Notifications

General

Manage connectors for sending notifications to customer-configured destinations.

A notification connector specifies where Trend Micro Cloud One^TM – Network Security should send messages to alert a user about specific conditions.

A notification type specifies the type of messages to send to a connector. For example, an "appliancehealth" notification type specifies messages related to the status of Network Security virtual appliances.

A connector type specifies the service specific to a cloud service provider to use for notifications for a connector. For example, an snsconnector type indicates the Amazon Simple Notification Service (SNS).

Amazon SNS

Follow these steps to ensure that Network Security can send notifications to your Amazon SNS topic.

Role

Create a role (or modify an existing role) in your account that Network Security can assume to publish messages to your SNS topic. Ensure the role has permission to publish messages.

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnsPublish",
      "Effect": "Allow",
      "Action": [
          "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-west-1:123456789012:MyTopic"
    }
  ]
} 

Replace the resource ARN above with the ARN for your SNS topic. Also, ensure the role has a trust policy that allows Network Security to assume the role.

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NetworkSecurityAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::737318609257:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "12345abc"
        }
      }
    }
  ]
} 

Please note that the account ID in the principal ARN is the Network Security AWS account ID. Replace the STS external ID with the same value you use to create a connector. This should be a non-trivial random value known only to you.

Topic Access Policy

The SNS topic used by Network Security should allow the role above to publish messages.

 {
  "Sid": "NetworkSecurityPublish",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::123456789012:assumed-role/MyRole/<Notification Type>"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-west-1:123456789012:MyTopic"
} 

Replace the account ID and role name in the principal ARN with the values for the role created above. The <Notification Type> in the principal ARN should match the notification type used in the corresponding notification connector. For example, "appliancehealth".