When connecting an Amazon Web Services (AWS) account to Microsoft Defender for Cloud using the native cloud connector, the very first requirement is to let Defender for Cloud access AWS resources securely. According to the official Microsoft Defender for Cloud documentation, this is accomplished by creating an AWS Identity and Access Management (IAM) role that grants Defender for Cloud the permissions it needs to read configuration and security data from the AWS environment.
Here’s the detailed process based on Microsoft documentation:
1️⃣ Create an IAM Role in AWS:
In the AWS console, you create an IAM role that establishes a trust relationship with Microsoft Defender for Cloud’s AWS connector. The trust policy names the Microsoft-owned AWS account as the principal allowed to call sts:AssumeRole, and it requires an external ID (your Azure tenant ID) so that only Defender for Cloud acting on behalf of your tenant can assume the role. That external ID condition is the check that prevents a confused-deputy scenario in which a different tenant trusting the same Microsoft account could be pointed at your role.
2️⃣ Attach the Required Policies:
The IAM role is then granted read-only permissions by attaching the policies from the Microsoft-provided template. This read-only access is what allows Defender for Cloud to assess AWS resources, collect security configuration data, and generate security recommendations without being able to change anything in the account.
3️⃣ Connect the AWS Account in Defender for Cloud:
After the IAM role is in place, you return to Azure and complete the connector setup by providing the Role ARN (Amazon Resource Name). Defender for Cloud then assumes this role to continuously monitor and assess the AWS environment.
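The three steps above, as an added example (this is not Microsoft’s CloudFormation template or documentation code): it builds the trust policy for the connector role, checks a trust policy for the two weaknesses a reviewer should look for (a wildcard principal and a missing sts:ExternalId condition), and produces the Role ARN that is pasted into the connector in step 3. The account ID, tenant ID and role name are constructed placeholders; in a real deployment the trusted account ID and external ID are the values the Defender for Cloud connector wizard shows you. The `create_role` helper, which performs steps 1 and 2 against a live account with boto3, assumes AWS’s managed `SecurityAudit` policy as the read-only policy and is not exercised by the offline checks.

```python
"""Build and sanity-check the IAM trust policy for a Defender for Cloud AWS connector role.

Added example, not Microsoft's template. All identifiers below are placeholders.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """Normalize an IAM policy field that may be a scalar, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the connector role (step 1).

    Only principals in `trusted_account_id` (the Microsoft-owned AWS account shown in
    the connector wizard) may assume the role, and only when they present
    `external_id` (your Azure tenant ID). The ExternalId condition is the
    confused-deputy guard: a different tenant trusting the same Microsoft account
    cannot have your role assumed on its behalf.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, expected_account_id: str, expected_external_id: str) -> list[str]:
    """Return findings for an existing trust policy; an empty list means it is as tight as expected."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif f":{expected_account_id}:" not in str(p):
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {})
        ext_ids = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id not in ext_ids:
            findings.append("sts:ExternalId does not match the Azure tenant ID")
    return findings


def role_arn(aws_account_id: str, role_name: str) -> str:
    """The Role ARN value pasted into the Defender for Cloud connector (step 3)."""
    return f"arn:aws:iam::{aws_account_id}:role/{role_name}"


def create_role(role_name: str, trusted_account_id: str, external_id: str,
                read_only_policy_arn: str = "arn:aws:iam::aws:policy/SecurityAudit") -> str:
    """Steps 1 and 2 against a real account. Needs boto3 and AWS credentials; not run offline.

    The read-only policy ARN is an assumption for this example, not taken from Microsoft's template.
    """
    import boto3  # imported lazily so the offline checks above do not need it
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(build_trust_policy(trusted_account_id, external_id)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=read_only_policy_arn)
    return iam.get_role(RoleName=role_name)["Role"]["Arn"]


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    trusted_account = "111122223333"                       # placeholder for the Microsoft-owned account
    tenant_id = "00000000-0000-0000-0000-000000000000"     # placeholder Azure tenant ID
    good = build_trust_policy(trusted_account, tenant_id)
    print(json.dumps(good, indent=2))
    print("findings (expected none):", check_trust_policy(good, trusted_account, tenant_id))

    # A trust policy someone might hand-write: anyone can assume it, no external ID required.
    weak = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print("findings for weak policy:", check_trust_policy(weak, trusted_account, tenant_id))
    print("paste into the connector:", role_arn("123456789012", "DefenderForCloud-Cspm"))
```

Run `check_trust_policy` against the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` before pasting the ARN into Azure; a finding about the external ID means the role can be assumed by any principal in the trusted account regardless of which tenant it is working for.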
Options such as creating an AWS user or configuring AWS Security Hub are later integration or enhancement steps, not the first action in setting up the native connector. Deploying the SSM agent is only required for enabling Defender for Servers on AWS EC2 instances, not for the initial connector setup.
✅ Therefore, the correct answer is B. Create an Access control (IAM) role for Defender for Cloud.