Integrate Workload Security with AWS Systems Manager Distributor

AWS Systems Manager Distributor allows you to securely store and distribute software packages in your accounts. By integrating this tool with Trend Cloud One Workload Security, you can distribute Trend Cloud One Workload Security agents across multiple platforms, control access to managed instances, and automate your deployments.

The following diagram depicts the integration architecture:

(Diagram: AWS SSM Automation)

Once integrated, the Trend Cloud One Workload Security agent is distributed to the member accounts of the targeted organizational units, in every AWS region that is enabled by default (opt-in regions are not covered).

Functionally, the following occurs:

  • The AWS CloudFormation template is deployed as a stack in the organization's management account.
  • A custom resource retrieves the Trend Cloud One Workload Security agent activation URL, manager URL, tenant ID, and token.
  • A custom resource enumerates the IDs of all organizational units in the AWS Organization.
  • On deployment, a StackSet deploys a stack instance into every AWS account under the provided organizational unit IDs, passing the agent parameters along.
  • Four parameters (activation URL, manager URL, tenant ID, and token) are created in AWS Systems Manager Parameter Store in each AWS region.
  • An AWS Systems Manager association runs on creation, and again on the schedule given by the CronJob parameter, deploying the Trend Cloud One Workload Security agent to every managed instance in the account (the association targets all instance IDs, ['*']).

Requirements

Before starting the integration, ensure that you have an API key for a Trend Cloud One account.

In addition, ensure that the following criteria are met:

  • Amazon EC2 instances have the AWS Systems Manager Agent (SSM Agent) installed. For supported platforms, see Supported operating systems.
  • Amazon EC2 instances have the required AWS Systems Manager permissions (an instance profile that allows the agent to register with and receive commands from Systems Manager). For more information, see Configure instance permissions for Systems Manager.
  • Be aware that StackSets do not deploy stack instances to the organization management account, even if that account is in your organization or in a targeted organizational unit, so this integration does not install the agent on instances in the management account. For more information, see DeploymentTargets.

Deployment

To deploy via the AWS Management Console, launch the AWS CloudFormation template in your organizationʼs management account, and then set the template parameters to the following values:

  • Stack settings

    • StackName - Specify the name for the AWS CloudFormation stack.

    • AccountAdminStatus - Specify whether the solution manages the software packages from the management account itself (SELF) or from a delegated administrator account within the organization (DELEGATED_ADMIN). The AWS CloudFormation StackSet IAM roles must be provisioned beforehand.

  • Targets - Specify the organizational units whose member accounts receive the agent.

  • Cloud One Workload Security

    • CloudOneAPIKey - Specify the API key for the Trend Cloud One account. For more information, see Requirements.

    • CloudOneRegionEndpoint - Specify the region endpoint of the Trend Cloud One account.

To deploy via the CLI, execute the following:

#!/bin/bash
set -eu

# Replace the angle-bracket placeholders before running. The API key is a
# credential: set it from a secret store or a 0600-permission file rather than
# typing it on the command line, so it does not land in shell history.
export STACK_NAME=ABI-TM-SSM
export TEMPLATE_URL=https://immersionday-workshopstrendmicro.s3.amazonaws.com/abi/main.template.yaml
export CLOUDONE_API_KEY=<cloudone-api-key>
export CLOUDONE_REGION_ENDPOINT=<cloudone-ws-region-endpoint>
export ACCOUNT_ADMIN_STATUS=<SELF|DELEGATED_ADMIN>
# Schedule on which the Systems Manager association re-runs (here: 10:15 UTC daily).
export CRON_JOB="cron(15 10 * * ? *)"

aws cloudformation create-stack \
  --stack-name "$STACK_NAME" \
  --template-url "$TEMPLATE_URL" \
  --parameters \
    ParameterKey=CloudOneAPIKey,ParameterValue="$CLOUDONE_API_KEY" \
    ParameterKey=CloudOneRegionEndpoint,ParameterValue="$CLOUDONE_REGION_ENDPOINT" \
    ParameterKey=AccountAdminStatus,ParameterValue="$ACCOUNT_ADMIN_STATUS" \
    ParameterKey=CronJob,ParameterValue="$CRON_JOB" \
  --capabilities CAPABILITY_NAMED_IAM

If the deployment fails, or you later delete the stack, all changes it made, including any account integration, are rolled back to the pre-deployment state.
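The CLI call above sends whatever values are in the environment straight to CloudFormation; a typo in AccountAdminStatus or CronJob only surfaces minutes later as a failed stack that is then rolled back. The following wrapper is an added example, not code from the page or from Trend Micro: it validates the parameter values locally, reads the API key from a file instead of the command line, creates the stack with the same parameter names as above, and waits for CloudFormation to settle, printing the failed resources and their reasons if it does not. The key-file convention, the validation rules and the RUN_DEPLOY switch are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the page or the vendor): a guarded wrapper around the
# create-stack call above. Stack name, template URL and parameter names are the
# page's; the key-file convention, validation rules and RUN_DEPLOY switch are
# this example's own assumptions.
set -eu

STACK_NAME="${STACK_NAME:-ABI-TM-SSM}"
TEMPLATE_URL="${TEMPLATE_URL:-https://immersionday-workshopstrendmicro.s3.amazonaws.com/abi/main.template.yaml}"
CRON_JOB="${CRON_JOB:-cron(15 10 * * ? *)}"

# AccountAdminStatus only accepts the two values the template documents.
validate_admin_status() {
  case "$1" in
    SELF|DELEGATED_ADMIN) return 0 ;;
    *) return 1 ;;
  esac
}

# CronJob must be a six-field cron(...) expression, the form Systems Manager
# association schedules use; rejects rate(...) and five-field Unix cron strings.
validate_cron() {
  local n
  case "$1" in
    "cron("*")") ;;
    *) return 1 ;;
  esac
  n=$(printf '%s\n' "$1" | sed 's/^cron(//; s/)$//' | awk '{ print NF }')
  [ "$n" -eq 6 ]
}

# Read the Trend Cloud One API key from a file instead of the command line, so
# it stays out of shell history and process listings. Warns if the file is
# readable by anyone other than its owner.
read_api_key() {
  local file="$1" key=""
  [ -r "$file" ] || { echo "cannot read key file: $file" >&2; return 1; }
  [ -z "$(find "$file" \( -perm -004 -o -perm -040 \))" ] ||
    echo "warning: $file is readable by group or others" >&2
  if ! IFS= read -r key < "$file" && [ -z "$key" ]; then
    echo "key file is empty: $file" >&2
    return 1
  fi
  printf '%s\n' "$key"
}

# Validate, create the stack, then block until CloudFormation settles. On
# failure, list the resources that failed and why, since the rollback the page
# describes otherwise leaves little to inspect.
deploy() {
  local api_key="$1" endpoint="$2" admin_status="$3"
  validate_admin_status "$admin_status" ||
    { echo "AccountAdminStatus must be SELF or DELEGATED_ADMIN" >&2; return 1; }
  validate_cron "$CRON_JOB" ||
    { echo "CronJob is not a cron(...) expression with six fields" >&2; return 1; }
  [ -n "$endpoint" ] || { echo "CloudOneRegionEndpoint is empty" >&2; return 1; }

  aws cloudformation create-stack \
    --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" \
    --parameters \
      ParameterKey=CloudOneAPIKey,ParameterValue="$api_key" \
      ParameterKey=CloudOneRegionEndpoint,ParameterValue="$endpoint" \
      ParameterKey=AccountAdminStatus,ParameterValue="$admin_status" \
      ParameterKey=CronJob,ParameterValue="$CRON_JOB" \
    --capabilities CAPABILITY_NAMED_IAM >/dev/null

  if ! aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"; then
    aws cloudformation describe-stack-events --stack-name "$STACK_NAME" \
      --query "StackEvents[?ends_with(ResourceStatus, 'FAILED')].[LogicalResourceId,ResourceStatusReason]" \
      --output table
    return 1
  fi
}

# Only talk to AWS when explicitly asked, so the functions above can be sourced
# and checked without credentials.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy "$(read_api_key "${CLOUDONE_API_KEY_FILE:?path to a file containing the API key}")" \
    "${CLOUDONE_REGION_ENDPOINT:?Trend Cloud One region endpoint}" \
    "${ACCOUNT_ADMIN_STATUS:?SELF or DELEGATED_ADMIN}"
fi
```

Run it as `CLOUDONE_API_KEY_FILE=~/.cloudone-key CLOUDONE_REGION_ENDPOINT=<endpoint> ACCOUNT_ADMIN_STATUS=SELF RUN_DEPLOY=1 ./deploy.sh` with the key file created at mode 0600; without RUN_DEPLOY=1 the script only defines the functions, which is how it can be sourced and checked offline.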

Required AWS Permissions and Resources

The Lambda functions created by the stack require the following permissions:

  • secretsmanager:GetSecretValue
  • organizations:ListOrganizationalUnitsForParent
  • organizations:ListRoots
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents

To deploy the stack, you need the following permissions:

  • Permissions to create, update, delete, and describe AWS CloudFormation stacks:
    • cloudformation:CreateStack
    • cloudformation:UpdateStack
    • cloudformation:DeleteStack
    • cloudformation:DescribeStacks
  • Permissions to create, update, delete, describe, and list AWS CloudFormation StackSets and stack instances:
    • cloudformation:CreateStackSet
    • cloudformation:CreateStackInstances
    • cloudformation:DescribeStackSet
    • cloudformation:UpdateStackSet
    • cloudformation:UpdateStackInstances
    • cloudformation:DeleteStackSet
    • cloudformation:DeleteStackInstances
    • cloudformation:ListStackInstances
  • Permissions to create, update, and obtain the configuration of the Lambda function:
    • lambda:CreateFunction
    • lambda:UpdateFunctionCode
    • lambda:GetFunctionConfiguration
  • Permissions to retrieve all organizational unit IDs in the organization:
    • organizations:ListRoots
    • organizations:ListOrganizationalUnitsForParent
  • Permissions to create the IAM role and policy for the Lambda function, attach the policy to the role, and delete role policies on teardown:
    • iam:CreateRole
    • iam:CreatePolicy
    • iam:AttachRolePolicy
    • iam:DeleteRolePolicy
  • Permissions to create an Amazon CloudWatch logs group and stream, as well as write logs from the Lambda function to the Amazon CloudWatch logs:
    • logs:CreateLogGroup
    • logs:CreateLogStream
    • logs:PutLogEvents
  • Permissions to download the Lambda code from an Amazon S3 bucket:
    • s3:GetObject
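Two things from this page are worth checking before launching the stack: that the deploying principal actually holds the permissions listed above, and (from the Requirements section) that the instances you expect to receive the agent are registered with Systems Manager, since the association can only reach managed instances. The script below is an added example, not from the page or from Trend Micro. It feeds the documented action list to IAM's policy simulator and diffs running EC2 instances against SSM's managed-instance inventory; the principal ARN, the RUN_PREFLIGHT switch and the constructed sample data used for offline checking are assumptions of the example.

```shell
#!/bin/bash
# Added example (not from the page or the vendor): pre-flight checks for the
# deploying principal's permissions and for SSM coverage of EC2 instances.
# The action list is the one documented on the page; DEPLOYER_ARN and the
# RUN_PREFLIGHT switch are this example's assumptions.
set -eu

# Actions the deploying principal needs, per "Required AWS Permissions" above.
DEPLOYER_ACTIONS="cloudformation:CreateStack cloudformation:UpdateStack \
cloudformation:DeleteStack cloudformation:DescribeStacks \
cloudformation:CreateStackSet cloudformation:CreateStackInstances \
cloudformation:DescribeStackSet cloudformation:UpdateStackSet \
cloudformation:UpdateStackInstances cloudformation:DeleteStackSet \
cloudformation:DeleteStackInstances cloudformation:ListStackInstances \
lambda:CreateFunction lambda:UpdateFunctionCode lambda:GetFunctionConfiguration \
organizations:ListRoots organizations:ListOrganizationalUnitsForParent \
iam:CreateRole iam:CreatePolicy iam:AttachRolePolicy iam:DeleteRolePolicy \
logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents s3:GetObject"

# Ask the IAM policy simulator which of those actions the principal may perform.
# Output is one "action<TAB>decision" line per action, where decision is
# allowed, implicitDeny or explicitDeny.
simulate_deployer() {
  local principal_arn="$1"
  # DEPLOYER_ACTIONS is intentionally word-split into separate arguments.
  aws iam simulate-principal-policy \
    --policy-source-arn "$principal_arn" \
    --action-names $DEPLOYER_ACTIONS \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text
}

# Read "action<TAB>decision" lines on stdin and print every action that is not
# allowed; empty output means the principal can deploy.
denied_actions() {
  awk -F'\t' '$2 != "allowed" { print $1 }'
}

# Running EC2 instance IDs in the current account and region.
running_instance_ids() {
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[].Instances[].InstanceId' --output text
}

# Instance IDs that SSM Agent has registered with Systems Manager, i.e. the only
# instances the association in this integration can reach.
managed_instance_ids() {
  aws ssm describe-instance-information \
    --query 'InstanceInformationList[].InstanceId' --output text
}

# Print the IDs from the first whitespace-separated list that are absent from
# the second: running instances without a working SSM Agent or instance profile.
unmanaged_instances() {
  local running="$1" managed id
  managed=" $(printf '%s' "$2" | tr '\t\n' '  ') "
  for id in $running; do
    case "$managed" in
      *" $id "*) ;;
      *) printf '%s\n' "$id" ;;
    esac
  done
}

# Live checks only when asked, so the helpers can be sourced and tested offline.
# Run once per account and region you expect the association to cover; the
# management account is skipped by StackSets and needs no coverage check.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  denied=$(simulate_deployer "${DEPLOYER_ARN:?ARN of the deploying user or role}" | denied_actions)
  if [ -n "$denied" ]; then
    echo "Deploying principal is missing these actions:"
    echo "$denied"
    exit 1
  fi
  missing=$(unmanaged_instances "$(running_instance_ids)" "$(managed_instance_ids)")
  if [ -n "$missing" ]; then
    echo "Running instances not managed by Systems Manager (will not receive the agent):"
    echo "$missing"
  fi
fi
```

The simulator call itself needs at least iam:SimulatePrincipalPolicy on the caller; it evaluates identity-based policies and permissions boundaries but cannot see the StackSet service roles, which is why the page says those must be provisioned beforehand. The coverage check is per account and region, matching how the association runs; an instance that is running but absent from describe-instance-information is exactly the case the Requirements section's SSM Agent and instance-permission criteria exist to prevent.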