SC-200 | Chapter 61 of 101 | Objective 3.1

Defender for Cloud Multi-Cloud (AWS, GCP)

This chapter covers Microsoft Defender for Cloud's multi-cloud capabilities for Amazon Web Services (AWS) and Google Cloud Platform (GCP). As organizations increasingly adopt multi-cloud strategies, SC-200 exam candidates must understand how to extend Azure's security posture management and threat protection to workloads in AWS and GCP. This topic typically accounts for 10-15% of exam questions related to cloud security, often appearing as scenario-based questions requiring connector configuration and understanding of supported features.

25 min read
Intermediate
Updated May 31, 2026

Multi-Cloud Security: One Console to Rule Them All

Imagine a large corporate headquarters (Azure Defender for Cloud) that manages security for three separate office buildings: one owned by the company (Azure), one leased from a different landlord (AWS), and another leased from yet another landlord (GCP). Each building has its own security guards, cameras, and access logs (native security tools). Corporate security doesn't replace those—instead, they install a standardized monitoring panel in each building that feeds real-time data back to the central headquarters. The panel collects guard reports (security alerts), camera footage (logs), and access badge records (configurations). At headquarters, a single analyst monitors all three buildings from one screen, can dispatch response teams to any building, and enforces consistent security policies (e.g., all exterior doors must have two-factor locks). The key is that the panels speak a common language (CSPM and CWPP connectors) and the headquarters can issue commands back (like locking down a specific floor). Without this central console, each building would require separate monitoring, and attackers could exploit gaps between the different security systems.

How It Actually Works

What is Multi-Cloud Security in Defender for Cloud?

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that natively protects Azure resources. However, many organizations run workloads in AWS and GCP. Defender for Cloud provides a unified view of security across Azure, AWS, and GCP by integrating with native cloud APIs. This allows security teams to assess compliance, detect threats, and manage security policies from a single pane of glass.

Why Multi-Cloud? The Exam Perspective

SC-200 measures your ability to "Manage a security operations environment" and "Configure and manage threat protection" (Objective 3.1). The exam expects you to know:

How to connect AWS and GCP accounts to Defender for Cloud.

Which Defender plans and features are supported for each cloud.

How to configure the necessary connectors and permissions.

The difference in capabilities between CSPM and CWPP across clouds.

How It Works: The Connector Mechanism

Defender for Cloud uses cloud connectors to ingest security data from AWS and GCP. The process involves:

1. AWS Connector: Uses AWS Security Hub as the primary integration point. You enable Security Hub in AWS, then create a connector in Defender for Cloud. The connector leverages AWS CloudFormation to deploy a stack that includes:
   - An AWS Identity and Access Management (IAM) role with specific permissions.
   - An S3 bucket for log collection (if using AWS CloudTrail).
   - Integration with AWS Security Hub to receive security findings.
   - Optionally, integration with AWS GuardDuty for threat detection.

2. GCP Connector: Uses GCP Security Command Center (SCC) as the integration point. You enable SCC in GCP, then create a connector in Defender for Cloud. The connector uses GCP's IAM and service accounts to read findings from SCC. It also uses GCP's Cloud Asset Inventory for CSPM.

Key Components and Defaults

- Connector Name: User-defined, but must be unique within the subscription.
- Permissions: For AWS, the IAM role must have SecurityHub:GetFindings, GuardDuty:ListFindings, CloudTrail:DescribeTrails, etc. For GCP, the service account needs securitycenter.findings.list, cloudasset.assets.list, etc.
- Data Refresh: Findings are pulled every few minutes (typically 5-15 minutes). Real-time streaming is not supported; it's a pull model.
- Supported Defender Plans:
  - CSPM: Free (default) provides continuous assessment of security configurations. For AWS/GCP, this includes compliance with standards like CIS, PCI DSS, etc.
  - Defender for Cloud (paid): Adds threat detection capabilities (e.g., fileless attack detection, network anomaly detection) for supported resource types.
    - For AWS: Supports EC2, Lambda, S3, and containers (EKS).
    - For GCP: Supports Compute Engine, Cloud Storage, and GKE.

Configuration Steps (Verification Commands)

To verify an AWS connector:

# Using Azure CLI
az security connector show --resource-group <rg> --name <connector-name>

To list all connectors:

az security connector list

In the Azure portal, navigate to Microsoft Defender for Cloud > Environment settings to see connected AWS/GCP accounts.

Interaction with Related Technologies

Azure Policy: Can extend Azure Policy to AWS/GCP via Azure Arc. This allows you to enforce custom policies on multi-cloud resources.

Microsoft Sentinel: Can ingest security alerts from Defender for Cloud (including multi-cloud findings) for SIEM correlation.

Azure Active Directory: Not directly involved; AWS/GCP connectors use their own identity systems.

Supported Features Per Cloud

| Feature | AWS | GCP |
|---------|-----|-----|
| CSPM (free) | Yes | Yes |
| Regulatory compliance | Yes (CIS, PCI DSS) | Yes (CIS, PCI DSS) |
| Threat detection (paid) | EC2, EKS, Lambda, S3 | Compute Engine, GKE, Cloud Storage |
| Security alerts | From Security Hub & GuardDuty | From SCC |
| Vulnerability assessment | Via Qualys or Microsoft Defender for Cloud (for EC2) | Via Qualys or Microsoft Defender for Cloud (for Compute Engine) |
| Just-in-time (JIT) VM access | No | No |
| File integrity monitoring (FIM) | No | No |
| Adaptive application controls | No | No |

Common Misconfigurations

Insufficient permissions: The IAM role or service account must have the correct permissions. Missing permissions result in "Access Denied" errors.

Security Hub not enabled: For AWS, Security Hub must be enabled and the connector must be configured to read from the correct region.

SCC not enabled: For GCP, Security Command Center must be enabled at the organization level.

Region mismatch: AWS findings are regional; the connector can be configured to pull from all regions or specific ones.

Cost management: The paid Defender plan for AWS/GCP is billed separately per resource (e.g., per EC2 vCPU). Candidates often forget this.

Step-by-Step: Creating an AWS Connector

1. In Defender for Cloud, go to Environment settings > Add environment > Amazon Web Services.
2. Provide a connector name and select the Azure subscription.
3. Choose whether to enable Defender for Cloud (paid) or just CSPM (free).
4. The portal provides a CloudFormation template URL. Launch this template in the AWS account.
5. The template creates an IAM role with the required permissions and outputs the external ID and role ARN.
6. In Defender for Cloud, enter the role ARN and external ID.
7. Click Create. The connector will start syncing findings within minutes.

Step-by-Step: Creating a GCP Connector

1. In Defender for Cloud, go to Environment settings > Add environment > Google Cloud Platform (GCP).
2. Provide a connector name and select the Azure subscription.
3. Choose whether to enable Defender for Cloud (paid) or just CSPM (free).
4. The portal provides a service account creation script. Run it in GCP Cloud Shell to create the service account and assign roles.
5. The script outputs a private key (JSON). Upload this key to Defender for Cloud.
6. Optionally, specify project IDs to include (or leave blank for all projects).
7. Click Create.

Monitoring and Troubleshooting

- Connector health: In Defender for Cloud, the connector status shows as Connected, Disconnected, or Error.
- Common errors:
  - *Authorization failed*: Check IAM/service account permissions.
  - *No findings*: Ensure Security Hub or SCC is enabled and has findings.
  - *Region not supported*: Only certain regions are supported (e.g., AWS us-east-1, GCP us-central1).
- Logs: Connector logs are stored in the Activity log of the Azure subscription. You can also use Azure Monitor to track connector metrics.

Exam Tips

Remember that CSPM is free for all clouds; threat detection requires a paid plan.

The connector uses AWS Security Hub and GCP Security Command Center—not direct API calls to each service.

For AWS, you must enable Security Hub and optionally GuardDuty.

For GCP, you must enable Security Command Center at the organization level.

The CloudFormation template is the recommended deployment method for AWS.

The service account key is required for GCP; it must be stored securely.

Multi-cloud support is read-only for CSPM; you cannot remediate resources in AWS/GCP directly from Defender for Cloud (except via Azure Arc).

Limitations

No support for Just-in-time (JIT) VM access or File Integrity Monitoring (FIM) on AWS/GCP.

Adaptive application controls are not available.

Network map only shows Azure resources.

Alerts from AWS/GCP appear in Defender for Cloud but cannot be suppressed using Azure suppression rules; you must suppress at the source (Security Hub/SCC).

Compliance standards for AWS/GCP are limited to CIS and PCI DSS; Azure has more.

Summary

Defender for Cloud's multi-cloud capability is a powerful tool for organizations that want a unified security view. For the SC-200 exam, focus on connector setup, permissions, supported features, and the distinction between free CSPM and paid threat detection. Remember that the integration is through Security Hub (AWS) and Security Command Center (GCP), not direct service APIs.

Walk-Through

1. Enable Security Hub in AWS

Before connecting to Defender for Cloud, you must enable AWS Security Hub in the AWS account. Security Hub aggregates security findings from AWS services like GuardDuty, Inspector, and IAM Access Analyzer. To enable, go to AWS Management Console > Security Hub > Enable now. It may take a few minutes to activate. Security Hub must be enabled in the region where you want to collect findings. Defender for Cloud can collect from multiple regions, but each region must have Security Hub enabled. This step is mandatory; without Security Hub, the connector will have no data to ingest.

2. Create IAM role via CloudFormation

Defender for Cloud provides a CloudFormation template that automates the creation of an IAM role with the required permissions. The template creates a role named 'MicrosoftDefenderForCloud' (or similar) with a trust policy that allows Azure to assume it. The role includes permissions to read Security Hub findings, GuardDuty findings, and CloudTrail logs. The template also generates an external ID that must be provided during connector creation. This external ID is a security measure to prevent confused deputy attacks. You launch the template in the AWS account via the CloudFormation console.
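A small model of the external-ID check described in this step, added here as an illustration; it is not Microsoft's CloudFormation template or Defender for Cloud code. The account IDs, role name and external ID are constructed placeholders, and the evaluator is a simplified stand-in for the real STS AssumeRole decision.

```python
"""Why the external ID in the connector role's trust policy matters."""
import json
from typing import Optional

# Constructed placeholders: the Microsoft-side principal that assumes the role,
# the external ID the template would output, and the customer's role ARN.
DEFENDER_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-0000"
ROLE_ARN = "arn:aws:iam::123456789012:role/MicrosoftDefenderForCloud"


def trust_policy(external_id: Optional[str]) -> dict:
    """Trust policy for the connector role. With external_id=None the
    sts:ExternalId condition is left out, which is the weak form."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": DEFENDER_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def can_assume(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified model of the STS AssumeRole decision: some Allow statement must
    name the caller, grant sts:AssumeRole, and have every condition satisfied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False


def confused_deputy_blocked(policy: dict, other_tenant_id: str) -> bool:
    """Confused-deputy scenario: another tenant registers this account's ROLE_ARN
    with the trusted service (the deputy). The deputy still calls AssumeRole as
    DEFENDER_PRINCIPAL, but with the external ID it issued to *that* tenant.
    Returns True when the trust policy rejects the attempt."""
    return not can_assume(policy, DEFENDER_PRINCIPAL, other_tenant_id)


if __name__ == "__main__":
    weak, hardened = trust_policy(None), trust_policy(EXTERNAL_ID)
    print(json.dumps(hardened, indent=2))
    print("weak policy blocks confused deputy:", confused_deputy_blocked(weak, "other-tenant-id"))
    print("hardened policy blocks confused deputy:", confused_deputy_blocked(hardened, "other-tenant-id"))
    print("legitimate connector with its own ID:", can_assume(hardened, DEFENDER_PRINCIPAL, EXTERNAL_ID))
```

The takeaway for the exam and for operations is the same: the external ID is what ties the role to one specific connector, so it should be treated as part of the connector's credentials rather than as a cosmetic identifier.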

3. Configure connector in Defender for Cloud

In the Azure portal, navigate to Microsoft Defender for Cloud > Environment settings. Click 'Add environment' and select 'Amazon Web Services'. Provide a connector name and select the Azure subscription. Then, choose whether to enable the paid Defender plan or just CSPM. You must enter the IAM role ARN and the external ID from the CloudFormation output. Optionally, you can select specific AWS regions to monitor. Click 'Create' to establish the connection. The connector will appear in the list; its status will change to 'Connected' once the initial sync completes.

4. Verify connector status and findings

After creation, the connector status should show as 'Connected'. If it shows 'Error', check the IAM role permissions and external ID. You can view findings from AWS in Defender for Cloud under 'Security alerts' and 'Recommendations'. The findings are tagged with the cloud provider (AWS) and account ID. To verify data flow, look for AWS-specific recommendations like 'EC2 instances should be configured with IMDSv2' or 'S3 buckets should have block public access enabled'. The sync interval is typically 5-15 minutes.

5. Enable GCP Security Command Center

For GCP, you must enable Security Command Center (SCC) at the organization level. SCC provides visibility into GCP resources and threat findings. To enable, go to GCP Console > Security > Security Command Center. You need at least the Organization Administrator role. SCC provides a free tier (Security Health Analytics) and a paid tier (Event Threat Detection). Defender for Cloud uses SCC's findings. Enable SCC and ensure it is collecting data from the projects you want to monitor.

6. Create service account and connector in GCP

Defender for Cloud provides a script to create a service account in GCP with the necessary roles (Security Center Admin, Cloud Asset Viewer, etc.). Run the script in GCP Cloud Shell. It outputs a JSON private key. In Defender for Cloud, go to Environment settings > Add environment > Google Cloud Platform. Provide a connector name, select the subscription, and upload the JSON key. Optionally, specify project IDs. Click 'Create'. The connector will start syncing findings.

7. Monitor multi-cloud security posture

Once both connectors are active, you can view a unified dashboard in Defender for Cloud. The 'Inventory' page shows resources from all clouds. The 'Recommendations' page includes cloud-agnostic and cloud-specific recommendations. The 'Security alerts' page shows threats from AWS GuardDuty, GCP SCC, and Azure Defender. You can filter by cloud provider. Note that you cannot remediate AWS/GCP resources directly from Defender for Cloud; you must go to the native console. However, you can create workbooks and reports that combine data from all clouds.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank runs workloads in Azure, AWS, and GCP. The compliance team must ensure all workloads meet PCI DSS requirements. Defender for Cloud's multi-cloud CSPM provides a single compliance dashboard. The bank connects all three clouds via connectors. They enable the free CSPM tier for AWS and GCP, which automatically assesses resources against the PCI DSS benchmark. The bank's security team receives a unified compliance score and can track non-compliant resources across clouds. However, they discover that AWS recommendations for PCI DSS are limited compared to Azure. For example, Azure has 40+ PCI DSS controls, while AWS has only 20. The bank must supplement with AWS Config rules. The connector pulls findings from Security Hub, which includes AWS Config evaluations. The team learns that they must enable AWS Config and set up rules to get full coverage.

Enterprise Scenario 2: E-commerce Threat Detection

An e-commerce company uses AWS for compute (EC2) and GCP for storage (Cloud Storage). They subscribe to Defender for Cloud's paid plan for AWS and GCP. For AWS, they enable threat detection on EC2 instances. Defender for Cloud deploys the Microsoft Defender for Endpoint agent on supported EC2 instances (Windows and Linux) to detect fileless attacks, network anomalies, and credential theft. On GCP, they enable threat detection for Cloud Storage, monitoring for anomalous access patterns. The company's SOC team uses Defender for Cloud's single alert queue. They receive an alert about a suspicious EC2 instance communicating with a known malicious IP. The alert includes the AWS instance ID and region. The SOC analyst uses the AWS console to isolate the instance. They also receive an alert about a public GCP storage bucket with sensitive data. The analyst uses the GCP console to make the bucket private. The integration works well, but the team notes that alerts from AWS and GCP cannot be suppressed in Defender for Cloud; they must suppress at the source (Security Hub or SCC).

Enterprise Scenario 3: Multi-Cloud Container Security

A technology startup runs containers in Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). They use Defender for Cloud's container security features. For AKS, Defender for Cloud provides native threat detection and vulnerability assessment. For EKS and GKE, they enable the paid Defender plan. Defender for Cloud integrates with AWS Security Hub to receive EKS findings (e.g., pod security policy violations) and with GCP SCC for GKE findings. The startup's security team uses the 'Container registry vulnerabilities' recommendation to scan images in Amazon ECR and GCP Container Registry. However, they find that image scanning for AWS and GCP is only available if they use the Defender for Cloud container registry integration (via Azure Container Registry or third-party). For ECR, they must enable AWS Inspector and forward findings to Security Hub. For GCR, they use SCC's vulnerability scanning. The team learns that Defender for Cloud does not directly scan images in ECR or GCR; it relies on native scanning services.

Common Pitfalls

Cost Overruns: Organizations enable the paid Defender plan for all AWS/GCP resources without realizing that billing is per resource (e.g., per EC2 vCPU per hour). For large fleets, costs can escalate.

Permission Drift: IAM roles or service accounts may be modified, causing connectors to fail. Regular audits are needed.

Region Gaps: For AWS, if Security Hub is not enabled in a region where resources exist, those resources are not monitored. For GCP, SCC must be enabled at the organization level, not just project level.

Alert Fatigue: Multi-cloud can double the number of alerts. Use filtering and severity tuning in Security Hub and SCC before ingestion.

Remediation Limitations: Many assume they can remediate AWS/GCP resources from Defender for Cloud, but only Azure resources can be remediated directly. For AWS/GCP, you must use native consoles or automation scripts (e.g., via Azure Automation runbooks that call AWS APIs).
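The unified alert queue from walk-through step 7 and the severity tuning mentioned under Alert Fatigue, shown as one added example (not Defender for Cloud's own ingestion code): Security Hub findings in ASFF and SCC findings are mapped into a single provider-tagged queue, closed findings are dropped, and a severity floor is applied. The finding records, account, organization and resource IDs are constructed samples.

```python
"""Normalize AWS Security Hub (ASFF) and GCP SCC findings into one alert queue."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEVERITY_RANK: Dict[str, int] = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def asff(fid: str, product: str, label: str, state: str, title: str) -> dict:
    """Constructed Security Hub record with only the ASFF fields the mapper reads."""
    return {"Id": f"arn:aws:securityhub:us-east-1:123456789012:finding/{fid}",
            "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
            "AwsAccountId": "123456789012", "Region": "us-east-1", "Title": title,
            "Severity": {"Label": label}, "RecordState": state,
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0EXAMPLE"}]}


def scc(fid: str, category: str, severity: str, state: str) -> dict:
    """Constructed SCC finding (name, category, resourceName, severity, state)."""
    return {"name": f"organizations/111111111111/sources/222/findings/{fid}",
            "category": category, "severity": severity, "state": state,
            "resourceName": "//storage.googleapis.com/example-bucket"}


# Constructed sample input: one closed AWS finding and two low-severity ones
# exercise the filtering paths.
ASFF_SAMPLE = [
    asff("EX-1", "guardduty", "HIGH", "ACTIVE", "EC2 instance communicating with a known malicious IP"),
    asff("EX-2", "securityhub", "LOW", "ACTIVE", "EC2 instances should be configured with IMDSv2"),
    asff("EX-3", "guardduty", "HIGH", "ARCHIVED", "Finding already closed in Security Hub"),
]
SCC_SAMPLE = [
    scc("EX-A", "PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE"),
    scc("EX-B", "BUCKET_LOGGING_DISABLED", "LOW", "ACTIVE"),
]


@dataclass(frozen=True)
class UnifiedAlert:
    provider: str          # "AWS" or "GCP", so the queue can be filtered per cloud
    scope: str             # AWS account ID or GCP organization the finding belongs to
    region: Optional[str]  # AWS findings are regional; SCC findings carry no region
    resource: str
    title: str
    severity: str
    source: str            # producing service, e.g. guardduty or SCC


def from_asff(f: dict) -> UnifiedAlert:
    """Map one Security Hub finding; the product name is the last ARN segment."""
    resources = f.get("Resources") or [{}]
    return UnifiedAlert(provider="AWS", scope=f["AwsAccountId"], region=f.get("Region"),
                        resource=resources[0].get("Id", ""), title=f["Title"],
                        severity=f["Severity"]["Label"].upper(),
                        source=f["ProductArn"].rsplit("/", 1)[-1])


def from_scc(f: dict) -> UnifiedAlert:
    """Map one SCC finding; the organization is taken from the finding's name."""
    parts = f["name"].split("/")
    org = "/".join(parts[:2]) if parts[0] == "organizations" else parts[0]
    return UnifiedAlert(provider="GCP", scope=org, region=None, resource=f["resourceName"],
                        title=f["category"], severity=f["severity"].upper(), source="SCC")


def build_queue(asff_findings: Iterable[dict], scc_findings: Iterable[dict],
                min_severity: str = "MEDIUM") -> List[UnifiedAlert]:
    """Single queue: drop closed findings and anything below min_severity, then
    order by severity so the analyst sees the highest first."""
    floor = SEVERITY_RANK[min_severity.upper()]
    alerts = [from_asff(f) for f in asff_findings if f.get("RecordState") == "ACTIVE"]
    alerts += [from_scc(f) for f in scc_findings if f.get("state") == "ACTIVE"]
    kept = [a for a in alerts if SEVERITY_RANK.get(a.severity, 0) >= floor]
    return sorted(kept, key=lambda a: -SEVERITY_RANK.get(a.severity, 0))


def filter_by_provider(queue: List[UnifiedAlert], provider: str) -> List[UnifiedAlert]:
    """The per-cloud filter the Security alerts page offers."""
    return [a for a in queue if a.provider == provider.upper()]


if __name__ == "__main__":
    for alert in build_queue(ASFF_SAMPLE, SCC_SAMPLE, "MEDIUM"):
        print(alert.provider, alert.scope, alert.severity, alert.title)
```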

How SC-200 Actually Tests This

SC-200 Exam Focus: Defender for Cloud Multi-Cloud

Objective Code: 3.1 – Configure and manage threat protection, specifically "Connect AWS and GCP accounts to Microsoft Defender for Cloud" and "Manage multi-cloud security posture."

What the Exam Tests:

The ability to configure connectors for AWS and GCP.

Understanding of which Defender plans are available for each cloud.

Knowledge of prerequisites: Security Hub (AWS) and Security Command Center (GCP).

The difference between CSPM (free) and CWPP (paid) capabilities.

How to interpret multi-cloud security findings in Defender for Cloud.

Common Wrong Answers and Why Candidates Choose Them:

1. "You need to install an agent on AWS EC2 instances to get CSPM."
   - *Why wrong*: CSPM is agentless; it uses API calls to assess configurations. Agents are only needed for threat detection (paid plan) on specific workloads.
   - *Trap*: Candidates confuse CSPM with CWPP.

2. "The connector directly reads CloudTrail logs."
   - *Why wrong*: The connector integrates with Security Hub, not directly with CloudTrail. Security Hub aggregates findings from CloudTrail, GuardDuty, etc.
   - *Trap*: Candidates assume direct API integration.

3. "You can apply Azure Policy to AWS resources."
   - *Why wrong*: Azure Policy can only be extended via Azure Arc, which is not part of the standard multi-cloud connector. The connector does not allow policy enforcement.
   - *Trap*: Overestimation of capabilities.

4. "GCP connector requires a service account with Owner role."
   - *Why wrong*: The required roles are Security Center Admin and Cloud Asset Viewer, not Owner. Owner is excessive and violates least privilege.
   - *Trap*: Candidates assume full admin rights are needed.

Specific Numbers and Terms That Appear on the Exam:
- AWS Connector: Uses CloudFormation template, IAM role with external ID.
- GCP Connector: Uses service account JSON key.
- Supported regions: For AWS, all commercial regions; for GCP, all regions.
- Data refresh: Every 5-15 minutes.
- Cost: CSPM free; paid plan billed per resource (e.g., $15/vCPU/month for AWS EC2 – exact amounts may vary, but concept is tested).

Edge Cases and Exceptions:

If Security Hub is not enabled in a region, that region's resources are not assessed.

For GCP, SCC must be enabled at the organization level, not project level.

If the IAM role or service account is deleted, the connector fails silently.

Findings from AWS/GCP appear in Defender for Cloud but cannot be suppressed using Azure suppression rules; you must suppress them at the source.

How to Eliminate Wrong Answers:

If the question mentions "agentless assessment" or "configuration scanning," it's CSPM (free).

If the question mentions "threat detection" or "malware," it's the paid plan.

If the question mentions "AWS Security Hub" or "GCP Security Command Center," it's about the connector.

If the question mentions "remediation" or "policy enforcement," it's likely not supported for AWS/GCP (except via Azure Arc).

Always check if the prerequisite service is enabled (Security Hub or SCC).

Exam Tip: Memorize the connector flow: CloudFormation (AWS) or service account (GCP) -> Security Hub/SCC -> Defender for Cloud. Know that CSPM is free and includes compliance assessment. Paid plan adds threat detection but not all Azure features (e.g., no JIT, no FIM).

Key Takeaways

Defender for Cloud multi-cloud support requires AWS Security Hub (AWS) and GCP Security Command Center (GCP) as prerequisites.

CSPM (free) is available for all clouds; threat detection (paid) is optional and billed per resource.

AWS connector uses CloudFormation to create an IAM role; GCP connector uses a service account with a JSON key.

Data refreshes every 5-15 minutes; no real-time streaming.

You cannot remediate AWS/GCP resources from Defender for Cloud; use native consoles.

Supported AWS resources for paid plan: EC2, EKS, Lambda, S3. Supported GCP resources: Compute Engine, GKE, Cloud Storage.

Compliance standards for AWS/GCP: CIS and PCI DSS only (Azure has more).

Alerts from AWS/GCP cannot be suppressed in Defender for Cloud; suppress at source (Security Hub or SCC).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Connector

Uses AWS Security Hub as the integration point.

Deployed via CloudFormation template.

Requires IAM role with external ID.

Supports threat detection for EC2, EKS, Lambda, S3.

Can collect findings from multiple AWS regions.

GCP Connector

Uses GCP Security Command Center as the integration point.

Deployed via a script that creates a service account.

Requires service account JSON key.

Supports threat detection for Compute Engine, GKE, Cloud Storage.

Can collect findings from all GCP projects in an organization.

Watch Out for These

Mistake

Defender for Cloud can directly scan AWS EC2 instances for vulnerabilities without any agent.

Correct

For vulnerability assessment on AWS EC2, Defender for Cloud requires integration with Qualys or Microsoft Defender for Cloud's built-in scanner, which deploys an agent on the instance. It does not perform agentless vulnerability scanning on AWS.

Mistake

The multi-cloud connector for AWS uses Azure Automation to deploy resources.

Correct

The connector uses AWS CloudFormation to deploy the necessary IAM role and S3 bucket. It does not use Azure Automation. The CloudFormation template is provided by Microsoft and launched in the AWS account.

Mistake

You can manage AWS and GCP resources directly from the Azure portal using Defender for Cloud.

Correct

Defender for Cloud provides visibility and alerts, but you cannot manage or modify AWS/GCP resources from Azure. You must use the native consoles (AWS Management Console, GCP Console) for any configuration changes.

Mistake

The GCP connector requires a service account with the Owner role.

Correct

The required roles are Security Center Admin (roles/securitycenter.admin) and Cloud Asset Viewer (roles/cloudasset.viewer). The Owner role is too permissive and not recommended.

Mistake

CSPM for AWS and GCP is a paid feature.

Correct

CSPM (Cloud Security Posture Management) is free for all clouds. Only threat detection (Defender for Cloud paid plan) incurs additional costs. The exam often tests this distinction.


Frequently Asked Questions

What are the prerequisites for connecting an AWS account to Defender for Cloud?

You must enable AWS Security Hub in the account and region you want to monitor. Additionally, you need an IAM role with permissions to read Security Hub findings, GuardDuty findings, and CloudTrail logs. Defender for Cloud provides a CloudFormation template that creates this role automatically. The template also generates an external ID for secure cross-account access.

Can I use Defender for Cloud to scan AWS EC2 instances for vulnerabilities?

Yes, but only if you enable the paid Defender plan for AWS and deploy the vulnerability assessment solution (Qualys or Microsoft Defender for Cloud's built-in scanner) on the EC2 instances. The scanner requires an agent. CSPM alone does not perform vulnerability scanning; it only assesses configurations.

How often does Defender for Cloud sync findings from AWS and GCP?

Findings are synced every 5 to 15 minutes. There is no real-time streaming. The sync interval is not configurable. If you need faster updates, consider using Microsoft Sentinel with the AWS/GCP connectors for near real-time ingestion.

Does Defender for Cloud support AWS GovCloud or GCP Assured Workloads?

As of the current exam objectives, Defender for Cloud connectors support commercial AWS and GCP regions only. Government clouds (AWS GovCloud, GCP Assured Workloads) are not supported. Always check the latest documentation for changes.

Can I apply Azure Policy to AWS or GCP resources via the multi-cloud connector?

No, the standard multi-cloud connector does not support Azure Policy enforcement. However, you can use Azure Arc to project AWS/GCP resources into Azure and then apply Azure Policy. This is a separate feature and not part of the basic connector setup.

What happens if I delete the IAM role or service account used by the connector?

The connector will fail and its status will change to 'Disconnected' or 'Error'. To restore connectivity, you must recreate the IAM role (AWS) or service account (GCP) and update the connector with the new credentials. Defender for Cloud will not automatically recover.

Is there a cost for using Defender for Cloud CSPM with AWS and GCP?

No, CSPM (Cloud Security Posture Management) is free for all clouds. You only pay if you enable the paid Defender plan for threat detection on specific resource types. The paid plan is billed per resource (e.g., per vCPU for VMs).
