Trend Micro Cloud One – Conformity AWS Control Tower Integration on AWS
Partner Solution Deployment Guide

August 2023
Geoff Baskwill and Bryan Webster, Trend Micro
Kishore Vinjam, AWS Marketplace team
Shivansh Singh, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.
This Partner Solution was created by Trend Micro in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.
Overview
This guide covers the information you need to deploy the Trend Micro Cloud One – Conformity AWS Control Tower Integration Partner Solution in the AWS Cloud.
This Partner Solution is for users who want to improve security and compliance posture for AWS infrastructure through automated checks and clear remediation steps. For more information, refer to Trend Cloud One Conformity.
Costs and licenses
This Partner Solution requires a subscription to the SaaS offering for Conformity, which is available from AWS Marketplace. Additional pricing, terms, and conditions may apply.
In addition to the SaaS offering subscription, you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.
Architecture
Deploying this Partner Solution with default parameters builds the following Conformity environment in the AWS Cloud.

As shown in Figure 1, this Partner Solution sets up the following:
- An administrator enrolls a new or existing AWS account in AWS Control Tower, generating a lifecycle event.
- The lifecycle event uses an Amazon EventBridge rule to invoke an AWS Lambda function.
- The Lambda function creates an AWS Identity and Access Management (IAM) cross-account role in the newly created AWS account.
- The Lambda function queries AWS Secrets Manager for the API key secrets that are used to authenticate with the Conformity endpoint.
- The Lambda function registers the new AWS account with the Conformity endpoint.
Deployment options
This Partner Solution provides the following deployment option:
- Deploy Conformity. This option provisions Conformity in the management account of your AWS Control Tower environment.
This Partner Solution also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Conformity settings.
Predeployment steps
Subscribe to Conformity
This Partner Solution requires a subscription to the SaaS offering for Conformity in AWS Marketplace.
- Sign in to your AWS account.
- Open the page for the Conformity SaaS offering in AWS Marketplace, and then choose Continue to Subscribe.
- Choose the contract duration, provide the renewal settings, select the contract options to be activated with your contract, and choose Create contract.
- You are prompted to confirm the contract. If you agree to the pricing, choose Pay Now. You are redirected to the Conformity portal.
- In the Conformity portal, continue to create your account. Choose the Region in which to host your data. Most organizations choose the Region closest to the majority of their workloads. Some other organizations may have compliance requirements that affect their Region choice.
- After your account is created, log in. On the Conformity home page, choose the Conformity tile. Skip the wizard that prompts you to add your first AWS account; the AWS Control Tower integration adds the account for you.
  The process of adding current and future AWS Control Tower accounts to the Conformity console is automated.
- In the Conformity console, choose the arrow next to your name in the top-right corner. Then choose User settings > API Keys from the left navigation and create a new API key. Ensure you save this string, as it cannot be retrieved later. This key is used to authenticate the automation from the AWS Control Tower management account to the Conformity API. For more information about generating an API key, refer to the Conformity documentation.
Deployment steps
- Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.
- Choose the correct AWS Region, and then choose Next.
- On the Create stack page, keep the default setting for the template URL, and then choose Next.
- On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.
  Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.
- On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.
- On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.
- Choose Create stack. The stack takes about 15 minutes to deploy.
- Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Trend Micro Cloud One – Conformity AWS Control Tower Integration deployment is ready.
- To view the created resources, choose the Outputs tab.
Postdeployment steps
Test the deployment
After the AWS CloudFormation stack completes successfully, return to the Conformity console. Confirm that your accounts are imported and that the Conformity bot has started scanning your AWS accounts to alert you about any misconfigurations or posture concerns.
As a best practice for scanning your AWS accounts, prioritize high-severity findings for investigation and remediation.
Also keep the Conformity role up-to-date. The Conformity bot is continuously improved to enhance visibility or add coverage for new AWS services. Sometimes, a new IAM permission is required for the role in each protected account. To update the role, modify the CloudFormation stack using the template URL provided in the Deployment steps section. The role is updated to the most recent version in all current and future enrolled accounts.
Cleanup
To remove the AWS Control Tower lifecycle hook, identify and delete the CloudFormation stack. Managed accounts that have already been added remain protected. Refer to the Conformity documentation for details about removing an account subscription.
If you want to remove protection for all managed accounts, send a remove_all invocation event to the lifecycle hook before deleting the CloudFormation stack. Follow these steps:
- Log in to the AWS Management Console for your organization’s AWS Control Tower management account.
- Open the CloudFormation console.
- Locate the ConformityLifeCycleHook stack, and open the Resources tab.
- On the LifecycleEventHandler row, locate the Type value AWS::Lambda::Function. Choose the link to open the AWS Lambda console for the function.
- In the Lambda function console, open the Test tab and create a new event with the following event payload:
  {"InvokeAction":"remove_all"}
- Choose Invoke to trigger the lifecycle hook with the remove_all event payload.
Verify that the removal has been triggered for each account in your organization by reviewing the output logs.
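The dispatch logic of the lifecycle handler described in the Architecture section, together with the remove_all test invocation above, as an added example (not the Partner Solution's own Lambda code): a Control Tower lifecycle event is acted on only when its enrollment state is SUCCEEDED, and the Conformity registration and removal calls are passed in as callables (a hypothetical interface standing in for the Secrets Manager lookup and Conformity API calls).

```python
from typing import Callable, Optional

# Control Tower lifecycle events (delivered via CloudTrail) that enroll an
# account, mapped to the key holding their status in serviceEventDetails.
ENROLL_EVENTS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}

def account_from_lifecycle_event(event: dict) -> Optional[str]:
    """Return the enrolled account ID, or None when the event is not a
    successful Control Tower enrollment (wrong source, other event name,
    or a FAILED state, which must not trigger cross-account role creation)."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    status_key = ENROLL_EVENTS.get(detail.get("eventName"))
    if status_key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")

def handle_event(event: dict, register: Callable[[str], None],
                 remove_all: Callable[[], int]) -> str:
    """Dispatch one Lambda invocation; returns a short action string for the logs.
    register / remove_all stand in for the Conformity API calls (hypothetical)."""
    # Manual cleanup invocation from the Lambda Test tab: {"InvokeAction": "remove_all"}
    if event.get("InvokeAction") == "remove_all":
        return f"removed {remove_all()} accounts"
    account_id = account_from_lifecycle_event(event)
    if account_id is None:
        return "ignored"
    register(account_id)
    return f"registered {account_id}"

# Constructed sample of a successful CreateManagedAccount lifecycle event.
SAMPLE_CREATE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "account": {"accountName": "workload-1", "accountId": "111122223333"},
            "state": "SUCCEEDED"}},
    },
}
```

Every ignored or failed event still deserves a log line, because a FAILED enrollment that silently produces no Conformity registration is exactly the gap the output-log review in the cleanup step is meant to catch.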
Self-host the Partner Solution content
If you want to ensure that the code you review is the code that you deploy, you can self-host the Partner Solution content. Follow these steps:
- Create an S3 bucket in the Region where AWS Control Tower is deployed. The bucket can belong to any AWS account, as long as your AWS Control Tower management account can access the content.
  If your bucket is not in the same Region where AWS Control Tower is deployed, the stack deployment will fail.
- Copy the CloudFormation template into your bucket using the quickstart-ct-trend-micro-cloud-one-conformity/templates/Trend-Micro-Cloud-One-Conformity-Lifecycle-QS.yaml key.
- Copy the Lambda function deployment package into your bucket. You can choose your own prefix, but the object path must end in functions/packages/c1c-controltower-lifecycle.zip (example: quickstart-ct-trend-micro-cloud-one-conformity/functions/packages/c1c-controltower-lifecycle.zip). Use the AWS command-line interface to copy the content:
  aws s3 cp --recursive \
    s3://aws-quickstart-us-east-1/quickstart-ct-trend-micro-cloud-one-conformity \
    s3://<your-bucket>/quickstart-ct-trend-micro-cloud-one-conformity
  In this example, the S3 key prefix value is the default quickstart-ct-trend-micro-cloud-one-conformity/ value.
- Review the content according to your organization’s preferred practices. You can read the details of the CloudFormation stack to see what it creates and the properties of each resource. You can also learn about the Lambda function by reading its source code.
- Using the URL to the template, launch the CloudFormation stack in the same Region where AWS Control Tower is deployed. Replace the default parameter value for the S3 bucket name with the name of your bucket. Also replace the S3 key prefix with the name of the prefix in the bucket where the content is stored.
  If you deploy the stack in a different Region than AWS Control Tower, the lifecycle function will not receive events when new accounts are created or removed and will not automatically add or remove accounts in Conformity.
Best practices for using Conformity on AWS
Follow these best practices:
- Configure SAML to manage access to your Conformity account. For more information, refer to the Conformity documentation.
- Configure notifications to security teams for high-severity violations through integrations like PagerDuty or Amazon SNS. For more information, refer to the Conformity documentation.
- Distribute responsibility for account remediation and visibility to account owners by configuring integrations with tools like Zendesk and ServiceNow for operations teams, or Jira and Slack for development teams.
- Configure custom profiles to tailor monitoring for your security policy or individual accounts. Engage account owners to determine if specific frameworks like Service Organization Control 2 (SOC 2) or PCI should be included in evaluation. For more information, refer to the Conformity documentation.
Troubleshooting
Q. Where can I get further help with the Conformity solution?
A. See the FAQ at https://www.cloudconformity.com/frequently-asked-questions.html.
Q. How do I contact Trend Micro?
A. See the Conformity contact page.
For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.
Customer responsibility
After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.
Feedback
To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:
Notices
This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.