Cloud security posture management (CSPM)
One of Microsoft Defender for Cloud's main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.
Defender for Cloud continually assesses your resources against security standards that are defined for your Azure subscriptions, AWS accounts, and GCP projects. Defender for Cloud issues security recommendations based on these assessments.
By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) compliance standard is turned on. It provides recommendations. Defender for Cloud provides an aggregated secure score based on some of the MCSB recommendations. The higher the score, the lower the identified risk level.
CSPM features
Defender for Cloud provides the following CSPM offerings:
Foundational CSPM - Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to Defender for Cloud.
Defender Cloud Security Posture Management (CSPM) plan - The optional, paid Defender Cloud Security Posture Management plan provides additional, advanced security posture features on top of the foundational ones.
Plan availability
Learn more about Defender CSPM pricing.
The following table summarizes each plan and their cloud availability.
Feature | Foundational CSPM | Defender CSPM | Cloud availability
---|---|---|---
Security recommendations | Yes | Yes | Azure, AWS, GCP, on-premises
Asset inventory | Yes | Yes | Azure, AWS, GCP, on-premises
Secure score | Yes | Yes | Azure, AWS, GCP, on-premises
Data visualization and reporting with Azure Workbooks | Yes | Yes | Azure, AWS, GCP, on-premises
Data exporting | Yes | Yes | Azure, AWS, GCP, on-premises
Workflow automation | Yes | Yes | Azure, AWS, GCP, on-premises
Tools for remediation | Yes | Yes | Azure, AWS, GCP, on-premises
Microsoft Cloud Security Benchmark | Yes | Yes | Azure, AWS, GCP
AI security posture management | - | Yes | Azure, AWS
Agentless VM vulnerability scanning | - | Yes | Azure, AWS, GCP
Agentless VM secrets scanning | - | Yes | Azure, AWS, GCP
Attack path analysis | - | Yes | Azure, AWS, GCP
Risk prioritization | - | Yes | Azure, AWS, GCP
Risk hunting with security explorer | - | Yes | Azure, AWS, GCP
Code-to-cloud mapping for containers | - | Yes | GitHub, Azure DevOps
Code-to-cloud mapping for IaC | - | Yes | Azure DevOps
PR annotations | - | Yes | GitHub, Azure DevOps
Internet exposure analysis | - | Yes | Azure, AWS, GCP
External attack surface management | - | Yes | Azure, AWS, GCP
Permissions Management (CIEM) | - | Yes | Azure, AWS, GCP
Regulatory compliance assessments | - | Yes | Azure, AWS, GCP
ServiceNow Integration | - | Yes | Azure, AWS, GCP
Critical assets protection | - | Yes | Azure, AWS, GCP
Governance to drive remediation at-scale | - | Yes | Azure, AWS, GCP
Data security posture management (DSPM), Sensitive data scanning | - | Yes | Azure, AWS, GCP ¹
Agentless discovery for Kubernetes | - | Yes | Azure, AWS, GCP
Custom Recommendations | - | Yes | Azure, AWS, GCP
Agentless code-to-cloud containers vulnerability assessment | - | Yes | Azure, AWS, GCP
API security posture management (Preview) | - | Yes | Azure

¹ GCP sensitive data discovery only supports Cloud Storage.
Note
Starting March 7, 2024, Defender CSPM must be enabled to have premium DevOps security capabilities that include code-to-cloud contextualization powering security explorer and attack paths and pull request annotations for Infrastructure-as-Code security findings. See DevOps security support and prerequisites to learn more.
Integrations
Microsoft Defender for Cloud now has built-in integrations to help you use third-party systems to seamlessly manage and track tickets, events, and customer interactions. You can push recommendations to a third-party ticketing tool, and assign responsibility to a team for remediation.
Integration streamlines your incident response process, and improves your ability to manage security incidents. You can track, prioritize, and resolve security incidents more effectively.
You can choose which ticketing system to integrate. For preview, only ServiceNow integration is supported. For more information about how to configure ServiceNow integration, see Integrate ServiceNow with Microsoft Defender for Cloud (preview).
Plan pricing
Review the Defender for Cloud pricing page to learn about Defender CSPM pricing.
From March 7, 2024, advanced DevOps security posture capabilities will only be available through the paid Defender CSPM plan. Free foundational security posture management in Defender for Cloud will continue providing a number of Azure DevOps recommendations. Learn more about DevOps security features.
For subscriptions that use both Defender CSPM and Defender for Containers plans, free vulnerability assessment is calculated based on free image scans provided via the Defender for Containers plan, as summarized in the Microsoft Defender for Cloud pricing page.
Defender CSPM protects all multicloud workloads, but billing is applied only on specific resources. The following tables list the billable resources when Defender CSPM is enabled on Azure subscriptions, AWS accounts, or GCP projects.
Azure

Service | Resource types | Exclusions
---|---|---
Compute | Microsoft.Compute/virtualMachines, Microsoft.Compute/virtualMachineScaleSets/virtualMachines, Microsoft.ClassicCompute/virtualMachines | Deallocated VMs; Databricks VMs
Storage | Microsoft.Storage/storageAccounts | Storage accounts without blob containers or file shares
DBs | Microsoft.Sql/servers, Microsoft.DBforPostgreSQL/servers, Microsoft.DBforMySQL/servers, Microsoft.Sql/managedInstances, Microsoft.DBforMariaDB/servers, Microsoft.Synapse/workspaces | ---

AWS

Service | Resource types | Exclusions
---|---|---
Compute | EC2 instances | Deallocated VMs
Storage | S3 Buckets | ---
DBs | RDS instances | ---

GCP

Service | Resource types | Exclusions
---|---|---
Compute | Google Compute instances; Google Instance Group | Instances with non-running states
Storage | Storage buckets | Buckets from classes: 'nearline', 'coldline', 'archive'; Buckets from regions other than: europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1
DBs | Cloud SQL Instances | ---
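The billable-resource tables above are what you need when estimating what Defender CSPM will cost for a given estate, since the plan covers every workload but bills only these resource types, minus the listed exclusions. The following script is an added example (not Microsoft's code or API) that encodes those tables as rules and classifies a constructed inventory against them. The inventory records, their field names (`power_state`, `is_databricks`, `has_blob_or_file`, `running`, `storage_class`, `region`) and the way a Databricks VM or an empty storage account is flagged are assumptions made for the example; a real inventory would be built from each provider's API.

```python
"""Classify a cloud resource inventory against the Defender CSPM billable-resource
tables. Added example, not Microsoft code. Field names on the inventory records and
the flags used to detect exclusions are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List

# Resource types the page lists as billable, copied from the Azure table.
AZURE_COMPUTE = {
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
    "Microsoft.ClassicCompute/virtualMachines",
}
AZURE_STORAGE = {"Microsoft.Storage/storageAccounts"}
AZURE_DBS = {
    "Microsoft.Sql/servers",
    "Microsoft.DBforPostgreSQL/servers",
    "Microsoft.DBforMySQL/servers",
    "Microsoft.Sql/managedInstances",
    "Microsoft.DBforMariaDB/servers",
    "Microsoft.Synapse/workspaces",
}
# GCP bucket exclusions, copied from the GCP table.
GCP_BILLED_REGIONS = {
    "europe-west1", "us-east1", "us-west1", "us-central1",
    "us-east4", "asia-south1", "northamerica-northeast1",
}
GCP_EXCLUDED_CLASSES = {"nearline", "coldline", "archive"}


@dataclass
class Resource:
    cloud: str            # "azure", "aws" or "gcp"
    name: str
    rtype: str            # provider resource type string
    attrs: Dict[str, object] = field(default_factory=dict)  # assumed inventory fields


def billing_reason(r: Resource) -> str:
    """Return "" if the resource is billable under Defender CSPM, else the exclusion."""
    a = r.attrs
    if r.cloud == "azure":
        if r.rtype in AZURE_COMPUTE:
            if a.get("power_state") == "deallocated":
                return "deallocated VM"
            if a.get("is_databricks"):          # assumed flag for Databricks-managed VMs
                return "Databricks VM"
            return ""
        if r.rtype in AZURE_STORAGE:
            return "" if a.get("has_blob_or_file") else "no blob containers or file shares"
        return "" if r.rtype in AZURE_DBS else "not a billable type"
    if r.cloud == "aws":
        if r.rtype == "EC2 instance":
            return "deallocated VM" if a.get("power_state") == "deallocated" else ""
        return "" if r.rtype in ("S3 bucket", "RDS instance") else "not a billable type"
    if r.cloud == "gcp":
        if r.rtype in ("Compute instance", "Instance group"):
            return "" if a.get("running") else "non-running state"
        if r.rtype == "Storage bucket":
            if str(a.get("storage_class", "standard")).lower() in GCP_EXCLUDED_CLASSES:
                return f"storage class {a['storage_class']}"
            if a.get("region") not in GCP_BILLED_REGIONS:
                return f"region {a.get('region')} not billed"
            return ""
        return "" if r.rtype == "Cloud SQL instance" else "not a billable type"
    return "unknown cloud"


def billable_summary(inventory: List[Resource]) -> Dict[str, int]:
    """Count billable resources per cloud; use as a sanity check on a cost estimate."""
    counts = {"azure": 0, "aws": 0, "gcp": 0}
    for r in inventory:
        if r.cloud in counts and billing_reason(r) == "":
            counts[r.cloud] += 1
    return counts


# Constructed sample inventory; none of these are real resources.
SAMPLE = [
    Resource("azure", "vm-web01", "Microsoft.Compute/virtualMachines", {"power_state": "running"}),
    Resource("azure", "vm-batch", "Microsoft.Compute/virtualMachines", {"power_state": "deallocated"}),
    Resource("azure", "vm-dbx-worker", "Microsoft.Compute/virtualMachines",
             {"power_state": "running", "is_databricks": True}),
    Resource("azure", "stlogs", "Microsoft.Storage/storageAccounts", {"has_blob_or_file": True}),
    Resource("azure", "stempty", "Microsoft.Storage/storageAccounts", {"has_blob_or_file": False}),
    Resource("azure", "sql-prod", "Microsoft.Sql/servers"),
    Resource("azure", "kv-main", "Microsoft.KeyVault/vaults"),   # covered, but not billed
    Resource("aws", "i-0abc", "EC2 instance", {"power_state": "running"}),
    Resource("aws", "logs-bucket", "S3 bucket"),
    Resource("gcp", "gce-1", "Compute instance", {"running": True}),
    Resource("gcp", "gce-2", "Compute instance", {"running": False}),
    Resource("gcp", "hot-bucket", "Storage bucket", {"storage_class": "STANDARD", "region": "us-central1"}),
    Resource("gcp", "cold-bucket", "Storage bucket", {"storage_class": "COLDLINE", "region": "us-central1"}),
    Resource("gcp", "eu-bucket", "Storage bucket", {"storage_class": "STANDARD", "region": "europe-west4"}),
    Resource("gcp", "sql-1", "Cloud SQL instance"),
]

if __name__ == "__main__":
    for res in SAMPLE:
        why = billing_reason(res)
        print(f"{res.cloud:5} {res.name:14} {'BILLABLE' if why == '' else 'excluded: ' + why}")
    print(billable_summary(SAMPLE))
```

The point of keeping `billing_reason` separate from the summary is that the exclusion text tells you why a resource dropped out, which is what you want when a bill differs from an estimate; the region and storage-class rules for GCP buckets are the ones most often missed.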
Azure cloud support
For commercial and national cloud coverage, review the features supported in Azure cloud environments.
Support for Resource type in AWS and GCP
For multicloud support of resource types (or services) in our foundational multicloud CSPM tier, see the table of multicloud resource and service types for AWS and GCP.