Merge pull request #198565 from MicrosoftDocs/main

ASK Mode Publish: VMSS + Defender Cloud

Author: SyntaxC4

articles/defender-for-cloud/just-in-time-access-overview.md

@@ -1,10 +1,8 @@
 ---
 title: Understanding just-in-time virtual machine access in Microsoft Defender for Cloud
 description: This document explains how just-in-time VM access in Microsoft Defender for Cloud helps you control access to your Azure virtual machines
-author: bmansheim
-ms.author: benmansheim
 ms.topic: how-to
-ms.date: 11/09/2021
+ms.date: 05/15/2022
 ---
 
 # Understanding just-in-time (JIT) VM access
@@ -13,13 +11,10 @@ This page explains the principles behind Microsoft Defender for Cloud's just-in-
 
 To learn how to apply JIT to your VMs using the Azure portal (either Defender for Cloud or Azure Virtual Machines) or programmatically, see [How to secure your management ports with JIT](just-in-time-access-usage.md).
 
-
 ## The risk of open management ports on a virtual machine
 
 Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.
 
-
-
 ## Why JIT VM access is the solution 
 
 As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.
@@ -28,33 +23,35 @@ Your legitimate users also use these ports, so it's not practical to keep them c
 
 To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
 
+## How JIT operates with network resources in Azure and AWS
 
-
-## How JIT operates with network security groups and Azure Firewall
-
-When you enable just-in-time VM access, you can select the ports on the VM to which inbound traffic will be blocked. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack. 
+In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack. 
 
 If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
 
-When a user requests access to a VM, Defender for Cloud checks that the user has [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
+In AWS, by enabling JIT-access the relevant rules in the attached EC2 security groups, for the selected ports, are revoked which blocks inbound traffic on those specific ports.
+
+When a user requests access to a VM, Defender for Cloud checks that the user has [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. In AWS, Defender for Cloud creates a new EC2 security group that allow inbound traffic to the specified ports. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
 
 > [!NOTE]
 > JIT does not support VMs protected by Azure Firewalls controlled by [Azure Firewall Manager](../firewall-manager/overview.md).  The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
 
-
-
-
 ## How Defender for Cloud identifies which VMs should have JIT applied
 
 The diagram below shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs: 
 
+### [**Azure**](#tab/defender-for-container-arch-aks)
 [![Just-in-time (JIT) virtual machine (VM) logic flow.](media/just-in-time-explained/jit-logic-flow.png)](media/just-in-time-explained/jit-logic-flow.png#lightbox)
 
+### [**AWS**](#tab/defender-for-container-arch-eks)
+:::image type="content" source="media/just-in-time-explained/aws-jit-logic-flow.png" alt-text="A chart that explains the logic flow for the AWS Just in time (J I T) virtual machine (V M) logic flow.":::
+
+---
+
 When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's **Unhealthy resources** tab. 
 
 ![Just-in-time (JIT) virtual machine (VM) access recommendation.](./media/just-in-time-explained/unhealthy-resources.png)
 
-
 ## FAQ - Just-in-time virtual machine access
 
 ### What permissions are needed to configure and use JIT?
@@ -65,6 +62,8 @@ JIT Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introd
 
 If you want to create custom roles that can work with JIT, you'll need the details from the table below.
 
+If you are setting up JIT on your Amazon Web Service (AWS) VM, you will need to [connect your AWS account](quickstart-onboard-aws.md) to Microsoft Defender for Cloud.
+
 > [!TIP]
 > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.
 
@@ -74,7 +73,8 @@ If you want to create custom roles that can work with JIT, you'll need the detai
 |Request JIT access to a VM | *Assign these actions to the user:*  <ul><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action` </li><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` </li><li> `Microsoft.Compute/virtualMachines/read` </li><li> `Microsoft.Network/networkInterfaces/*/read` </li> <li> `Microsoft.Network/publicIPAddresses/read` </li></ul> |
 |Read JIT policies| *Assign these actions to the user:*  <ul><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/read`</li><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action`</li><li>`Microsoft.Security/policies/read`</li><li>`Microsoft.Security/pricings/read`</li><li>`Microsoft.Compute/virtualMachines/read`</li><li>`Microsoft.Network/*/read`</li>|
 
-
+> [!Note]
+> Only the `Microsoft.Security` permissions are relevant for AWS.
 
