintenance window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.MySQL.Options.AuditPlugin.html#Appendix.MySQL.Options.AuditPlugin.Add).
+
+## Related content
+
+- [What's supported in Sensitive Data Discovery](concept-data-security-posture-prepare.md#whats-supported).
+- [Discovering sensitive data on AWS RDS instances](concept-data-security-posture-prepare.md#discovering-aws-rds-instances).
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Respond to Defender OSS alerts](defender-for-databases-usage.md)