
Commit db126a3

Merge pull request #220423 from tspivakms/patch-17
Update defender-for-containers-vulnerability-assessment-elastic.md
2 parents 3c605f9 + 3fd3f16 commit db126a3


1 file changed

+15
-1
lines changed


articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-elastic.md

Lines changed: 15 additions & 1 deletion
@@ -14,7 +14,21 @@ Defender for Containers lets you scan the container images stored in your Amazon
1414

1515
To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.
1616

17-
Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum. Defender for Containers creates an ECS cluster in a dedicated VPC, an internet gateway, and an S3 bucket in the us-east-1 and eu-central-1 regions to build the software inventory.
17+
Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum.
18+
19+
These resources are created under us-east-1 and eu-central-1 in each AWS account where container vulnerability assesment is enabled:
20+
21+
- **S3 bucket** with the prefix `defender-for-containers-va`
22+
- **ECS cluster** with the name `defender-for-containers-va`
23+
- **VPC**
24+
- Tag `name` with the value `defender-for-containers-va`
25+
- IP subnet CIDR 10.0.0.0/16
26+
- Associated with **default security group** with the tag `name` and the value `defender-for-containers-va` that has one rule of all incoming traffic.
27+
- **Subnet** with the tag `name` and the value `defender-for-containers-va` in the `defender-for-containers-va` VPC with the CIDR 10.0.1.0/24 IP subnet used by the ECS cluster `defender-for-containers-va`
28+
- **Internet Gateway** with the tag `name` and the value `defender-for-containers-va`
29+
- **Route table** - Route table with the tag `name` and value `defender-for-containers-va`, and with these routes:
30+
- Destination: `0.0.0.0/0`; Target: Internet Gateway with the tag `name` and the value `defender-for-containers-va`
31+
- Destination: `10.0.0.0/16`; Target: `local`
1832

1933
Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.
2034
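Review bot: the security-group description in new line 26 is ambiguous and readers deciding whether to allow these resources in their account need it to be precise: "Associated with **default security group** with the tag `name` and the value `defender-for-containers-va` that has one rule of all incoming traffic." does not say what the source of that inbound rule is. Since the same list documents a `0.0.0.0/0` route to an Internet Gateway for this VPC, please state explicitly whether the rule allows all protocols from any source (`0.0.0.0/0`) or only from the security group itself, and whether the ECS tasks receive public IPs, so the network exposure of the scanner is clear. Two smaller points in the same hunk: line 19 has a typo, "assesment" should be "assessment"; and because AWS tag keys are case-sensitive, please confirm that the key is literally `name` rather than the conventional `Name`, since users are likely to search for these resources by tag. Line 29 also repeats itself ("**Route table** - Route table with the tag ..."), the second "Route table" can be dropped.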
