You’re offline. This is a read only version of the page.
Online Help Center
Search
Support
For Home
For Business
English (US)
Bahasa Indonesia (Indonesian)
Dansk (Danish)
Deutsch (German)
English (Australia)
English (US)
Español (Spanish)
Français (French)
Français Canadien
(Canadian French)
Italiano (Italian)
Nederlands (Dutch)
Norsk (Norwegian)
Polski (Polish)
Português - Brasil
(Portuguese - Brazil)
Português - Portugal
(Portuguese - Portugal)
Svenska (Swedish)
ภาษาไทย (Thai)
Tiếng Việt (Vietnamese)
Türkçe (Turkish)
Čeština (Czech)
Ελληνικά (Greek)
Български (Bulgarian)
Русский (Russian)
עברית (Hebrew)
اللغة العربية (Arabic)
日本語 (Japanese)
简体中文
(Simplified Chinese)
繁體中文
(Traditional Chinese)
繁體中文 HK
(Traditional Chinese)
한국어 (Korean)
Cancel
This website uses cookies for website functionality and traffic analytics. Our Cookie Notice provides more information and explains how to amend your cookie settings.
Learn More
Yes, I agree
Online Help Center
Trend Micro Cloud One
...
Trend Cloud One
Trend Cloud One File Storage Security
About File Storage Security
Architecture and flow
Table of Contents
The page you're looking for can't be found or is under maintenance
Try again later or go to the home page
Go to home page
About File Storage Security
What is File Storage Security?
Update Trend Cloud One File Storage Security to Trend Vision One File Security
Update to Trend Vision One File Security
Deploy a single AWS account to File Security
Estimated Downtime
Update to Trend Vision One File Security using APIs
Add AWS accounts to File Security
Verify that Trend Vision One Endpoint Security protection is working
Disable the Trend Cloud One File Security Storage EventBridge rule
Enable the Trend Vision One File Security Storage EventBridge Rule
Test upload sample files into protected S3 buckets
Estimated downtime
Update AWS Organization account to Trend Vision File Security
Verify that Trend Vision One Endpoint Security protection is working
Disable the Trend Cloud One File Security Storage EventBridge rule
Enable the Trend Vision One File Security Storage EventBridge Rule
Test upload sample files into protected S3 buckets
Estimated downtime
Rollback to Trend Cloud One
What's supported
What AWS services and regions are supported?
What Azure services and regions are supported?
What Google Cloud Platform (GCP) services and regions are supported?
Pricing
Pricing and subscription options
Consumption-based billing example and estimates
Estimate infrastructure costs
AWS cost estimation
Azure cost estimation
How to estimate S3 PutObject events
Create trail
Create Athena table to query logs
Query PutObject logs in Athena
Architecture and flow
AWS architecture and flow
Architecture
Components
S3 bucket to scan
Presigned URLs
Storage stack
Scanner stack
All-in-one stack
BucketListenerLambda function
ScannerLambda function
SQS ScannerQueue
SNS ScanResultTopic
PostScanActionTagLambda function
Your AWS account
Custom post-scan action Lambda function
API and code samples
Console
Additional Lambda functions
Azure architecture and flow
Architecture
Components
Protecting storage account
Storage stack
Scanner stack
All-in-one stack
Blob Listener Function
Scanner Function
Scanner Queue
Scan Result Topic
Post Scan Action Tag Function
Your Microsoft Entra ID
Custom post-scan action function
API and code samples
Console
GCP architecture and flow
Architecture
Components
Protecting Google Cloud Storage bucket
Storage stack
Scanner stack
Bucket Listener Function
Scanner Function
Scanner Topic
Scan Result Topic
Post Scan Action Tag Function
Your GCP Project
Custom post-scan action function
API and code samples
Console
Performance and scaling
AWS performance and scaling
Azure performance and scaling
GCP performance and scaling
Get started
Architectural and configuration setup options
Deploy with AWS
Permissions for deployment
Sign in to File Storage Security
Deploy the all-in-one stack on AWS
Configure ARNs
Generate your first detection
Deploy with Azure
Permissions for deployment
Sign in to File Storage Security
Deploy the all-in-one stack on Azure
Configure Azure stack
Generate your first detection on Azure
Deploy with GCP
Permissions for deployment
Connect GCP account to Trend Cloud One
Sign in to File Storage Security
Deploy scanner and storage stacks on GCP
Generate your first detection on GCP
User guides
Add stacks
AWS stacks
Add AWS stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Account scanner stacks
Where can I add stacks?
