Quickly add your accounts to the Cloud Accounts app by connecting your AWS Organization.

Cloud Accounts supports adding accounts managed by your AWS Organization by deploying features to the root account or organizational unit (OU) level. Adding your AWS Organization to Cloud Accounts provides a quick way to allow Trend Vision One access to your managed cloud accounts to provide security and visibility into your cloud assets. Some Cloud Account features have limited support for AWS regions. For more information, see AWS supported regions and limitations.

AWS Organization pre-requisites and deployment details

Before connecting an AWS Organization with Trend Vision One, review the pre-deployment requirements to ensure a successful connection.

Before you begin, consider the following:
  • The Cloud Accounts app currently only supports connecting AWS organizations using the CloudFormation stack template.
  • You must have access to a sign-in or user role with administrator privileges, including permissions to create and manage AWS CloudFormation stack sets for the AWS Organization you wish to connect. For more information, see AWS CloudFormation StackSets and AWS Organizations.
  • Adding an AWS organization forces accounts managed by that organization to apply the same settings configured for the entire organization. Settings cannot be modified for individual accounts added as part of an organization.
    To apply different configurations to individual accounts managed by an AWS organization, you must add those accounts separately. Either add the accounts before adding your AWS organization, or use the OrganizationExcludedAccounts parameter to exclude those accounts from the stack deployment.
  • Due to limitations of AWS, StackSets does not deploy resources to your management account. To add your management account, see Connect an AWS account using CloudFormation.
Trend Vision One uses the following rule structure to populate the names of AWS accounts that were added as part of an AWS organization:
  1. AWS account alias: If the AWS account has an AWS account alias, then that is used as the account display name in the Cloud Accounts app. An account alias is a name assigned to an AWS account instead of using the 12-digit account ID.
  2. Organization AWS account name: If the account does not have an account alias, then the AWS account name is used. Trend Vision One does an organization genealogy database lookup to retrieve the account name from the AWS Organizations hierarchy.
    Note
    AWS account aliases differ from AWS account names in two key ways:
    • Aliases are optional, while account names are required.
    • Account names are used within AWS Organizations for organizational structure, whereas aliases uniquely identify an individual AWS account regardless of its organization.
  3. User-provided account name: If the account does not have an account alias, and no Organization account name is found, then Trend Vision One retries the organization lookup and attempts to detect the fallback format {user-input}-{aws-account-id}, in which the user who created the account provided an account name that includes the AWS account ID.
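The precedence above, modelled as an added example (not Trend Vision One's own code): a small Python resolver that applies the three rules in order, including the single retry of the organization lookup and the check that a fallback-format name carries this account's own ID. The lookup callable, the sample aliases and the lookup responses are constructed for the illustration; treating an account with no usable name as unresolved and showing its raw ID is an assumption, not documented behaviour.

```python
import re

# 12-digit AWS account ID.
ACCOUNT_ID_RE = re.compile(r"\d{12}")
# The fallback format named in rule 3: {user-input}-{aws-account-id}
FALLBACK_NAME_RE = re.compile(r"(?P<user_input>.+)-(?P<account_id>\d{12})")

# Constructed sample data for the illustration; these are not real accounts.
SAMPLE_ALIASES = {
    "111111111111": "payments",            # has an AWS account alias
}

# Per-account sequence of answers the organization lookup gives on successive
# calls; None models "no account name found" for that attempt.
SAMPLE_ORG_LOOKUP_RESPONSES = {
    "111111111111": ["payments-prod"],                # never consulted: alias wins
    "222222222222": ["data-platform"],                # found on the first lookup
    "333333333333": [None, "sandbox-333333333333"],   # found on retry, fallback format
    "444444444444": [None, "team-999999999999"],      # retry name carries another account's ID
    "555555555555": [None, None],                     # nothing found either time
}


def make_org_lookup(responses):
    """Return a lookup(account_id) callable that replays the constructed responses."""
    calls = {}

    def lookup(account_id):
        attempt = calls.get(account_id, 0)
        calls[account_id] = attempt + 1
        answers = responses.get(account_id, [])
        return answers[attempt] if attempt < len(answers) else None

    return lookup


def resolve_display_name(account_id, alias, org_lookup):
    """Apply the three naming rules in order; return (display_name, rule_applied)."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")

    # Rule 1: an account alias always wins.
    if alias:
        return alias, "alias"

    # Rule 2: the account name from the AWS Organizations hierarchy.
    name = org_lookup(account_id)
    if name:
        return name, "organization-name"

    # Rule 3: retry the lookup once and accept a name only if it is in the
    # {user-input}-{aws-account-id} form and the ID is this account's own.
    name = org_lookup(account_id)
    if name:
        match = FALLBACK_NAME_RE.fullmatch(name)
        if match and match.group("account_id") == account_id:
            return name, "user-provided"

    # Assumption (not documented on the page): with no usable name, show the raw ID.
    return account_id, "unresolved"


def resolve_all(aliases, responses):
    """Resolve every account in the sample; returns {account_id: (name, rule)}."""
    lookup = make_org_lookup(responses)
    return {acct: resolve_display_name(acct, aliases.get(acct), lookup) for acct in sorted(responses)}


if __name__ == "__main__":
    for acct, (name, rule) in resolve_all(SAMPLE_ALIASES, SAMPLE_ORG_LOOKUP_RESPONSES).items():
        print(f"{acct}  {name:24s}  via {rule}")
```

The `444444444444` case is the one worth noticing: a retried lookup can return a name that looks like the fallback format but embeds a different account's ID, and the resolver refuses it rather than mislabelling the account.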


Connect an AWS Organization

Complete the steps to connect an AWS organization to Trend Vision One.
Note
The steps are valid for the AWS console as of November 2023.

Procedure

  1. Sign in to the Trend Vision One console.
  2. In a separate browser tab, sign into your AWS organization account.
  3. In the Trend Vision One console, go to Cloud Security > Cloud Accounts > AWS.
  4. Click Add Account.
    The Add AWS Account window appears.
  5. Specify the Deployment Type.
    1. For Deployment Method, select CloudFormation.
    2. Select the account type:
      • Single AWS Account
    3. Click Next.
  6. Specify general information for the organization:
    1. Provide an Account name and Description to display in Cloud Accounts.
      Once the AWS Organization is added, all member accounts without a previously specified alias in AWS receive an automatically generated name in the Cloud Accounts app.
    2. Select the AWS region for CloudFormation template deployment.
      Note
      The default region is your Trend Vision One region.
      Some features and permissions have limited support for some AWS regions. For more information, see AWS supported regions and limitations.
    3. If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected account.
      Note
      If you have one Server & Workload Protection Manager instance, the account is automatically associated with that instance.
    4. To add custom tags to the resources deployed by Trend Vision One, select Resource tagging and specify the key-value pairs.
      To add up to three tags, click Create a new tag.
      Note
      • Keys can be up to 128 characters long, and cannot start with aws.
      • Values can be up to 256 characters long.
    5. Click Next.
  7. Configure the Features and Permissions you want to grant access to your cloud environment.
    Important
    • Agentless Vulnerability & Threat Detection is a pre-release feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release disclaimer before using the feature.
    • If you want to use Cloud Detections for Amazon Security Lake to monitor your organization, you must configure an account within your organization to collect logs from other managed accounts. Connect your Security Lake account to Trend Vision One before connecting your organization account.
    • Cloud Response for AWS requires that you enable Cloud Detections for AWS CloudTrail monitoring for your AWS account, which you can do by:
      • Individual AWS account: Enable Cloud Detections for AWS CloudTrail for the AWS account.
      • AWS Organization: Enable Cloud Detections for AWS CloudTrail and select the AWS Control Tower deployment checkbox, or enable Cloud Detections for Amazon Security Lake with CloudTrail log monitoring enabled.
    • As of November 2023, AWS private and freemium accounts allow up to 10 Lambda executions. Container Protection deployment requires at least 20 concurrent Lambda executions. Please verify your AWS account status before enabling this feature.
    • Only the features and permissions listed here support deployment to organization managed accounts. If you want to enable additional features and permissions on an account, you must connect the account individually before connecting the organization account.
    • Core Features and Cyber Risk Exposure Management: Connect your AWS account to Trend Vision One to discover your cloud assets and rapidly identify risks such as compliance and security best practice violations in your cloud infrastructure.
    • Agentless Vulnerability & Threat Detection: Deploy Agentless Vulnerability & Threat Detection in your cloud account to scan for vulnerabilities and malware in supported cloud resources with zero impact to your applications.
      Click Scanner Configuration to choose the resource types to scan and whether to scan for vulnerabilities, malware, or both.
    • Container Protection for Amazon ECS: Deploy Trend Vision One Container Security in your AWS account to protect your containers and container images in Elastic Container Service (ECS) environments. Trend Vision One Container Security uncovers threats and vulnerabilities, protects your runtime environment, and enforces deployment policies.
    • Cloud Response for AWS: Allow Trend Vision One permission to take response actions to contain incidents within your cloud account, such as revoking access for suspicious IAM users. Additional response actions leverage integration with third party ticketing systems.
    • Real-Time Posture Monitoring: Deploy Real-Time Posture Monitoring in your AWS account to provide live monitoring with instant alerts for activities and events within your cloud environment.
    • Cloud Detections for AWS VPC Flow Logs: Deploy to collect your Virtual Private Cloud (VPC) flow logs, enabling Trend Vision One to gather insight into your VPC traffic, with detection models to identify and provide alerts on malicious IP traffic, SSH brute force attacks, data exfiltration, and more. Review Cloud Detections for AWS VPC Flow Logs recommendations and requirements before enabling the feature.
      Select the AWS regions you want to deploy the feature to.
      Important
      XDR for Cloud only supports monitoring VPC Flow Logs version 5 or later. For more information, see Cloud Detections for AWS VPC Flow Logs recommendations and requirements.
  8. Click Next.
  9. Launch the CloudFormation template in the AWS console.
    1. To review the stack template before launching, click Download and Review Template.
    2. Click Launch Stack.
      The AWS management console opens in a new tab and displays the Quick Create Stack screen.
  10. In the AWS management console, complete the steps in the Quick Create Stack screen.
    1. If you want to use a name other than the default, specify a new Stack name.
    2. In the Parameters section, specify the following parameters:
      • OrganizationID: type in the AWS Root ID or the Organizational Unit (OU) ID of the organization account.
        To add multiple Organization Units, type in the Organization Unit (OU) ID of each organization unit you want to add. Trend Vision One will deploy the stackset to each organization unit and associated child accounts.
      • (Optional) OrganizationExcludedAccounts: type in the account IDs of any AWS account within the organization you want to exclude from the monitoring features within the stack.
        Use this parameter field to exclude accounts you do not want monitored, or for accounts you want to use a different feature configuration. You can connect excluded accounts to the Cloud Accounts app individually. Type accounts as a list separated by a comma (,) with no spacing. For example, 123456789012,345678901234
      Important
      The OrganizationExcludedAccounts parameter must only contain account IDs within the organization. Adding an account ID for an account that is not managed by the organization might cause the stack deployment to fail.
      Do not change any other settings in the Parameters section. CloudFormation automatically provides the settings for the parameters. Changing parameters might cause stack creation to fail.
    3. In the Capabilities section, select the following acknowledgments:
      • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
      • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
    4. Click Create Stack.
      The Stack details screen for the new stack appears with the Events tab displayed. Creation might take a few minutes. Click Refresh to check the progress.
  11. In the Trend Vision One console, click Done.
    The organization and associated member accounts appear in Cloud Accounts once the CloudFormation template deployment successfully completes. Refresh the screen to update the table.
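A pre-flight check for the OrganizationExcludedAccounts parameter in step 10, as an added example rather than anything from Trend Vision One or AWS: it parses the comma-separated value the way the Important note requires (12-digit IDs, no spacing), flags IDs that are not members of the organization (the case the note warns can fail the deployment), flags duplicates and the management account (which StackSets does not deploy to anyway), and lists which member accounts the stack set will actually reach. The organization listing is constructed inline in the shape of the Accounts entries that organizations:ListAccounts returns; in practice you would fetch it from the management account with boto3's list_accounts paginator.

```python
import re

# 12-digit AWS account ID.
ACCOUNT_ID_RE = re.compile(r"\d{12}")

# Constructed sample organization (illustrative IDs, not real accounts), shaped like
# the "Accounts" entries returned by organizations:ListAccounts.
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management"},
    {"Id": "222222222222", "Name": "payments-prod"},
    {"Id": "333333333333", "Name": "sandbox"},
    {"Id": "444444444444", "Name": "legacy-apps"},
]
SAMPLE_MANAGEMENT_ACCOUNT_ID = "111111111111"


def parse_excluded_accounts(value):
    """Split the OrganizationExcludedAccounts value into account IDs.

    The parameter is a comma-separated list with no spacing, e.g.
    "123456789012,345678901234". Anything else is rejected up front so the
    problem is found before the stack set is launched.
    """
    if value == "":
        return []
    if any(ch.isspace() for ch in value):
        raise ValueError("OrganizationExcludedAccounts must not contain spaces")
    ids = value.split(",")
    malformed = [i for i in ids if not ACCOUNT_ID_RE.fullmatch(i)]
    if malformed:
        raise ValueError(f"not 12-digit account IDs: {malformed}")
    return ids


def check_excluded_accounts(value, org_accounts, management_account_id):
    """Classify each excluded ID against the organization membership list.

    Returns a dict with four lists:
      ok          -- member accounts that will be excluded from the deployment
      not_in_org  -- IDs the organization does not manage (can fail the deployment)
      management  -- the management account (StackSets never deploys there anyway)
      duplicates  -- IDs listed more than once (harmless, but worth cleaning up)
    """
    members = {a["Id"] for a in org_accounts}
    findings = {"ok": [], "not_in_org": [], "management": [], "duplicates": []}
    seen = set()
    for account_id in parse_excluded_accounts(value):
        if account_id in seen:
            findings["duplicates"].append(account_id)
            continue
        seen.add(account_id)
        if account_id not in members:
            findings["not_in_org"].append(account_id)
        elif account_id == management_account_id:
            findings["management"].append(account_id)
        else:
            findings["ok"].append(account_id)
    return findings


def deployable_accounts(org_accounts, excluded_ids, management_account_id):
    """Member accounts the stack set will deploy to: everything except the
    excluded IDs and the management account."""
    skip = set(excluded_ids) | {management_account_id}
    return sorted(a["Id"] for a in org_accounts if a["Id"] not in skip)


def clean_parameter(value, org_accounts, management_account_id):
    """Rebuild the parameter value from only the usable IDs, in the required format."""
    findings = check_excluded_accounts(value, org_accounts, management_account_id)
    return ",".join(findings["ok"])


if __name__ == "__main__":
    value = "333333333333,999999999999,111111111111,333333333333"
    report = check_excluded_accounts(value, SAMPLE_ORG_ACCOUNTS, SAMPLE_MANAGEMENT_ACCOUNT_ID)
    for kind, ids in report.items():
        print(f"{kind:11s} {ids}")
    print("cleaned parameter:", clean_parameter(value, SAMPLE_ORG_ACCOUNTS, SAMPLE_MANAGEMENT_ACCOUNT_ID))
    print("stack set deploys to:", deployable_accounts(SAMPLE_ORG_ACCOUNTS, report["ok"], SAMPLE_MANAGEMENT_ACCOUNT_ID))
```

Running the check before clicking Create Stack turns the "might cause the stack deployment to fail" warning into a concrete list of offending IDs, and the deployable list doubles as a record of which member accounts will receive the organization-wide feature configuration.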