How to better manage cost of API calls that Defender for Cloud makes to AWS
Published Apr 08 2024 05:12 AM 1,922 Views
Microsoft

Introduction: 

Have you ever found yourself in a situation where you enabled GuardDuty or CloudTrail on Amazon Web Services (AWS) and onboarded your AWS environment to Microsoft Defender for Cloud? Have you ever wondered how to minimize the AWS costs associated with having GuardDuty or CloudTrail enabled while Defender for Cloud makes API calls to your AWS environment?


This article walks you through proven best practices for keeping AWS costs under control when you onboard your AWS environment to Defender for Cloud while GuardDuty or CloudTrail is enabled on AWS.


As a reminder: after you onboard your AWS environment to Defender for Cloud, Defender for Cloud periodically makes API calls to your AWS environment. The reasons for these API calls include discovery of new resources deployed to AWS, detection of new misconfigurations on your resources, remediation actions that might have been performed, and so on.

For general guidance on how to onboard your AWS environment to Defender for Cloud, you can start at https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws.


Now imagine you have GuardDuty or CloudTrail enabled and Defender for Cloud makes API calls to your AWS environment. Because GuardDuty or CloudTrail logs are enabled, those calls can incur cost on the AWS side. To minimize this cost while keeping CloudTrail (or GuardDuty) enabled, you can leverage the following capabilities:

  • Scan interval
  • Region selection

These capabilities can be used individually or together depending on your use case. To start, I'll show you how to use the scan interval to optimize costs on AWS.


When onboarding your AWS environment to Defender for Cloud, one of the configuration settings is called scan interval (figure 1). While the focus of this article is AWS, the scan interval setting is also available when onboarding your GCP environment to Defender for Cloud.


Have you ever wondered whether it's possible to adjust how often Defender for Cloud makes API calls to your AWS environment? With the scan interval you can configure this to a value ranging from one hour (minimum) to 24 hours (maximum). Some resource types, however, are excluded from the scan interval. The list of excluded resource types is available at:


Figure 1: Scan interval feature


By default, the scan interval setting is set to 12 hours. Before the scan interval was introduced, the default was four hours, which is why you might see a value of four hours if you onboarded your AWS environment to Defender for Cloud before this feature existed. By configuring the scan interval closer to the minimum value (one hour), Defender for Cloud makes API calls to your AWS environment more often, so new resources appear sooner in the Inventory blade, recommendations refresh sooner, and so on. By configuring the scan interval closer to the maximum value (24 hours), Defender for Cloud makes API calls to your AWS environment less frequently. By adjusting the scan interval you control how often Defender for Cloud makes API calls to your environment and thereby directly influence the CloudTrail and GuardDuty cost of those API calls.


The other capability that can help you minimize CloudTrail and GuardDuty costs is called region selection.


Region selection

Have you ever asked yourself whether you can specify which AWS regions Defender for Cloud should make API calls to? With region selection you do exactly that: it lets you select the regions to which Defender for Cloud makes API calls. Every region you deselect in the dropdown (figure 2) is a region Defender for Cloud won't make API calls to. Imagine your organization has a policy that allows resources to be deployed only to certain AWS regions.

Figure 2: AWS Regions selection feature


With region selection, you can select only those regions to which your organization deploys resources, preventing Defender for Cloud from making API calls to regions where you're certain no resources are deployed. This helps minimize the costs in AWS GuardDuty and CloudTrail.
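One way to check that the scan interval and region selection are actually doing what you expect is to look at what CloudTrail records for the connector's own role. The following Python script is an added example, not code from the original article or from Defender for Cloud. It parses CloudTrail records, keeps only the calls made by the IAM role that Defender for Cloud assumes in your account (the role name CspmMonitorAws is an assumption here; take the real name from your own connector's CloudFormation stack), counts calls per region, flags calls in regions you deselected, and measures the gap between scan bursts so you can compare it with the configured scan interval. The sample records embedded in it are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Name of the IAM role the Defender for Cloud connector assumes in the AWS
# account. ASSUMPTION for this example: take the real role name from the
# CloudFormation template of your own connector.
DEFENDER_ROLE_NAME = "CspmMonitorAws"

# Constructed sample CloudTrail log (only the fields used here), not real
# telemetry: two scan bursts 12 hours apart in two allowed regions, one call in
# a region that should have been deselected, and one human call to be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-04-08T00:00:07Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
    {"eventTime": "2024-04-08T00:00:09Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
    {"eventTime": "2024-04-08T00:00:11Z", "awsRegion": "eu-west-1",
     "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
    {"eventTime": "2024-04-08T00:00:15Z", "awsRegion": "ap-southeast-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
    {"eventTime": "2024-04-08T03:14:00Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-04-08T12:00:05Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
    {"eventTime": "2024-04-08T12:00:08Z", "awsRegion": "eu-west-1",
     "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/defender-scan"}},
]})


def load_records(log_text):
    """Parse the body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(log_text)["Records"]


def is_defender_call(record, role_name=DEFENDER_ROLE_NAME):
    """True when the call was made under the connector's assumed role."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    return f":assumed-role/{role_name}/" in identity.get("arn", "")


def calls_by_region(records, role_name=DEFENDER_ROLE_NAME):
    """Count connector API calls per AWS region."""
    counts = defaultdict(int)
    for record in records:
        if is_defender_call(record, role_name):
            counts[record["awsRegion"]] += 1
    return dict(counts)


def unexpected_regions(records, allowed_regions, role_name=DEFENDER_ROLE_NAME):
    """Regions the connector called that are not in your region selection."""
    return sorted(set(calls_by_region(records, role_name)) - set(allowed_regions))


def _hour_bucket(event_time):
    # A single scan issues many calls within a short window; group them by hour.
    parsed = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return parsed.replace(minute=0, second=0, microsecond=0)


def observed_intervals_hours(records, role_name=DEFENDER_ROLE_NAME):
    """Gaps in hours between successive scan bursts, per region."""
    bursts = defaultdict(set)
    for record in records:
        if is_defender_call(record, role_name):
            bursts[record["awsRegion"]].add(_hour_bucket(record["eventTime"]))
    intervals = {}
    for region, hours in bursts.items():
        ordered = sorted(hours)
        intervals[region] = [(b - a).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    return intervals


def interval_matches(records, configured_hours, role_name=DEFENDER_ROLE_NAME, tolerance=1.0):
    """True when every observed gap is within tolerance of the configured scan interval."""
    return all(abs(gap - configured_hours) <= tolerance
               for gaps in observed_intervals_hours(records, role_name).values()
               for gap in gaps)


if __name__ == "__main__":
    sample = load_records(SAMPLE_LOG)
    print("calls per region:", calls_by_region(sample))
    print("regions outside selection:", unexpected_regions(sample, ["us-east-1", "eu-west-1"]))
    print("observed scan gaps (h):", observed_intervals_hours(sample))
    print("matches 12h scan interval:", interval_matches(sample, 12))
```

Run it against the records of a real CloudTrail log file (after decompressing the `.json.gz` objects from your trail's bucket) to confirm that deselected regions no longer show connector calls and that the gap between bursts matches the scan interval you configured. Note that global services record their calls under one region regardless of where the resource lives, so a call in an unexpected region is a prompt to inspect the eventSource, not proof that the region selection is being ignored.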


Conclusion: 

This article showed you how to optimize the cost of AWS GuardDuty or CloudTrail logs generated by Defender for Cloud's API calls, using the scan interval and region selection features. These features can be used in combination to keep AWS GuardDuty and CloudTrail costs to a minimum.


Reviewers:  

Lior Arviv, Senior Product Manager, Microsoft 

Inbal Silis, Senior Customer Engineer, Microsoft  

Lizet Pena De Sola, Senior Customer Engineer, Microsoft