Restrictions, stipulations, and recommendations
Add an all-in-one stack
Add a scanner stack
Step 1: Add the scanner stack
Step 2: Configure the scanner stack's ARN
Next steps (add storage)
Add a storage stack
Multi-stack architecture
Step 1: Add the storage stack
Step 2: Configure the storage stack's ARN
Step 3: (Optional) Update KMS key policy if enabling scanner queue encryption
Step 4: (Optional) Update KMS key policy if enabling SNS ScanResultTopic encryption
Step 5: (Optional) Update Scanner stack if enabling SNS ScanResultTopic encryption and the KMS Key ARN has not been set to Scanner stack yet.
Step 6: Test the storage stack installation
How do I find a list of protected buckets?
Customizing AWS stacks
Deploy in VPC
Azure stacks
Add Azure stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Where can I add stacks?
Restrictions, stipulations, and recommendations
Add an all-in-one stack
Add a scanner stack
Step 1: Add the scanner stack
Step 2: Configure the scanner stack's Tenant ID and Resource ID
Next steps (add storage)
Add a storage stack
Multi-stack architecture
Step 1: Add the storage stack
Step 2: Configure the storage stack's Tenant ID and Resource Group ID
Step 3: Test the storage stack installation
Deploy in Azure VNet
Introduction
Prerequisites
Supported Azure Regions
VNet & Subnets
Protected Storage Account
Private DNS Zones
Azure Monitor Private Link Scopes (optional)
Deploy the Azure Stacks
Configure the Azure Stacks
Add Azure Stacks's Application Insight to Azure Monitor Private Link Scopes
Firewall (optional)
Communication with a third party service
Set up for a Scanner Stack's KeyVaults
Set up for Application Insight
Conclusion
Deploy ARM with python 3.11 runtime
Deploy an All-in-One template
Deploy with the CLI
Deploy with the Azure console
Deploy a Storage stack template
Deploy with the CLI
Deploy with the Azure console
Deploy a Scanner stack template
Deploy with CLI
Deploy with the Azure console
Add stack information to the Trend Cloud One File Storage Security console
GCP stacks
Add GCP stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Where can I add stacks?
How Terraform deploys the stacks under your GCP project
All-in-One Stack Deployment
Stack Deployment Cross GCP Projects
Add an all-in-one stack
Add a scanner stack
Add a storage stack
Convert the GCP stacks from GCP Deployment Manager to Terraform
The steps of converting the GCP stacks from GCP Deployment Manager to Terraform
Scan existing files
Scan existing files in the 'S3 bucket to scan'
Full scan and scheduled scan
Scan before reading the file (Scan on getObject request)
Prerequisite
How to scan on getObject request
Scan on getObject request
Prerequisite
How to scan on getObject request
Monitor scan results
View scan results on the Scan Activity page
Scan History chart
Malicious Events table
Scan Error Events table
Scan result format
AWS
AWS S3 scans and tags
Scan a file
View tags
AWS CloudWatch
View scan results in CloudWatch
Search for scan results in CloudWatch
Monitor for malicious files using CloudWatch
Be notified of scan results through AWS SNS
Storage Stack Dead-letter Queue
Handle scan errors in AWS
Re-scan the file manually
Re-scan the file by Python script
More ways to find the scan failed files
Get scan error file list from scan logs
Subscribe scan result from SNS ScanResultTopic to get scan error file list
Handling "network errors"
Recommended resolutions
Sample python script for re-scanning files in AWS
Azure
Azure Storage account blob scanning and tags
Scan a file
View the metadata and index tags
Azure Application Insights
Search for scan results in Application Insights
Monitor for malicious files using Application Insights
Be notified of scan results through Azure Service Bus Topic
Monitor errors
GCP
GCP Cloud Storage scans and tags
Scan a file
View the metadata
Monitor scan results in GCP
Pub/Sub Topic
Find the scan result topic resource name
Create a Pub/Sub subscription to the scan result topic
Scanner Logs
View scan results in scanner logs
Search for scan results in Logs Explorer
