Integrate Trend Cloud One with AWS CloudTrail

As per AWS documentation, AWS CloudTrail is a tool that monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

A successful integration of an AWS account in Trend Cloud One involves deployment of resources in your AWS account and configurations via the Trend Cloud One dashboard. These tasks, including the AWS CloudTrail integration and connecting it to your Trend Vision One tenant, can be automated using an AWS CloudFormation template.

Once the integration has been completed, you start receiving alerts on AWS CloudTrail events that trigger a detection model in Trend Vision One Workbench.

The following diagram depicts the integration architecture:

[Diagram: AWS CloudTrail integration architecture]

On the functional level, the following occurs:

  • A custom resource obtains the Trend Cloud One Account ID and Trend Cloud One region.
  • A custom resource completes the integration between the Trend Cloud One and Trend Vision One accounts.
  • All the required IAM resources for Trend Cloud One Workload Security are created.
  • A custom resource completes the integration between the AWS and Trend Cloud One Workload Security accounts.
  • The default Trend Cloud One CloudFormation stack is deployed.
  • A custom resource completes the integration between the AWS and Trend Cloud One accounts.
  • A custom resource obtains from Trend Cloud One backend the Token for AWS CloudTrail integration.
  • The default AWS CloudTrail CloudFormation stack is deployed.

Requirements

Before starting the integration, ensure that you have the following:

In addition, ensure that your AWS CloudFormation stack name contains no more than 8 characters. For example, CloudOne.

You must deploy the AWS CloudFormation stack to one of the following regions based on your Trend Cloud One account region:

Trend Cloud One Region Code    AWS Region Code
us-1                           us-east-1
in-1                           ap-south-1
gb-1                           eu-west-2
au-1                           ap-southeast-2
de-1                           eu-central-1
jp-1                           ap-northeast-1
sg-1                           ap-southeast-1
ca-1                           ca-central-1

Parameters

You must define the following parameters:

  • CloudOneApiKey - Trend Cloud One API key. For more information, see Requirements.
  • VisionOneServiceToken - Trend Vision One service token. For more information, see Requirements.
  • CreateNewTrail - Defines whether or not a new AWS CloudTrail should be created. Defaults to false, therefore you must enter the AWS S3 bucket name in the ExistingCloudtrailBucketName parameter. If set to true, a new trail and bucket are created, resulting in extra costs.
  • ExistingCloudtrailBucketName - Specify the name of an existing bucket that you want to use for forwarding to Trend Cloud One. Only used if CreateNewTrail is set to false.

There are a number of parameters whose default values should be accepted, unless you want to host the templates yourself, in which case QSS3BucketName should define the AWS S3 bucket hosting these templates and QSS3KeyPrefix should define the key prefix (path) of the root folder for the templates. For example, if the files are hosted in the bucket named my-bucket inside the trendmicro/onboarding folder, the QSS3BucketName value should be my-bucket and the QSS3KeyPrefix value should be trendmicro/onboarding.

  • QSS3BucketName - The AWS S3 bucket name for the deployment assets. The value can include numbers, lowercase letters, uppercase letters, and hyphens (-). The default value is cloudone-community.
  • QSS3KeyPrefix - The AWS S3 key prefix for the deployment assets. The value can include numbers, lowercase letters, uppercase letters, hyphens (-), dots (.), and forward slashes (/). The default value is "".

Deployment

To deploy via a Dashboard, launch an AWS CloudFormation stack.

To deploy via the CLI, execute the following:

#!/bin/bash
export BUCKET="your-cloudtrail-bucket"
export APIKEY="your-cloudone-apikey"
export TOKEN="your-visionone-enrollment-token"
# Key prefix (path) under which the templates are hosted; see the QSS3KeyPrefix parameter.
export HASH="your-template-key-prefix"
aws cloudformation create-stack \
  --stack-name common-onboard-test \
  --template-url https://aws-abi-pilot.s3.us-east-1.amazonaws.com/latest/cfnabi-trend-cloudone/templates/trend-cloudone-onboard/main.template.yaml \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
  --parameters \
    ParameterKey=ExistingCloudtrailBucketName,ParameterValue=$BUCKET \
    ParameterKey=CloudOneApiKey,ParameterValue=$APIKEY \
    ParameterKey=VisionOneServiceToken,ParameterValue=$TOKEN \
    ParameterKey=QSS3KeyPrefix,ParameterValue=$HASH/

If your deployment fails or you decide to remove the stack, all modifications, including any kind of account integration, are reverted to the predeployment state.
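The constraints stated in the Requirements and Parameters sections (stack name of at most 8 characters, the Trend Cloud One region to AWS region mapping, and the bucket name being mandatory when CreateNewTrail is false) can be checked before any create-stack call is made. The following pre-flight script is an added example and is not part of the Trend Micro template or documentation; the function names and argument order are the example's own.

```shell
#!/bin/bash
# Pre-flight checks for the Trend Cloud One onboarding stack (added example).
# Each check mirrors a constraint documented on this page.

# Map a Trend Cloud One region code to the AWS region the stack must be
# deployed in. Prints the AWS region; returns 1 for an unknown code.
aws_region_for_cloudone() {
  case "$1" in
    us-1) echo us-east-1 ;;
    in-1) echo ap-south-1 ;;
    gb-1) echo eu-west-2 ;;
    au-1) echo ap-southeast-2 ;;
    de-1) echo eu-central-1 ;;
    jp-1) echo ap-northeast-1 ;;
    sg-1) echo ap-southeast-1 ;;
    ca-1) echo ca-central-1 ;;
    *) return 1 ;;
  esac
}

# Validate the deployment inputs. Arguments:
#   $1 stack name, $2 Trend Cloud One region code, $3 target AWS region,
#   $4 CreateNewTrail (true/false), $5 ExistingCloudtrailBucketName
# Returns 0 when every check passes, 1 otherwise, reporting each failure.
preflight() {
  local stack="$1" c1_region="$2" aws_region="$3" new_trail="$4" bucket="$5"
  local ok=0 expected
  if [ "${#stack}" -gt 8 ]; then
    echo "stack name '$stack' is longer than 8 characters" >&2; ok=1
  fi
  if ! expected=$(aws_region_for_cloudone "$c1_region"); then
    echo "unknown Trend Cloud One region '$c1_region'" >&2; ok=1
  elif [ "$expected" != "$aws_region" ]; then
    echo "region $c1_region requires AWS region $expected, not $aws_region" >&2; ok=1
  fi
  if [ "$new_trail" = "false" ] && [ -z "$bucket" ]; then
    echo "CreateNewTrail is false, so ExistingCloudtrailBucketName is required" >&2; ok=1
  fi
  return "$ok"
}

# Usage: run the checks with the same values you intend to pass to create-stack.
# preflight "CloudOne" "us-1" "us-east-1" "false" "$BUCKET" && echo "pre-flight OK"
```

Run the checks with the same values you intend to pass to create-stack; a non-zero exit means at least one documented constraint would be violated.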

Required AWS Permissions and Resources

Lambda functions triggered as custom resources require the following permissions:

  • secretsmanager:GetSecretValue - Specific to the secrets created as part of this stack.
  • kms:Decrypt - Specific to the key created as part of this stack.
  • Managed Policy - AWSLambdaBasicExecutionRole.

In addition, a number of product-specific resources are required. For information, see the relevant Trend Cloud One documentation.

To deploy the stack, you need the following permissions:

  • Permissions to create, update, delete, and describe AWS CloudFormation stacks:

    • cloudformation:CreateStack
    • cloudformation:UpdateStack
    • cloudformation:DeleteStack
    • cloudformation:DescribeStacks
  • Permissions to create, update, and obtain the configuration of the Lambda function:

    • lambda:CreateFunction
    • lambda:UpdateFunctionCode
    • lambda:GetFunctionConfiguration
  • Permissions to create the IAM role for the Lambda function, as well as to attach and detach the policy to the role:

    • iam:ListAccountAliases
    • iam:CreateRole
    • iam:DeleteRole
    • iam:CreatePolicy
    • iam:PassRole
    • iam:AttachRolePolicy
    • iam:DetachRolePolicy
    • iam:DeleteRolePolicy
    • iam:PutRolePolicy
    • iam:GetRole
    • iam:GetRolePolicy
  • Permissions to create an Amazon CloudWatch logs group and stream, as well as write logs from the Lambda function to the Amazon CloudWatch logs:

    • logs:CreateLogGroup
    • logs:CreateLogStream
    • logs:PutLogEvents
  • Permissions to download the code from an AWS S3 bucket:

    • s3:GetObject
    • s3:GetBucketLocation
  • Permissions to create and trigger the custom resources:

    • lambda:InvokeFunction
    • lambda:CreateFunction
    • lambda:DeleteFunction
    • lambda:GetFunction
    • lambda:GetFunctionConfiguration
    • lambda:AddPermission
    • lambda:RemovePermission
    • lambda:UpdateFunctionCode
    • lambda:UpdateFunctionConfiguration