Exam SC-100
Question 97

You are designing the security standards for containerized applications onboarded to Azure.

You are evaluating the use of Microsoft Defender for Containers.

In which two environments can you use Defender for Containers to scan for known vulnerabilities? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: D, E

    Microsoft Defender for Containers can scan for known vulnerabilities in container images stored in Azure Container Registry and in images running on Azure Kubernetes Service. Azure Container Registry can store both Linux and Windows container images, and Azure Kubernetes Service can run these container images. Linux containers deployed to Azure Container Registry and to Azure Kubernetes Service are therefore both valid environments for Defender for Containers vulnerability scanning.

Discussion
PlumpyTumbler (Options: DE)

https://docs.microsoft.com/en-us/learn/modules/design-strategy-for-secure-paas-iaas-saas-services/9-specify-security-requirements-for-containers
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction#view-vulnerabilities-for-running-images

OrangeSG (Options: DE)

This question is outdated. Support for Windows containers was added in the Aug 2022 release of Defender for Containers.

Reference: What's new in Microsoft Defender for Cloud? https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes

August 2022

Updates in August include:
• Vulnerabilities for running images are now visible with Defender for Containers on your Windows containers
• Azure Monitor Agent integration now in preview
• Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster

Vulnerabilities for running images are now visible with Defender for Containers on your Windows containers

Defender for Containers now shows vulnerabilities for running Windows containers. When vulnerabilities are detected, Defender for Cloud generates the following security recommendation listing the detected issues: Running container images should have vulnerability findings resolved

Granwizzard (Options: DE)

https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-containers?tabs=azure-aks#registries-and-images

Windows is on preview.

OS Packages Supported
• Alpine Linux 3.12-3.15
• Red Hat Enterprise Linux 6, 7, 8
• CentOS 6, 7
• Oracle Linux 6,6,7,8
• Amazon Linux 1,2
• openSUSE Leap 42, 15
• SUSE Enterprise Linux 11,12, 15
• Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
• Ubuntu 10.10-22.04
• FreeBSD 11.1-13.1
• Fedora 32, 33, 34, 35

baliuxas07

As of right now:

Operating systems Supported
• Alpine Linux 3.12-3.19
• Red Hat Enterprise Linux 6-9
• CentOS 6-9
• Oracle Linux 6-9
• Amazon Linux 1, 2
• openSUSE Leap, openSUSE Tumbleweed
• SUSE Enterprise Linux 11-15
• Debian GNU/Linux 7-12
• Google Distroless (based on Debian GNU/Linux 7-12)
• Ubuntu 12.04-22.04
• Fedora 31-37
• Mariner 1-2
• Windows Server 2016, 2019, 2022

baliuxas07

My bad.

Supported host operating systems

Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported on the following host operating systems:
• Amazon Linux 2
• CentOS 8
• Debian 10
• Debian 11
• Google Container-Optimized OS
• Mariner 1.0
• Mariner 2.0
• Red Hat Enterprise Linux 8
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 20.04
• Ubuntu 22.04

URL: https://learn.microsoft.com/en-us/azure/defender-for-cloud/support-matrix-defender-for-containers?tabs=azure-aks#registries-and-images

GeVanDerBe (Options: CD)

C-D, why, see article https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure#faq "Currently, Defender for Containers can scan images in Azure Container Registry (ACR) and AWS Elastic Container Registry (ECR) only. Docker Registry, Microsoft Artifact Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) built-in container image registry are not supported. Images should first be imported to ACR."

zellck (Options: DE)

DE is the answer.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/support-matrix-defender-for-containers?tabs=azure-aks#azure-aks
https://learn.microsoft.com/en-us/azure/defender-for-cloud/support-matrix-defender-for-containers?tabs=azure-aks#registries-and-images-support-aks

zellck

Gotten this in May 2023 exam.

emartiy (Options: CD)

