Microsoft Defender for Cloud | Environment settings

Question

Microsoft Defender for Cloud | Environment settings

tshering tashi 0

i have enabled the server plan 2. how to select specific AWS instance.rightnow it have by default selected all

VEMULA SRISAI 3,500 Reputation points Microsoft External Staff Moderator

2025-12-03T13:59:34.53+00:00
Hello tshering tashi ,

To apply Microsoft Defender for Servers Plan 2 only to selected AWS EC2 instances:

Plan 2 is enabled at the AWS account (connector) level, not per instance. You can’t turn it on for just one EC2 directly.

Use targeting and exclusions to control which instances get onboarded and billed:

Enable Plan 2: Go to Defender for Cloud → Environment Settings → AWS account and ensure Servers = On (Plan 2).

Target specific EC2s:

Navigate to Defender for Servers → Settings & Monitoring → Auto-provisioning.
- Configure tag-based filters (e.g., `DefenderOn=true` to include, `DefenderOff=true` to exclude). 1. Agentless scanning exclusions: Add tags or identifiers for EC2s you don’t want scanned.

Disable for individual resources: In Inventory, filter for AWS EC2, select the instance, and choose Disable Defender for Servers.

Best practice: Maintain a consistent tag schema in AWS for security scope and verify coverage using the Inventory Coverage workbook in Defender for Cloud.

For your reference:

https://v4.hkg1.meaqua.org/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan
VEMULA SRISAI 3,500 Reputation points Microsoft External Staff Moderator

2025-12-06T09:53:18.6466667+00:00

tshering tashi I’m following up on my previous comment as I haven’t received a response. Please let me know if you need any additional information or assistance from my side.

1 answer

Your answer

VEMULA SRISAI 3,500 Reputation points Microsoft External Staff Moderator

2025-12-03T13:59:34.53+00:00

Hello tshering tashi ,

To apply Microsoft Defender for Servers Plan 2 only to selected AWS EC2 instances:

Plan 2 is enabled at the AWS account (connector) level, not per instance. You can’t turn it on for just one EC2 directly.

Use targeting and exclusions to control which instances get onboarded and billed:

Enable Plan 2: Go to Defender for Cloud → Environment Settings → AWS account and ensure Servers = On (Plan 2).

Target specific EC2s:

Navigate to Defender for Servers → Settings & Monitoring → Auto-provisioning.
- Configure tag-based filters (e.g., `DefenderOn=true` to include, `DefenderOff=true` to exclude). 1. Agentless scanning exclusions: Add tags or identifiers for EC2s you don’t want scanned.

Disable for individual resources: In Inventory, filter for AWS EC2, select the instance, and choose Disable Defender for Servers.

Best practice: Maintain a consistent tag schema in AWS for security scope and verify coverage using the Inventory Coverage workbook in Defender for Cloud.

For your reference:

https://v4.hkg1.meaqua.org/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan
VEMULA SRISAI 3,500 Reputation points Microsoft External Staff Moderator

2025-12-06T09:53:18.6466667+00:00

tshering tashi I’m following up on my previous comment as I haven’t received a response. Please let me know if you need any additional information or assistance from my side.

Answer 1

Follow https://v4.hkg1.meaqua.org/en-us/azure/defender-for-cloud/quickstart-onboard-aws?tabs=Defender-for-Containers

Deploy a CloudFormation template to your AWS account

As part of connecting an AWS account to Microsoft Defender for Cloud, you deploy a CloudFormation template to the AWS account. This template creates all of the required resources for the connection.

Deploy the CloudFormation template by using Stack (or StackSet if you have a management account). When you're deploying the template, the Stack creation wizard offers the following options.

Amazon S3 URL: Upload the downloaded CloudFormation template to your own S3 bucket with your own security configurations. Enter the URL to the S3 bucket in the AWS deployment wizard.

Upload a template file: AWS automatically creates an S3 bucket that the CloudFormation template is saved to. The automation for the S3 bucket has a security misconfiguration that causes the S3 buckets should require requests to use Secure Socket Layer recommendation to appear. You can remediate this recommendation by applying the following policy:

Bash

{ 
  "Id": "ExamplePolicy", 
  "Version": "2012-10-17", 
  "Statement": [ 
    { 
      "Sid": "AllowSSLRequestsOnly", 
      "Action": "s3:*", 
      "Effect": "Deny", 
      "Resource": [ 
        "<S3_Bucket ARN>", 
        "<S3_Bucket ARN>/*" 
      ], 
      "Condition": { 
        "Bool": { 
          "aws:SecureTransport": "false" 
        } 
      }, 
      "Principal": "*" 
    } 
  ] 
}

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Microsoft Defender for Cloud | Environment settings

1 answer

Your answer