 ## Next steps
 

articles/defender-for-cloud/just-in-time-access-usage.md

@@ -2,7 +2,7 @@
 title: Just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Docs
 description: Learn how just-in-time VM access (JIT) in Microsoft Defender for Cloud helps you control access to your Azure virtual machines.
 ms.topic: how-to
-ms.date: 01/06/2022
+ms.date: 05/17/2022
 ---
 # Secure your management ports with just-in-time access
 
@@ -14,19 +14,18 @@ For a full explanation of the privilege requirements, see [What permissions are
 
 This page teaches you how to include JIT in your security program. You'll learn how to: 
 
-- **Enable JIT on your VMs** - You can enable JIT with your own custom options for one or more VMs using Defender for Cloud, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure VMs by creating a rule in your network security group.
+- **Enable JIT on your VMs** - You can enable JIT with your own custom options for one or more VMs using Defender for Cloud, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure and AWS VMs by creating a rule in your network security group.
 - **Request access to a VM that has JIT enabled** - The goal of JIT is to ensure that even though your inbound traffic is locked down, Defender for Cloud still provides easy access to connect to VMs when needed. You can request access to a JIT-enabled VM from Defender for Cloud, Azure virtual machines, PowerShell, or the REST API.
 - **Audit the activity** - To ensure your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.   
 
 ## Availability
 
-|Aspect|Details|
-|----|:----|
-| Release state:                  | General availability (GA)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| Supported VMs:                  | :::image type="icon" source="./media/icons/yes-icon.png"::: VMs deployed through Azure Resource Manager.<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs deployed with classic deployment models. [Learn more about these deployment models](../azure-resource-manager/management/deployment-models.md).<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs protected by Azure Firewalls<sup>[1](#footnote1)</sup> controlled by [Azure Firewall Manager](../firewall-manager/overview.md). |
+| Aspect | Details |
+|--|:-|
+| Release state: | General availability (GA) |
+| Supported VMs: | :::image type="icon" source="./media/icons/yes-icon.png"::: VMs deployed through Azure Resource Manager.<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs deployed with classic deployment models. [Learn more about these deployment models](../azure-resource-manager/management/deployment-models.md).<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs protected by Azure Firewalls<sup>[1](#footnote1)</sup> controlled by [Azure Firewall Manager](../firewall-manager/overview.md). <br> :::image type="icon" source="./media/icons/yes-icon.png"::: AWS EC2 instances (Preview) |
 | Required roles and permissions: | **Reader** and **SecurityReader** roles can both view the JIT status and parameters.<br>To create custom roles that can work with JIT, see [What permissions are needed to configure and use JIT?](just-in-time-access-overview.md#what-permissions-are-needed-to-configure-and-use-jit).<br>To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages. |
-| Clouds:                         | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts                                                                                                                                                                                                                                                                                                                                                     |
-
+| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts (Preview) |
 
 <sup><a name="footnote1"></a>1</sup> For any VM protected by Azure Firewall, JIT will only fully protect the machine if it's in the same VNET as the firewall. VMs using VNET peering will not be fully protected.
 
@@ -88,8 +87,6 @@ From Defender for Cloud, you can enable and configure the JIT VM access.
 
 1. Select **Save**.
 
-
-
 ### Edit the JIT configuration on a JIT-enabled VM using Defender for Cloud <a name="jit-modify"></a>
 
 You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
@@ -106,8 +103,6 @@ To edit the existing JIT rules for a VM:
 
 1. When you've finished editing the ports, select **Save**.
 
-
-
 ### [**Azure virtual machines**](#tab/jit-config-avm)
 
 ### Enable JIT on your VMs from Azure virtual machines
@@ -239,8 +234,6 @@ When a VM has a JIT enabled, you have to request access to connect to it. You ca
 > [!NOTE]
 > If a user who is requesting access is behind a proxy, the option **My IP** may not work. You may need to define the full IP address range of the organization.
 
-
-
 ### [**Azure virtual machines**](#tab/jit-request-avm)
 
 ### Request access to a JIT-enabled VM from the Azure virtual machine's connect page
@@ -265,8 +258,6 @@ To request access from Azure virtual machines:
 > [!NOTE]
 > After a request is approved for a VM protected by Azure Firewall, Defender for Cloud provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.
 
-
-
 ### [**PowerShell**](#tab/jit-request-powershell)
 
 ### Request access to a JIT-enabled VM using PowerShell
@@ -300,8 +291,6 @@ Run the following in PowerShell:
 
 Learn more in the [PowerShell cmdlet documentation](/powershell/scripting/developer/cmdlet/cmdlet-overview).
 
-
-
 ### [**REST API**](#tab/jit-request-api)
 
 ### Request access to a JIT-enabled VMs using the REST API
@@ -328,8 +317,6 @@ You can gain insights into VM activities using log search. To view the logs:
 
 1. To download the log information, select **Download as CSV**.
 
-
-
 ## Next steps
 
 In this article, you learned _how_ to configure and use just-in-time VM access. To learn _why_ JIT should be used, read the concept article explaining the threats it defends against:

articles/defender-for-cloud/media/just-in-time-explained/aws-jit-logic-flow.png

@@ -2,7 +2,7 @@
 title: Release notes for Microsoft Defender for Cloud
 description: A description of what's new and changed in Microsoft Defender for Cloud
 ms.topic: reference
-ms.date: 05/16/2022
+ms.date: 05/17/2022
 ---
 
