Deploy on AWS (per protected instance hour license)

View guide — HTML | PDF

To deploy Deep Security on AWS in less than an hour, follow the step-by-step instructions in the Quick Start deployment guide. You might also want to check out the AWS Quick Start for NIST high-impact controls, featuring Deep Security.

For additional Quick Starts, see the complete catalog.


This Quick Start automatically deploys Trend Micro Deep Security on AWS, using AWS services and best practices.

Trend Micro Deep Security is a host-based security product that provides Intrusion Detection and Prevention, Anti-Malware, Host Firewall, File and System Integrity Monitoring, Log Inspection, and Content Filtering modules in a single agent running in the guest operating system.

This Quick Start deploys Deep Security using AWS CloudFormation templates and offers two license models: Per Protected Instance Hour and Bring Your Own License (BYOL). You can also launch the Quick Start with either licensing option in the AWS GovCloud (US) Region.

The default configuration protects instances in the VPC where the Deep Security Manager is deployed. After deployment, you can modify your setup to protect instances across your entire AWS infrastructure.

  • What you'll build

    The Quick Start deploys Trend Micro Deep Security into an existing virtual private cloud (VPC) in your AWS account. Before you launch the Quick Start, you must create a VPC that has two private subnets in different Availability Zones, and one public subnet with an attached Internet gateway.

    The Quick Start deploys a Deep Security management cluster that includes the following components into the VPC you've set up:

    • In the public subnet, a Deep Security public elastic load balancer.
    • In the public subnet, Deep Security Manager instances.
    • In the private subnets, a highly available Deep Security database and its mirror.

    For details, see the Quick Start deployment guide.

  • Deployment details

    Deploy and configure your Trend Micro Deep Security environment on AWS in less than an hour:

    1. Set up your VPC.
    2. Subscribe to Deep Security, choosing the Per Protected Instance Hour or BYOL licensing option.
    3. Launch the Quick Start for the licensing option you selected.
    4. Log in to the Deep Security Manager console.
    5. Deploy agents to protect your instances.

    For complete details, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. The cost of the resources created by the Quick Start varies based on how many instances you want to protect. Prices are subject to change. See the pricing pages for each AWS service you will be using in this Quick Start for full details.

    Because this Quick Start uses AMIs from the AWS Marketplace, you must be subscribed to Trend Micro Deep Security for AWS Marketplace before you launch the Quick Start. There are two licensing options:  

    • Per Protected Instance Hour is a consumption-based option that allows you to pay hourly per protected instance. Your costs will be determined by the number of instances you are protecting each hour, and will show up on your AWS bill.
    • Bring Your Own License (BYOL) is a perpetual licensing option for organizations that prefer traditional procurement. Please contact Trend Micro for a license key at

    The Quick Start has been designed to support deployment of up to 2,000 protected instances. If you are protecting more than 2,000 instances, please contact for free assistance with additional deployment options.

    You can also launch the Quick Start in the AWS GovCloud (US) Region with either licensing option.