Permissions to install Defender for Containers components in AWS and GCP
This article lists the roles and permissions required to install Defender for Containers components in the AWS Elastic Kubernetes Service (EKS) and GCP Google Kubernetes Engine (GKE) environments.
Required permissions
Defender for Container feature | Component | Required Role |
---|---|---|
GKE runtime protection; GKE workload hardening; Runtime vulnerability assessment (optional) | GKE Arc provisioning (for Defender agent and Azure Policy agent) | Azure Arc role: Defender Kubernetes Agent Operator. GCP predefined role: Kubernetes Engine Admin, or Kubernetes Engine Viewer (if only Agentless threat protection and/or the Kubernetes API access extension are enabled) |
EKS runtime protection; GKE workload hardening; Runtime vulnerability assessment (optional) | AWS Arc provisioning (for Defender agent and Azure Policy agent) | Azure Arc role: Defender Kubernetes Agent Operator. AWS role: AzureDefenderKubernetesRole |
GKE control plane hardening - Agentless threat protection | GKE AuditLogs provisioning | See GCP Agentless threat protection permissions |
EKS control plane hardening - Agentless threat protection | AWS AuditLogs provisioning | See AWS Agentless threat protection permissions |
Azure Arc provisioning role for EKS and GKE
The Azure Arc built-in role Defender Kubernetes Agent Operator, used to provision the Defender agent and the Azure Policy agent, has the following permissions:
- Microsoft.Authorization/*/read
- Microsoft.Insights/alertRules/*
- Microsoft.Resources/deployments/*
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/operationresults/read
- Microsoft.Resources/subscriptions/read
- Microsoft.KubernetesConfiguration/extensions/write
- Microsoft.KubernetesConfiguration/extensions/read
- Microsoft.KubernetesConfiguration/extensions/delete
- Microsoft.KubernetesConfiguration/extensions/operations/read
- Microsoft.Kubernetes/connectedClusters/Write
- Microsoft.Kubernetes/connectedClusters/read
- Microsoft.OperationalInsights/workspaces/write
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/listKeys/action
- Microsoft.OperationalInsights/workspaces/sharedkeys/action
- Microsoft.Kubernetes/register/action
- Microsoft.KubernetesConfiguration/register/action
AWS Agentless threat protection permissions
AzureDefenderKubernetesRole:
- sts:AssumeRole
- sts:AssumeRoleWithWebIdentity
- logs:PutSubscriptionFilter
- logs:DescribeSubscriptionFilters
- logs:DescribeLogGroups
- logs:PutRetentionPolicy
- firehose:*
- iam:PassRole
- eks:UpdateClusterConfig
- eks:DescribeCluster
- eks:CreateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:ListAssociatedAccessPolicies
- sqs:*
- s3:*
AzureDefenderKubernetesScubaReaderRole:
- sts:AssumeRole
- sts:AssumeRoleWithWebIdentity
- sqs:ReceiveMessage
- sqs:DeleteMessage
- s3:GetObject
- s3:GetBucketLocation
AzureDefenderCloudWatchToKinesisRole:
- sts:AssumeRole
- firehose:*
AzureDefenderKinesisToS3Role:
- sts:AssumeRole
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
MDCContainersAgentlessDiscoveryK8sRole:
- sts:AssumeRoleWithWebIdentity
- eks:UpdateClusterConfig
- eks:DescribeCluster
- eks:CreateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:ListAssociatedAccessPolicies
MDCContainersImageAssessmentRole:
- sts:AssumeRoleWithWebIdentity
- The permissions of these assumed roles: AmazonEC2ContainerRegistryPowerUser and AmazonElasticContainerRegistryPublicPowerUser
GCP Agentless threat protection permissions
MicrosoftDefenderContainersDataCollectionRole:
- pubsub.subscriptions.consume
- pubsub.subscriptions.get
MicrosoftDefenderContainersRole:
- logging.sinks.list
- logging.sinks.get
- logging.sinks.create
- logging.sinks.update
- logging.sinks.delete
- resourcemanager.projects.getIamPolicy
- resourcemanager.organizations.getIamPolicy
- iam.serviceAccounts.get
- iam.workloadIdentityPoolProviders.get (all the logs that go to Pub/Sub)
MDCCustomRole:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.enable
- iam.roles.create
- iam.roles.list
- compute.projects.get
- compute.projects.setCommonInstanceMetadata
MDCCspmCustomRole:
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- storage.buckets.getIamPolicy
Permissions granted in cloud environments
Onboarding AWS and GCP cloud environments to Defender for Cloud through the Azure portal creates a connector to your desired cloud environment, and generates a script for you to run in the cloud environment to create the required roles and permissions. The script is created based on the settings you choose when going through the onboarding process.
As part of the onboarding process, you choose between two permission types, Default Access and Least Privileged Access:
- Default Access supports all current and future extensions of the selected Defender plans.
- Least Privileged Access grants only the permissions necessary to support the current extensions.
The following tables show the permissions granted to certain Defender for Containers roles, depending on the permission type you choose.
AWS default access
Role Name | Associated Policies / Permissions | Capabilities |
---|---|---|
MDCContainersImageAssessmentRole | AmazonEC2ContainerRegistryPowerUser; AmazonElasticContainerRegistryPublicPowerUser | Agentless container vulnerability assessment. |
MDCContainersAgentlessDiscoveryK8sRole | eks:DescribeCluster; eks:UpdateClusterConfig; eks:CreateAccessEntry; eks:ListAccessEntries; eks:AssociateAccessPolicy; eks:ListAssociatedAccessPolicies | Agentless discovery of Kubernetes. Updating EKS clusters to support IP restriction. |
AWS least privileged access
Role Name | Associated Policies / Permissions | Capabilities |
---|---|---|
MDCContainersImageAssessmentRole | AmazonEC2ContainerRegistryReadOnly; AmazonElasticContainerRegistryPublicReadOnly | Agentless container vulnerability assessment. |
MDCContainersAgentlessDiscoveryK8sRole | eks:DescribeCluster; eks:UpdateClusterConfig | Agentless discovery of Kubernetes. Updating EKS clusters to support IP restriction. |
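The two AWS tables above give an exact action set and managed-policy set per role and per permission type. The following is an added example (not part of the page or of the Defender for Cloud onboarding script) that statically audits an IAM role's inline policy document and attached managed-policy ARNs against those documented sets, so that an operator can confirm a role still matches the Least Privileged Access table and spot over-broad grants such as `eks:*`. It assumes the policy is available as a JSON document of the kind returned by `aws iam get-role-policy` and `aws iam list-attached-role-policies`; it evaluates only Allow statements and ignores Deny statements, conditions and resource scoping. The sample policy documents are constructed for the example.

```python
"""Audit an AWS IAM policy against the MDC Containers action sets documented above.

Added example, not the Defender for Cloud onboarding script. Only Allow statements
are compared; Deny statements, conditions and Resource scoping are not evaluated.
"""
import fnmatch
import json

# Action sets copied from the "AWS default access" and "AWS least privileged access" tables.
EXPECTED_ACTIONS = {
    "MDCContainersAgentlessDiscoveryK8sRole": {
        "default": {
            "eks:DescribeCluster", "eks:UpdateClusterConfig", "eks:CreateAccessEntry",
            "eks:ListAccessEntries", "eks:AssociateAccessPolicy", "eks:ListAssociatedAccessPolicies",
        },
        "least_privileged": {"eks:DescribeCluster", "eks:UpdateClusterConfig"},
    },
}

# Managed policy names copied from the same tables for the image assessment role.
EXPECTED_MANAGED_POLICIES = {
    "MDCContainersImageAssessmentRole": {
        "default": {"AmazonEC2ContainerRegistryPowerUser",
                    "AmazonElasticContainerRegistryPublicPowerUser"},
        "least_privileged": {"AmazonEC2ContainerRegistryReadOnly",
                             "AmazonElasticContainerRegistryPublicReadOnly"},
    },
}


def _as_list(value):
    """IAM accepts a string or a list for Statement and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy_doc):
    """Return every action string that appears in an Allow statement."""
    actions = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_inline_policy(policy_doc, role_name, mode):
    """Compare an inline policy with the documented action set for role_name/mode.

    missing:   documented actions that no granted action or pattern covers
    extra:     granted actions not in the table, plus any wildcard pattern
    wildcards: patterns such as 'eks:*' that over-grant relative to the table
    """
    expected = EXPECTED_ACTIONS[role_name][mode]
    granted = allowed_actions(policy_doc)
    covered = {e for e in expected if any(_matches(g, e) for g in granted)}
    wildcards = {g for g in granted if "*" in g or "?" in g}
    expected_lower = {e.lower() for e in expected}
    extra = wildcards | {g for g in granted if g.lower() not in expected_lower}
    return {"missing": sorted(expected - covered),
            "extra": sorted(extra),
            "wildcards": sorted(wildcards)}


def audit_attached_policies(policy_arns, role_name, mode):
    """Compare attached managed-policy ARNs with the documented policy names."""
    expected = EXPECTED_MANAGED_POLICIES[role_name][mode]
    attached = {arn.rsplit("/", 1)[-1] for arn in policy_arns}
    return {"missing": sorted(expected - attached), "extra": sorted(attached - expected)}


# Constructed sample documents for the example (not captured from a real account).
SAMPLE_LEAST_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["eks:DescribeCluster", "eks:UpdateClusterConfig"],
                   "Resource": "*"}],
}
SAMPLE_OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "eks:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "eks:DeleteCluster", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    role = "MDCContainersAgentlessDiscoveryK8sRole"
    print(json.dumps(audit_inline_policy(SAMPLE_LEAST_PRIVILEGED, role, "least_privileged")))
    print(json.dumps(audit_inline_policy(SAMPLE_LEAST_PRIVILEGED, role, "default")))
    print(json.dumps(audit_inline_policy(SAMPLE_OVERBROAD, role, "least_privileged")))
    print(json.dumps(audit_attached_policies(
        ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
         "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"],
        "MDCContainersImageAssessmentRole", "least_privileged")))
```

Because a pattern such as `eks:*` covers every documented action, it never shows up as "missing"; it is reported under "wildcards" and "extra" instead, which is the signal that a role has drifted from the table even though it still works. A policy audited against the least-privileged set that reports an empty result for all three keys matches the table exactly.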
GCP default access
Service Account Name | Associated Roles / Permissions | Capabilities |
---|---|---|
mdc-containers-artifact-assess | Roles/storage.objectUser; Roles/artifactregistry.writer | Agentless container vulnerability assessment. |
mdc-containers-k8s-operator | Roles/container.viewer; custom role MDCGkeClusterWriteRole with permission container.clusters.update | Agentless discovery of Kubernetes. Updating GKE clusters to support IP restriction. |
GCP least privileged access
Service Account Name | Associated Roles / Permissions | Current Capabilities |
---|---|---|
mdc-containers-artifact-assess | Roles/artifactregistry.reader; Roles/storage.objectViewer | Agentless container vulnerability assessment. |
mdc-containers-k8s-operator | Roles/container.viewer; custom role MDCGkeClusterWriteRole with permission container.clusters.update | Agentless discovery of Kubernetes. Updating GKE clusters to support IP restriction. |