The azure-native:security:SecurityStandard resource, part of the Pulumi Azure Native provider, defines which Defender for Cloud security assessments apply to a given scope: subscription, management group, or security connector. This guide focuses on three capabilities: subscription-level standards, management group hierarchy, and multi-cloud security connector integration.
Security standards reference existing Azure infrastructure and Defender for Cloud assessment catalogs. The examples are intentionally small. Combine them with your own policy definitions and assessment selection logic.
Apply a security standard to a subscription
Organizations often start by applying security standards at the subscription level, defining which assessments run and optionally linking to Azure Policy initiatives for enforcement.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const securityStandard = new azure_native.security.SecurityStandard("securityStandard", {
assessments: [
{
assessmentKey: "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
assessmentKey: "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloudProviders: [azure_native.security.StandardSupportedCloud.GCP],
description: "description of Azure Test Security Standard 1",
displayName: "Azure Test Security Standard 1",
policySetDefinitionId: "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
standardId: "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
import pulumi
import pulumi_azure_native as azure_native
security_standard = azure_native.security.SecurityStandard("securityStandard",
assessments=[
{
"assessment_key": "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
"assessment_key": "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloud_providers=[azure_native.security.StandardSupportedCloud.GCP],
description="description of Azure Test Security Standard 1",
display_name="Azure Test Security Standard 1",
policy_set_definition_id="/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
standard_id="8bb8be0a-6010-4789-812f-e4d661c4ed0e")
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := security.NewSecurityStandard(ctx, "securityStandard", &security.SecurityStandardArgs{
Assessments: security.PartialAssessmentPropertiesArray{
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("1195afff-c881-495e-9bc5-1486211ae03f"),
},
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("dbd0cb49-b563-45e7-9724-889e799fa648"),
},
},
CloudProviders: pulumi.StringArray{
pulumi.String(security.StandardSupportedCloudGCP),
},
Description: pulumi.String("description of Azure Test Security Standard 1"),
DisplayName: pulumi.String("Azure Test Security Standard 1"),
PolicySetDefinitionId: pulumi.String("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions"),
Scope: pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
StandardId: pulumi.String("8bb8be0a-6010-4789-812f-e4d661c4ed0e"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var securityStandard = new AzureNative.Security.SecurityStandard("securityStandard", new()
{
Assessments = new[]
{
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "1195afff-c881-495e-9bc5-1486211ae03f",
},
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "dbd0cb49-b563-45e7-9724-889e799fa648",
},
},
CloudProviders = new[]
{
AzureNative.Security.StandardSupportedCloud.GCP,
},
Description = "description of Azure Test Security Standard 1",
DisplayName = "Azure Test Security Standard 1",
PolicySetDefinitionId = "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23",
StandardId = "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.SecurityStandard;
import com.pulumi.azurenative.security.SecurityStandardArgs;
import com.pulumi.azurenative.security.inputs.PartialAssessmentPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var securityStandard = new SecurityStandard("securityStandard", SecurityStandardArgs.builder()
.assessments(
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("1195afff-c881-495e-9bc5-1486211ae03f")
.build(),
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("dbd0cb49-b563-45e7-9724-889e799fa648")
.build())
.cloudProviders("GCP")
.description("description of Azure Test Security Standard 1")
.displayName("Azure Test Security Standard 1")
.policySetDefinitionId("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions")
.scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23")
.standardId("8bb8be0a-6010-4789-812f-e4d661c4ed0e")
.build());
}
}
resources:
  securityStandard:
    type: azure-native:security:SecurityStandard
    properties:
      assessments:
        - assessmentKey: 1195afff-c881-495e-9bc5-1486211ae03f
        - assessmentKey: dbd0cb49-b563-45e7-9724-889e799fa648
      cloudProviders:
        - GCP
      description: description of Azure Test Security Standard 1
      displayName: Azure Test Security Standard 1
      policySetDefinitionId: /subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      standardId: 8bb8be0a-6010-4789-812f-e4d661c4ed0e
The scope property targets a specific subscription using its resource path. The assessments array lists assessment keys that identify which Defender for Cloud checks to run. The policySetDefinitionId links the standard to an Azure Policy initiative, enabling automatic remediation or enforcement. The standardId provides a unique identifier for this standard configuration.
Apply a security standard to a management group
Enterprises with multiple subscriptions use management groups to apply security standards hierarchically, ensuring consistent compliance checks across all child subscriptions.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const securityStandard = new azure_native.security.SecurityStandard("securityStandard", {
assessments: [
{
assessmentKey: "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
assessmentKey: "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloudProviders: [azure_native.security.StandardSupportedCloud.GCP],
description: "description of Azure Test Security Standard 1",
displayName: "Azure Test Security Standard 1",
policySetDefinitionId: "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
scope: "providers/Microsoft.Management/managementGroups/contoso",
standardId: "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
import pulumi
import pulumi_azure_native as azure_native
security_standard = azure_native.security.SecurityStandard("securityStandard",
assessments=[
{
"assessment_key": "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
"assessment_key": "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloud_providers=[azure_native.security.StandardSupportedCloud.GCP],
description="description of Azure Test Security Standard 1",
display_name="Azure Test Security Standard 1",
policy_set_definition_id="/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
scope="providers/Microsoft.Management/managementGroups/contoso",
standard_id="8bb8be0a-6010-4789-812f-e4d661c4ed0e")
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := security.NewSecurityStandard(ctx, "securityStandard", &security.SecurityStandardArgs{
Assessments: security.PartialAssessmentPropertiesArray{
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("1195afff-c881-495e-9bc5-1486211ae03f"),
},
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("dbd0cb49-b563-45e7-9724-889e799fa648"),
},
},
CloudProviders: pulumi.StringArray{
pulumi.String(security.StandardSupportedCloudGCP),
},
Description: pulumi.String("description of Azure Test Security Standard 1"),
DisplayName: pulumi.String("Azure Test Security Standard 1"),
PolicySetDefinitionId: pulumi.String("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions"),
Scope: pulumi.String("providers/Microsoft.Management/managementGroups/contoso"),
StandardId: pulumi.String("8bb8be0a-6010-4789-812f-e4d661c4ed0e"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var securityStandard = new AzureNative.Security.SecurityStandard("securityStandard", new()
{
Assessments = new[]
{
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "1195afff-c881-495e-9bc5-1486211ae03f",
},
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "dbd0cb49-b563-45e7-9724-889e799fa648",
},
},
CloudProviders = new[]
{
AzureNative.Security.StandardSupportedCloud.GCP,
},
Description = "description of Azure Test Security Standard 1",
DisplayName = "Azure Test Security Standard 1",
PolicySetDefinitionId = "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions",
Scope = "providers/Microsoft.Management/managementGroups/contoso",
StandardId = "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.SecurityStandard;
import com.pulumi.azurenative.security.SecurityStandardArgs;
import com.pulumi.azurenative.security.inputs.PartialAssessmentPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var securityStandard = new SecurityStandard("securityStandard", SecurityStandardArgs.builder()
.assessments(
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("1195afff-c881-495e-9bc5-1486211ae03f")
.build(),
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("dbd0cb49-b563-45e7-9724-889e799fa648")
.build())
.cloudProviders("GCP")
.description("description of Azure Test Security Standard 1")
.displayName("Azure Test Security Standard 1")
.policySetDefinitionId("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions")
.scope("providers/Microsoft.Management/managementGroups/contoso")
.standardId("8bb8be0a-6010-4789-812f-e4d661c4ed0e")
.build());
}
}
resources:
  securityStandard:
    type: azure-native:security:SecurityStandard
    properties:
      assessments:
        - assessmentKey: 1195afff-c881-495e-9bc5-1486211ae03f
        - assessmentKey: dbd0cb49-b563-45e7-9724-889e799fa648
      cloudProviders:
        - GCP
      description: description of Azure Test Security Standard 1
      displayName: Azure Test Security Standard 1
      policySetDefinitionId: /subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Authorization/policySetDefinitions/patchorchestration-applicationversions
      scope: providers/Microsoft.Management/managementGroups/contoso
      standardId: 8bb8be0a-6010-4789-812f-e4d661c4ed0e
When scope targets a management group, the standard applies to all subscriptions within that hierarchy. The cloudProviders array specifies which cloud platforms this standard covers; here, GCP indicates the standard can evaluate resources in Google Cloud via security connectors. This extends the subscription example to organization-wide governance.
Apply a security standard to multi-cloud resources
Organizations with GCP or AWS resources use security connectors to extend Defender for Cloud assessments beyond Azure, applying the same compliance framework across cloud providers.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const securityStandard = new azure_native.security.SecurityStandard("securityStandard", {
assessments: [
{
assessmentKey: "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
assessmentKey: "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloudProviders: [azure_native.security.StandardSupportedCloud.GCP],
description: "description of Azure Test Security Standard 1",
displayName: "Azure Test Security Standard 1",
scope: "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
standardId: "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
import pulumi
import pulumi_azure_native as azure_native
security_standard = azure_native.security.SecurityStandard("securityStandard",
assessments=[
{
"assessment_key": "1195afff-c881-495e-9bc5-1486211ae03f",
},
{
"assessment_key": "dbd0cb49-b563-45e7-9724-889e799fa648",
},
],
cloud_providers=[azure_native.security.StandardSupportedCloud.GCP],
description="description of Azure Test Security Standard 1",
display_name="Azure Test Security Standard 1",
scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
standard_id="8bb8be0a-6010-4789-812f-e4d661c4ed0e")
package main
import (
security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := security.NewSecurityStandard(ctx, "securityStandard", &security.SecurityStandardArgs{
Assessments: security.PartialAssessmentPropertiesArray{
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("1195afff-c881-495e-9bc5-1486211ae03f"),
},
&security.PartialAssessmentPropertiesArgs{
AssessmentKey: pulumi.String("dbd0cb49-b563-45e7-9724-889e799fa648"),
},
},
CloudProviders: pulumi.StringArray{
pulumi.String(security.StandardSupportedCloudGCP),
},
Description: pulumi.String("description of Azure Test Security Standard 1"),
DisplayName: pulumi.String("Azure Test Security Standard 1"),
Scope: pulumi.String("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector"),
StandardId: pulumi.String("8bb8be0a-6010-4789-812f-e4d661c4ed0e"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var securityStandard = new AzureNative.Security.SecurityStandard("securityStandard", new()
{
Assessments = new[]
{
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "1195afff-c881-495e-9bc5-1486211ae03f",
},
new AzureNative.Security.Inputs.PartialAssessmentPropertiesArgs
{
AssessmentKey = "dbd0cb49-b563-45e7-9724-889e799fa648",
},
},
CloudProviders = new[]
{
AzureNative.Security.StandardSupportedCloud.GCP,
},
Description = "description of Azure Test Security Standard 1",
DisplayName = "Azure Test Security Standard 1",
Scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
StandardId = "8bb8be0a-6010-4789-812f-e4d661c4ed0e",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.SecurityStandard;
import com.pulumi.azurenative.security.SecurityStandardArgs;
import com.pulumi.azurenative.security.inputs.PartialAssessmentPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var securityStandard = new SecurityStandard("securityStandard", SecurityStandardArgs.builder()
.assessments(
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("1195afff-c881-495e-9bc5-1486211ae03f")
.build(),
PartialAssessmentPropertiesArgs.builder()
.assessmentKey("dbd0cb49-b563-45e7-9724-889e799fa648")
.build())
.cloudProviders("GCP")
.description("description of Azure Test Security Standard 1")
.displayName("Azure Test Security Standard 1")
.scope("subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector")
.standardId("8bb8be0a-6010-4789-812f-e4d661c4ed0e")
.build());
}
}
resources:
  securityStandard:
    type: azure-native:security:SecurityStandard
    properties:
      assessments:
        - assessmentKey: 1195afff-c881-495e-9bc5-1486211ae03f
        - assessmentKey: dbd0cb49-b563-45e7-9724-889e799fa648
      cloudProviders:
        - GCP
      description: description of Azure Test Security Standard 1
      displayName: Azure Test Security Standard 1
      scope: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector
      standardId: 8bb8be0a-6010-4789-812f-e4d661c4ed0e
The scope property targets a security connector resource rather than a subscription or management group. Security connectors bridge Defender for Cloud to other cloud platforms, allowing the same assessment framework to evaluate GCP or AWS resources. Note that policySetDefinitionId is omitted; policy enforcement typically applies only to Azure resources.
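The three scope shapes used above can be checked before deployment. The following Python is an added example, not code from Pulumi or the provider: classify_scope and validate_standard are hypothetical helper names, the GUID check on assessment keys is an assumption based on the examples, and the policySetDefinitionId rule follows this page's FAQ.

```python
import re

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# The three scope shapes this page uses; the most specific pattern is tried first.
SCOPE_PATTERNS = [
    ("security_connector", re.compile(
        rf"/?subscriptions/{GUID}/resourceGroups/[^/]+"
        r"/providers/Microsoft\.Security/securityConnectors/[^/]+", re.I)),
    ("subscription", re.compile(rf"/?subscriptions/{GUID}", re.I)),
    ("management_group", re.compile(
        r"/?providers/Microsoft\.Management/managementGroups/[^/]+", re.I)),
]


def classify_scope(scope):
    """Return the scope kind, or None if the path matches none of the three shapes."""
    for kind, pattern in SCOPE_PATTERNS:
        if pattern.fullmatch(scope or ""):
            return kind
    return None


def validate_standard(props):
    """Return findings for a dict shaped like the YAML `properties` block."""
    findings = []
    kind = classify_scope(props.get("scope"))
    if kind is None:
        findings.append("scope: not a subscription, management group or connector path")

    keys = [str(a.get("assessmentKey", "")).lower() for a in props.get("assessments", [])]
    if not keys:
        findings.append("assessments: empty")
    for key in keys:
        # Assumption: assessment keys are GUIDs, as in every example on this page.
        if not re.fullmatch(GUID, key):
            findings.append(f"assessments: {key!r} is not a GUID")
    if len(set(keys)) != len(keys):
        findings.append("assessments: duplicate assessmentKey")

    # Rule taken from this page's FAQ: connector scopes do not need a policy set,
    # subscription and management group scopes are expected to carry one.
    if kind in ("subscription", "management_group") and not props.get("policySetDefinitionId"):
        findings.append(f"policySetDefinitionId: missing for {kind} scope")
    return findings


# Values copied from the page's examples.
SUB = "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
KEYS = [{"assessmentKey": "1195afff-c881-495e-9bc5-1486211ae03f"},
        {"assessmentKey": "dbd0cb49-b563-45e7-9724-889e799fa648"}]
POLICY_SET = (f"/subscriptions/{SUB}/providers/Microsoft.Authorization"
              "/policySetDefinitions/patchorchestration-applicationversions")
CONNECTOR = {"scope": f"subscriptions/{SUB}/resourceGroups/gcpResourceGroup"
                      "/providers/Microsoft.Security/securityConnectors/gcpconnector",
             "assessments": KEYS}
SUBSCRIPTION = {"scope": f"subscriptions/{SUB}", "assessments": KEYS,
                "policySetDefinitionId": POLICY_SET}
# Constructed failing input: management group scope, policy set left out, key repeated.
BROKEN = {"scope": "providers/Microsoft.Management/managementGroups/contoso",
          "assessments": [KEYS[0], KEYS[0]]}

if __name__ == "__main__":
    for name, props in [("connector", CONNECTOR), ("subscription", SUBSCRIPTION),
                        ("broken", BROKEN)]:
        print(name, validate_standard(props) or "ok")
```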
Beyond these examples
These snippets focus on specific security standard features: scope targeting, assessment selection and policy linking, and multi-cloud support. They’re intentionally minimal rather than full compliance frameworks.
The examples reference pre-existing infrastructure such as Azure subscriptions or management groups, Azure Policy set definitions, security connectors for multi-cloud scenarios, and valid Defender for Cloud assessment keys. They focus on configuring the standard rather than provisioning the underlying governance infrastructure.
To keep things focused, common standard patterns are omitted, including:
- Custom standard creation (standardType property)
- Standard metadata configuration
- Assessment filtering or conditional logic
- Standard lifecycle management (updates, versioning)
These omissions are intentional: the goal is to illustrate how each standard scope is wired, not to provide drop-in compliance modules. See the SecurityStandard resource reference for all available configuration options.
Frequently Asked Questions
Scope & Configuration
providers/Microsoft.Management/managementGroups/{managementGroup}), subscriptions (subscriptions/{subscriptionId}), or security connectors (subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}).
policySetDefinitionId when applying standards to management group or subscription scopes. Security connector scopes don’t require this property.
cloudProviders array to specify supported clouds. The examples demonstrate GCP as a supported value.
Assessments & Standards
assessments array where each object contains an assessmentKey property with the assessment’s unique identifier (e.g., 1195afff-c881-495e-9bc5-1486211ae03f).
standardId is the unique key for the standard type, while displayName is the human-readable name. Both can have the same value for clarity.
Immutability & Updates
scope and standardId are immutable. Changing either requires recreating the resource.