Update March 31

Author: David Curwin

articles/defender-for-cloud/defender-for-containers-architecture.md

@@ -79,6 +79,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
 - **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation by creating a `ClusterRoleBinding` between the created identity and the Kubernetes `ClusterRole` *aks:trustedaccessrole:defender-containers:microsoft-defender-operator*. The `ClusterRole` is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ## [**On-premises / IaaS (Arc)**](#tab/defender-for-container-arch-arc)
 
 ### Architecture diagram of Defender for Cloud and Arc-enabled Kubernetes clusters
@@ -125,6 +128,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the EKS clusters in your environment using API calls to the API server of EKS.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ## [**GCP (GKE)**](#tab/defender-for-container-gke)
 
 ### Architecture diagram of Defender for Cloud and GKE clusters
@@ -155,6 +161,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the GKE clusters in your environment using API calls to the API server of GKE.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ---
 
 ## Next steps

articles/defender-for-cloud/release-notes.md

@@ -20,6 +20,20 @@ To learn about *planned* changes that are coming soon to Defender for Cloud, see
 
 If you're looking for items older than six months, you can find them in the [Archive for What's new in Microsoft Defender for Cloud](release-notes-archive.md).
 
+## April 2024
+
+|Date | Update |
+|--|--|
+| April 9 | [Runtime threat detection and agentless discovery for AWS and GCP in Defender for Containers now Generally Available (GA)](#runtime-threat-detection-and-agentless-discovery-for-aws-and-gcp-in-defender-for-containers-now-generally-available-ga) |
+
+### Runtime threat detection and agentless discovery for AWS and GCP in Defender for Containers now Generally Available (GA)
+
+April 9, 2024
+
+Runtime threat detection and agentless discovery for AWS and GCP in Defender for Containers are now Generally Available (GA). For more information, see [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md).
+
+In addition, there is a new authentication capability in AWS which simplifies provisioning. For more information, see [Configure Microsoft Defender for Containers components](defender-for-containers-enable.md&pivots=defender-for-container-eks#deploying-the-defender-sensor).
+
 ## March 2024
 
 |Date | Update |
@@ -49,6 +63,7 @@ Learn more about [continuous export](benefits-of-continuous-export.md).
 March 21, 2024
 
 Until now agentless scanning covered CMK encrypted VMs in AWS and GCP. With this release we are completing support for Azure as well. The capability employs a unique scanning approach for CMK in Azure:
+
 - Defender for Cloud does not handle the key or decryption process. Key handling and decryption is seamlessly handled by Azure Compute and is transparent to Defender for Cloud's agentless scanning service.
 - The unencrypted VM disk data is never copied or re-encrypted with another key.
 - The original key is not replicated during the process. Purging it eradicates the data on both your production VM and Defender for Cloud’s temporary snapshot.
@@ -58,14 +73,13 @@ During public preview this capability is not automatically enabled. If you are u
 - [Learn more on agentless scanning for VMs](concept-agentless-data-collection.md)
 - [Learn more on agentless scanning permissions](faq-permissions.yml#which-permissions-are-used-by-agentless-scanning-)
 
-
 ### New endpoint detection and response recommendations
 
 March 18, 2024
 
-We are announcing new endpoint detection and response recommendations that discover and assesses the configuration of supported endpoint detection and response solutions. If issues are found, these recommendations offer remediation steps. 
+We are announcing new endpoint detection and response recommendations that discover and assesses the configuration of supported endpoint detection and response solutions. If issues are found, these recommendations offer remediation steps.
 
-The following new agentless endpoint protection recommendations are now available if you have Defender for Servers Plan 2 or the Defender CSPM plan enabled on your subscription with the agentless machine scanning feature enabled. The recommendations support Azure and multicloud machines. On-premises machines are not supported. 
+The following new agentless endpoint protection recommendations are now available if you have Defender for Servers Plan 2 or the Defender CSPM plan enabled on your subscription with the agentless machine scanning feature enabled. The recommendations support Azure and multicloud machines. On-premises machines are not supported.
 
 | Recommendation name | Description | Severity |
 |--|

articles/defender-for-cloud/support-matrix-defender-for-containers.md

@@ -105,9 +105,9 @@ Learn how to [use Azure Private Link to connect networks to Azure Monitor](../az
 | Security posture management | Kubernetes data plane hardening | EKS | GA| - | Azure Policy for Kubernetes | Defender for Containers |
 | [Vulnerability assessment](agentless-vulnerability-assessment-aws.md) | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-aws---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| ECR | Preview | Preview | Agentless | Defender for Containers or Defender CSPM |
 | [Vulnerability assessment](agentless-vulnerability-assessment-aws.md) | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-aws---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| EKS | Preview | Preview | Agentless **OR/AND** Defender sensor | Defender for Containers or Defender CSPM |
-| Runtime protection| Control plane | EKS | Preview | Preview | Agentless | Defender for Containers |
-| Runtime protection| Workload | EKS | Preview | - | Defender sensor | Defender for Containers |
-| Deployment & monitoring | Discovery of unprotected clusters | EKS | Preview | - | Agentless | Free |
+| Runtime protection| Control plane | EKS | GA | Preview | Agentless | Defender for Containers |
+| Runtime protection| Workload | EKS | GA | - | Defender sensor | Defender for Containers |
+| Deployment & monitoring | Discovery of unprotected clusters | EKS | GA | - | Agentless | Defender for Containers |
 | Deployment & monitoring | Auto provisioning of Defender sensor | - | - | - | - | - |
 | Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | - | - | - | - | - |
 
@@ -149,9 +149,9 @@ Outbound proxy without authentication and outbound proxy with basic authenticati
 | Security posture management | Kubernetes data plane hardening | GKE | GA| - | Azure Policy for Kubernetes | Defender for Containers |
 | [Vulnerability assessment](agentless-vulnerability-assessment-gcp.md) | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| GAR, GCR | Preview | Preview | Agentless | Defender for Containers or Defender CSPM |
 | [Vulnerability assessment](agentless-vulnerability-assessment-gcp.md) | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) [supported packages](#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management)| GKE | Preview | Preview | Agentless **OR/AND** Defender sensor | Defender for Containers or Defender CSPM |
-| Runtime protection| Control plane | GKE | Preview | Preview | Agentless | Defender for Containers |
-| Runtime protection| Workload | GKE | Preview | - | Defender sensor | Defender for Containers |
-| Deployment & monitoring | Discovery of unprotected clusters | GKE | Preview | - | Agentless | Free |
+| Runtime protection| Control plane | GKE | GA | Preview | Agentless | Defender for Containers |
+| Runtime protection| Workload | GKE | GA | - | Defender sensor | Defender for Containers |
+| Deployment & monitoring | Discovery of unprotected clusters | GKE | GA | - | Agentless | Defender for Containers |
 | Deployment & monitoring | Auto provisioning of Defender sensor | GKE | Preview | - | Agentless | Defender for Containers |
 | Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | GKE | Preview | - | Agentless | Defender for Containers |