Discovery and posture for serverless container workloads (Preview)

Discovery and posture for serverless container workloads in Microsoft Defender for Cloud helps you assess and prioritize risk in serverless container environments where host-level agents aren't available.

In Defender cloud security posture management (Defender CSPM), this capability extends posture coverage to supported serverless container resources and surfaces findings in the same experiences you already use. These experiences include inventory, recommendations, and attack path analysis. This visibility helps your team find exposed workloads, understand broader risk, and focus remediation on the issues that matter most.

Note

In preview, posture for serverless containers supports:

  • Azure Container Apps (ACA)
  • Azure Container Instances (ACI)
  • Amazon Elastic Container Service (ECS) on AWS Fargate

What is discovery and posture for serverless container workloads?

Discovery and posture for serverless container workloads extends Defender CSPM capabilities to serverless container platforms. It gives you a unified view of discovered resources, misconfiguration findings, vulnerability assessment findings, and attack path context for supported workloads.

In preview, this capability focuses on discovery and posture. It is designed for serverless container environments where runtime and host telemetry are limited by the platform abstraction.

Requirements and availability

To use discovery and posture for serverless container workloads:

  • Enable Defender CSPM.
  • Make sure supported workloads are present in your connected environments.
  • Use a role with the required permissions:
    • Security Reader to view findings and posture state.
    • Security Admin to change settings and manage exemptions.
  • Use commercial clouds only. This preview supports Azure and AWS and isn't available in sovereign or national clouds.
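The following script is an added example, not part of this article or of Defender for Cloud itself. It checks the first two prerequisites above on the Azure side: that the Defender CSPM plan (the `CloudPosture` pricing name) is on the Standard tier, and how many Azure Container Apps and Azure Container Instances exist in the current subscription. It assumes the Azure CLI is installed and signed in; the parsing helpers take the CLI's output as a string so they can also be exercised on captured samples.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft Learn page): pre-flight check for the
# serverless container posture preview on Azure. Requires the Azure CLI (`az`).
set -eu

# Extract a top-level string field from the flat JSON object `az` prints.
# Handles only the "key": "value" shape returned by the pricing API.
json_field() {  # $1 = JSON text, $2 = field name
  printf '%s' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n1 | sed 's/.*: *"\(.*\)"/\1/'
}

# Defender CSPM is the "CloudPosture" plan; posture for serverless containers
# requires it on the Standard tier (Free means Defender CSPM is not enabled).
cspm_enabled() {  # $1 = output of: az security pricing show --name CloudPosture -o json
  [ "$(json_field "$1" pricingTier)" = "Standard" ]
}

# Count non-empty lines; used on `--query "[].id" -o tsv` output (one resource per line).
count_lines() {  # $1 = newline-separated resource IDs (may be empty)
  printf '%s\n' "$1" | grep -c . || true
}

# Live check against the signed-in subscription (assumed az commands:
# `az security pricing show`, `az containerapp list`, `az container list`).
main() {
  local pricing apps groups
  pricing=$(az security pricing show --name CloudPosture -o json)
  if cspm_enabled "$pricing"; then
    echo "Defender CSPM (CloudPosture plan): enabled"
  else
    echo "Defender CSPM (CloudPosture plan): NOT enabled; set it to the Standard tier first"
    exit 1
  fi
  apps=$(az containerapp list --query "[].id" -o tsv)
  groups=$(az container list --query "[].id" -o tsv)
  echo "Azure Container Apps found:      $(count_lines "$apps")"
  echo "Azure Container Instances found: $(count_lines "$groups")"
}

# Run the live check only when invoked with --live, so the helpers can be
# sourced and tested on captured JSON without calling Azure.
if [ "${1:-}" = "--live" ]; then
  main
fi
```

Run it as `bash check-serverless-posture.sh --live` after `az login`; a non-zero exit means Defender CSPM still needs to be enabled.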

For cloud and platform availability details, see:

Key capabilities

Posture for serverless containers provides these capabilities in preview:

  • Inventory visibility for supported serverless container resources.
  • Security recommendations for misconfiguration findings and vulnerability assessment findings derived from image and control-plane context.
  • Attack path analysis that helps prioritize high-risk relationships and exposure paths.

How posture for serverless containers works

When you enable the Serverless Containers component in Defender CSPM settings, Defender for Cloud begins evaluating supported serverless container resources. Initial coverage can take up to 24 hours.

For enablement steps, see Protect resources with Defender CSPM.

Inventory

Defender for Cloud discovers supported serverless container resources and shows them in inventory views so you can understand resource presence and coverage.

Screenshot showing the cloud asset inventory view filtered to serverless containers, including Azure Container Apps, Azure Container Instances, and Amazon ECS on AWS Fargate resources.

After you filter your results, select a resource to view details about its security posture, including active security recommendations and their severity levels.

Screenshot showing the resource details page for a serverless container workload, including posture state, active recommendations, and severity indicators.

Recommendations

Defender for Cloud generates posture recommendations based on control-plane configuration signals and container image metadata, including vulnerability assessment findings where applicable.

Screenshot showing the recommendations page filtered to serverless container resources, with recommendation names, severity levels, and affected resource counts.

To remediate findings, see Remediate security recommendations in Microsoft Defender for Cloud.

Attack path analysis

Defender for Cloud correlates supported findings into attack paths to help you prioritize remediation based on likely risk propagation.

Screenshot showing the attack path analysis view filtered to serverless containers, including connected exposed resources and risk propagation paths.

To learn how to investigate attack paths, see How to manage attack path analysis.

Cloud security explorer

Defender for Cloud's Cloud Security Explorer provides advanced filtering and querying capabilities that allow you to analyze the security posture of your serverless containers. You can create custom queries to identify specific misconfigurations or vulnerabilities across your workloads.

Screenshot showing the Cloud Security Explorer query view with filters and query results for serverless container posture findings.

Learn how to build queries with Cloud Security Explorer.

Limitations

In preview, posture for serverless containers has the following limitations:

  • Posture-only coverage. Runtime threat detection and active response aren't included.
  • Insights are based on control-plane signals and image metadata. Host and runtime process telemetry isn't used.
  • Availability is limited to supported workloads in Azure and AWS clouds.