AWS Marketplace

DevOps automation for Trend Micro in AWS Marketplace using AWS Service Catalog and AWS Systems Manager Distributor

Trend Micro Deep Security, available in AWS Marketplace, is a host-based security product. It provides anti-malware, host firewall, intrusion prevention, file integrity monitoring, and log inspection modules for both Windows and Linux Amazon EC2 instances. Trend Micro Cloud Network Protection, powered by TippingPoint, is also available in AWS Marketplace. It enables you to extend your existing TippingPoint network protection to your AWS cloud environment.

AWS recently announced support for third-party agents with AWS Systems Manager Distributor (Distributor). The Trend Micro Workload Security Cloud One agent was the first third-party agent supported by Distributor. Distributor lets you package your own software or find AWS-provided agent software packages, such as AmazonCloudWatchAgent, to install on AWS Systems Manager managed instances. This enables customers to fully automate their agent deployments on AWS.

A common problem for customers is automating the deployment and updates of an entire suite of products available in AWS Marketplace. In this blog post, I demonstrate how to use DevOps automation and infrastructure as code (IaC) to automate the management and deployment of a suite of Trend Micro products in a multi-account AWS environment. I demonstrate this using AWS Service Catalog, AWS CodePipeline, AWS CloudFormation, AWS Organizations, and AWS Marketplace. This tutorial is targeted at Cloud Center of Excellence (CCOE) administrators and infrastructure engineers.

Furthermore, with the recent integration of Workload Security with Distributor, you can distribute Trend Micro Deep Security Agents across multiple platforms. You can also control access to managed instances and automate your Trend Micro deployments. My solution uses Distributor to implement a mechanism that enables automation using AWS Service Catalog for the provisioning of the Trend Micro Deep Security agent in a multi-account AWS environment in AWS Organizations.

Solution overview

This solution is deployed in a multi-account organization in AWS Organizations. The organization consists of a Shared Services account where Cloud Center of Excellence (CCOE) administrators can deploy shared services such as the AWS CodePipeline based DevOps service, as well as other services such as logging, networking, and monitoring. In this blog post, I refer to all other accounts in the organization where the Trend Micro products and agents are deployed as managed accounts. From a hub-and-spoke perspective, the Shared Services account is the hub account, and the managed accounts are spoke accounts where Trend Micro products and agents get deployed.

Personas

It’s helpful to delineate the administration tasks for this solution into two distinct personas. The CCOE AWS administrator is responsible for the centralized deployment and automation of AWS services in the entire organization. The end user/AWS administrator is responsible for the administration and deployment of AWS services for their specific application within the organization. Here’s a description of the administration functions performed by these two personas for this solution:

CCOE AWS administrator
  • The CCOE administrator performs initial setup from the AWS Shared Services account. After setup, the DevOps infrastructure (AWS CodePipeline) is provisioned in the AWS Shared Services account, and a Trend Micro AWS Service Catalog portfolio is provisioned in the managed accounts.
  • The Trend Micro AWS Service Catalog portfolio consists of AWS Service Catalog products. This includes the Trend Micro Deep Security and Trend Micro Cloud Network Protection products that are available in AWS Marketplace. It also includes the Trend Micro Deep Security Agent that was packaged with Distributor.
  • The CCOE administrator also performs code updates from the local Git repository. The administrator checks in updated Trend Micro product templates and (optionally) an updated buildspec.yaml file. The updated code flows via AWS CodePipeline in the AWS Shared Services account and updates the AWS Service Catalog portfolio in the managed accounts.
End user / AWS administrator in the managed accounts
  • The end user launches Trend Micro products (including the Trend Micro Deep Security agent) from the AWS Service Catalog console in the managed account.

This layout of responsibilities also enables project and account owners to move at their own speed, reuse components, and integrate them into their own application environments. The AWS CCOE team can focus on developing better tools and automation for the application teams to leverage, and can be sure that best practices are applied throughout the organization.

Solution architecture

The following diagram shows the overall architecture for the automated DevOps-based, multi-account Trend Micro deployment. The solution architecture comprises components that are deployed in the Shared Services account and components that are deployed in the managed accounts.

The AWS CodePipeline service in the Shared Services account consists of two stages, AWS CodeCommit and AWS CodeBuild. The AWS CodeCommit stage is triggered whenever there is a code update or check-in to the AWS CodeCommit Git repository. When triggered, it downloads the updated code into the Amazon S3 artifact repository of the AWS CodePipeline. The AWS CodeBuild stage of the AWS CodePipeline copies the updated code to a staging S3 bucket and invokes AWS CloudFormation. AWS CloudFormation then creates a StackSet for the AWS Service Catalog portfolio in the Shared Services account and creates stack instances for the AWS Service Catalog portfolio in the managed accounts. Refer to the following diagram.

The AWS Service Catalog portfolio in the managed accounts consists of Trend Micro products from AWS Marketplace as well as the Trend Micro Deep Security Agent packaged with Distributor. Refer to the following diagram.

Finally, AWS Systems Manager Distributor integrates with AWS CodePipeline in the Shared Services account via an AWS CloudFormation template. The template uses Distributor’s functionality of deploying the Trend Micro Deep Security agent as an AWS Systems Manager Association. This CloudFormation template is checked in as source code to the CodeCommit stage of the AWS CodePipeline.

Solution components

The full solution is available here. It consists of the following AWS CloudFormation templates:

  • aws-trendmicro-codepipeline.yaml – Sets up the AWS CodePipeline automation for the Trend Micro products available in AWS Marketplace in the Shared Services account
  • aws-trendmicro-servicecatalog-portfolio.yaml – Sets up the AWS Service Catalog portfolio for the Trend Micro products and the Trend Micro Deep Security Agent packaged with Distributor in the managed accounts
  • aws-systemsmanagerdistributor-agent – Installs the Trend Micro Deep Security Agent as a Distributor package in the managed accounts. It uses the AWS-ConfigureAWSPackage AWS Systems Manager association and leverages the supplied TrendMicro-CloudOne-WorkloadSecurity package via the integration between Distributor and Trend Micro Workload Security. It also provisions AWS Systems Manager Parameter Store with the parameters required by this integration. This template requires the dsTenantId and dsToken parameters, which represent the Tenant ID and the API token respectively for the Trend Micro Deep Security Manager product. To obtain these values, log in to the Trend Micro Workload Security console and go to Support > Deployment Scripts. For more information, see Integrate with AWS Systems Manager Distributor in the Trend Micro Cloud One documentation.
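The following AWS CloudFormation template is an added example, written for this post and not the solution's own aws-systemsmanagerdistributor-agent template. It shows the shape such a template takes: the dsTenantId and dsToken values named above are stored in Parameter Store, and an AWS Systems Manager State Manager association runs AWS-ConfigureAWSPackage to install the TrendMicro-CloudOne-WorkloadSecurity package on every managed instance carrying a chosen tag. The parameter names dsTenantId and dsToken come from the post; the tag key TrendMicroAgent, the tag value enabled, the association name, and the assumption that the integration reads the two values from Parameter Store under exactly those names are this example's own.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the solution's own template): installs the Trend Micro
  Deep Security agent through a Distributor package on tagged instances.

Parameters:
  dsTenantId:
    Type: String
    Description: Trend Micro Workload Security tenant ID (Support > Deployment Scripts)
  dsToken:
    Type: String
    NoEcho: true   # keep the API token out of console output and stack events
    Description: Trend Micro Workload Security API token
  TargetTagKey:
    Type: String
    Default: TrendMicroAgent   # assumed tag key; instances with it get the agent
  TargetTagValue:
    Type: String
    Default: enabled

Resources:
  # Parameter Store entries consumed by the Distributor integration. This example
  # assumes the package reads them under the names dsTenantId and dsToken.
  TenantIdParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: dsTenantId
      Type: String
      Value: !Ref dsTenantId
  TokenParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: dsToken
      # CloudFormation cannot create SecureString parameters, so the token is
      # stored as a plain String: restrict ssm:GetParameter* on this name to the
      # instance role, and rotate the token in the Trend Micro console when the
      # stack is deleted.
      Type: String
      Value: !Ref dsToken

  # State Manager association: every managed instance with the tag gets the
  # package installed, and State Manager re-checks it on the schedule below.
  DeepSecurityAgentAssociation:
    Type: AWS::SSM::Association
    DependsOn:
      - TenantIdParameter
      - TokenParameter
    Properties:
      AssociationName: TrendMicroDeepSecurityAgent
      Name: AWS-ConfigureAWSPackage
      Parameters:
        action:
          - Install
        name:
          - TrendMicro-CloudOne-WorkloadSecurity
      Targets:
        - Key: !Sub tag:${TargetTagKey}
          Values:
            - !Ref TargetTagValue
      ScheduleExpression: rate(30 minutes)   # minimum State Manager interval
      ComplianceSeverity: CRITICAL           # missing agent shows as critical non-compliance
      MaxConcurrency: 25%
      MaxErrors: 10%
```

The DependsOn makes sure the parameters exist before the first association run, and ComplianceSeverity lets you find instances that failed the install from the Systems Manager compliance view rather than from the agent's own console.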

Walkthrough

In this section, I walk through the prerequisites and the steps to set up and deploy this solution. I also explain how to perform updates.

Prerequisites

As a CCOE AWS administrator signed in to the AWS Shared Services account, set up the following resources.

  • Trend Micro AMI product templates – The Trend Micro AMI-based products are available in AWS Marketplace. The use of all Trend Micro templates requires appropriate licensing, as noted in AWS Marketplace. This solution uses the following Trend Micro source templates:
    • The Trend Micro Deep Security AWS CloudFormation template is available from the Trend Micro Deep Security on AWS Quick Start.
    • I have also provided a sample tippingpoint-cloudnetworksecurity.json AWS CloudFormation template for installing the TippingPoint Cloud Network Protection AMI. The template requires an AMI ID as an input. To get the AMI ID, follow this link, select your products, and choose Continue to subscribe. Follow the subscription wizard. When the subscription is complete, copy the AMI ID and use it as an input for this template.
  • Local Git repository and AWS CodeCommit Git repository – Create an AWS CodeCommit Git Repository in the AWS Shared Services account and integrate it with your local Git repository. For more information, see Setup steps for SSH connections to AWS CodeCommit repositories on Windows in the AWS CodeCommit User Guide.

The AWS CodeCommit repository now contains the following templates:

Initial setup

Step 1: Configure the templates

  1. In the following files, which are available for download from the solution, replace the <SHAREDSERVICES_ACCOUNT_ID> placeholder with your AWS account ID and the <SHAREDSERVICES_ACCOUNT_REGION> placeholder with the AWS Region of your AWS Shared Services account:
    • buildspec.yml
    • buildspec-updates.yml
  2. In buildspec.yml, for each managed account where you need to deploy this solution, replace <MANAGED_ACCOUNT_ID> with that account's AWS account ID and <MANAGED_ACCOUNT_REGION> with the AWS Region to deploy to.

Step 2: Complete the initial setup

Now you are ready to complete the initial setup as a CCOE AWS administrator logged in to the AWS Shared Services account.

Log in to the AWS CloudFormation console of your AWS Shared Services account as the CCOE AWS administrator and do the following:

  1. From the AWS CloudFormation console, launch the aws-trendmicro-codepipeline.yaml template. To launch an AWS CloudFormation template from the console, follow the steps outlined here.
  2. In the parameters step, enter the name of the AWS CodeCommit repository you created in the prerequisites section, where you set up the local Git repository and the AWS CodeCommit Git repository. Accept the default values for all other parameters of this template.

Here’s what happens during the initial setup by running this template.

  1. The template provisions AWS CodePipeline in the AWS Shared Services account.
  2. The AWS CodeCommit stage of AWS CodePipeline downloads the code from the AWS CodeCommit Git repository and into the Amazon S3 artifact repository of AWS CodePipeline.
  3. The AWS CodeBuild stage of AWS CodePipeline uses the AWS Service Catalog Portfolio template, executes the commands in the buildspec.yaml file to stage the code in an S3 bucket, and leverages AWS CloudFormation StackSets to launch the aws-trendmicro-servicecatalog-portfolio in the managed accounts. This last step creates the AWS Service Catalog portfolio in the managed accounts with the following products:
    • The Trend Micro Deep Security and Trend Micro Cloud Network Protection products available in AWS Marketplace
    • The Trend Micro Deep Security agent that was packaged with Distributor
    • This step also creates an end user group (TrendMicroEnduserGroup), an end user role (TrendMicroEnduserRole) and a launch constraint in the managed accounts. This allows an end user in managed accounts to log in and directly use the AWS Service Catalog console to launch Trend Micro products.

Step 3: Test the setup

To test that the initial setup was successful, perform the following steps:

  1. Log in to the IAM console of the AWS managed account as an IAM end user. Check that the end user is a member of the TrendMicroEnduserGroup.
  2. Next, navigate to the AWS Service Catalog console in the AWS managed account. In the left sidebar, choose Products. Select the Trend Micro Deep Security agent product. As a best practice, the AWS Service Catalog product for the Trend Micro agent is set up to allow deployment of Trend Micro Deep Security agents to EC2 instances based on resource tags.
  3. To test the launch of the Trend Micro Deep Security agent, accept the defaults.
  4. To set up Trend Micro Deep Security, follow the instructions in the Deep Security Quick Start.

Performing updates

You can perform updates directly from the local Git repository.

Step 1: Perform an update

  1. In your local Git repository, navigate to the folder where you placed the aws-systemsmanagerdistributor-agent-v1.yaml file and rename it aws-systemsmanagerdistributor-agent-v2.yaml. This simulates a new version of the agent, for which a new version of this template has been created and checked in to your source code repository.
  2. In your local Git repository, update the aws-trendmicro-servicecatalog-portfolio AWS CloudFormation template. Look for the Resources section in this template and specifically the TrendMicroDeepSecurityAgent resource. Update the ProvisioningArtifactParameters section with the following:
    • Description: This is version 2.0 of Trend Micro Deep Security Agent
    • Name: Version – 2.0
    • Info: LoadTemplateFromURL: !Sub "${S3StagingBucketURL}distributoragent/aws-systemsmanagerdistributor-agent_v2.yaml"
  3. Replace the existing buildspec.yml file with buildspec-updates.yml. Rename buildspec-updates.yml to buildspec.yml.
  4. Commit the changes in your local Git repository using Git commands in a bash terminal, and push them to the AWS CodeCommit repository.
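The template below is an added example, not the post's own aws-trendmicro-servicecatalog-portfolio.yaml. It shows the portfolio, the TrendMicroDeepSecurityAgent product with its ProvisioningArtifactParameters already pointing at the version 2.0 template from step 2 above, the TrendMicroEnduserGroup and TrendMicroEnduserRole described in the initial setup, and the launch constraint that lets an end user launch the product without holding the Systems Manager and Parameter Store permissions themselves. The S3StagingBucketURL parameter, the resource names, and the product name come from the post; the portfolio display name, the provider name, and the exact action list in the launch role's policy are this example's assumptions and should be trimmed to what the agent template actually creates.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the post's aws-trendmicro-servicecatalog-portfolio.yaml):
  portfolio, agent product at version 2.0, end-user access and a launch constraint.

Parameters:
  S3StagingBucketURL:
    Type: String
    Description: HTTPS URL prefix of the staging bucket, ending in "/"

Resources:
  TrendMicroPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Trend Micro          # assumed display name
      ProviderName: CCOE                # assumed provider name

  # Each ProvisioningArtifactParameters entry is one product version. The update
  # procedure above only changes this list: new Name, Description and template URL.
  TrendMicroDeepSecurityAgent:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Trend Micro Deep Security Agent
      Owner: CCOE
      Description: Installs the Deep Security agent via AWS Systems Manager Distributor
      ProvisioningArtifactParameters:
        - Name: Version - 2.0
          Description: This is version 2.0 of Trend Micro Deep Security Agent
          Info:
            LoadTemplateFromURL: !Sub "${S3StagingBucketURL}distributoragent/aws-systemsmanagerdistributor-agent_v2.yaml"

  AgentProductAssociation:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref TrendMicroPortfolio
      ProductId: !Ref TrendMicroDeepSecurityAgent

  # End users get only Service Catalog end-user rights; the resource permissions
  # the product needs live in the launch role below, not in the user's policy.
  TrendMicroEnduserGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: TrendMicroEnduserGroup
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess

  TrendMicroEnduserRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: TrendMicroEnduserRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess

  EnduserPortfolioAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref TrendMicroPortfolio
      PrincipalARN: !GetAtt TrendMicroEnduserRole.Arn
      PrincipalType: IAM

  # Launch role assumed by Service Catalog when the product is provisioned.
  # The action list is an assumption: keep it to what the agent template creates.
  TrendMicroLaunchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LaunchDeepSecurityAgentProduct
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStackEvents
                  - cloudformation:DescribeStacks
                  - cloudformation:GetTemplateSummary
                  - cloudformation:ListStackResources
                  - cloudformation:UpdateStack
                  - s3:GetObject
                  - ssm:CreateAssociation
                  - ssm:DeleteAssociation
                  - ssm:DescribeAssociation
                  - ssm:UpdateAssociation
                  - ssm:PutParameter
                  - ssm:DeleteParameter
                  - ssm:GetParameters
                Resource: '*'

  AgentLaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    Properties:
      PortfolioId: !Ref TrendMicroPortfolio
      ProductId: !Ref TrendMicroDeepSecurityAgent
      RoleArn: !GetAtt TrendMicroLaunchRole.Arn
```

Because the launch constraint carries the privileged permissions, the end-user group and role can stay limited to AWSServiceCatalogEndUserFullAccess; an end user who can launch the product still cannot create associations or write Parameter Store entries directly.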

Step 2: Validate the update

To validate the update, do the following:

  1. Log in to the AWS CodePipeline console of the AWS Shared Services account.
  2. Confirm that the AWS CodePipeline was triggered: its status shows In Progress.
  3. Wait for the AWS CodePipeline to complete successfully by verifying that each stage of the AWS CodePipeline shows a Success status.
  4. Navigate to the AWS CloudFormation console. From the left panel, choose StackSets and then Operations.
  5. Verify that the aws-trendmicro-servicecatalog-portfolio StackSet is updated successfully by verifying that the deployment status shows Succeeded.
  6. Log in to the AWS Service Catalog console of the AWS managed account as an end user.
  7. Verify that the Trend Micro Deep Security Agent product has been updated with the new version, template, and description.

Here is what this process does: the updated buildspec.yaml file invokes update-stackset on AWS CloudFormation instead of create-stackset. After a code change has been made in the local repository, the changes are committed and pushed to the remote AWS CodeCommit repository from a bash terminal using standard Git commands. AWS CodePipeline automatically recognizes the commit and updates the Trend Micro products in AWS Service Catalog for the managed accounts. The automated pipeline for managing AWS Service Catalog is now set up and responds to template changes via Git commits.
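The buildspec below is an added example and not the post's buildspec.yml or buildspec-updates.yml. It combines the two behaviours described above and in the architecture section into one file: it stages the templates in the S3 bucket, then checks whether the StackSet already exists and calls create-stack-set plus create-stack-instances on the first run and update-stack-set on every later run, so the file swap in step 3 of the update procedure is no longer needed. The StackSet name aws-trendmicro-servicecatalog-portfolio and the S3StagingBucketURL parameter come from the post; the staging bucket name, the account IDs, the Regions, and the per-commit S3 prefix are placeholders and design choices of this example, and it assumes the StackSet administration and execution roles have already been provisioned (the post's CodePipeline template is assumed to do that).

```yaml
# Added example (not the post's own buildspec): one buildspec that creates the
# StackSet on the first run and updates it afterwards.
version: 0.2

env:
  variables:
    STACK_SET_NAME: aws-trendmicro-servicecatalog-portfolio
    STAGING_BUCKET: REPLACE_WITH_STAGING_BUCKET          # placeholder bucket name
    MANAGED_ACCOUNT_IDS: "111111111111 222222222222"     # placeholder account IDs
    MANAGED_REGIONS: "us-east-1 us-west-2"               # placeholder Regions

phases:
  pre_build:
    commands:
      # Fail the build before anything is staged if the portfolio template is malformed.
      - aws cloudformation validate-template --template-body file://aws-trendmicro-servicecatalog-portfolio.yaml
  build:
    commands:
      # Stage every template under a per-commit prefix so the StackSet always
      # references the exact revision that was reviewed and committed in CodeCommit.
      - PREFIX="trendmicro/${CODEBUILD_RESOLVED_SOURCE_VERSION}"
      - aws s3 sync . "s3://${STAGING_BUCKET}/${PREFIX}" --exclude ".git/*"
      - TEMPLATE_URL="https://${STAGING_BUCKET}.s3.amazonaws.com/${PREFIX}/aws-trendmicro-servicecatalog-portfolio.yaml"
      - STAGING_URL="https://${STAGING_BUCKET}.s3.amazonaws.com/${PREFIX}/"
      - |
        if aws cloudformation describe-stack-set --stack-set-name "$STACK_SET_NAME" >/dev/null 2>&1; then
          echo "StackSet exists: updating the template in every stack instance"
          aws cloudformation update-stack-set \
            --stack-set-name "$STACK_SET_NAME" \
            --template-url "$TEMPLATE_URL" \
            --parameters ParameterKey=S3StagingBucketURL,ParameterValue="$STAGING_URL" \
            --capabilities CAPABILITY_NAMED_IAM
        else
          echo "StackSet missing: creating it and its stack instances"
          aws cloudformation create-stack-set \
            --stack-set-name "$STACK_SET_NAME" \
            --template-url "$TEMPLATE_URL" \
            --parameters ParameterKey=S3StagingBucketURL,ParameterValue="$STAGING_URL" \
            --capabilities CAPABILITY_NAMED_IAM
          # Roll out one account at a time and stop on the first failure, so a
          # broken template never reaches every managed account in one operation.
          aws cloudformation create-stack-instances \
            --stack-set-name "$STACK_SET_NAME" \
            --accounts $MANAGED_ACCOUNT_IDS \
            --regions $MANAGED_REGIONS \
            --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
        fi
```

Both update-stack-set and create-stack-instances return as soon as the StackSet operation is accepted, which is why the validation steps above check the Operations tab in the StackSets console for a Succeeded status. The CodeBuild service role needs s3:PutObject on the staging bucket and the cloudformation StackSet actions used here, and nothing wider.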

Cleanup

To clean up your account after trying the solution outlined in this blog post, do the following:

  1. Log in to the AWS Service Catalog console of the AWS managed account as an end user.
  2. Navigate to the Provisioned product list page.
  3. Select the Trend Micro Deep Security Agent provisioned product that was deployed, and then choose Terminate provisioned product.
  4. Verify the provisioned product you want to delete, and then choose Terminate.

Conclusion

Customers combining DevOps practices with infrastructure as code in AWS can automate deployment and updates of an entire suite of products available in AWS Marketplace and reduce their time managing infrastructure. In this blog post I have demonstrated how customers can use Trend Micro products with DevOps automation in AWS for delineation of administration tasks as well as to automate visibility and control for workload security in their organization in AWS Organizations. I hope that you have found this solution helpful and welcome your feedback.

About the Author

Kanishk Mahajan

Kanishk is an ISV Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for our Independent Software Vendor partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.