Don't waste time! Read this. Defender for Containers scans ACR in Azure, Amazon, Google.. It does not say AKS.. So only CD options seem correct!
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction#vulnerability-assessment:~:text=plane%20hardening.-,Vulnerability%20assessment,of%20new%20images%2C%20real%2Dworld%20exploit%20insights%2C%20exploitability%20insights%2C%20and%20more.,-Vulnerability%20information%20powered

Mithu94 (Options: CD)

In every subscription where this capability is enabled, all images stored in ACR that meet the criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in ACR as well as images that are currently running in AKS that were pulled from an ACR registry or any other Defender for Cloud supported registry (ECR, GCR, or GAR). Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every 24 hours.

masby661 (Options: CD)

Defender for Containers scans the container images in Azure Container Registry (ACR),

slobav (Options: CD)

C. Windows containers deployed to Azure Container Registry
D. Linux containers deployed to Azure Container Registry

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction

"Vulnerability assessment - Vulnerability assessment and management tools for images stored in Azure Container Registry and Elastic Container Registry"

sbnpj (Options: DE)

https://learn.microsoft.com/en-us/azure/defender-for-cloud/support-matrix-defender-for-containers#registries-and-images-support-for-aks---powered-by-qualys

awssecuritynewbie (Options: DE)

Vulnerability assessment: Vulnerability assessment and management tools for images stored in ACR registries and running in Azure Kubernetes Service. Learn more in Vulnerability assessment.

sehlohomoletsane

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction
https://learn.microsoft.com/en-us/azure/defender-for-cloud/agentless-vulnerability-assessment-aws
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-containers-azure
https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-containers

tocane (Options: AB)

The correct environments where you can use Defender for Containers to scan for known vulnerabilities are:

A. Linux containers deployed to Azure Container Instances
B. Windows containers deployed to Azure Kubernetes Service (AKS)

So, the correct selections would be A and B.

juanpe147 (Options: DE)

D and E are the correct answers

vitodobra (Options: AD)

The two correct options for using Microsoft Defender for Containers to scan for known vulnerabilities are:

A. Linux containers deployed to Azure Container Instances
D. Linux containers deployed to Azure Container Registry

Microsoft Defender for Containers is compatible with Docker containers running on Linux operating systems, so it can scan for known vulnerabilities in Linux containers deployed to Azure Container Instances and Azure Container Registry. However, it cannot scan for known vulnerabilities in Windows containers deployed to Azure Kubernetes Service or Azure Container Registry, as Microsoft Defender for Containers currently only supports Linux operating systems.

Ajdlfasudfo0 (Options: BD)

Now that Defender for Containers also supports Windows containers running in AKS, BDE should be the answer.

Fal991l

ChatGPT: Microsoft Defender for Containers can be used to scan for known vulnerabilities in the following environments:

A. Linux containers deployed to Azure Container Instances
B. Windows containers deployed to Azure Kubernetes Service (AKS)
C. Windows containers deployed to Azure Container Registry
D. Linux containers deployed to Azure Container Registry
E. Linux containers deployed to Azure Kubernetes Service (AKS)

Therefore, options A, B, C, D, and E are all correct.

Fal991l

Correction: If you choose any of the other options, it would not be the best answer as they are not correct.

Option A: This is correct as Microsoft Defender for Containers can scan Linux containers deployed to Azure Container Instances.
Option B: This is not correct as Microsoft Defender for Containers can only scan Windows containers if they are deployed to a Windows Server 2019 node in an AKS cluster.
Option C: This is not correct as Azure Container Registry is a container registry service, and Microsoft Defender for Containers does not scan container registries.
Option D: This is not correct as Microsoft Defender for Containers cannot scan Linux containers deployed to Azure Container Registry.
Option E: This is not correct as Microsoft Defender for Containers can only scan Linux containers deployed to AKS if they are deployed to a Linux node pool.

Ramye

ChatGPT will confuse you more :-)

Hullstar (Options: DE)

I vote for DE as Windows container scanning is still not supported:

Unsupported registries and images:
• Windows images
• 'Private' registries (unless access is granted to Trusted Services)
• Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-container-registries-introduction