Enhancing workload security using Trend Micro from AWS Marketplace in AWS Control Tower environment

Customers at all levels of cloud consumption are using AWS Control Tower to set up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use. Automation and centralized management across an AWS environment help organizations streamline their operations. Kishore, Devi, and I have heard from customers that they would like to integrate their cloud infrastructure with third-party solutions before deploying workloads. This week, it was announced that solutions integrated with AWS Control Tower are now available in AWS Marketplace. Trend Micro services on top of AWS Control Tower help you enhance your workload security and cloud security compliance posture. You can find and subscribe to third-party software offerings in AWS Marketplace.

Trend Micro’s solution integrates Trend Micro Cloud One™ – Workload Security and Trend Micro Cloud One™ – Conformity with AWS Control Tower. This includes native functionality, such as lifecycle events. You can now enable Trend Micro Cloud One services to detect all your existing AWS accounts. Additionally, you can automate detection of any new AWS account using Account Factory in your AWS Control Tower environment.

Trend Micro Cloud One™ – Workload Security helps you detect and protect against malware, vulnerability exploitation, and unauthorized changes to your containers as well as Windows and Linux systems. Trend Micro Cloud One™ – Conformity provides continuous assessments to enhance cloud compliance and security. The automated checks performed by Conformity work across multiple AWS accounts. They are based on the AWS Well-Architected Framework in addition to leading compliance frameworks such as NIST, CIS, PCI DSS, HIPAA, SOC 2, and GDPR.

In this post, we help you quickly find, try, and subscribe to the Trend Micro services in AWS Marketplace. We also show you how to automate the integration of Trend Micro software solutions using AWS Control Tower lifecycle events.

Overview of solution

When you launch one of the AWS CloudFormation stacks provided in the walkthrough section, it deploys one of the Trend Micro solutions. There are two separate CloudFormation stacks, one for Trend Micro Cloud One – Workload Security and one for Trend Micro Cloud One – Conformity. Whichever you launch, it retrieves a list of all AWS accounts in your environment and then integrates those accounts with the respective Trend Micro service. It also sets up the resources required to automatically register any newly created AWS Control Tower managed account with its respective Trend Micro service. Here is the workflow:

  1. An administrator logs in to AWS Control Tower master account and launches a new AWS account from Account Factory.
  2. Account Factory creates a new AWS account with the standard set of blueprints, which capture AWS best practices.
  3. AWS Control Tower generates a lifecycle event that includes the status of the operation and new account information.
  4. The lifecycle event triggers the lifecycle AWS Lambda function, which verifies the success state of the account creation operation.
  5. The lifecycle AWS Lambda function assumes a role in the new account and creates the cross-account role required for Trend Micro services to access the account.
  6. The API key stored securely in AWS Secrets Manager is retrieved and used to interact with the Trend Micro service portal.
  7. Finally, the new AWS account is registered with the respective Trend Micro service.

Refer to the following architecture diagram.
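The first two decisions the lifecycle Lambda function makes in steps 4 and 5 above are worth seeing in code: only a successful CreateManagedAccount event should trigger registration, and the cross-account role created in the new account should trust only the partner control-plane account. The following is an added illustration, not the Quick Start's own Lambda code; the event shape follows the AWS Control Tower lifecycle-event schema, the sample event is constructed, and the control-plane account id and external ID are placeholders (the Secrets Manager lookup and the Trend Micro API call are omitted).

```python
def new_account_from_event(event):
    """Return the account id from a successful CreateManagedAccount lifecycle
    event, or None for anything else (other source, other event name, or a
    FAILED/IN_PROGRESS state). Field names follow the Control Tower
    lifecycle-event schema delivered through CloudTrail/EventBridge."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower":
        return None
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")


def cross_account_trust_policy(control_plane_account_id, external_id):
    """Trust policy for the cross-account role created in the child account.
    Only the partner control-plane account may assume it, and only when it
    presents the agreed external ID (confused-deputy mitigation). Using an
    external ID here is an assumption of this illustration, not something the
    post states about the Quick Start."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{control_plane_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# Constructed sample event (shape only; the account id is a placeholder).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "account": {"accountName": "workload-dev", "accountId": "111122223333"},
                "state": "SUCCEEDED",
            }
        },
    },
}
```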

Prerequisites

For this walkthrough, you should have the following prerequisites:

Trend Micro Cloud One – Workload Security is available as both AMI and SaaS in AWS Marketplace. In this blog post, we discuss only the SaaS solution. Refer to the implementation guide for additional information on launching Trend Micro services in your own AWS account using AMI products.

Things to know

When you deploy the solutions listed above:

  • Cross-account access is granted to the account where the partner software product (a.k.a. the control plane) runs. The control plane runs in the partner's AWS account for SaaS offerings and in the customer's AWS account for AMI offerings.
  • Identity and Access Management (IAM) roles are created in the child accounts. You can review the IAM policies here for Trend Micro Cloud One – Workload Security and Trend Micro Cloud One – Conformity.
  • For the Conformity solution, you can also download the IAM policy to your own Amazon Simple Storage Service (Amazon S3) bucket, review it, and update the stack from there.

Solution walkthrough: Enhancing workload security using Trend Micro from AWS Marketplace in AWS Control Tower environment

In this section, we walk through the steps to quickly subscribe and deploy Trend Micro services in your AWS Control Tower environment.

Most of the instructions for deploying and integrating Trend Micro services with AWS Control Tower are identical for both solutions, so we show a single set of instructions and call out any differences. These are the steps involved:

  1. Find and subscribe to the Trend Micro services in AWS Marketplace.
  2. Collect API keys from Trend Micro web consoles.
  3. Deploy the solution by launching the CloudFormation stack provided.
  4. Verify your AWS accounts registered on Trend Micro web console.
  5. Create a new AWS Control Tower managed AWS Account and verify the new account in Trend Micro web console.

1. Find and subscribe

  • Log in to the AWS Marketplace console on your Audit account in your AWS Control Tower environment.
  • Choose the appropriate AWS Marketplace listing and subscribe:

For SaaS listings, you must complete the registration in the Trend Micro portal.

2. Collect API keys

  • For Trend Micro Cloud One – Workload Security service:
    • Use the credentials you created or used in step 1 and log in to the Cloud One Console.
    • Choose Administration.
    • In the left pane, under User Management, choose API Keys.
    • Choose New and follow the steps to generate a new secret key value.
    • Write down the secret key value, as you will use it in the next step.
  • For Trend Micro Cloud One – Conformity service:
    • Use the credentials you created in step 1 and log in to the Cloud Conformity Console at https://<your-registered-region>.cloudconformity.com/
    • At the top right, choose your name to show the drop-down menu, then select Settings.
    • In the left pane, choose API Keys.
    • Copy the API Key ID, as you will use it with your CloudFormation template.

3. Deploy Trend Micro Cloud One Solutions

  • Log in to your AWS Control Tower Master account as Administrator.
  • Go to the AWS Control Tower home Region, the Region where AWS Control Tower is deployed.
  • Launch the CloudFormation stack to deploy:
    • Trend Micro Cloud One – Workload Security
      https://console.aws.amazon.com/cloudformation#/stacks/new?templateURL=https://s3.amazonaws.com/aws-quickstart/quickstart-ct-trend-micro-cloud-one-workload-security/templates/trend-micro-cloud-one-workload-security-lifecycle.template.yaml&stackName=WorkloadLifeCycleHook
    • Trend Micro Cloud One – Conformity
      https://console.aws.amazon.com/cloudformation#/stacks/new?templateURL=https://s3.amazonaws.com/aws-quickstart/quickstart-ct-trend-micro-cloud-one-conformity/templates/trend-micro-cloud-one-conformity-lifecycle.template.yaml&stackName=ConformityLifeCycleHook
  • Type in the ApiKey that you captured in step 2.
  • Change the other parameters only if needed; this is uncommon.
  • Leave everything else as default. Choose Next until you are on the Review <StackName> page.
  • Scroll down and select the box next to I acknowledge that AWS CloudFormation might create IAM resources.
  • Choose Create stack. This takes about five minutes to complete.

4. Verify your accounts in the Trend Micro web console

  • Log in to your Trend Micro web console.
    • For Trend Micro Cloud One – Workload Security, use the credentials you created in step 1 Find and subscribe to log in to the Cloud One Console.
    • For Trend Micro Cloud One – Conformity, use the credentials you created in step 1 Find and subscribe to log in to the Cloud Conformity Console at https://<your-registered-region>.cloudconformity.com/.
  • Go to the dashboard and find your AWS accounts in the left sidebar. These accounts are added to your Trend Micro Cloud One web console automatically. Refer to the following screenshot to see the newly added accounts in the left sidebar for Trend Micro Cloud One – Workload Security.

Refer to the following screenshot to see the newly added accounts in the left sidebar for Trend Micro Cloud One – Conformity.

5. Create new AWS Account using Account Factory and verify

  1. To create a new AWS account in your AWS Control Tower environment, follow the steps in Create or Enroll An Individual Account. Account creation takes around 30 minutes.
  2. Log back in to the respective Trend Micro web console for your solution and verify the new account has been added to the Trend Micro service.

Cleaning up

Unless you decide to continue using the resources deployed as part of this walkthrough, delete them to avoid incurring future charges. To do that, delete the CloudFormation StackSet that you deployed in step 3, Deploy Trend Micro Cloud One Solutions.

Conclusion

In this post, we showed how to find and subscribe to Trend Micro solutions in AWS Marketplace that integrate with AWS Control Tower. We also showed how to integrate your existing AWS accounts and auto-register new accounts with Trend Micro services using AWS Control Tower lifecycle events. This integration provides automation to remove barriers to enable cloud excellence and governance.

AWS Control Tower establishes a baseline multi-account AWS environment that is secure, well-architected, and ready to use. AWS Control Tower customers can further enhance their workload security and cloud security compliance posture using the Trend Micro Cloud One – Workload Security and Trend Micro Cloud One – Conformity services.

If you want to get started on AWS or are in the process of building your landing zone, visit Getting Started with AWS Control Tower. This page offers guidance on building a well-architected AWS environment. You can subscribe to and integrate Trend Micro solutions with AWS Control Tower by visiting the security and operational intelligence solution pages and using the implementation guides that accompany these solutions.

Authors

Kishore Vinjam is a Senior Partner Solutions Architect focusing on AWS Service Catalog, AWS Control Tower, and AWS Marketplace. He is passionate about working in cloud technologies, and working with customers and building solutions for them. When not working, he likes to spend time with his family, hike, and play volleyball and ping-pong.
Devi Paulvannan Chapman is a Solutions Architect with Amazon Web Services. She enjoys working with customers to provide architectural and technical guidance on their cloud journey. Outside of work, she loves spending time outdoors rock climbing, hiking and traveling to new places.

Bryan Webster has worked in Systems Administration and Engineering roles supporting infrastructure and networking security for over 20 years, with a strong focus on VMware virtual infrastructure and public cloud since 2007.

Since joining Trend Micro in 2011, he has taken a role as Director of Architecture & Engineering, leading enterprise customers and partners to deploy comprehensive, agile security solutions for hybrid cloud infrastructures.