Assign access to workload owners

When you onboard your Amazon Web Services (AWS) or Google Cloud Platform (GCP) environments, Defender for Cloud automatically creates a security connector as an Azure resource in the subscription and resource group you connected. Defender for Cloud also creates the identity provider, as an IAM role in the cloud account, that the onboarding process requires.

To assign users permissions on a specific connector beneath the parent connector, first decide which AWS accounts or GCP projects those users should be able to access, then identify the security connector resource that corresponds to each of those accounts or projects.

Prerequisites

Configure permissions on the security connector

Permissions for security connectors are managed through Azure Role-Based Access Control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Locate the relevant AWS or GCP connector.

  4. Find the connector resource and assign permissions to the workload owners, using either the All resources view or the Azure Resource Graph option in the Azure portal.

    1. Search for and select All resources.

    2. Select Manage view > Show hidden types.

    3. Select the Types equals all filter.

    4. Enter securityconnector in the value field and select the checkbox for microsoft.security/securityconnectors.

    5. Select Apply.

    6. Select the relevant security connector.

  5. Select Access control (IAM).

  6. Select +Add > Add role assignment.

  7. Select the desired role.

  8. Select Next.

  9. Select + Select members.

  10. Search for and select the relevant user or group.

  11. Select the Select button.

  12. Select Next.

  13. Select Review + assign.

  14. Review the information.

  15. Select Review + assign.

After the role assignment on the security connector is in place, workload owners can view recommendations in Defender for Cloud for the AWS and GCP resources that the security connector covers, and only for those resources, because the assignment is scoped to the connector rather than to the subscription or resource group.
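The same outcome can be scripted with the Azure CLI, which is useful when many workload owners need access to many connectors. The script below is an added example, not Microsoft's own tooling and not part of this page: it looks up the connector for one AWS account or GCP project with Azure Resource Graph, refuses any scope that is broader than a single connector, and then creates the role assignment. It assumes the Azure CLI resource-graph extension is installed, that you are signed in, and that the connector's properties.hierarchyIdentifier holds the AWS account ID or GCP project number (as in the Security Connectors REST API); the default role, Security Reader, is a built-in Azure role, and the script name and argument order are this example's own.

```shell
#!/bin/sh
# Added example (not Microsoft's tooling): find the Defender for Cloud security
# connector for one AWS account / GCP project and assign a role on it only.
# Assumptions: `az` with the resource-graph extension, an active login, and
# properties.hierarchyIdentifier = AWS account ID or GCP project number.
set -eu

# Build the Resource Graph (KQL) query that returns the connector's resource ID.
connector_query() {
  printf "resources | where type =~ 'microsoft.security/securityconnectors' | where properties.hierarchyIdentifier == '%s' | project id" "$1"
}

# Least-privilege guard: accept only a scope that is a single security connector.
# A subscription or resource group scope would grant access to every connector in it.
scope_is_connector() {
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$lower" in
    /subscriptions/*/resourcegroups/*/providers/microsoft.security/securityconnectors/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Query Azure Resource Graph; prints the first matching connector ID (empty if none).
find_connector_id() {
  az graph query -q "$(connector_query "$1")" --query 'data[0].id' -o tsv
}

# Assign a role (default: Security Reader) to a user UPN or group object ID at connector scope.
assign_connector_role() {
  scope=$1; assignee=$2; role=${3:-"Security Reader"}
  if ! scope_is_connector "$scope"; then
    echo "refusing: scope is not a single security connector: $scope" >&2
    return 1
  fi
  az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
}

main() {
  id=$(find_connector_id "$1")
  [ -n "$id" ] || { echo "no security connector found for $1" >&2; exit 1; }
  assign_connector_role "$id" "$2" "${3:-}"
}

# Usage: ./assign-connector-role.sh <aws-account-id|gcp-project-number> <user-upn|group-object-id> [role]
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The guard in scope_is_connector is the part worth keeping even if you adapt the rest: the portal steps above deliberately select one connector resource before opening Access control (IAM), and the script enforces the same boundary so a typo in the scope cannot silently widen a workload owner's access to the whole subscription.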

Next step