An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?
The connector automatically discovers and monitors EC2 instances.
Why this answer
Option C is correct because the AWS connector in Microsoft Defender for Cloud is the native integration that enables automatic discovery and onboarding of AWS resources, including EC2 instances, into Defender for Cloud. Once configured, the connector uses AWS IAM roles and APIs to continuously sync EC2 inventory and apply Defender plans (e.g., Defender for Servers) without requiring manual agent installation on each instance.
Exam trap
The trap here is that candidates confuse the AWS connector (a cloud-to-cloud integration) with Azure Arc (a hybrid management tool), assuming Arc is required for any non-Azure workload, when in fact the connector handles automatic onboarding without per-instance configuration.
How to eliminate wrong answers
Option A is wrong because deploying Azure Arc on each EC2 instance is an alternative method for managing non-Azure servers, but it is not the automatic onboarding mechanism for Defender for Cloud; it requires manual installation and does not leverage the native AWS connector.
Option B is wrong because AWS Systems Manager is an AWS-native management service and cannot directly push Defender workloads; Defender for Cloud relies on its own agents (e.g., Azure Monitor Agent or Microsoft Defender for Endpoint) deployed via the AWS connector integration, not via Systems Manager.
Option D is wrong because AWS Config rules are used for compliance auditing and resource configuration tracking, not for onboarding EC2 instances to Defender for Cloud; they lack the capability to install security agents or enable Defender plans.