AWS connector in Defender
Hi, I have connected an AWS account to Defender for Cloud foundational CSPM. It has been more than 30 hours and I still cannot see resources listed in Inventory, and the status in environment variables says it is connected. Any idea what the issue is?
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-16T20:01:22.2+00:00 Hello @Nadoda, Rijens (CA)
Hey! If your AWS account is showing as connected in Defender for Cloud but you can’t see resources in Inventory after ~30 hours, it’s usually down to one of the onboarding/streaming delays or a connector configuration/permissions issue.
Here are the most relevant things to check based on Defender for Cloud’s cloud connector troubleshooting guidance:
1) Wait for recommendation/inventory streaming delays
Even after onboarding, resources typically appear only after the first security recommendations have streamed in.
- AWS recommendations can take ~10 minutes to stream into Microsoft Defender for Cloud after onboarding.
- If AWS Security Hub was enabled recently, recommendations can take up to a day to stream into Security Hub (then onward).
- If AWS Config rules were enabled recently, recommendations can take up to a day to stream.
- For Inventory specifically: Inventory can take up to 12 hours to refresh from the first recommendation triggered on that resource.
Since you’re at ~30 hours, you may be past the normal delay window—so it’s worth checking connector health and CloudFormation/permissions.
2) Confirm the correct Defender plan is enabled in Defender for Cloud
If you don’t see expected data, make sure the subscription has the right Defender plan enabled:
- Defender for Cloud should have the Servers plan enabled (and you may have “CSPM/foundational CSPM” enabled depending on your setup).
- If the Servers plan isn’t enabled, you can end up with missing inventory/recommendation data.
Also verify permissions:
- The user role on the subscription should be Owner, Contributor, or Security Admin.
3) Check for AWS EC2 onboarding path issues (SSM / Arc dependencies)
If you expect EC2 instances to show up, ensure they’re eligible for onboarding:
- Verify the AWS Systems Manager Agent (SSM) is configured and running.
- Ensure you’re using supported OS versions.
- Verify SPN permissions: the user who created the SPN needs the Owner role (this is a common cause of “connected but no resources showing”).
4) Refresh timing tied to recommendations (not just “connected”)
A key detail: resources with recommendations are what appear in Inventory.
So if recommendations aren’t being produced/ingested from AWS, inventory may remain empty even though the connector says “connected”.
5) Look for CloudFormation / StackSet mismatch (common “no data” cause)
There is a known issue where the StackSet name in AWS doesn’t match what Defender expects.
If you see problems like “Invalid StackSet when onboarding AWS account”, fix it by:
- Check the StackSet name in AWS (CloudFormation > StackSets > StackSet name).
- In Defender for Cloud, go to Environment settings and open the connector.
- Go through Select plans → Next: Configure access.
- Update the StackSet name to the correct one that exists in AWS.
- If the StackSet doesn’t exist, rerun the CloudFormation template only for the StackSet portion.
Follow-up questions (so we can pinpoint the exact cause)
- In Defender for Cloud, what does the AWS connector show under Environment settings—are there any errors or “service principal validation” messages?
- Is AWS Security Hub and/or AWS Config already enabled before onboarding, or were they enabled right around the same time?
- In Defender for Cloud, is the Servers plan enabled on the subscription where you onboarded the AWS connector?
- Are the AWS resources you expect primarily EC2 instances? If yes, do those instances have SSM Agent running?
- Did onboarding use a management account connector, and does the StackSet name in AWS match the one in the Defender connector settings?
References (documentation)
- Microsoft Defender for Cloud - Troubleshoot cloud connectors (missing inventory/recommendations, streaming delays, permissions, SSM/Arc prerequisites, StackSet mismatch, SPN permissions, etc.) https://learn.microsoft.com/azure/defender-for-cloud/troubleshooting-guide#troubleshooting-the-native-multicloud-connector
- Defender for Cloud - Connect AWS accounts to Microsoft Defender for Cloud (onboarding context) https://learn.microsoft.com/azure/defender-for-cloud/quickstart-onboard-aws
- Defender for Cloud - Quickstart for AWS onboarding https://learn.microsoft.com/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
- Cloud connectors Q&A / troubleshooting (native multicloud connector issues) https://learn.microsoft.com/azure/defender-for-cloud/troubleshooting-guide#troubleshooting-the-native-multicloud-connector
If you can answer the follow-up questions above (especially connector errors, whether Security Hub/Config were enabled recently, and whether you’re expecting EC2 instances with SSM), we can narrow it down quickly.
Note: This content was drafted with the help of an AI system.
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-17T16:47:12.05+00:00 Hello @Nadoda, Rijens (CA) Following up to see if the above provided information was helpful. If you have any further queries do let us know.
-
Nadoda, Rijens (CA) • 0 Reputation points
2026-06-17T22:36:06.26+00:00 Hi Rukmini,
thanks for your response.
Could you please confirm if it is mandatory to enable AWS Security Hub? (If AWS Security Hub was enabled recently, recommendations can take up to a day to stream into Security Hub (then onward).)
To let you know, I have only enabled "Foundational CSPM".
Thanks
Regards,
Rijens
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-18T00:36:56.9766667+00:00 In order to onboard an AWS account with Foundational CSPM, AWS Security Hub is not required. However, because Defender for Cloud uses AWS Config data for resource discovery and posture assessments, AWS Config must be enabled and actively recording resources. Please confirm that AWS Config is enabled and that the CloudFormation deployment was successful and error-free if Inventory is still empty after more than 30 hours.
Could you verify that the AWS account and recording resources have AWS Config enabled?
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-18T17:25:33.4733333+00:00 Hello @Nadoda, Rijens (CA)
Following up to see if the above provided information was helpful. If you have any further queries do let us know.
-
Nadoda, Rijens (CA) • 0 Reputation points
2026-06-18T22:27:47.01+00:00 @Rukmini yes, I can confirm that the AWS CloudFormation deployment stack succeeded. I see an IAM role that was created which is being accessed by resources, so it is surely capturing data.
Hope this screenshot is helpful
Thanks
Regards,
Rijens
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-19T00:27:55.7666667+00:00 Hello @Nadoda, Rijens (CA)
Since you have enabled only Foundational CSPM and AWS Config is enabled, the next step is to verify whether AWS Config is actively recording all supported resource types and whether resources are present in the regions covered by the recorder. Could you also confirm if any AWS resources are visible under the AWS account in Defender for Cloud recommendations, or if both Recommendations and Inventory remain empty?
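An added example, not part of the original thread or of Microsoft's guidance: a Python check for the two conditions asked about above, namely whether the AWS Config recorder in each region is actually recording successfully and whether it covers all supported resource types. It parses the JSON printed by `aws configservice describe-configuration-recorders` and `aws configservice describe-configuration-recorder-status`; the region names and sample outputs below are constructed.

```python
import json

# Constructed sample output, per region, of:
#   aws configservice describe-configuration-recorders --region <r>
#   aws configservice describe-configuration-recorder-status --region <r>
SAMPLE = {
    "us-east-1": (
        '{"ConfigurationRecorders": [{"name": "default", "recordingGroup":'
        ' {"allSupported": true, "includeGlobalResourceTypes": true, "resourceTypes": []}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true,'
        ' "lastStatus": "SUCCESS"}]}',
    ),
    "ca-central-1": (
        '{"ConfigurationRecorders": [{"name": "default", "recordingGroup":'
        ' {"allSupported": false, "resourceTypes": ["AWS::S3::Bucket"]}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true,'
        ' "lastStatus": "FAILURE", "lastErrorCode": "AccessDenied"}]}',
    ),
    "eu-west-1": ('{"ConfigurationRecorders": []}', '{"ConfigurationRecordersStatus": []}'),
}

def check_region(recorders_json, status_json):
    """Return a list of findings for one region; an empty list means healthy."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    statuses = {s["name"]: s for s in
                json.loads(status_json).get("ConfigurationRecordersStatus", [])}
    if not recorders:
        return ["no configuration recorder in this region"]
    findings = []
    for rec in recorders:
        st = statuses.get(rec["name"], {})
        if not st.get("recording"):
            findings.append("recorder exists but is not recording")
        if st.get("lastStatus", "").upper() != "SUCCESS":
            findings.append(f"last status is {st.get('lastStatus', 'unknown')}"
                            f" ({st.get('lastErrorCode', 'no error code')})")
        group = rec.get("recordingGroup", {})
        if not group.get("allSupported"):
            listed = ", ".join(group.get("resourceTypes", [])) or "none"
            findings.append("not recording all supported types; listed types: " + listed)
    return findings

def audit(samples):
    """Map each region to its findings."""
    return {region: check_region(*pair) for region, pair in samples.items()}

if __name__ == "__main__":
    for region, findings in audit(SAMPLE).items():
        print(region, "OK" if not findings else "; ".join(findings))
```

A recorder that shows as "ON" in the console can still report a failed last delivery or a narrow recording group, which is why the script reads both command outputs rather than the `recording` flag alone.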
-
Nadoda, Rijens (CA) • 0 Reputation points
2026-06-19T13:35:47.3933333+00:00 Hi @Rukmini, I have checked AWS Config and the recorder is ON.
And both Recommendations and Inventory are empty.
Thanks
-
Rukmini • 43,095 Reputation points • Microsoft External Staff • Moderator
2026-06-19T17:39:43.1733333+00:00 Hello @Nadoda, Rijens (CA)
Thank you for sharing the details; will update you shortly!
-
Nadoda, Rijens (CA) • 0 Reputation points
2026-06-25T15:57:31.27+00:00 @Rukmini any updates on this?