5.2.3. Multi-Cloud and Hybrid Security (AWS, GCP)
💡 First Principle: Defender for Cloud extends posture management and workload protection beyond Azure to AWS, GCP, and on-premises machines (the latter onboarded through Azure Arc). Consistent security across providers requires a "single pane of glass" that applies the same posture assessment and threat detection to every environment rather than a separate toolset per cloud.
Supported Environments
| Environment | Support |
|---|---|
| Azure | Full native support |
| AWS | Connect via the AWS connector in Environment settings (onboarding deploys a CloudFormation template that creates the IAM roles Defender for Cloud assumes); enables CSPM plus the Servers, Containers and Databases plans |
| GCP | Connect via the GCP connector in Environment settings (onboarding script sets up workload identity federation and the required service accounts); enables CSPM plus the Servers, Containers and Databases plans |
| Azure DevOps | DevOps security connector |
| GitHub | DevOps security connector |
| GitLab | DevOps security connector |
| Alibaba Cloud | Not supported |
| Oracle Cloud | Not supported |
Cloud Infrastructure Entitlement Management (CIEM)
💡 First Principle: In multi-cloud environments, identities are the most frequent vector for lateral movement. CIEM focuses on managing the "identity explosion" by discovering all identities across Azure, AWS, and GCP and enforcing the principle of least privilege through automated permissions analysis.
Why CIEM Matters: As organizations scale across clouds, the gap between granted permissions and used permissions (Permissions Creep) grows. CIEM detects this delta and provides remediation steps to remove unused high-risk entitlements.
| Feature | Pre-2026 Approach | 2026 Update (Current Exam Focus) |
|---|---|---|
| Detection Trigger | Based primarily on sign-in activity | Based on unused role assignments and API usage |
| Lookback Window | Typically 30-60 days | Extended to 90 days for higher accuracy |
| Cross-Cloud Scope | Siloed reporting | Unified visibility across AWS IAM, GCP IAM, and Entra ID |
Scenario: An AWS IAM role used by a workload has the AdministratorAccess managed policy attached but has not performed an administrative action in 100 days, which is beyond the 90-day lookback window. CIEM flags this as a "high-risk unused entitlement" and recommends replacing the policy with one scoped to the actions the role actually performed.
Multi-Cloud CIEM Architecture
Multi-Cloud Policy Enforcement
Multi-cloud security isn't just about detection; it's about enforcing a consistent security posture across providers.
- Unified Visibility: Defender for Cloud assesses Azure, AWS and GCP resources against the Microsoft cloud security benchmark (MCSB) and folds the resulting recommendations into a single Secure Score. Provider-specific standards such as AWS Foundational Security Best Practices and the CIS benchmarks for AWS and GCP can be added in the Regulatory compliance dashboard, so one view shows both the cross-cloud score and per-provider compliance.
- Cross-Cloud Posture Comparison: The same high-level control (for example, no public read access, encryption at rest) is evaluated against an S3 bucket in AWS and a Blob container in Azure, so findings are comparable across providers even though the underlying settings differ.
- Common Misconfigurations per Platform:
- Azure: Storage Accounts that allow public blob access, or NSG rules that expose management ports (22/3389) to any source.
- AWS: S3 buckets with public "Read" access or overly permissive IAM trust policies.
- GCP: Default Service Accounts with "Editor" roles or broad VPC firewall rules.
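Below is an added example, not Defender for Cloud code, of how the cross-cloud comparison and per-platform misconfigurations above reduce to a common rule set. Each adapter maps a provider-specific record onto one normalized schema, and four provider-agnostic rules (public object storage, storage not encrypted at rest, ingress from anywhere, a default service account holding a privileged role) run over the whole inventory. The record field names are assumptions that only loosely mirror each provider's real API output, and every resource is a constructed sample.

```python
"""
Illustrative cross-cloud posture normalization (added example, not Defender
for Cloud code). Provider records are mapped onto a common schema and then
checked by provider-agnostic rules, which is what makes "an S3 bucket versus
a Blob container" a like-for-like comparison.
"""
from dataclasses import dataclass, field


@dataclass
class Normalized:
    provider: str
    kind: str                       # "object-storage", "network-rule", "identity-binding"
    name: str
    public: bool = False
    encrypted_at_rest: bool = True
    open_ports_from_any: list[str] = field(default_factory=list)
    privileged_default_identity: bool = False


# --- provider adapters (field names are assumed, simplified shapes) ----------

def from_azure_storage(acct: dict) -> Normalized:
    # Azure Storage is always encrypted at rest; the flag is kept so the rule
    # set stays uniform. Public exposure hinges on allowBlobPublicAccess.
    return Normalized("azure", "object-storage", acct["name"],
                      public=bool(acct.get("allowBlobPublicAccess", False)),
                      encrypted_at_rest=True)


def from_aws_s3(bucket: dict) -> Normalized:
    # Public only if the account/bucket public-access block is off AND an
    # ACL grant gives AllUsers READ; the block neutralises such grants.
    block = bucket.get("PublicAccessBlock", {})
    blocked = all(block.get(k, False) for k in ("BlockPublicAcls", "BlockPublicPolicy"))
    public_grant = any(g.get("Grantee") == "AllUsers" and g.get("Permission") == "READ"
                       for g in bucket.get("Grants", []))
    return Normalized("aws", "object-storage", bucket["Name"],
                      public=(not blocked) and public_grant,
                      encrypted_at_rest=bool(bucket.get("ServerSideEncryption")))


def from_gcp_firewall(rule: dict) -> Normalized:
    ports = [f"{a['IPProtocol']}:{p}"
             for a in rule.get("allowed", []) for p in a.get("ports", ["*"])]
    from_any = "0.0.0.0/0" in rule.get("sourceRanges", [])
    ingress = rule.get("direction", "INGRESS") == "INGRESS"
    return Normalized("gcp", "network-rule", rule["name"],
                      open_ports_from_any=ports if (from_any and ingress) else [])


def from_gcp_iam_binding(binding: dict) -> Normalized:
    # The Compute Engine default service account is PROJECT_NUMBER-compute@developer.gserviceaccount.com
    default_sa = binding["member"].endswith("-compute@developer.gserviceaccount.com")
    return Normalized("gcp", "identity-binding", binding["member"],
                      privileged_default_identity=default_sa
                      and binding["role"] in ("roles/editor", "roles/owner"))


# --- provider-agnostic rules -------------------------------------------------

def assess(resources: list[Normalized]) -> list[tuple[str, str, str]]:
    """Return (provider, resource, finding) for every failed rule."""
    findings = []
    for r in resources:
        if r.kind == "object-storage" and r.public:
            findings.append((r.provider, r.name, "public read access to object storage"))
        if r.kind == "object-storage" and not r.encrypted_at_rest:
            findings.append((r.provider, r.name, "object storage not encrypted at rest"))
        if r.kind == "network-rule" and r.open_ports_from_any:
            findings.append((r.provider, r.name,
                             "ingress from 0.0.0.0/0 on " + ", ".join(r.open_ports_from_any)))
        if r.kind == "identity-binding" and r.privileged_default_identity:
            findings.append((r.provider, r.name, "default service account holds a privileged role"))
    return findings


# Constructed sample inventory.
SAMPLE = [
    from_azure_storage({"name": "stlogsprod", "allowBlobPublicAccess": True}),
    from_aws_s3({"Name": "backups-prod",
                 "PublicAccessBlock": {"BlockPublicAcls": False, "BlockPublicPolicy": False},
                 "Grants": [{"Grantee": "AllUsers", "Permission": "READ"}],
                 "ServerSideEncryption": None}),
    from_aws_s3({"Name": "locked-down",
                 "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": True},
                 "Grants": [{"Grantee": "AllUsers", "Permission": "READ"}],  # neutralised by the block
                 "ServerSideEncryption": "aws:kms"}),
    from_gcp_firewall({"name": "allow-ssh-any", "direction": "INGRESS",
                       "sourceRanges": ["0.0.0.0/0"],
                       "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}),
    from_gcp_iam_binding({"member": "serviceAccount:123456789-compute@developer.gserviceaccount.com",
                          "role": "roles/editor"}),
]

if __name__ == "__main__":
    for provider, name, text in assess(SAMPLE):
        print(f"{provider:5} {name:40} {text}")
```

The point to notice is the `locked-down` bucket: its ACL still carries an AllUsers READ grant, yet it produces no finding because the public-access block overrides it. A normalizer that only looked at ACLs would report a false positive on AWS while the equivalent Azure check would not, which is exactly the kind of inconsistency a unified posture layer has to absorb.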
⚠️ Exam Trap: Relying solely on each provider's native tooling (AWS Config, GCP Security Command Center) for a multi-cloud strategy creates "security silos" in which no single view of organizational risk exists. Defender for Cloud is the tool that centralizes these findings, and exam questions that describe a multi-cloud estate with fragmented visibility are pointing at it.