AWS Partner Network (APN) Blog

Reinventing cloud risk management with Trend Vision One™

By: Eduardo Castro, Product Management – Trend Micro
By: Felipe Costa, Solution Architect – Trend Micro
By: Fernando Cardoso, VP Product Management – Trend Micro
By: Faisal Pias, Sr. Partner Solutions Architect – AWS


As organizations increasingly migrate to Amazon Web Services (AWS), the importance of cloud risk management has never been greater. The implications of information security issues ranging from inadvertent data access to compliance issues can impact not only businesses but also customers, partners, and public trust. Security in AWS is a shared effort, in which AWS is responsible for protecting the underlying infrastructure and customers play an important role in enhancing the security of their own data, workloads, configurations, and access policies. This shared responsibility model underscores the importance of understanding, assessing, and mitigating risks within the cloud environment.

To effectively manage risks, organizations are turning to a combination of AWS services and partner solutions such as Trend Vision One™, which can enable enhanced visibility, automated remediation, and streamlined threat detection. This synergy empowers teams to move beyond reactive security and toward a proactive, risk-aware cloud strategy. In this post, we discuss cloud risk management on AWS and explore how modern organizations can strengthen their security posture with powerful capabilities offered by Trend Vision One.

Enhancing security features with Trend Vision One

To complement AWS solutions, Trend Vision One offers comprehensive risk management with Cyber Risk Exposure Management, encompassing integrated capabilities such as Cloud Risk Management (CRM), including Cloud Infrastructure Entitlement Management (CIEM) and Data Security Posture Management (DSPM). This approach unifies proactive and reactive security measures in the cloud—combining attack surface discovery, risk assessment and prioritization, and mitigation options. Powered by AI-driven insights, Trend Vision One Cloud Security delivers deep visibility into cloud environments, identifying vulnerabilities, misconfigurations, malware, and excessive permissions. These integrated capabilities help organizations strengthen their cloud security posture and reduce risk exposure across complex environments.

Effective cloud risk management starts with a proactive mindset. Before diving into specific risk scenarios, organizations should establish these foundational practices:

These practices, when enhanced with solutions such as Trend Vision One, create a robust foundation for addressing the most common cloud security challenges.

How to reduce risk in AWS from the silent six

There are six common factors that might leave an enterprise open to risk. These factors are often overlooked, undermining an enterprise’s security posture without obvious warning signs. These “silent six” risk factors are:

  1. Lack of visibility
  2. Misconfigurations
  3. Unintended access
  4. Vulnerabilities
  5. Sensitive data exposure
  6. Compliance violations

In this section, we explain how you can use Trend Vision One and AWS services to address each of these risks.

Lack of visibility

In dynamic cloud environments, it’s easy to lose track of what’s deployed, who has access to it, and where sensitive data lives. Without centralized monitoring, visibility gaps can multiply. Without visibility into workloads, user activity, and network behavior, organizations risk unintended data access, which undermines trust with customers and regulators. Visibility is foundational to accountability, governance, and resilience.

To address a lack of visibility, enable services such as AWS CloudTrail, AWS Config, Amazon GuardDuty, and AWS Security Hub to aggregate logs and detect suspicious activity. Pair these with extended detection and response (XDR) tools such as Trend Vision One™ XDR for Cloud for end-to-end threat correlation and faster response times.

Figure 1: Attack path overview in Trend Vision One – Workbench

Misconfigurations

From overly permissive Amazon Simple Storage Service (Amazon S3) buckets to open ports in security groups, cloud misconfigurations remain one of the most common—and preventable—causes of unintended access issues.

Misconfigurations are often simple mistakes with outsized consequences. Outside parties are known to scan the internet for misconfigured services. A single error in a deployment script or manual change can expose critical data or infrastructure.

To address misconfiguration risks, start with AWS security services to establish a strong foundation for configuration management. Use AWS Config to continually monitor and assess your AWS resource configurations against best practices. Enable AWS Security Hub to centrally view security findings and compliance status. Use Compliance, a capability of AWS Systems Manager, to track configuration compliance. Extend these built-in capabilities with Trend Vision One Cloud Security, which provides automated cloud security posture management (CSPM) to identify risky configurations and apply best practices across your environment with enhanced visibility and intelligent remediation recommendations.
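The two misconfigurations named above (world-open security group ports and S3 buckets without Public Access Block) are exactly what AWS Config managed rules such as restricted-ssh and s3-bucket-level-public-access-prohibited evaluate. The following is an added example, not code from the post or from Trend Micro, that reimplements those checks offline over constructed inputs in the shapes that ec2:DescribeSecurityGroups and s3:GetPublicAccessBlock return; the port list is an assumption.

```python
# Added example, not code from the post or from Trend Micro: offline checks that
# mirror what AWS Config managed rules such as restricted-ssh and
# s3-bucket-level-public-access-prohibited evaluate. Inputs use the shapes that
# ec2:DescribeSecurityGroups and s3:GetPublicAccessBlock return; the sample
# values at the bottom are constructed.
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Ports that should never accept ingress from the whole internet (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def open_ingress_findings(sg):
    """Return (group_id, port, cidr) for each sensitive port open to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":      # "-1" means every protocol and port
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in (ANY_V4, ANY_V6):
                continue                        # a specific range is not a finding
            for port in SENSITIVE_PORTS:
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, cidr))
    return findings

def public_access_block_gaps(cfg):
    """Return the S3 Public Access Block settings that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not cfg.get(k, False)]

# Constructed samples: SSH open to the IPv4 world, HTTPS open (acceptable for a
# web tier), and an all-protocol rule open to the IPv6 world.
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for finding in open_ingress_findings(SAMPLE_SG):
        print("world-open sensitive port:", finding)
    print("Public Access Block gaps:", public_access_block_gaps(SAMPLE_PAB))
```

The all-protocol IPv6 rule shows why a check must treat `IpProtocol: "-1"` as every port rather than reading `FromPort`/`ToPort`, which are absent in that case.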

Figure 2: Cloud security posture dashboard within Trend Vision One

Unintended access

Managing identities and access rights in the cloud can be tricky, especially as environments scale. Over-permissioned accounts, unused access keys, and weak credentials all contribute to security debt.

Identity misuse is a leading cause of unintended access. When outside parties gain access through weak or excessive permissions, they can move laterally and exfiltrate sensitive data. Strong identity governance is essential to prevent insider threats and unintended external access.

To safeguard your cloud environment, follow the principle of least privilege. Use multi-factor authentication (MFA), rotate credentials regularly, and implement cloud infrastructure entitlement management (CIEM) tools to monitor and reduce excessive permissions.
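A CIEM review of excessive permissions starts by reading the policy documents attached to identities. The following is an added example, not code from the post or from Trend Micro: a least-privilege lint that flags wildcard and service-wide actions, wildcard resources paired with non-read actions, and high-risk actions granted without an MFA condition. The high-risk action list and the sample policy are assumptions.

```python
# Added example, not code from the post or from Trend Micro: a least-privilege
# lint for IAM policy documents of the kind a CIEM review surfaces. It flags
# Allow statements with wildcard or service-wide actions, wildcard resources
# combined with non-read actions, and high-risk actions granted without an MFA
# condition. The high-risk action list and the sample policy are assumptions.
import json

HIGH_RISK = {"iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
             "s3:DeleteBucket", "kms:ScheduleKeyDeletion"}
MFA_KEYS = {"aws:MultiFactorAuthPresent", "aws:MultiFactorAuthAge"}

def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action, Resource."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _is_read_only(action):
    return action.split(":")[-1].startswith(("Describe", "Get", "List"))

def _requires_mfa(stmt):
    return any(k in MFA_KEYS for keys in stmt.get("Condition", {}).values() for k in keys)

def lint_policy(doc):
    """Return (statement_index, message) for each least-privilege issue."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        for a in actions:
            if a == "*":
                findings.append((i, "wildcard action '*'"))
            elif a.endswith(":*"):
                findings.append((i, f"service-wide action '{a}'"))
            elif a in HIGH_RISK and not _requires_mfa(stmt):
                findings.append((i, f"'{a}' allowed without an MFA condition"))
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append((i, "wildcard resource combined with non-read actions"))
    return findings

# Constructed sample: clean read-only, service-wide, no-MFA key creation, MFA-gated, Deny.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
 {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/*"},
 {"Effect": "Allow", "Action": "iam:CreateAccessKey",
  "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
 {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
 {"Effect": "Deny", "Action": "*", "Resource": "*"}]}""")
```

Describe/Get/List actions on `Resource: "*"` are left alone because many of them cannot be scoped to a resource ARN; the read-only heuristic is deliberately narrow.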

Figure 3: Cloud Entitlements dashboard within Trend Vision One

Vulnerabilities

With DevOps pipelines and cloud-based stacks, vulnerabilities can be introduced faster than ever through outdated libraries, unpatched systems, or insecure containers.

Unpatched systems and insecure containers create vulnerabilities that outside parties can potentially use for unintended access. Addressing them early is critical to maintaining business continuity and customer confidence.

You can address the problem by integrating vulnerability scanning into your continuous integration and continuous delivery (CI/CD) pipeline using tools such as Amazon Inspector for Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Container Registry (Amazon ECR) container images combined with partner solutions such as Trend Vision One Container Security for comprehensive coverage.

Figure 4: Policy Configuration within Trend Vision One – Container Security

Sensitive data exposure

Cloud platforms are home to sensitive data such as customer records, financial data, and proprietary intellectual property (IP). Without proper controls, this information can be inadvertently exposed.

Sensitive data is often among the most valuable and vulnerable assets in the cloud. Sensitive data can easily spread across multiple services, storage layers, and applications—often without proper classification or tracking. Without centralized visibility and control, critical data might be left exposed, misplaced, or mishandled, increasing the risk of unintended access, compliance violations, and financial loss.

Enforce data security policies across your AWS environment to address the issue. Use Amazon Macie to automatically discover, classify, and enhance protection for sensitive data stored in Amazon S3. Implement AWS Key Management Service (AWS KMS) for centralized encryption key management and data encryption. Enable AWS CloudTrail data events to monitor access to sensitive data resources and Amazon GuardDuty to detect suspicious data access patterns. Extend these foundational capabilities with Trend Vision One DSPM, which provides enhanced visibility into cloud assets containing sensitive data. Trend Vision One DSPM helps you understand your organization’s overall data risk, identify where your riskiest sensitive data resides, monitor access patterns, and ensure that only authorized identities can interact with protected information.
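Once CloudTrail S3 data events are enabled for the buckets that Macie or DSPM has classified as sensitive, the records can be checked for access that does not match the expected pattern. The following is an added example, not code from the post or from Trend Micro, that flags a read of a sensitive object when the principal is not on an allow list or the request did not arrive through the expected VPC endpoint; the bucket names, principals, endpoint id and records are constructed.

```python
# Added example, not code from the post or from Trend Micro: detection logic
# over CloudTrail S3 data events. A read of an object in a sensitive bucket is
# flagged when the principal is not on the allow list or the request did not
# arrive via the expected VPC endpoint. Bucket names, principals, the endpoint
# id and the records below are constructed.
SENSITIVE_BUCKETS = {"customer-pii-prod"}        # e.g. from Macie or DSPM findings
BILLING_APP = "arn:aws:sts::123456789012:assumed-role/BillingApp/i-0a1b2c3d4e5f67890"
ALLOWED_PRINCIPALS = {BILLING_APP}
EXPECTED_VPCE = "vpce-0123456789abcdef0"
READ_EVENTS = {"GetObject", "HeadObject"}

def flag_sensitive_reads(records):
    """Return one finding dict per suspicious read of a sensitive object."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in READ_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in SENSITIVE_BUCKETS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        reasons = []
        if principal not in ALLOWED_PRINCIPALS:
            reasons.append("principal not on allow list")
        if rec.get("vpcEndpointId") != EXPECTED_VPCE:
            reasons.append("request did not use the expected VPC endpoint")
        if reasons:
            findings.append({"time": rec["eventTime"], "principal": principal,
                             "object": f"{bucket}/{params.get('key')}",
                             "reasons": reasons})
    return findings

def _event(name, arn, bucket, key, ip, vpce=None):
    """Build a minimal constructed CloudTrail data-event record."""
    return {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
            "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key},
            **({"vpcEndpointId": vpce} if vpce else {})}

ALICE = "arn:aws:iam::123456789012:user/alice"
SAMPLE_RECORDS = [   # constructed
    _event("GetObject", BILLING_APP, "customer-pii-prod", "2024/invoices.csv", "10.0.1.5", EXPECTED_VPCE),
    _event("GetObject", ALICE, "customer-pii-prod", "2024/ssn.csv", "198.51.100.7"),
    _event("PutObject", BILLING_APP, "customer-pii-prod", "2024/new.csv", "10.0.1.5", EXPECTED_VPCE),
    _event("GetObject", BILLING_APP, "customer-pii-prod", "2024/invoices.csv", "203.0.113.9"),
    _event("GetObject", ALICE, "public-assets", "logo.png", "198.51.100.7"),
]
```

Only the two reads that break the expected pattern are returned; the approved read, the write, and the read from a non-sensitive bucket produce no finding.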

Figure 5: Trend Vision One dashboard providing visibility into cloud assets with sensitive data

Compliance violations

From General Data Protection Regulation (GDPR) to Health Insurance Portability and Accountability Act (HIPAA) to Payment Card Industry Data Security Standard (PCI-DSS), regulatory compliance adds another layer of responsibility to cloud security. Yet, without automation, it’s difficult to keep up.

Compliance is rarely optional. Violations can result in fines, lawsuits, and loss of market access. In regulated industries, maintaining compliance is essential to operating legally and ethically. Automation helps organizations stay ahead of evolving standards.

Cloud security and compliance teams should establish processes to identify deviations from the applicable security standards. Use AWS Config to continually monitor resource configurations against compliance rules and AWS Security Hub to centrally manage compliance findings across your AWS accounts. Use Compliance, a capability of AWS Systems Manager, to track and report on compliance status. Extend these built-in capabilities with Trend Vision One Cloud Security to scan over 900 AWS rules to detect cloud misconfigurations and map findings to dozens of best practices (including the AWS Well-Architected Framework) and compliance frameworks.

Conclusion

Managing cloud risk on AWS requires more than merely deploying security features—it demands a continuous, integrated approach. By combining AWS capabilities with partner solutions such as Trend Vision One in a proactive way, organizations can build resilient cloud environments that enhance data protection, help maintain compliance, and preserve public trust.

Trend Vision One enhances AWS foundational tools by providing deeper context, unified visibility, and intelligent automation across hybrid and multi-cloud infrastructures. Security teams can benefit from using this layered approach to detect threats earlier, respond faster, and continuously improve their cloud posture.

Ready to strengthen your AWS Cloud security posture? Explore how Trend Vision One integrates with your existing AWS security services to provide comprehensive risk management and enhanced threat protection. If you’re not already using it, you can get started with Trend Vision One Cloud Security with a 30-day trial. To learn more about the features and capabilities, check out Trend Vision One Documentation.



Trend Micro – AWS Partner Spotlight

Trend Micro is an AWS Security Competency Partner and global leader in cybersecurity, helping make the world safe for exchanging digital information.