Add post-scan actions
Add post-scan actions in AWS
Add post-scan actions in Azure
Add post-scan actions in GCP
Change the bucket associated with a stack
Updates
AWS updates
Update AWS stacks
Before you begin
Update a stack
Update AWS components
Azure updates
Update Azure stacks
Update components in Azure
GCP updates
Update GCP stacks
Before you begin
Update a stack
Update GCP components
Delete stacks
Delete AWS stacks
Delete Azure stacks
Alternate method of deleting a stack
Delete GCP stacks
Delete GCP (Deployment Manager) Stacks
Delete GCP (Terraform) Stacks
Resource prefixes
Advanced
s3:ObjectCreated:* event in use
AWS permissions control
GCP Bucket Location Suggestion
Account scanner stacks
AWS
Deploy account scanner stacks
Set up cross region or cross account scans
Use the AWS web management console
For each region
For each bucket
Use the AWS CLI
For each region
For each bucket
Enable server-side encryption
For SQS queues
For the SNS topic
For your buckets
Delete Account scanner stacks
In File Storage Security
In AWS
Automation
Sample code plugins
API reference
Create an API key
For Trend Micro Cloud One API Key
For Legacy API Key
DEPRECATED
Deploy stacks
Deploy stacks in AWS
Obtain an external ID
Create CloudFormation stacks in AWS
Prerequisites
Using template link
Create an all-in-one stack using template link
Create a scanner stack using template link
Create a storage stack using template link
Using AWS CLI
Create an all-in-one stack using AWS CLI
Create a scanner stack using AWS CLI
Create a storage stack using AWS CLI
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy an account scanner stack using the API
Deploy a storage stack using the API
Deploy stacks in Azure
Prepare Azure Service Principal
Create stacks in Azure
Prerequisites
Using template link
Create an all-in-one stack using template link
Create a scanner stack using template link
Create a storage stack using template link
Using Azure CLI
Create an all-in-one stack using Azure CLI
Create a scanner stack using Azure CLI
Create a storage stack using Azure CLI
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy a storage stack using the API
Deploy stacks in GCP
Create stacks in GCP
Create a Cloud Account for GCP
Prerequisites
Using Terraform with gcloud CLI
Create an all-in-one stack by Terraform
Create a scanner stack by using Terraform
Create a storage stack by using Terraform
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy a storage stack using the API
List storage information
FAQs and troubleshooting
Frequently asked questions
Troubleshoot and monitor health
Create a support ticket
Access log events
Access logs
Scan detail code
Data collection disclosure
What's new
Architecture and flow
Related information
AWS architecture and flow
Azure architecture and flow
GCP architecture and flow
Was this article helpful?
Inaccurate information
Too complex or confusing
Translation issue
Other
Submit
Table of Contents
About File Storage Security
What is File Storage Security?
Update Trend Cloud One File Storage Security to Trend Vision One File Security
Update to Trend Vision One File Security
Deploy a single AWS account to File Security
Estimated Downtime
Update to Trend Vision One File Security using APIs
Add AWS accounts to File Security
Verify that Trend Vision One Endpoint Security protection is working
Disable the Trend Cloud One File Security Storage EventBridge rule
Enable the Trend Vision One File Security Storage EventBridge Rule
Test upload sample files into protected S3 buckets
Estimated downtime
Update AWS Organization account to Trend Vision File Security
Verify that Trend Vision One Endpoint Security protection is working
Disable the Trend Cloud One File Security Storage EventBridge rule
Enable the Trend Vision One File Security Storage EventBridge Rule
Test upload sample files into protected S3 buckets
Estimated downtime
Rollback to Trend Cloud One
What's supported
What AWS services and regions are supported?
What Azure services and regions are supported?
What Google Cloud Platform (GCP) services and regions are supported?
