Edit

Share via

Configure Defender for Containers on AWS

After deploying Defender for Containers on your EKS clusters, configure various settings to customize the security coverage to meet your needs. This article also explains how to add or remove components after initial deployment.

Configuration areas

Jump to the configuration you need:

Component management

Core settings

Tip

Most organizations start with configuring plan components. If you need to add or remove components after initial deployment, see Add or remove components.

Add or remove components

After initial deployment, you might need to add components that you skipped or remove unnecessary ones.

Check component deployment status

  1. Go to Inventory and filter by AWS resources.

  2. Check each EKS cluster for:

    • Arc connectivity status
    • Defender extension status
    • Policy extension status

Add missing components

Connect EKS clusters to Azure Arc

If clusters aren't connected to Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Look for recommendations about EKS clusters that need Arc connection.

  3. Follow the recommendation to connect your clusters.

  4. Use the provided scripts to connect each cluster to Azure Arc.

Or use CLI:

# Connect cluster to Arc
az connectedk8s connect \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP \
    --location $REGION

Deploy Defender sensor to existing clusters

After connecting your EKS clusters to Azure Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Look for recommendations about installing the Defender extension on Arc-enabled clusters.

  3. Select the recommendation and follow the remediation steps.

Or deploy using CLI:

# Install Defender extension
az k8s-extension create \
    --name microsoft-defender \
    --extension-type microsoft.azuredefender.kubernetes \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

Add Azure Policy extension

To add policy assessment to existing deployments:

# Install Azure Policy extension
az k8s-extension create \
    --name azurepolicy \
    --extension-type Microsoft.PolicyInsights \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

Remove specific components

To remove components but keep others:

  1. Go to your Arc-enabled Kubernetes cluster.

  2. Under Settings, select Extensions.

  3. Select the extension to remove (Microsoft Defender or Azure Policy).

  4. Select Uninstall.

Or use CLI:

# Remove Defender sensor only
az k8s-extension delete \
    --name microsoft-defender \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

# Remove Policy extension only
az k8s-extension delete \
    --name azurepolicy \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

Deploy components selectively

Deploy to specific clusters only

To deploy the sensor only to selected EKS clusters:

  1. Connect specific clusters to Azure Arc (not all clusters).

  2. Go to Recommendations and find "Arc-enabled Kubernetes clusters should have Defender extension installed".

  3. Select only the clusters where you want the sensor.

  4. Follow the remediation steps for the selected clusters.

Configure plan components

You can enable or disable specific Defender for Containers components:

  1. Go to Microsoft Defender for Cloud > Environment settings.

  2. Select your AWS connector.

  3. Select Settings for the Containers plan.

  4. Turn components on or off:

    • Defender sensor
    • Azure Policy for Kubernetes
    • K8s API access
    • Registry access

    Screenshot that shows turning on components.

  5. Select Continue and Save.

Troubleshooting component issues

Fix Arc connectivity issues

For clusters that show as disconnected:

  1. Rerun the Arc connection script.

  2. Verify network connectivity from the cluster to Azure.

  3. Check Arc agent logs: kubectl logs -n azure-arc -l app.kubernetes.io/component=cluster-agent

Fix sensor deployment issues

For clusters missing the Defender sensor:

  1. Verify Arc connection is healthy.

  2. Check for conflicting policies or admission controllers.

  3. Deploy manually if needed: Use remediation from the recommendation.

Sensor pods not starting

# Check pod status
kubectl describe pods -n kube-system -l app=microsoft-defender

# Common issues:
# - Image pull errors: Check network connectivity
# - Permission denied: Verify RBAC settings
# - Resource constraints: Check node resources

Best practices

  1. Regular reviews: Review configuration monthly.
  2. Test changes: Test configuration changes in non-production environments first.
  3. Document settings: Maintain documentation of custom configurations.
  4. Monitor impact: Watch for performance impact after changes.
  5. Back up settings: Export configurations before major changes.
  6. Track exclusions: Document why certain clusters or components are excluded.

Related content

  • Last updated on