CloudFormation template for Trend Micro Cloud One Workload Security Events - Amazon SNS Integration with Amazon CloudWatch Logs
Step 1: Create a Cloud One Workload Security API Key. Refer to the Workload Security documentation for steps to create this API key - https://cloudone.trendmicro.com/docs/workload-security/api-send-request/#create-an-api-key
Step 2: Run the CloudFormation template workloadsecurity-events-aws-sns-cloudformation.json
The CloudFormation template creates the following resources -
-
Amazon SNS Topic
- Workload Security sends security events from various Workload Security modules, like System, Anti-Malware, Web Reputation, Application Control, Integrity Monitoring, Log Inspection, Firewall and Intrusion Prevention (IPS) events.
- SNS Messages are encrypted with the Default AWS Managed key (AWS-CMK) for SNS (
arn:aws:kms:<AWS::Region>:<AWS::AccountId>:alias/aws/sns
).
-
AWS Lambda Function (C1WSLambdaSnsS3Writer)
- Compute to read Amazon SNS messages and write the security events to Amazon S3 bucket.
- Can be used to action auto-remediation tasks within the environment. Some use-cases may be included in this code repository.
-
Amazon S3 Bucket
- Storage location for security events.
- Can be queried with Amazon Athena.
- Objects are encrypted by default with the Default SSE-S3 encryption.
- Objects can only be accessed via HTTPS.
-
IAM User
- Creates an IAM User for Workload Security to post to SNS Topic.
-
IAM User Access Key
- Required. Access and secret keys for the IAM User to authenticate AWS API calls.
- Access and secret keys are never shared in the CloudFormation Outputs section and sent directly to Workload Security using APIs.
-
AWS IAM Policy for SNS
- Permissions for the IAM User to publish to the SNS Topic.
-
AWS Lambda Function (C1WSConfigureSIEMLambdaFunction)
- Configuration logic to call Workload Security APIs and configure Workload Security for SNS Event Forwarding.
- You can see the configuration on the Workload Security Console: Administration > System Settings > Event Forwarding
-
Custom CloudFormation Resource (CloudOneWorkloadSecurityConfigResource)
- Runs the configuration logic during Create and Update Stack to populate the following fields on the Workload Security console.
- SNS Topic Arn
- Access key and
- Secret key
- Runs the configuration logic during Create and Update Stack to populate the following fields on the Workload Security console.
-
AWS IAM Role for Lambda functions
- Use the AWS Managed Policy "AWSLambdaBasicExecutionRole" for AWS Lambda.
-
AWS IAM Policy for Lambda Service
- Permissions for the Lambda functions to write to the created S3 bucket.
GitHub Repository Name | Description |
---|---|
cloudOneWorkloadSecurityDemo | Run an attack simulation on your workload to test policy events and alerts |
WorkloadSecurityConnector-AWS | Automation scripts to setup the AWS Connector on Trend Micro Cloud One Workload Security / Deep Security (On-Prem on AWS) |
If you encounter a bug or think of a useful feature, or find something confusing in the docs, please Create a New Issue
PS.: Make sure to use the Issue Template
We ❤️ pull requests. If you'd like to fix a bug or contribute to a feature or simply correct a typo, please feel free to do so.
If you're thinking of adding a new feature, consider opening an issue first to discuss it to ensure it aligns to the direction of the project (and potentially save yourself some time!).