Microsoft Defender Extends Open‑Source Database Protection to AWS RDS – What It Means for Multicloud Security
#Security


Cloud Reporter
5 min read

Microsoft Defender for open‑source relational databases is now generally available on Amazon RDS, bringing unified risk‑based protection, sensitive‑data discovery, and attack‑path analysis to Azure and AWS environments.

What changed

Microsoft announced the general availability (GA) of Microsoft Defender for open‑source relational databases on Amazon Relational Database Service (RDS). The service now covers the most common AWS‑hosted engines – Aurora PostgreSQL, Aurora MySQL, RDS PostgreSQL, RDS MySQL and RDS MariaDB – and integrates the same security signals that have been available for Azure‑hosted databases. From June 1 2026 onward, customers can enable the protection from the Azure portal and see the additional charges on the July 2026 bill.


Provider comparison

| Feature | Azure‑only Defender (pre‑GA) | Defender with AWS RDS support (GA) |
| --- | --- | --- |
| Coverage | Open‑source DBs on Azure (PostgreSQL, MySQL, MariaDB) | Same Azure coverage plus Aurora PostgreSQL, Aurora MySQL, RDS PostgreSQL, RDS MySQL, RDS MariaDB |
| Pricing model | Per‑database licensing, billed through Azure subscription | Same per‑database licensing, now billed for AWS‑hosted instances as well |
| Sensitive data discovery | Agentless scans of Azure DBs, custom discovery rules | Agentless scans extended to supported AWS RDS instances; no extra agents required |
| Threat detection | Brute‑force, anomalous login, credential‑theft patterns on Azure | Identical detection logic applied to AWS logs (CloudTrail, RDS events) |
| Attack‑path analysis | Correlates Azure resources (VMs, identities, storage) with DB alerts | Includes AWS resources in the graph, showing cross‑cloud paths that combine Azure and AWS misconfigurations |
| Unified investigation | Alerts appear in Microsoft Defender portal, can be linked to Azure Sentinel | Same portal experience; AWS alerts are displayed side‑by‑side with Azure alerts, enabling a single investigation workflow |
| CSPM integration | Defender for Cloud (posture management) for Azure | Defender CSPM now ingests AWS Config and Security Hub data, providing a consolidated compliance view |

Migration considerations

  1. Enablement – Turn on the feature in the Azure portal under Defender for Cloud → Database protection. The UI now lists both Azure and AWS instances, so you can select the RDS databases you want to protect.
  2. Permissions – Grant the Microsoft‑managed identity read access to AWS Config and CloudTrail logs, and write access to the Security Hub integration. This is a one‑time IAM policy change; Microsoft provides a CloudFormation template that automates the role creation.
  3. Cost estimation – The per‑database charge is identical to the Azure price (USD $15 per month per protected instance as of GA). Use the Pricing Calculator in the Azure portal to model mixed‑cloud spend before enabling production workloads.
  4. Data residency – Sensitive‑data discovery is orchestrated from the Microsoft cloud, but the raw scanned data never leaves the customer’s VPC; only the scan results are transmitted over TLS to the Defender service. Organizations with strict residency requirements should review the data‑processing agreement linked in the documentation.
  5. Compliance mapping – Because Defender now pulls AWS Config rules, you can map findings to PCI‑DSS, HIPAA, and ISO 27001 controls across both clouds from a single compliance dashboard.

Business impact

Prioritized risk across clouds

Security teams no longer have to maintain separate tooling stacks for Azure and AWS databases. By feeding AWS RDS signals into the same risk engine that scores Azure resources, organizations can rank database findings by real‑world impact – for example, a brute‑force attempt on a PostgreSQL instance that stores payment card numbers will surface higher than a low‑severity configuration drift on a dev‑only MySQL instance.

Faster response through unified investigation

When an alert fires, the Defender portal shows the full context: the compromised credential, the originating IP, related Azure AD sign‑in events, and any linked AWS IAM role usage. Analysts can launch a playbook that automatically isolates the offending RDS instance, revokes the compromised IAM credentials, and opens a ticket in the organization’s ticketing system – all without switching consoles.

Cost‑effective CNAPP adoption

The extension aligns with Microsoft’s broader Cloud‑Native Application Protection Platform (CNAPP) strategy. Companies that have already invested in Defender for Cloud for workload protection now gain database security as a natural extension, avoiding the need for a separate third‑party database‑specific product. This reduces license sprawl and simplifies audit trails.

Example scenario

A financial services firm runs a PostgreSQL instance on Azure for core transaction processing and an Aurora MySQL cluster on AWS for analytics. An attacker gains access to an AWS IAM user with limited read permissions and initiates a series of rapid login attempts on the Aurora cluster. Defender detects the brute‑force pattern, enriches the alert with the IAM user’s recent activity in AWS CloudTrail, and correlates it with a suspicious Azure AD sign‑in from the same IP address. The unified attack‑path view shows the potential pivot from the compromised AWS user to the Azure database via a shared VPN tunnel. The security team can immediately quarantine the Aurora instance, rotate IAM credentials, and harden the VPN configuration, preventing lateral movement.
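To make the detection and correlation in this scenario concrete, here is an added, self-contained Python illustration (not Defender's own logic, and not code from the article): it scans constructed RDS PostgreSQL log lines (the engine's default `%t:%r:%u@%d:[%p]:` prefix) for a burst of failed password authentications from one source IP, then joins the flagged IP against constructed Azure AD-style sign-in records to surface the cross-cloud pivot. Thresholds, sample IPs and user names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RDS PostgreSQL default log_line_prefix is "%t:%r:%u@%d:[%p]:" (time, host(port), user@db, [pid]).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC:(?P<ip>[\d.]+)\(\d+\):(?P<user>[^@]+)@[^:]+:\[\d+\]:"
    r"FATAL:\s+password authentication failed"
)
def parse_failed_logins(lines):
    """Yield (timestamp, source_ip, db_user) for each failed-password line; skip everything else."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failures inside any sliding window; return {ip: {failures, users}}."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(events), "users": {u for _, u in events}}
                break
    return flagged

def correlate_with_signins(flagged, signins):
    """Join flagged DB source IPs with identity sign-in records from the same IP (cross-cloud pivot hint)."""
    return [{"ip": ip, "db_users": sorted(f["users"]), "signin_user": s["user"], "signin_result": s["result"]}
            for ip, f in flagged.items() for s in signins if s["ip"] == ip]
# Constructed sample data: five failures from one IP in 11 seconds, one stray failure from another IP.
_FAIL = '{ts} UTC:{ip}({port}):{user}@salesdb:[{pid}]:FATAL:  password authentication failed for user "{user}"'
SAMPLE_RDS_LOG = [
    _FAIL.format(ts=f"2026-06-02 10:15:{s:02d}", ip="203.0.113.45", port=51230 + s, user="analytics", pid=2200 + s)
    for s in (1, 3, 5, 8, 12)
] + [
    "2026-06-02 10:15:20 UTC:198.51.100.7(40021):etl@salesdb:[2210]:LOG:  connection authorized: user=etl database=salesdb",
    _FAIL.format(ts="2026-06-02 11:02:00", ip="198.51.100.7", port=40022, user="etl", pid=2211),
]
SAMPLE_SIGNINS = [  # constructed Azure AD-style sign-in records (ip, user, result)
    {"ip": "203.0.113.45", "user": "j.doe@example.com", "result": "Success"},
    {"ip": "192.0.2.10", "user": "a.lee@example.com", "result": "Failure"},
]
```

Running `correlate_with_signins(detect_bruteforce(SAMPLE_RDS_LOG), SAMPLE_SIGNINS)` yields one hit linking the burst against the `analytics` database user to the `j.doe@example.com` sign-in from 203.0.113.45; the single `etl` failure from 198.51.100.7 stays below threshold.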

Getting started

  1. Open the Azure portal and navigate to Microsoft Defender for Cloud → Database protection.
  2. Select the AWS RDS instances you want to protect and click Enable.
  3. Follow the guided IAM role creation to grant Microsoft read access to CloudTrail, Config, and Security Hub.
  4. Review the sensitive‑data discovery settings to define any custom data patterns (e.g., national ID formats) you want the scanner to flag.
  5. Monitor the new Database risk score on the Defender dashboard and integrate alerts with Microsoft Sentinel or your preferred SIEM.

For detailed steps, see the official documentation: Defender for open‑source relational databases – AWS RDS support.

This article reflects the strategic shift toward a unified, risk‑based approach to multicloud database security. By extending Defender’s capabilities to AWS RDS, Microsoft enables enterprises to protect the data stores that power modern applications without fragmenting their security operations.