L15. Defender for Cloud: CSPM and CWP Fundamentals
Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across Azure, AWS, and GCP. This lesson covers the free versus paid tiers, CSPM capabilities, and multi-cloud architecture for the SC-200 exam.
What Is Defender for Cloud?
Microsoft Defender for Cloud is a Cloud-Native Application Protection Platform (CNAPP) that combines:
- CSPM (Cloud Security Posture Management): Continuous assessment of security configuration
- CWP (Cloud Workload Protection): Runtime threat detection for cloud resources
It covers Azure natively and extends to AWS and GCP through multi-cloud connectors.
Free vs Paid Tiers
Defender for Cloud offers two tiers:
| Capability | Free (Foundational CSPM) | Paid (Defender Plans) |
|---|---|---|
| Security recommendations | Yes | Yes |
| Secure Score | Yes | Yes |
| Azure security benchmark | Yes | Yes |
| Asset inventory | Yes | Yes |
| Workload protection | No | Yes (per plan) |
| Advanced threat detection | No | Yes |
| Vulnerability scanning | No | Yes |
| Regulatory compliance | Limited | Full |
| Attack path analysis | No | Yes (Defender CSPM) |
| Cloud security graph | No | Yes (Defender CSPM) |
Defender CSPM (Paid)
The paid Defender CSPM plan adds:
- Attack path analysis: Visualizes exploitable paths from internet exposure to sensitive data
- Cloud security graph: Queries relationships between resources, identities, and configurations
- Agentless scanning: Discovers vulnerabilities and secrets without installing agents
- Data-aware security posture: Classifies sensitive data in storage and databases
- Governance rules: Assign remediation owners with deadlines
Attack path analysis is one of the most exam-relevant features. It identifies combinations of misconfigurations that create exploitable attack chains (e.g., an internet-facing VM with a known vulnerability that has access to a storage account containing sensitive data).
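To make the idea concrete, here is an added example (not Microsoft's code or the lesson's own material) that models a miniature cloud security graph and finds attack paths the way the text describes: entry points are internet-exposed compute with a known vulnerability, and the target is any resource holding sensitive data. The inventory and relationships are constructed sample data, and the attribute names (`internet_exposed`, `vulnerable`, `sensitive_data`) are assumptions chosen for the illustration, not Defender CSPM's real schema.

```python
from collections import deque

# Constructed sample inventory (not real tenant data). Attribute names are
# illustrative assumptions, not Defender CSPM's actual graph schema.
RESOURCES = {
    "vm-web01":    {"type": "vm", "internet_exposed": True,  "vulnerable": True},
    "vm-app02":    {"type": "vm", "internet_exposed": False, "vulnerable": True},
    "mi-web01":    {"type": "identity"},
    "st-customer": {"type": "storage", "sensitive_data": True},
    "st-logs":     {"type": "storage", "sensitive_data": False},
}

# Directed relationships: (source, relationship, target)
EDGES = [
    ("vm-web01", "runs_as", "mi-web01"),
    ("mi-web01", "can_read", "st-customer"),
    ("vm-app02", "can_read", "st-logs"),
]


def find_attack_paths(resources, edges):
    """Return every path from an internet-exposed, vulnerable compute node
    to a node that holds sensitive data. Each path is a list of node names."""
    adjacency = {}
    for src, _rel, dst in edges:
        adjacency.setdefault(src, []).append(dst)

    # Entry points: only the combination of exposure AND vulnerability counts,
    # which is why vm-app02 (vulnerable but internal) is not an entry point.
    entry_points = [
        name for name, attrs in resources.items()
        if attrs.get("internet_exposed") and attrs.get("vulnerable")
    ]

    paths = []
    for start in entry_points:
        queue = deque([[start]])          # breadth-first search over partial paths
        while queue:
            path = queue.popleft()
            node = path[-1]
            if resources[node].get("sensitive_data") and len(path) > 1:
                paths.append(path)        # reached sensitive data: record the chain
                continue
            for nxt in adjacency.get(node, []):
                if nxt not in path:       # skip cycles in the graph
                    queue.append(path + [nxt])
    return paths


if __name__ == "__main__":
    for path in find_attack_paths(RESOURCES, EDGES):
        print(" -> ".join(path))          # prints: vm-web01 -> mi-web01 -> st-customer
```

Every node on a returned path is a remediation candidate: patching or isolating the VM, or trimming the identity's read permission on the storage account, each break the chain on its own, which is the reasoning behind prioritising these recommendations.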
Multi-Cloud Architecture
Defender for Cloud extends to AWS and GCP.
AWS integration:
- Uses an AWS connector configured through CloudFormation or Terraform
- Deploys an IAM role for read access to AWS configuration
- Supports CSPM assessments and Defender plans for AWS workloads
GCP integration:
- Uses a GCP connector configured through a service account
- Supports CSPM assessments and Defender plans for GCP workloads
Both cloud providers support:
- Security recommendations (mapped to Microsoft Cloud Security Benchmark)
- Workload protection (Servers, Containers, Databases)
- Regulatory compliance assessments
Defender Plans Overview
Individual Defender plans protect specific workload types:
| Plan | Protects |
|---|---|
| Defender for Servers | Windows and Linux VMs (Azure, AWS, GCP, on-premises) |
| Defender for Containers | AKS, EKS, GKE clusters and container registries |
| Defender for Databases | Azure SQL, Cosmos DB, open-source databases |
| Defender for Storage | Blob, File, Data Lake storage accounts |
| Defender for App Service | Azure App Service web applications |
| Defender for Key Vault | Azure Key Vault operations |
| Defender for Resource Manager | Azure management layer operations |
| Defender for DNS | Azure DNS query anomalies |
| Defender for APIs | API security posture and threat detection |
Architecture Pillars
Defender for Cloud operates on three pillars:
- Assess: Continuously evaluate security posture
- Secure: Harden resources with recommendations
- Defend: Detect and respond to threats in real time
- ✓ Foundational CSPM (free) provides security recommendations and Secure Score for all Azure subscriptions.
- ✓ Defender CSPM (paid) adds attack path analysis, cloud security graph, agentless scanning, and governance rules.
- ✓ Attack path analysis identifies exploitable chains combining misconfigurations, vulnerabilities, and data exposure.
- ✓ Multi-cloud support covers AWS (CloudFormation connector) and GCP (service account connector).
- ✓ Each Defender plan is enabled independently per subscription and billed per resource.
- ✓ Agentless scanning discovers vulnerabilities and secrets without installing agents on VMs.
1. Which Defender for Cloud capability is available in the free Foundational CSPM tier?
2. An organization wants to connect their AWS environment to Defender for Cloud. What deployment mechanism is used?
3. What does attack path analysis in Defender CSPM identify?