On July 14, 2026, Amazon Web Services made good on a promise first floated in March: its Security Hub can now natively monitor resources running in Microsoft Azure. The integration automatically discovers Azure virtual machines, container registry images, serverless functions, and user identities, then checks them for misconfigurations, vulnerabilities, and internet exposure—ranking those findings right alongside AWS issues in a single prioritized dashboard. The same AWS EventBridge workflows that alert on an over-permissioned S3 bucket can now fire when an Azure VM is exposed to the internet.
The New Azure Pipeline: Discovery, Scoring, and Response
Security Hub’s Azure monitoring starts with automatic, agentless discovery. Once you create the integration, the service finds supported Azure assets without deploying additional sensors. It continuously assesses the following resource types:
- Azure Virtual Machines – checked for common configuration weaknesses, missing patches, and public exposure.
- Azure Container Registry images – included in vulnerability management, much like Amazon ECR images.
- Azure Function Apps – added to Security Hub’s unified resource inventory, making serverless components visible.
- Azure identities – evaluated for risky configurations as part of the overall security posture.
The posture checks rely on the CIS Microsoft Azure Foundations Benchmark, a well-known standard. When a finding is generated—say, an Azure VM with port 3389 open to the world—it appears in the same findings list as AWS issues, carrying the same severity labels (Critical, High, Medium, Low) and following the AWS Security Finding Format (ASFF).
Because the findings are normalized, existing Amazon EventBridge integrations can route Azure issues into ticketing systems, Slack channels, or automated remediation runbooks without modification. A SOC team that built a response playbook for an unprotected EC2 instance can reuse the exact same logic for an exposed Azure VM.
The pricing model is straightforward. AWS charges the same rate to monitor an Azure resource as it does for its AWS equivalent. There is no additional platform fee. A 30-day free trial kicks off when you create the integration, giving teams time to evaluate coverage before committing.
Regional availability matters, especially for organizations with data residency or processing requirements. The integration is available in most commercial AWS Regions where Security Hub operates, with four exceptions: Middle East (UAE), Middle East (Bahrain), Asia Pacific (Taipei), and Asia Pacific (New Zealand). If your Azure resources reside in an excluded region’s corresponding Azure geography, they cannot be monitored through this integration today.
Who Benefits Most—and Where It Falls Short
For Windows-oriented teams running hybrid environments, the immediate benefit is consolidation. If your security operations staff already lives in the AWS Management Console and uses Security Hub as the single pane of glass for AWS, adding Azure to that view eliminates the need to switch contexts—or to build a separate ingestion pipeline for Microsoft’s findings.
However, the integration does not replace Microsoft’s own security stack. Security Hub’s Azure coverage focuses on cloud security posture management (CSPM) and vulnerability management. It does not offer workload protection, endpoint detection, identity threat detection, or the extended SIEM capabilities found in Microsoft Defender for Cloud, Microsoft Defender XDR, or Microsoft Sentinel. Here’s a quick comparison:
| Capability | AWS Security Hub for Azure | Microsoft Defender for Cloud |
|---|---|---|
| Posture management | Yes (CIS benchmark, exposure checks) | Yes (CIS, PCI, custom initiatives) |
| Vulnerability management | Yes (integrated with Inspector) | Yes (Defender for Cloud vulnerability) |
| Workload/Endpoint protection | No | Yes (Defender for Servers, Containers) |
| Identity threat detection | Limited to posture checks | Yes (Defender for Identity, Identity Protection) |
| SIEM/SOAR integration | Via EventBridge to AWS services | Native with Sentinel; Defender XDR |
| Multicloud support | AWS + Azure (GCP TBD) | AWS, GCP, Azure |
For Microsoft-heavy shops that already use Defender for Cloud to monitor Azure and even AWS resources, enabling Security Hub for Azure could create duplicate findings. Teams will need to decide which console is the "source of truth" and set up suppression rules or filter duplicates. If your team is more comfortable in the Azure portal, you might gain little by adding another dashboard.
The integration really shines for development teams that use Azure alongside AWS but prefer AWS-native tooling. A DevOps team managing .NET applications on both Azure Functions and AWS Lambda can now track vulnerabilities in their Azure container images and function apps without leaving the AWS console or granting the developers access to Defender for Cloud.
