reference deployment

Deep Security on AWS

Automatically deploy and configure Trend Micro's security solution on the AWS Cloud

This Quick Start automatically deploys Trend Micro Deep Security on AWS, using AWS services and best practices.

Trend Micro Deep Security is a host-based security product that provides Intrusion Detection and Prevention, Anti-Malware, Host Firewall, File and System Integrity Monitoring, Log Inspection, and Content Filtering modules in a single agent running in the guest operating system.

This Quick Start deploys Deep Security using AWS CloudFormation templates and offers two license models: Per Protected Instance Hour and Bring Your Own License (BYOL). You can also launch the Quick Start with either licensing option in the AWS GovCloud (US) Region.

The default configuration protects instances in the VPC where the Deep Security Manager is deployed. After deployment, you can modify your setup to protect instances across your entire AWS infrastructure.


This Quick Start was developed by Trend Micro in collaboration with AWS. Trend Micro is an APN Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.

This Quick Start supports the AWS GovCloud (US) Region.
  •  What you'll build
  • The Quick Start deploys Trend Micro Deep Security into an existing virtual private cloud (VPC) in your AWS account. Before you launch the Quick Start, you must create a VPC that has two private subnets in different Availability Zones, and one public subnet with an attached internet gateway.

    The Quick Start deploys a Deep Security management cluster that includes the following components into the VPC that you have set up:

    • In the public subnet, a Deep Security public elastic load balancer.
    • In the public subnet, Deep Security Manager instances.
    • In the private subnets, a highly available Deep Security database and its mirror.

    The architecture built by this Quick Start supports AWS best practices for high availability and security:

    • The Amazon RDS database server used by the Deep Security Manager is deployed across two Availability Zones (where available), providing high availability at the database layer.
    • The AWS security groups created by the template are configured to only allow traffic that is required.




  •  How to deploy
  • To build your Trend Micro Deep Security environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at and set up your VPC. The VPC must have two private subnets in different Availability Zones, and one public subnet with an attached internet gateway.
    2. Subscribe to Deep Security, choosing the Per Protected Instance Hour or BYOL licensing option.
    3. Launch the Quick Start for the licensing option you selected. Each deployment takes less than an hour. You can choose from four options:
    4. Log in to the Deep Security Manager console.
    5. Deploy agents to protect your instances.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. The cost of the resources created by the Quick Start varies based on how many instances you want to protect. Prices are subject to change. See the pricing pages for each AWS service you will be using in this Quick Start for full details.

    Because this Quick Start uses AMIs from AWS Marketplace, you must be subscribed to Trend Micro Deep Security for AWS Marketplace before you launch the Quick Start. There are two licensing options:

    • Per Protected Instance Hour is a consumption-based option that allows you to pay hourly per protected instance. Your costs will be determined by the number of instances you are protecting each hour, and will show up on your AWS bill.
    • Bring Your Own License (BYOL) is a perpetual licensing option for organizations that prefer traditional procurement. Please contact Trend Micro for a license key at

    The Quick Start has been designed to support deployment of up to 2,000 protected instances. If you are protecting more than 2,000 instances, please contact for free assistance with additional deployment options.