Enable Defender for Containers in Microsoft Defender for Cloud

Sign in to the Azure portal.

Go to Microsoft Defender for Cloud > Environment settings.

Select the subscription where your AKS clusters are located.

On the Defender plans page, find the Containers row and toggle the status to On.

Select Settings in the Containers plan row.

Toggle On or Off the relevant Defender for Containers components:

• Agentless scanning for machines
  Performs agentless vulnerability and secret scanning on Kubernetes nodes.

  • To exclude machines from agentless scanning, add the exclusion tag name and value.

• Defender sensor
  Deploys the Defender sensor to cluster nodes to collect runtime security telemetry used for threat detection.

  • Enable Defender Security Gating: Adds an admission control layer that evaluates deployments against security policies before workloads run in the cluster.
  • Enable Defender Runtime Anti Malware: Enables runtime malware detection for Kubernetes hosts and containers and can optionally block malicious file execution in real time.

• Azure Policy
  Deploys the Azure Policy for Kubernetes add-on to enable Kubernetes security posture assessments and related security recommendations.

• Kubernetes API access
  Allows Defender for Cloud to access the Kubernetes API for cluster inventory, configuration analysis, and capabilities that rely on Kubernetes metadata.

• Registry access
  Enables agentless vulnerability assessment for container images stored in connected registries.

  • Security findings: Generates findings and links them to container images when new images are pushed or existing images are updated.

Select Continue.

Select Save.

Sign in to the Azure portal.

Go to Microsoft Defender for Cloud > Environment settings.

Select the relevant AWS connector.

On the Defender plans page, find the Containers row and toggle the status to On.

Select Settings in the Containers plan row.

Toggle On the relevant Defender for Containers components:

• Agentless threat protection
  Collects Kubernetes control plane audit logs and analyzes them for control plane threat detections. Logs are routed through AWS services (such as CloudWatch, S3, Kinesis, and SQS).

  • If enabled, set the audit log retention period (in days) to control how long control plane audit logs are stored.

• Auto provision Defender's sensor for Azure Arc
  Deploys the Defender sensor as an Azure Arc Kubernetes extension. The sensor runs as a DaemonSet on cluster nodes and provides runtime threat detection based on node and workload telemetry.

  Note

  When automatic provisioning is enabled, the Defender sensor is installed after the cluster is discovered and can take several hours to complete.

• Auto provision Azure Policy extension for Azure Arc
  Deploys the Azure Policy extension to the cluster to enable Kubernetes security posture assessments and related security recommendations.

• Kubernetes API access
  Allows Defender for Cloud to access the Kubernetes API server for cluster inventory, configuration analysis, and capabilities that rely on Kubernetes metadata and state.

• Registry access Enables agentless vulnerability assessment for container images in Amazon ECR. Images pushed to ECR are scanned automatically (typically within 24 hours).

  • Security findings: Generates findings and links them to container images when new images are pushed or existing images are updated.

Select Save.

Select Next : Configure access >.

Regenerate and update the AWS CloudFormation template to apply the required permissions for the enabled components.

Select Next: Review and generate >.

Select Update.

Sign in to the Azure portal.

Go to Microsoft Defender for Cloud > Environment settings.

Select the relevant GCP connector.

On the Defender plans page, find the Containers row and toggle the status to On.

Select Settings in the Containers plan row.

Toggle On the relevant Defender for Containers components:

• Agentless threat protection
  Collects Kubernetes control plane audit logs and analyzes them for control plane threat detections. Logs are exported from GKE to your Google Cloud project.

• Auto provision Defender's sensor for Azure Arc
  Deploys the Defender sensor as an Azure Arc Kubernetes extension. The sensor runs as a DaemonSet on cluster nodes and provides runtime threat detection based on node and workload telemetry.

  • Enable Defender Security Gating
    Adds an admission control layer that evaluates deployments against security policies before workloads run in the cluster.

  Note

  When automatic provisioning is enabled, the Defender sensor is installed after the cluster is discovered and can take several hours to complete.

• Auto provision Azure Policy extension for Azure Arc
  Deploys the Azure Policy extension to the cluster to enable Kubernetes security posture assessments and related security recommendations.

• Kubernetes API access
  Allows Defender for Cloud to access the Kubernetes API server for cluster inventory, configuration analysis, and capabilities that rely on Kubernetes metadata and cluster state.

• Registry access
  Enables agentless vulnerability assessment for container images stored in Google Container Registry (GCR) and Artifact Registry.

  • Security findings: Generates findings and links them to container images when new images are pushed or existing images are updated.

Select Save.

Select Next : Configure access >.

Regenerate and redeploy the onboarding script in your GCP project to apply the required permissions for the enabled components.

Select Next: Review and generate >.

Select Update.

Sign in to the Azure portal.

Go to Microsoft Defender for Cloud > Environment settings.

Select the Azure subscription that contains the Azure Arc-enabled Kubernetes cluster resource.

On the Defender plans page, find the Containers row and toggle the status to On.

Select Settings in the Containers plan row.

Toggle On the relevant Defender for Containers components:

• Agentless scanning for machines
  Performs agentless vulnerability and secret scanning on Kubernetes nodes.

• Defender sensor
  Deploys the Defender sensor to cluster nodes to collect runtime security telemetry used for threat detection.

• Azure Policy
  Deploys the Azure Policy for Kubernetes add-on to enable Kubernetes security posture assessments and related security recommendations.

• Kubernetes API access
  Allows Defender for Cloud to access the Kubernetes API for cluster inventory, configuration analysis, and capabilities that rely on Kubernetes metadata.

• Registry access
  Enables agentless vulnerability assessment for container images stored in connected registries.

Select Save.