Microsoft Defender for Cloud, as a cloud-native application protection platform (CNAPP), delivers visibility, security, and posture management for serverless workloads across multicloud environments. It extends coverage to Azure Web Apps, Azure Functions, and Amazon Web Services (AWS) Lambda.
Serverless protection automatically discovers and inventories Web Apps, Azure Functions, and AWS Lambda functions in your environment. After discovery, Defender for Cloud identifies misconfigurations, vulnerabilities, and insecure dependencies. It then provides remediation guidance and continuous posture assessment to help organizations reduce risk in dynamic serverless architectures.
Learn more about the cloud availability for this feature.
Serverless protection requirements and availability
Serverless protection is available as part of the Defender cloud security posture management (Defender CSPM) plan.
To enable serverless protection, you must enable the Defender CSPM plan on your subscription and enable the Serverless protection component of that plan.
Currently, the available features vary by portal. The following table shows which features are available in each portal:
| Feature | Defender for Cloud portal | Defender portal |
|---|---|---|
| Onboarding through the Defender CSPM plan | ||
| Review misconfiguration recommendations | ||
| Build queries with Cloud Security Explorer | ||
| Explore workloads in Cloud Inventory | ||
| Investigate attack paths | ||
| Vulnerability assessment | - |
To view the availability, see cloud support.
See limitations for serverless resources.
Benefits of serverless protection
Defender for Cloud extends its CSPM capabilities to serverless workloads by providing continuous visibility and risk assessment with the following features:
Automatic resource discovery: Detects all serverless resources (Azure Functions, Web Apps, AWS Lambda) and lists them in a unified inventory.
Continuous posture assessment: Evaluates configurations for risks like public endpoints, weak authentication, and missing encryption.
Misconfiguration detection: Highlights risks in:
- Access control: Restricts network exposure and enforces authentication.
- Identity and permissions: Helps prevent lateral movement, data exfiltration, and privilege abuse.
- Code integrity: Helps protect against unauthorized code changes, such as AWS Lambda code signing bypass risks.
Vulnerability assessment: Scans function packages for vulnerable dependencies and provides remediation guidance.
Attack path analysis: Maps potential attack chains that involve serverless resources so you can prioritize high-risk issues.
Defender for Cloud uses these features to help organizations secure serverless workloads in dynamic cloud environments.
Beyond these core benefits, serverless security in Defender for Cloud aligns with the broader CNAPP vision to secure applications throughout their lifecycle.
Serverless protection is also integrated into the Defender portal. This integration provides visibility for misconfiguration detection, attack path analysis, and vulnerability assessment in a single interface.
View the serverless protection security recommendations.
How serverless protection works
Serverless protection in Defender for Cloud works through a combination of automated discovery, continuous monitoring, and risk assessment. When you enable the Defender CSPM plan and activate the serverless protection component, Defender for Cloud scans your cloud environment to identify all serverless resources, including Azure Web Apps, Azure Functions, and AWS Lambda functions.
After Defender for Cloud discovers the resources, it continuously monitors their configurations and runtime environments. It evaluates these resources against a set of security best practices and compliance standards to identify misconfigurations, vulnerabilities, and insecure dependencies. When it detects a risk, Defender for Cloud generates security recommendations with detailed remediation steps to help you address the issues.
Inventory
Defender for Cloud provides a unified inventory of all discovered serverless resources, so you can easily view and manage them. The inventory page includes details such as resource names, types, locations, and associated security findings. Filter the results by resource type to focus on Web Apps, Azure Functions, or AWS Lambda functions.
After you filter your results, select a resource to view details about its security posture, including active security recommendations and their severity levels.
You can also review the security recommendations associated with each resource to prioritize remediation based on finding severity.
Learn how to remediate security recommendations.
Cloud Security Explorer
Defender for Cloud's Cloud Security Explorer provides advanced filtering and query capabilities so you can analyze the security posture of your serverless resources. You can create custom queries to identify specific misconfigurations or vulnerabilities across your serverless workloads.
Learn how to build queries with Cloud Security Explorer.
Limitations
Serverless resources that aren't eligible for vulnerability assessment include:
- Web Apps and function apps that don't have a Running power state.
- Web Apps and function apps that don't have internet access.
- Web Apps and function apps with the following kind values:
  - app,migration
  - functionapp,botapp
  - app,linux,aspiredashboard
  - app,container,xenon
  - app,botapp
  - app,linux,Kubernetes
  - app,functionapp,windows
  - functionapp,linux,container,Kubernetes
  - app,linux,container,Kubernetes
  - app,xenon
  - functionapp,linux,Kubernetes
  - app,functionapp
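The following is an added example, not code from the Defender for Cloud documentation: it applies the power-state and `kind` limitations above to records shaped like `az webapp list` / `az functionapp list` output, so you can see which function packages vulnerability assessment will not scan. The `SiteRecord` shape, the sample resources, and the `has_internet_access` field (which the CLI output does not carry) are all constructed assumptions.

```python
"""Gap check: which Web Apps / function apps fall outside serverless
vulnerability assessment (VA), per the Limitations section above."""
from dataclasses import dataclass
from typing import List, Optional

# Excluded `kind` values as listed in the Limitations section. Azure returns
# kind strings in mixed case (e.g. "functionapp,linux,Kubernetes"), so the
# comparison below lowercases each comma-separated part.
EXCLUDED_KINDS = {
    "app,migration", "functionapp,botapp", "app,linux,aspiredashboard",
    "app,container,xenon", "app,botapp", "app,linux,kubernetes",
    "app,functionapp,windows", "functionapp,linux,container,kubernetes",
    "app,linux,container,kubernetes", "app,xenon",
    "functionapp,linux,kubernetes", "app,functionapp",
}


@dataclass
class SiteRecord:                    # constructed shape mirroring CLI output
    name: str
    kind: str
    state: str                       # power state, e.g. "Running" / "Stopped"
    has_internet_access: Optional[bool] = None  # assumed extra field


def va_exclusion_reasons(site: SiteRecord) -> List[str]:
    """Return the limitations that make `site` ineligible for VA.
    An empty list means VA covers it, as far as the record tells us."""
    reasons = []
    if site.state != "Running":
        reasons.append(f"power state is {site.state!r}, not Running")
    norm_kind = ",".join(p.strip().lower() for p in site.kind.split(","))
    if norm_kind in EXCLUDED_KINDS:
        reasons.append(f"kind {site.kind!r} is excluded")
    if site.has_internet_access is False:
        reasons.append("no internet access")
    return reasons


def unscanned_sites(sites: List[SiteRecord]) -> dict:
    """Map each site VA will not cover to the reasons it is excluded."""
    return {s.name: r for s in sites if (r := va_exclusion_reasons(s))}


SAMPLE_SITES = [  # constructed records, not real resources
    SiteRecord("api-func-prod", "functionapp,linux", "Running", True),
    SiteRecord("legacy-web", "app", "Stopped"),
    SiteRecord("arc-func", "functionapp,linux,Kubernetes", "Running"),
    SiteRecord("isolated-web", "app,linux", "Running", False),
]

if __name__ == "__main__":
    for name, reasons in unscanned_sites(SAMPLE_SITES).items():
        print(f"{name}: not covered by VA ({'; '.join(reasons)})")
```

Resources this reports as uncovered still need dependency scanning by another means (for example in the build pipeline), since no Defender for Cloud VA recommendation will appear for them.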