Ensure that Defender for Containers security components are automatically provisioned for your Azure containers using Microsoft Defender for Cloud in order to monitor, improve, and maintain the security of your containers and their applications. The components currently available for your containers are the Defender DaemonSet, a component required for the runtime protection and security capabilities provided by Defender for Containers, and Azure Policy for Kubernetes, a security component required to enforce organizational standards and implement compliance at scale for Azure Kubernetes Service (AKS) clusters.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
To protect against threats and vulnerabilities and ensure safe and secure operations for your Azure containers, the components provided by Microsoft Defender for Containers can assist you with vulnerability assessment, runtime threat protection for container resources, and overall security hardening for container environments.
Note: To use the automatic provisioning of security components, Microsoft Defender for Cloud must be enabled for your container resources at the account/subscription level.
Audit
To determine if the automatic provisioning of Microsoft Defender for Containers components is enabled in your Azure account, perform the following operations:
Note: Getting the configuration status for the automatic provisioning feature in Microsoft Defender for Cloud using Azure CLI/PowerShell is not currently supported.
Remediation / Resolution
To ensure that all the Microsoft Defender for Containers components are enabled for your Azure containers, perform the following operations:
Note: Enabling the automatic provisioning of the Defender for Containers components using Azure CLI/PowerShell is not currently supported.
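As an added example that is not part of the Conformity rule or Microsoft's tooling, the following Python script checks each AKS cluster for the two components described above (the Defender DaemonSet and the Azure Policy for Kubernetes add-on) by reading the per-cluster fields returned by `az aks list`; it inspects cluster state, not the subscription-level auto-provisioning toggle that the notes above say has no CLI/PowerShell interface. The field paths `securityProfile.defender.securityMonitoring.enabled` and `addonProfiles.azurepolicy.enabled`, and the sample cluster records, are assumptions made for this example.

```python
import json
import subprocess
from typing import Any

# Assumed AKS resource field names (as exposed by `az aks list` / `az aks show`):
# the Defender profile under securityProfile.defender, the Azure Policy add-on
# under addonProfiles.azurepolicy. Verify against your subscription's output.
DEFENDER_PATH = "securityProfile.defender.securityMonitoring.enabled"
POLICY_PATH = "addonProfiles.azurepolicy.enabled"


def _get(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; a missing or null level yields None."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def evaluate_cluster(cluster: dict) -> dict:
    """Report which Defender for Containers components a single cluster lacks."""
    missing = []
    if _get(cluster, DEFENDER_PATH) is not True:
        missing.append("Defender DaemonSet (securityProfile.defender)")
    if _get(cluster, POLICY_PATH) is not True:
        missing.append("Azure Policy for Kubernetes (addonProfiles.azurepolicy)")
    return {"name": cluster.get("name"), "compliant": not missing, "missing": missing}


def evaluate_clusters(clusters: list) -> list:
    """Evaluate every cluster record and return one finding per cluster."""
    return [evaluate_cluster(c) for c in clusters]


def fetch_clusters() -> list:
    """Pull all AKS clusters in the current subscription (requires `az login`)."""
    proc = subprocess.run(["az", "aks", "list", "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed sample records, not real cluster output: one hardened cluster and
# one with both components absent (defender profile null, add-on disabled).
SAMPLE_CLUSTERS = json.loads("""[
  {"name": "aks-prod", "addonProfiles": {"azurepolicy": {"enabled": true}},
   "securityProfile": {"defender": {"securityMonitoring": {"enabled": true}}}},
  {"name": "aks-dev", "addonProfiles": {"azurepolicy": {"enabled": false}},
   "securityProfile": {"defender": null}}
]""")

if __name__ == "__main__":
    for finding in evaluate_clusters(SAMPLE_CLUSTERS):
        print(finding)
```

Replace `SAMPLE_CLUSTERS` with `fetch_clusters()` to run the same check against a live subscription.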