The azure-native:security:SecurityConnector resource, part of the Pulumi Azure Native provider, bridges Azure Defender for Cloud with external cloud accounts to enable unified security monitoring across AWS and GCP. This guide focuses on one capability: AWS account integration.
Security connectors require an Azure resource group and an IAM role in the target cloud account with appropriate trust relationships. The example is intentionally minimal. Extend it with additional offerings like DefenderForContainers or DefenderForServers for comprehensive protection.
Connect AWS accounts for security monitoring
Organizations running workloads across Azure and AWS need unified security posture management. Security connectors enable centralized compliance scanning and threat detection from Azure Defender for Cloud.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const securityConnector = new azure_native.security.SecurityConnector("securityConnector", {
environmentData: {
environmentType: "AwsAccount",
scanInterval: 4,
},
environmentName: azure_native.security.CloudName.AWS,
hierarchyIdentifier: "exampleHierarchyId",
location: "Central US",
offerings: [{
nativeCloudConnection: {
cloudRoleArn: "arn:aws:iam::00000000:role/ASCMonitor",
},
offeringType: "CspmMonitorAws",
}],
resourceGroupName: "exampleResourceGroup",
securityConnectorName: "exampleSecurityConnectorName",
tags: {},
});
import pulumi
import pulumi_azure_native as azure_native
security_connector = azure_native.security.SecurityConnector("securityConnector",
environment_data={
"environment_type": "AwsAccount",
"scan_interval": 4,
},
environment_name=azure_native.security.CloudName.AWS,
hierarchy_identifier="exampleHierarchyId",
location="Central US",
offerings=[{
"native_cloud_connection": {
"cloud_role_arn": "arn:aws:iam::00000000:role/ASCMonitor",
},
"offering_type": "CspmMonitorAws",
}],
resource_group_name="exampleResourceGroup",
security_connector_name="exampleSecurityConnectorName",
tags={})
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := security.NewSecurityConnector(ctx, "securityConnector", &security.SecurityConnectorArgs{
EnvironmentData: &security.AwsEnvironmentDataArgs{
EnvironmentType: pulumi.String("AwsAccount"),
ScanInterval: pulumi.Float64(4),
},
EnvironmentName: pulumi.String(security.CloudNameAWS),
HierarchyIdentifier: pulumi.String("exampleHierarchyId"),
Location: pulumi.String("Central US"),
Offerings: pulumi.Array{
security.CspmMonitorAwsOffering{
NativeCloudConnection: security.CspmMonitorAwsOfferingNativeCloudConnection{
CloudRoleArn: "arn:aws:iam::00000000:role/ASCMonitor",
},
OfferingType: "CspmMonitorAws",
},
},
ResourceGroupName: pulumi.String("exampleResourceGroup"),
SecurityConnectorName: pulumi.String("exampleSecurityConnectorName"),
Tags: pulumi.StringMap{},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var securityConnector = new AzureNative.Security.SecurityConnector("securityConnector", new()
{
EnvironmentData = new AzureNative.Security.Inputs.AwsEnvironmentDataArgs
{
EnvironmentType = "AwsAccount",
ScanInterval = 4,
},
EnvironmentName = AzureNative.Security.CloudName.AWS,
HierarchyIdentifier = "exampleHierarchyId",
Location = "Central US",
Offerings = new[]
{
new AzureNative.Security.Inputs.CspmMonitorAwsOfferingArgs
{
NativeCloudConnection = new AzureNative.Security.Inputs.CspmMonitorAwsOfferingNativeCloudConnectionArgs
{
CloudRoleArn = "arn:aws:iam::00000000:role/ASCMonitor",
},
OfferingType = "CspmMonitorAws",
},
},
ResourceGroupName = "exampleResourceGroup",
SecurityConnectorName = "exampleSecurityConnectorName",
Tags = null,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.SecurityConnector;
import com.pulumi.azurenative.security.SecurityConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var securityConnector = new SecurityConnector("securityConnector", SecurityConnectorArgs.builder()
.environmentData(AwsEnvironmentDataArgs.builder()
.environmentType("AwsAccount")
.scanInterval(4.0)
.build())
.environmentName("AWS")
.hierarchyIdentifier("exampleHierarchyId")
.location("Central US")
.offerings(CspmMonitorAwsOfferingArgs.builder()
.nativeCloudConnection(CspmMonitorAwsOfferingNativeCloudConnectionArgs.builder()
.cloudRoleArn("arn:aws:iam::00000000:role/ASCMonitor")
.build())
.offeringType("CspmMonitorAws")
.build())
.resourceGroupName("exampleResourceGroup")
.securityConnectorName("exampleSecurityConnectorName")
.tags(Map.ofEntries(
))
.build());
}
}
resources:
securityConnector:
type: azure-native:security:SecurityConnector
properties:
environmentData:
environmentType: AwsAccount
scanInterval: 4
environmentName: AWS
hierarchyIdentifier: exampleHierarchyId
location: Central US
offerings:
- nativeCloudConnection:
cloudRoleArn: arn:aws:iam::00000000:role/ASCMonitor
offeringType: CspmMonitorAws
resourceGroupName: exampleResourceGroup
securityConnectorName: exampleSecurityConnectorName
tags: {}
The environmentData property specifies the cloud type (AwsAccount) and scan frequency. The offerings array defines which security capabilities to enable; here, CspmMonitorAws provides cloud security posture management. The cloudRoleArn points to an IAM role in your AWS account that grants Azure permission to scan resources. The hierarchyIdentifier tracks the AWS account ID for organizational reporting.
Beyond these examples
This snippet focuses on AWS account integration with Azure security monitoring. It’s intentionally minimal rather than a full multi-cloud security deployment.
The example requires pre-existing infrastructure such as an Azure resource group and an AWS IAM role with trust relationship to Azure. It focuses on connector configuration rather than provisioning the surrounding infrastructure.
To keep things focused, common connector patterns are omitted, including:
- GCP connector configuration (environmentType: GcpProject)
- Multiple offerings (DefenderForContainers, DefenderForServers)
- Custom scan intervals and scheduling
- Tag-based organization and cost tracking
These omissions are intentional: the goal is to illustrate how the security connector is wired, not provide a drop-in multi-cloud security module. See the SecurityConnector resource reference for all available configuration options.
Let's configure Azure Security Connectors
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
environmentData with environmentType set to AwsAccount, set environmentName to AWS, provide your AWS account ID as hierarchyIdentifier, and include offerings like CspmMonitorAws with the appropriate cloudRoleArn (e.g., arn:aws:iam::00000000:role/ASCMonitor).offerings array accepts security offerings like CspmMonitorAws, which requires a nativeCloudConnection with cloudRoleArn pointing to your IAM role.scanInterval property in environmentData controls scanning frequency. The example shows a value of 4, though the schema doesn’t specify the unit.Multi-Cloud Support
environmentName property, with cloud-specific configuration in environmentData.Immutability & Updates
resourceGroupName and securityConnectorName are immutable. Changing either property will force replacement of the security connector.hierarchyIdentifierTrialEndDate output property.API Versions
pulumi package add azure-native security [ApiVersion] to access versions like 2023-03-01-preview or 2024-07-01-preview. See the version guide for details.