Pricing
Pricing and subscription options
Consumption-based billing example and estimates
Estimate infrastructure costs
AWS cost estimation
Azure cost estimation
How to estimate S3 PutObject events
Create trail
Create Athena table to query logs
Query PutObject logs in Athena
Architecture and flow
AWS architecture and flow
Architecture
Components
S3 bucket to scan
Presigned URLs
Storage stack
Scanner stack
All-in-one stack
BucketListenerLambda function
ScannerLambda function
SQS ScannerQueue
SNS ScanResultTopic
PostScanActionTagLambda function
Your AWS account
Custom post-scan action Lambda function
API and code samples
Console
Additional Lambda functions
Azure architecture and flow
Architecture
Components
Protecting storage account
Storage stack
Scanner stack
All-in-one stack
Blob Listener Function
Scanner Function
Scanner Queue
Scan Result Topic
Post Scan Action Tag Function
Your Microsoft Entra ID
Custom post-scan action function
API and code samples
Console
GCP architecture and flow
Architecture
Components
Protecting Google Cloud Storage bucket
Storage stack
Scanner stack
Bucket Listener Function
Scanner Function
Scanner Topic
Scan Result Topic
Post Scan Action Tag Function
Your GCP Project
Custom post-scan action function
API and code samples
Console
Performance and scaling
AWS performance and scaling
Azure performance and scaling
GCP performance and scaling
Get started
Architectural and configuration setup options
Deploy with AWS
Permissions for deployment
Sign in to File Storage Security
Deploy the all-in-one stack on AWS
Configure ARNs
Generate your first detection
Deploy with Azure
Permissions for deployment
Sign in to File Storage Security
Deploy the all-in-one stack on Azure
Configure Azure stack
Generate your first detection on Azure
Deploy with GCP
Permissions for deployment
Connect GCP account to Trend Cloud One
Sign in to File Storage Security
Deploy scanner and storage stacks on GCP
Generate your first detection on GCP
User guides
Add stacks
AWS stacks
Add AWS stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Account scanner stacks
Where can I add stacks?
Restrictions, stipulations, and recommendations
Add an all-in-one stack
Add a scanner stack
Step 1: Add the scanner stack
Step 2: Configure the scanner stack's ARN
Next steps (add storage)
Add a storage stack
Multi-stack architecture
Step 1: Add the storage stack
Step 2: Configure the storage stack's ARN
Step 3: (Optional) Update KMS key policy if enabling scanner queue encryption
Step 4: (Optional) Update KMS key policy if enabling SNS ScanResultTopic encryption
Step 5: (Optional) Update Scanner stack if enabling SNS ScanResultTopic encryption and the KMS Key ARN has not been set to Scanner stack yet.
Step 6: Test the storage stack installation
How do I find a list of protected buckets?
Customizing AWS stacks
Deploy in VPC
Azure stacks
Add Azure stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Where can I add stacks?
Restrictions, stipulations, and recommendations
Add an all-in-one stack
Add a scanner stack
Step 1: Add the scanner stack
Step 2: Configure the scanner stack's Tenant ID and Resource ID
Next steps (add storage)
Add a storage stack
Multi-stack architecture
Step 1: Add the storage stack
Step 2: Configure the storage stack's Tenant ID and Resource Group ID
Step 3: Test the storage stack installation
Deploy in Azure VNet
Introduction
Prerequisites
Supported Azure Regions
VNet & Subnets
Protected Storage Account
Private DNS Zones
Azure Monitor Private Link Scopes (optional)
Deploy the Azure Stacks
Configure the Azure Stacks
Add Azure Stacks's Application Insight to Azure Monitor Private Link Scopes
Firewall (optional)
Communication with a third party service
Set up for a Scanner Stack's KeyVaults
Set up for Application Insight
Conclusion
Deploy ARM with python 3.11 runtime
Deploy an All-in-One template
Deploy with the CLI
Deploy with the Azure console
Deploy a Storage stack template
Deploy with the CLI
Deploy with the Azure console
Deploy a Scanner stack template
Deploy with CLI
Deploy with the Azure console
Add stack information to the Trend Cloud One File Storage Security console
GCP stacks
Add GCP stacks
How many stacks should I add?
Storage stacks
Scanner stacks
Where can I add stacks?