From Microsoft’s Playbook: The Multicloud Security Backstory
AWS is a late entrant to the multicloud monitoring game. Microsoft Defender for Cloud has supported posture management for AWS since late 2021 and for Google Cloud since early 2022. Google completed its $32 billion acquisition of Wiz on March 11, 2026—one day after AWS pre-announced its Security Hub expansion at the RSA Conference. Wiz, Palo Alto Networks, CrowdStrike, and others have sold cloud-native application protection platforms (CNAPPs) that span all three major clouds for years.
The competitive pressure is clear. By offering Azure monitoring natively, AWS is acknowledging that many of its largest customers are multicloud by necessity—and that those customers will choose a security operations hub that follows their workloads. As AWS’s director of security services, Michael Fuller, wrote in the launch blog post, “Your workloads move to new clouds. Your security should already be there.”
Yet the delivered feature set shows that AWS’s “multicloud” still means AWS plus Azure. No timeline has been announced for Google Cloud support. For enterprises running across all three, Security Hub cannot yet serve as a complete native control plane.
A Practical Setup Checklist
If you’re considering enabling the Azure integration, here’s a step-by-step approach that limits noise and maximizes value:
- Audit existing security tools. Map out which CSPM, vulnerability, and threat detection tools already cover your Azure resources. If you have Microsoft Defender for Cloud, Sentinel, or a third-party CNAPP, note their coverage and which teams use them.
- Start with the free trial. The Azure monitoring trial lasts 30 days and begins when you create the integration. Use it to compare findings with your current tools.
- Configure cross-account access carefully. The integration uses an IAM role in your Azure account to read resource metadata. Follow AWS documentation to set up the necessary permissions, ensuring the role is scoped to only the subscriptions and resource groups you intend to monitor.
- Tune findings. After a few days, review the findings and determine which are actionable. Use Security Hub’s suppression rules to remove noise from non-applicable benchmarks or resources that are intentionally exposed.
- Reuse existing workflows. Connect Security Hub’s EventBridge output to your current SOAR or ticketing systems. If you already have playbooks for AWS findings, test them against identical Azure issues.
- Plan for regional constraints. If your Azure resources are deployed in regions served by the excluded AWS Regions (e.g., UAE, Bahrain, Taipei, New Zealand), you cannot monitor them with Security Hub. Consider whether to keep a backup CSPM for those locations.
- Evaluate AI protections separately. GuardDuty AI Protection and the AI inventory are AWS-native; they do not cover Azure AI services like Azure OpenAI or Azure AI Foundry. If you use both clouds for AI, you’ll need additional defenses for your Azure-hosted models.
- GuardDuty AI Protection can detect prompt injection, anomalous model invocations, and cost harvesting in Amazon Bedrock and SageMaker.
- The AI inventory, built into Security Hub Essentials, discovers AI assets across EC2, ECS, and EKS, including self-hosted models and external API calls—valuable for surfacing shadow AI.
The Multicloud Security Horizon
AWS has said more clouds will follow “quickly,” but without a concrete roadmap for Google Cloud or a timeline, multicloud coverage remains incomplete. The next logical expansion would bring Google Cloud into Security Hub, at which point a single AWS console could monitor all three hyperscalers. Until then, Windows shops that rely on all three clouds will need a patchwork of native and third-party tools.
The bigger question is how deep AWS intends to go. Currently, Security Hub’s Azure coverage matches the posture and vulnerability management it offers for AWS—but Microsoft’s Defender suite goes far deeper into workload, identity, and endpoint protection. If AWS enriches its Azure integration with network inspection, custom policy support, or integration with AWS-native threat detection like GuardDuty, it could become a more compelling alternative to Microsoft’s multicloud offering.
For now, the integration is a pragmatic step. It gives AWS-heavy enterprises a native way to fold Azure findings into their existing security workflows without a separate SIEM or CNAPP. Whether it can replace your current Azure security tooling depends on how much of your defense already lives in the Microsoft ecosystem—and how much you trust AWS to watch your other cloud.