Assign access to workload owners

When you onboard your Amazon Web Services (AWS) or Google Cloud Platform (GCP) environments, Defender for Cloud automatically creates a security connector as an Azure resource in the connected subscription and resource group. Defender for Cloud also creates the identity provider as an Identity and Access Management (IAM) role required during onboarding.

To assign permissions on a specific connector under the parent connector, first decide which AWS accounts or GCP projects users need to access. Then identify the security connectors that map to those accounts or projects.

Prerequisites

Configure permissions on the security connector

Permissions for security connectors are managed through Azure role-based access control (RBAC).

You can assign roles to users, groups, and applications at the subscription, resource group, or resource level.

To configure connector permissions:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Locate the relevant AWS or GCP connector.

  4. Assign permissions to workload owners by using All resources or Azure Resource Graph in the Azure portal.

    1. Search for and select All resources.

      Screenshot that shows you how to search for and select all resources.

    2. Select Manage view > Show hidden types.

      Screenshot that shows you where on the screen to find the show hidden types option.

    3. Select the Types equals all filter.

    4. Enter securityconnector in the value field and select the microsoft.security/securityconnectors checkbox.

      Screenshot that shows where the field is located and where to enter the value on the screen.

    5. Select Apply.

    6. Select the relevant resource connector.

  5. Select Access control (IAM).

    Screenshot of a security connector resource page with Access control (IAM) highlighted in the left navigation.

  6. Select +Add > Add role assignment.

  7. Select the desired role.

  8. Select Next.

  9. Select + Select members.

    Screenshot that shows where the + Select members button is located on the screen.

  10. Search for and select the relevant user or group.

  11. Select the Select button.

  12. Select Next.

  13. Select Review + assign.

  14. Review the information.

  15. Select Review + assign.

After you set permissions on the security connector, workload owners can view Defender for Cloud recommendations for associated AWS and GCP resources.
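The portal steps above as a scripted equivalent using Az PowerShell (an added example, not code from the Microsoft Learn page): it locates the security connectors for the given AWS account IDs or GCP project IDs through Azure Resource Graph and assigns a role on each connector resource, not on the subscription or resource group. The Security Reader role, the group name and the script filename are assumptions; `properties.hierarchyIdentifier` and `properties.environmentName` are taken from the Microsoft.Security/securityConnectors ARM resource schema.

```powershell
# Added example (not from the Microsoft Learn page). Requires the Az.Accounts,
# Az.Resources and Az.ResourceGraph modules and a signed-in session (Connect-AzAccount).
param(
    # AWS account IDs or GCP project IDs the workload owners are responsible for
    [Parameter(Mandatory)] [string[]] $HierarchyIdentifiers,
    # Microsoft Entra ID group that holds the workload owners
    [Parameter(Mandatory)] [string]   $GroupDisplayName,
    # Assumption: read-only access is enough to view recommendations
    [string] $RoleDefinitionName = 'Security Reader'
)

# 1. Resolve the workload-owner group to its object ID.
$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) { throw "Group '$GroupDisplayName' not found." }

# 2. Find the connectors with Azure Resource Graph. The type is hidden in the
#    portal; hierarchyIdentifier carries the AWS account ID or GCP project ID.
$query = @"
resources
| where type =~ 'microsoft.security/securityconnectors'
| project id, name, resourceGroup,
          environment = tostring(properties.environmentName),
          hierarchyIdentifier = tostring(properties.hierarchyIdentifier)
"@
$connectors = Search-AzGraph -Query $query |
    Where-Object { $HierarchyIdentifiers -contains $_.hierarchyIdentifier }
if (-not $connectors) { throw 'No security connector matched the given accounts or projects.' }

# 3. Assign the role at connector scope only, so owners see just their own
#    cloud accounts. Skip connectors that already carry the assignment.
foreach ($c in $connectors) {
    $label = "$($c.name) ($($c.environment) $($c.hierarchyIdentifier))"
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $c.id `
                                     -RoleDefinitionName $RoleDefinitionName
    if ($existing) {
        Write-Host "Already assigned: $RoleDefinitionName on $label"
        continue
    }
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName `
                         -Scope $c.id | Out-Null
    Write-Host "Assigned $RoleDefinitionName to '$GroupDisplayName' on $label"
}
```

Run it as, for example, `.\Grant-ConnectorAccess.ps1 -HierarchyIdentifiers '123456789012','my-gcp-project' -GroupDisplayName 'payments-workload-owners'` (constructed sample values); Get-AzRoleAssignment at resource scope also returns inherited assignments, so an owner who already holds the role at subscription level is reported as already assigned.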

Next step