How Terraform deploys the stacks under your GCP project
All-in-One Stack Deployment
Stack Deployment Cross GCP Projects
Add an all-in-one stack
Add a scanner stack
Add a storage stack
Convert the GCP stacks from GCP Deployment Manager to Terraform
The steps of converting the GCP stacks from GCP Deployment Manager to Terraform
Scan existing files
Scan existing files in the 'S3 bucket to scan'
Full scan and scheduled scan
Scan before reading the file (Scan on getObject request)
Prerequisite
How to scan on getObject request
Scan on getObject request
Prerequisite
How to scan on getObject request
Monitor scan results
View scan results on the Scan Activity page
Scan History chart
Malicious Events table
Scan Error Events table
Scan result format
AWS
AWS S3 scans and tags
Scan a file
View tags
AWS CloudWatch
View scan results in CloudWatch
Search for scan results in CloudWatch
Monitor for malicious files using CloudWatch
Be notified of scan results through AWS SNS
Storage Stack Dead-letter Queue
Handle scan errors in AWS
Re-scan the file manually
Re-scan the file by Python script
More ways to find the scan failed files
Get scan error file list from scan logs
Subscribe scan result from SNS ScanResultTopic to get scan error file list
Handling "network errors"
Recommended resolutions
Sample python script for re-scanning files in AWS
Azure
Azure Storage account blob scanning and tags
Scan a file
View the metadata and index tags
Azure Application Insights
Search for scan results in Application Insights
Monitor for malicious files using Application Insights
Be notified of scan results through Azure Service Bus Topic
Monitor errors
GCP
GCP Cloud Storage scans and tags
Scan a file
View the metadata
Monitor scan results in GCP
Pub/Sub Topic
Find the scan result topic resource name
Create a Pub/Sub subscription to the scan result topic
Scanner Logs
View scan results in scanner logs
Search for scan results in Logs Explorer
Add post-scan actions
Add post-scan actions in AWS
Add post-scan actions in Azure
Add post-scan actions in GCP
Change the bucket associated with a stack
Updates
AWS updates
Update AWS stacks
Before you begin
Update a stack
Update AWS components
Azure updates
Update Azure stacks
Update components in Azure
GCP updates
Update GCP stacks
Before you begin
Update a stack
Update GCP components
Delete stacks
Delete AWS stacks
Delete Azure stacks
Alternate method of deleting a stack
Delete GCP stacks
Delete GCP (Deployment Manager) Stacks
Delete GCP (Terraform) Stacks
Resource prefixes
Advanced
s3:ObjectCreated:* event in use
AWS permissions control
GCP Bucket Location Suggestion
Account scanner stacks
AWS
Deploy account scanner stacks
Set up cross region or cross account scans
Use the AWS web management console
For each region
For each bucket
Use the AWS CLI
For each region
For each bucket
Enable server-side encryption
For SQS queues
For the SNS topic
For your buckets
Delete Account scanner stacks
In File Storage Security
In AWS
Automation
Sample code plugins
API reference
Create an API key
For Trend Micro Cloud One API Key
For Legacy API Key
DEPRECATED
Deploy stacks
Deploy stacks in AWS
Obtain an external ID
Create CloudFormation stacks in AWS
Prerequisites
Using template link
Create an all-in-one stack using template link
Create a scanner stack using template link
Create a storage stack using template link
Using AWS CLI
Create an all-in-one stack using AWS CLI
Create a scanner stack using AWS CLI
Create a storage stack using AWS CLI
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy an account scanner stack using the API
Deploy a storage stack using the API
Deploy stacks in Azure
Prepare Azure Service Principal
Create stacks in Azure
Prerequisites
Using template link
Create an all-in-one stack using template link
Create a scanner stack using template link
Create a storage stack using template link
Using Azure CLI
Create an all-in-one stack using Azure CLI
Create a scanner stack using Azure CLI
Create a storage stack using Azure CLI
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy a storage stack using the API
Deploy stacks in GCP
Create stacks in GCP
Create a Cloud Account for GCP
Prerequisites
Using Terraform with gcloud CLI
Create an all-in-one stack by Terraform
Create a scanner stack by using Terraform
Create a storage stack by using Terraform
Add stacks to File Storage Security using the API
Recommendation
Prerequisites
Deploy an all-in-one stack using the API
Deploy a scanner stack using the API
Deploy a storage stack using the API
List storage information
FAQs and troubleshooting
Frequently asked questions
Troubleshoot and monitor health
Create a support ticket
Access log events
Access logs
Scan detail code
Data collection disclosure
What's new
