The CheckResourceExistence Lambda function is deployed as part of the Trend Vision One CloudFormation stack. This function verifies the existence of AWS resources during
stack operations.
To ensure security, the function's IAM policy restricts destructive permissions (such
as Delete, Detach, and Untag actions) to resources that meet specific conditions.
This prevents the function from accidentally modifying or deleting resources that
do not belong to Trend Vision One.
Security conditions for destructive permissions
The CheckResourceExistence Lambda function can only perform destructive actions on
resources that meet one of the following conditions:
- Resource tagging: The resource has the TrendMicroProduct tag.
- Naming pattern: The resource name or ARN contains one of the following strings: VisionOne, Vision-One, vision-one, TrendMicro, or /V1CS/ (for AWS Secrets Manager resources).
If a resource does not meet either condition, the CheckResourceExistence Lambda function
cannot perform destructive actions on it.
Affected AWS services and actions
The following table lists the AWS services and the restricted actions that require
the security conditions:
| AWS Service | Restricted Actions |
| --- | --- |
| IAM | |
| Lambda | |
| S3 | |
| CloudWatch Logs | |
| SQS and EventBridge | |
| Secrets Manager | DeleteSecret |
| Step Functions | DeleteStateMachine, UntagResource |
| ECR | DeleteRepository, UntagResource |
| CodeBuild | DeleteProject |
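The following is an added illustration, not Trend Micro's actual policy or code: it models the two scoping conditions described above (TrendMicroProduct tag present, or name/ARN containing one of the listed strings) as a local check a reviewer can unit-test, and emits the IAM statement shape that expresses the same rule (a Null condition on aws:ResourceTag for the tag case, ARN wildcards for the naming case). The action list is taken from the rows of the table above that survived extraction; the exact statement layout, the assumption that these services honor aws:ResourceTag for the listed actions, and the sample ARNs are assumptions made for the example.

```python
"""Constructed model of tag-or-name scoping for destructive IAM actions.

This is an illustrative example, not the Trend Vision One stack's own policy.
It mirrors the documented rule: a destructive action is permitted only when the
target resource carries the TrendMicroProduct tag or its name/ARN contains one
of the documented substrings (/V1CS/ counting only for Secrets Manager).
"""
import json

TAG_KEY = "TrendMicroProduct"
NAME_PATTERNS = ["VisionOne", "Vision-One", "vision-one", "TrendMicro"]
SECRETS_MANAGER_PATTERNS = ["/V1CS/"]

# Destructive actions per service, from the table rows on the page that list them.
DESTRUCTIVE_ACTIONS = {
    "secretsmanager": ["secretsmanager:DeleteSecret"],
    "states": ["states:DeleteStateMachine", "states:UntagResource"],
    "ecr": ["ecr:DeleteRepository", "ecr:UntagResource"],
    "codebuild": ["codebuild:DeleteProject"],
}


def arn_service(arn):
    """Return the service segment of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def name_matches(arn):
    """Naming-pattern condition: ARN contains one of the documented substrings."""
    patterns = list(NAME_PATTERNS)
    if arn_service(arn) == "secretsmanager":
        patterns += SECRETS_MANAGER_PATTERNS
    return any(p in arn for p in patterns)


def destructive_action_allowed(action, arn, tags):
    """Local evaluation of the documented rule for one action/resource pair.

    `tags` is the resource's tag map (key -> value); only the key's presence
    matters, as the page does not specify a required value.
    """
    service = action.split(":")[0]
    if action not in DESTRUCTIVE_ACTIONS.get(service, []):
        raise ValueError(f"{action} is not a modelled destructive action")
    if service != arn_service(arn):
        return False  # action and resource belong to different services
    return TAG_KEY in tags or name_matches(arn)


def build_policy_statements():
    """Emit the assumed two-statement shape per service.

    Statement 1: allow the actions when the tag key exists (Null == "false"
    means "the tag is present", any value).
    Statement 2: allow the actions on ARNs matching the naming substrings.
    """
    statements = []
    for service, actions in DESTRUCTIVE_ACTIONS.items():
        patterns = list(NAME_PATTERNS)
        if service == "secretsmanager":
            patterns += SECRETS_MANAGER_PATTERNS
        statements.append({
            "Effect": "Allow",
            "Action": actions,
            "Resource": "*",
            "Condition": {"Null": {f"aws:ResourceTag/{TAG_KEY}": "false"}},
        })
        statements.append({
            "Effect": "Allow",
            "Action": actions,
            # IAM's "*" may span ARN segments, so this is a substring match on the ARN.
            "Resource": [f"arn:aws:{service}:*:*:*{p}*" for p in patterns],
        })
    return statements


def build_policy_document():
    return json.dumps({"Version": "2012-10-17", "Statement": build_policy_statements()}, indent=2)


if __name__ == "__main__":
    # Constructed sample ARNs (not real account resources).
    print(destructive_action_allowed(
        "secretsmanager:DeleteSecret",
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:/V1CS/api-key-AbCdEf", {}))
    print(build_policy_document())
```

The local evaluator is only a model of the rule for review and unit tests; the authoritative decision is always made by IAM against the deployed policy, so validate the real policy with the IAM policy simulator before relying on it.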
Non-conditional permissions
The CheckResourceExistence Lambda function also has the following permissions that
do not require the security conditions:
- Logging permissions: CreateLogGroup, CreateLogStream, PutLogEvents
- IAM read-only permissions: GetRole, GetRolePolicy, GetPolicy, GetPolicyVersion, ListAttachedRolePolicies, ListRolePolicies, ListPolicyVersions
- CloudFormation operations: DescribeStacks, DescribeStackResources
These permissions allow the function to perform standard logging, read IAM configurations,
and interact with CloudFormation stacks without restrictions.
