It sounds like you're encountering an issue with the integration between Microsoft Defender for Cloud and AWS, specifically around the creation of the identity provider and roles/policies at the AWS master account level.
Here are a few things you can try to resolve this issue:
- Verify the CloudFormation StackSet deployment:
  - Ensure that the CloudFormation StackSet was deployed successfully at the master account level.
  - Check the CloudFormation StackSet events and logs for any errors or issues during the deployment.
  - Verify that the StackSet was deployed to the correct AWS Organization and that the master account is part of the target accounts.
- Check the IAM identity provider and roles/policies:
  - Manually check the IAM console in the AWS master account to see if the identity provider and the necessary roles/policies have been created.
  - Ensure that the identity provider is of the correct type (e.g., SAML) and that it's configured correctly.
  - Verify that the roles and policies are named and configured as expected by Defender for Cloud.
- Troubleshoot the StackSet deployment process:
  - Review the AWS CloudFormation documentation on StackSets and ensure that you've followed the correct steps for deploying the StackSet.
  - Check if there are any IAM-related permissions or configurations that might be preventing the StackSet deployment from creating the necessary resources in the master account.
  - Try deploying the StackSet manually in the master account, instead of using the StackSet, to see if the issue is specific to the StackSet deployment process.
- Validate the AWS Organization and member accounts:
  - Ensure that the AWS Organization is configured correctly and that the master account and member accounts are properly set up.
  - Check if the member accounts are properly linked to the master account in the AWS Organization.
  - Verify that the CloudFormation StackSet is being deployed to the correct target accounts, including the master account.
- Engage with AWS and Microsoft support:
  - Continue to work with the Microsoft support team, as they may be able to provide more insights or escalate the issue to the appropriate engineering teams.
  - Reach out to AWS support as well, as they may be able to help troubleshoot any AWS-specific issues or configurations that could be causing the problem.
It's important to note that the identity provider and roles/policies should be created at the master account level, and then propagated to the member accounts through the AWS Organization. If this is not happening as expected, there may be an underlying issue that needs to be addressed.
By following these troubleshooting steps and working closely with both AWS and Microsoft support, you should be able to identify and resolve the issue, allowing Defender for Cloud to successfully monitor your AWS master account and member accounts.
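An added example (not part of the answer above) that turns the first two verification steps into an offline check: given the parsed responses of `aws cloudformation list-stack-instances`, `aws iam list-roles` and `aws iam list-open-id-connect-providers` / `list-saml-providers`, it reports a stale or missing stack instance in the master account, expected roles that are absent, and a missing identity provider. The role name and provider ARN substring are placeholders; the account IDs and responses are constructed sample data.

```python
"""Offline checker for the StackSet / IAM verification steps: stack instance
status in the master account, expected IAM roles, and the identity provider.
Functions take parsed AWS CLI / boto3 responses, so they run on the
constructed sample data below and can be fed live output the same way."""
from __future__ import annotations

# Placeholders (assumptions): take the real names from the Defender for Cloud
# connector onboarding page / the CloudFormation template it generates.
EXPECTED_ROLES = ("DefenderForCloud-ExampleRole",)
PROVIDER_NEEDLE = "sts.windows.net"  # substring expected in the provider ARN


def stack_instance_findings(summaries: list[dict], account_id: str) -> list[str]:
    """summaries = `cloudformation list-stack-instances` -> Summaries."""
    mine = [s for s in summaries if s.get("Account") == account_id]
    if not mine:  # the StackSet never targeted the master account at all
        return [f"no stack instance deployed to account {account_id}"]
    return [f"stack instance {s.get('Region')}: {s.get('Status')} ({s.get('StatusReason') or 'no reason'})"
            for s in mine if s.get("Status") != "CURRENT"]


def missing_roles(roles: list[dict], expected=EXPECTED_ROLES) -> list[str]:
    """roles = `iam list-roles` -> Roles."""
    present = {r["RoleName"] for r in roles}
    return [f"missing IAM role: {n}" for n in expected if n not in present]


def provider_findings(providers: list[dict], needle=PROVIDER_NEEDLE) -> list[str]:
    """providers = OpenIDConnectProviderList or SAMLProviderList (each item has Arn)."""
    return [] if any(needle in p.get("Arn", "") for p in providers) else ["identity provider not found"]


def check_master_account(summaries, roles, providers, account_id) -> list[str]:
    """All findings for one account; an empty list means the three checks passed."""
    return stack_instance_findings(summaries, account_id) + missing_roles(roles) + provider_findings(providers)


# Constructed sample responses (not real accounts): master 111111111111 has a stale
# instance, the expected role is absent and no provider exists; member 222222222222 is fine.
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "OUTDATED", "StatusReason": "User Initiated"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT"},
]
SAMPLE_ROLES = [{"RoleName": "OrganizationAccountAccessRole"}]
SAMPLE_PROVIDERS: list[dict] = []

if __name__ == "__main__":
    for finding in check_master_account(SAMPLE_INSTANCES, SAMPLE_ROLES, SAMPLE_PROVIDERS, "111111111111"):
        print(finding)
```

Run in the master account, the live inputs come from `aws cloudformation list-stack-instances --stack-set-name <name>`, `aws iam list-roles` and `aws iam list-open-id-connect-providers` (or `list-saml-providers`), each piped through `json.load`.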