Exam SC-100
Question 37

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You have an Amazon Web Services (AWS) implementation.

You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.

Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: A, C, D

    In extending Azure's security strategy to AWS without using Azure Arc, you need services that do not depend on Azure Arc for their functionality. Microsoft Defender for Containers can be used to secure containerized environments like Amazon EKS by providing threat detection and defense mechanisms. Azure AD Conditional Access allows for secure access policies based on user conditions, which can also help protect AWS environments. Azure AD Privileged Identity Management helps manage, control, and monitor privileged access, adding another layer of security for AWS resources. Microsoft Defender for Servers and Azure Policy both require Azure Arc for deployment onto AWS resources, thus they cannot be used in this scenario.

Discussion
zts
Options: ACE

I would go for ACE. That being said, this link covers Azure Policy Extension in hardening Kubernetes data plane. https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-containers?tabs=aws-eks

[Removed]

Not B (servers require Arc). Not D: PIM is more of a nice-to-have.

mynk29

PIM is Privileged Identity Management. I wouldn't say it's nice to have; it's a must.

jasscomp

Yes, it's a must for protecting identity but not the answer for this requirement.

Raven84

It's only a security feature if you use the 4-eyes principle. JIT access is no security feature if you can give roles to yourself.

Fal991l

No, Microsoft Defender for servers does not require Azure Arc to extend protection to hybrid cloud workloads, including servers running on AWS. Azure Arc is a separate Azure service that enables you to manage servers, Kubernetes clusters, and applications on-premises, at the edge, and in multi-cloud environments from a single control plane. It provides a centralized management experience and enables you to apply policies, update servers, and deploy applications across your hybrid cloud environment. However, if you want to use Azure Arc to manage your servers running on AWS, you can do so by using the Azure Arc enabled servers feature. This feature allows you to onboard your AWS instances to Azure Arc and manage them through the Azure portal or Azure APIs. In this case, you can also use Microsoft Defender for servers to extend protection to those AWS instances.

wsrudmen

False, it's required: https://learn.microsoft.com/fr-fr/azure/defender-for-cloud/plan-defender-for-servers

Jajee
Options: ACD

E cannot be an answer, because in order to apply Azure Policy to AWS-based resources, you must use Azure Arc, which cannot be the case based on the requirements. So ACD is the possible answer.

bxlin
Options: ACD

Microsoft Defender for Servers: requires Arc in AWS.
Azure Policy for Kubernetes: requires Arc in AWS.

PierreTang
Options: ACD

E Kubernetes data plane hardening, but based on doc, "To deploy the Azure Policy for Kubernetes to specified clusters: From the recommendations page, search for the relevant recommendation: .... AWS and On-premises - "Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed"." https://learn.microsoft.com/en-us/azure/defender-for-cloud/kubernetes-workload-protections#deploy-azure-policy-for-kubernetes-on-existing-clusters

Jonny_Cage
Options: BCD

For extending Azure security strategies to AWS resources without using Azure Arc, the three services you can use are:
B. Microsoft Defender for servers
C. Azure Active Directory (Azure AD) Conditional Access
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

Jonny_Cage

These services can provide security for AWS resources by offering protection for servers (Defender), managing access based on conditions (Conditional Access), and controlling and monitoring privileged access (PIM).

Cleggs
Options: ACD

MDS and Azure Policy both require arc.

joshuactz

No, Defender for Servers can work by just installing the Log Analytics agent; Azure Arc is not necessary. So IMO the answer is BCD.

ayadmawla
Options: ACE

ACE seems right as per the following: https://learn.microsoft.com/en-us/defender-cloud-apps/protect-aws (Policy / Sign-in / containers)

Murtuza

Microsoft Entra ID offers several capabilities for direct integration with AWS:
- SSO across legacy, traditional, and modern authentication solutions.
- MFA, including integration with several third-party solutions from Microsoft Intelligent Security Association (MISA) partners.
- Powerful Conditional Access features for strong authentication and strict governance. Microsoft Entra ID uses Conditional Access policies and risk-based assessments to authenticate and authorize user access to the AWS Management Console and AWS resources.
- Large-scale threat detection and automated response. Microsoft Entra ID processes over 30 billion authentication requests per day, along with trillions of signals about threats worldwide.
- Privileged Access Management (PAM) to enable Just-In-Time (JIT) provisioning to specific resources.

Murtuza
Options: ACE

A, C, E are correct choices

crutester
Options: ACD

From ChatGPT:

No, Azure Policy cannot directly manage or enforce policies on AWS resources without Azure Arc. Azure Policy is designed to work natively within the Azure ecosystem, and to extend its governance capabilities to other cloud environments like AWS, Azure Arc is required.

How Azure Policy works with Azure Arc:
- Azure Arc for Servers: By connecting your AWS virtual machines to Azure Arc, they become Azure resources. You can then apply Azure Policy to these AWS VMs as if they were native Azure VMs.
- Azure Arc for Kubernetes: Similarly, you can connect your Kubernetes clusters running on AWS to Azure Arc. This allows you to apply Azure Policy to manage and enforce compliance on these Kubernetes clusters.
- Azure Arc for Data Services: This allows managing SQL Servers and other data services running on AWS using Azure Policy through Azure Arc.

JHJ44
Options: ABC

Microsoft Defender for Containers (Option A): This service provides runtime protection for containers, including threat detection, vulnerability assessment, and security recommendations. It helps secure containerized workloads running in AWS by identifying and mitigating risks.

Microsoft Defender for Servers (Option B): This service offers endpoint protection for servers, including real-time threat detection, behavioral analysis, and automated response. By deploying it to your AWS instances, you can monitor and protect against malicious activities.

Azure Active Directory (Azure AD) Conditional Access (Option C): Azure AD Conditional Access allows you to define policies that control access to your AWS resources based on conditions such as user location, device health, and risk level. You can enforce multi-factor authentication (MFA) or restr

Jonny_Cage

For designing security for Azure landing zones and looking to implement preventive controls to increase the secure score, the two options that would be most relevant are: A. Azure Web Application Firewall (WAF) - It provides centralized protection of your web applications from common exploits and vulnerabilities. B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM) - It manages, controls, and monitors access within Azure AD, Azure, and other Microsoft Online Services.

Murtuza

E: Kubernetes data plane hardening. For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy for Kubernetes. You can also auto deploy this component as explained in enable auto provisioning of agents and extensions. With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure to enforce the best practices and mandate them for future workloads.

juanpe147
Options: ACD

ACD, Policy requires Azure Policy

Bondaexam
Options: CDE

C. Azure Active Directory (Azure AD) Conditional Access
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
E. Azure Policy

Both MS Defender for servers and containers need Arc; you could simply google it and it would pull up MS documentation.

pooppants
Options: ACD

I don't see any references anywhere to using Azure Policy in AWS.

smanzana

ACD is OK