 # What's new in Microsoft Defender for Cloud?
@@ -21,6 +21,7 @@ To learn about *planned* changes that are coming soon to Defender for Cloud, see
 Updates in May include:
 
 - [Multi-cloud settings of Servers plan are now available in connector level](#multi-cloud-settings-of-servers-plan-are-now-available-in-connector-level)
+- [JIT is now available for AWS (Preview)](#jit-is-now-available-for-aws-preview)
 
 ### Multi-cloud settings of Servers plan are now available in connector level
 
@@ -36,6 +37,12 @@ Updates in the UI include a reflection of the selected pricing tier and the requ
 
 :::image type="content" source="media/release-notes/auto-provision.png" alt-text="Screenshot of the auto-provision page with the multi-cloud connector enabled.":::
 
+### JIT is now available for AWS (Preview)
+
+We would like to announce that Just-in-Time VM access (JIT) is now available (in preview) to protect your AWS EC2 instances.
+
+Learn how to [JIT protects](just-in-time-access-overview.md#how-jit-operates-with-network-resources-in-azure-and-aws) your AWS EC2 instances.
+
 ## April 2022
 
 Updates in April include:

articles/defender-for-cloud/release-notes.md

@@ -27,7 +27,7 @@ This article compares the API differences between Uniform and [Flexible orchestr
 | Uniform API | Flexible alternative |
 |-|-|
 | [Deallocate](/rest/api/compute/virtualmachinescalesetvms/deallocate)  | [Invoke Single VM API - Deallocate](/rest/api/compute/virtualmachines/deallocate)   |
-| [Delete](/rest/api/compute/virtualmachinescalesetvms/delete)  | [Invoke Single VM API -Delete](/rest/api/compute/virtualmachines/delete)  |
+| [Delete](/rest/api/compute/virtualmachinescalesetvms/delete)  | VMSS Batch delete API supported by VMSS in Flexible Orchestration Mode |
 | [Get Instance View](/rest/api/compute/virtualmachinescalesetvms/getinstanceview)  | [Invoke Single VM API - Instance View](/rest/api/compute/virtualmachines/instanceview)  |
 | [Perform Maintenance](/rest/api/compute/virtualmachinescalesetvms/performmaintenance)  | [Invoke Single VM API - Perform Maintenance](/rest/api/compute/virtualmachines/performmaintenance)  |
 | [Power Off](/rest/api/compute/virtualmachinescalesetvms/poweroff)  | [Invoke Single VM API - Power Off](/rest/api/compute/virtualmachines/poweroff)  |

articles/virtual-machine-scale-sets/orchestration-modes-api-comparison.md

@@ -104,14 +104,15 @@ The following table compares the Flexible orchestration mode, Uniform orchestrat
 | Spot instances and pricing   | Yes, you can have both Spot and Regular priority instances  | Yes, instances must either be all Spot or all Regular  | No, Regular priority instances only |
 | Mix operating systems  | Yes, Linux and Windows can reside in the same Flexible scale set  | No, instances are the same operating system  | Yes, Linux and Windows can reside in the same availability set |
 | Disk Types  | Managed disks only, all storage types  | Managed and unmanaged disks, all storage types  | Managed and unmanaged disks, Ultradisk not supported |
+| Disk Server Side Encryption with Customer Managed Keys | Yes | Yes | Yes |
 | Write Accelerator   | No  | Yes  | Yes |
 | Proximity Placement Groups   | Yes, read [Proximity Placement Groups documentation](../virtual-machine-scale-sets/proximity-placement-groups.md) | Yes, read [Proximity Placement Groups documentation](../virtual-machine-scale-sets/proximity-placement-groups.md) | Yes |
 | Azure Dedicated Hosts   | No  | Yes  | Yes |
 | Managed Identity  | User Assigned Identity Only  | System Assigned or User Assigned  | N/A (can specify Managed Identity on individual instances) |
 | Add/remove existing VM to the group  | No  | No  | No |
 | Service Fabric  | No  | Yes  | No |
 | Azure Kubernetes Service (AKS) / AKE  | No  | Yes  | No |
-| UserData  | Partial, UserData can be specified for individual VMs | Yes  | UserData can be specified for individual VMs |
+| UserData  | Yes | Yes  | UserData can be specified for individual VMs |
 
 
 ### Autoscaling and instance orchestration
@@ -129,7 +130,7 @@ The following table compares the Flexible orchestration mode, Uniform orchestrat
 | Instance Protection | No, use [Azure resource lock](../azure-resource-manager/management/lock-resources.md) | Yes | No |
 | Scale In Policy | No | Yes | No |
 | VMSS Get Instance View | No | Yes | N/A |
-| VM Batch Operations (Start all, Stop all, delete subset, etc.) | No (can trigger operations on each instance using VM API) | Yes | No |
+| VM Batch Operations (Start all, Stop all, delete subset, etc.) | Partial, Batch delete is supported. Other operations can be triggered on each instance using VM API) | Yes | No |
 
 ### High availability