AWS Control Tower vs. Microsoft Defender for Cloud Apps

We were wanting to prove the concept of a low touch process for quickly spinning up boilerplate AWS environments. We were able to get started quickly and to ensure that the AWS Well-Architected Framework principles were followed - at least upfront - however, we found that for our use case and expertise level it ultimately wasn't a fit. We have the skills on our team to manage more of this on our own. My recommendation would be contingent on what skills are already available on your team: if you can "do it yourself" you might as well so that you don't pay for resources you don't need and you have finer grain control over what's created.

Incentivized

It is well suited if your team is working with Microsoft tools and Azure services. but if you are using other cloud service providers and don't want to spend efforts in learning integration with third-party software then this is not a great fit for you. overall we are very satisfied with the product. If your corporation with Microsoft tools then I would recommend it.

Incentivized

• Easily create new AWS accounts.
• Easily secure and manage AWS accounts.
• Landing zone with SSO is a huge win for larger teams.

Incentivized

• Detect threats based on user activity logs.
• Set manual and automatic alert remediation.
• Implement activity policies.
• Detect threats based on user activity logs.

Incentivized

• The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
• The default guardrails do not fully encompass all the security checks that we needed.
• There does not appear to be any way to control roles at the IAM level from the control tower account through the GUI.
• Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.

Incentivized

• In the event of Cloud traffic it is not easy to monitor and identify attacks.
• Difficult to protect unmatched Cloud devices.

Incentivized

There is no way to easily close an AWS account whether it was created manually or via the AWS Control Tower. It takes too many steps to close it vs to provision a new AWS account

Incentivized

I have not utilized actual support but the Sales and Product teams have been super helpful in moving our implementation forward and showing us the best practices.

Incentivized

Using AWS Systems Manager and other slightly lower level components has been helpful for us to manage parts of our AWS presence at a more granular level than AWS Control Tower was designed for. It's not at all an apples-to-apples comparison as they solve different use cases, but for us, the use case associated with AWS Systems Manager was a better fit for our specific needs and skillsets. We did not need everything that AWS Control Tower was doing for us.

Incentivized

Microsoft Defender for Cloud Apps was chosen primarily due to its ability to work perfectly within our mostly M365 environment. Given that this was an added feature of our E5 license, we chose to dive into it and use it due to it's good visibility into user actions and the ability to tie all M365 actions together into one place. We did not see similar visibility with other tools that we vetted

Incentivized

• Less time manually deploying accounts which was error prone.
• Central logging allowed us to have 1 place to view logs.

Incentivized

• Cloud App Security saves us thousands of dollars finding and rectifying apps security issues
• Identity Security Posture helps the organization identity stay in shape, saving thousands of dollars on security consultations
• The cost of suffering a breach cannot be quantified, CAS helps minimize the chances of the attackers succeeding, with excellent historical logging for most operations

Incentivized