Cloud security posture management (CSPM)

One of Microsoft Defender for Cloud's main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.

Defender for Cloud continually assesses your resources against security standards that are defined for your Azure subscriptions, AWS accounts, and GCP projects. Defender for Cloud issues security recommendations based on these assessments.

By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) compliance standard is turned on. It provides recommendations. Defender for Cloud provides an aggregated secure score based on some of the MCSB recommendations. The higher the score, the lower the identified risk level.

CSPM features

Defender for Cloud provides the following CSPM offerings:

  • Foundational CSPM - Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to Defender for Cloud.

  • Defender Cloud Security Posture Management (CSPM) plan - The optional, paid Defender for Cloud Secure Posture Management plan provides more, advanced security posture features.

Plan availability

Learn more about Defender CSPM pricing.

The following table summarizes each plan and their cloud availability.

Feature Foundational CSPM Defender CSPM Cloud availability
Security recommendations Azure, AWS, GCP, on-premises
Asset inventory Azure, AWS, GCP, on-premises
Secure score Azure, AWS, GCP, on-premises
Data visualization and reporting with Azure Workbooks Azure, AWS, GCP, on-premises
Data exporting Azure, AWS, GCP, on-premises
Workflow automation Azure, AWS, GCP, on-premises
Tools for remediation Azure, AWS, GCP, on-premises
Microsoft Cloud Security Benchmark Azure, AWS, GCP
AI security posture management - Azure, AWS
Agentless VM vulnerability scanning - Azure, AWS, GCP
Agentless VM secrets scanning - Azure, AWS, GCP
Attack path analysis - Azure, AWS, GCP
Risk prioritization - Azure, AWS, GCP
Risk hunting with security explorer - Azure, AWS, GCP
Code-to-cloud mapping for containers - GitHub, Azure DevOps
Code-to-cloud mapping for IaC - Azure DevOps
PR annotations - GitHub, Azure DevOps
Internet exposure analysis - Azure, AWS, GCP
External attack surface management - Azure, AWS, GCP
Permissions Management (CIEM) - Azure, AWS, GCP
Regulatory compliance assessments - Azure, AWS, GCP
ServiceNow Integration - Azure, AWS, GCP
Critical assets protection - Azure, AWS, GCP
Governance to drive remediation at-scale - Azure, AWS, GCP
Data security posture management (DSPM), Sensitive data scanning - Azure, AWS, GCP1
Agentless discovery for Kubernetes - Azure, AWS, GCP
Custom Recommendations - Azure, AWS, GCP
Agentless code-to-cloud containers vulnerability assessment - Azure, AWS, GCP
API security posture management (Preview) - Azure

1: GCP sensitive data discovery only supports Cloud Storage.

Note

Starting March 7, 2024, Defender CSPM must be enabled to have premium DevOps security capabilities that include code-to-cloud contextualization powering security explorer and attack paths and pull request annotations for Infrastructure-as-Code security findings. See DevOps security support and prerequisites to learn more.

Integrations

Microsoft Defender for Cloud now has built-in integrations to help you use third-party systems to seamlessly manage and track tickets, events, and customer interactions. You can push recommendations to a third-party ticketing tool, and assign responsibility to a team for remediation.

Integration streamlines your incident response process, and improves your ability to manage security incidents. You can track, prioritize, and resolve security incidents more effectively.

You can choose which ticketing system to integrate. For preview, only ServiceNow integration is supported. For more information about how to configure ServiceNow integration, see Integrate ServiceNow with Microsoft Defender for Cloud (preview).

Plan pricing

  • Review the Defender for Cloud pricing page to learn about Defender CSPM pricing.

  • From March 7, 2024, advanced DevOps security posture capabilities will only be available through the paid Defender CSPM plan. Free foundational security posture management in Defender for Cloud will continue providing a number of Azure DevOps recommendations. Learn more about DevOps security features.

  • For subscriptions that use both Defender CSPM and Defender for Containers plans, free vulnerability assessment is calculated based on free image scans provided via the Defender for Containers plan, as summarized in the Microsoft Defender for Cloud pricing page.

  • Defender CSPM protects all multicloud workloads, but billing is applied only on specific resources. The following tables list the billable resources when Defender CSPM is enabled on Azure subscriptions, AWS accounts, or GCP projects.

    Azure Service Resource types Exclusions
    Compute Microsoft.Compute/virtualMachines
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines
    Microsoft.ClassicCompute/virtualMachines
    - Deallocated VMs
    - Databricks VMs
    Storage Microsoft.Storage/storageAccounts Storage accounts without blob containers or file shares
    DBs Microsoft.Sql/servers
    Microsoft.DBforPostgreSQL/servers
    Microsoft.DBforMySQL/servers
    Microsoft.Sql/managedInstances
    Microsoft.DBforMariaDB/servers
    Microsoft.Synapse/workspaces
    ---
    AWS Service Resource types Exclusions
    Compute EC2 instances Deallocated VMs
    Storage S3 Buckets ---
    DBs RDS instances ---
    GCP Service Resource types Exclusions
    Compute 1. Google Compute instances
    2. Google Instance Group
    Instances with non-running states
    Storage Storage buckets - Buckets from classes: ‘nearline’, ‘coldline’, ‘archive’
    - Buckets from regions other than: europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1
    DBs Cloud SQL Instances ---

Azure cloud support

For commercial and national cloud coverage, review the features supported in Azure cloud environments.

Support for Resource type in AWS and GCP

For multicloud support of resource types (or services) in our foundational multicloud CSPM tier, see the table of multicloud resource and service types for AWS and GCP.

Next steps