Add and connect an AWS audit account with AWS CloudTrail and Control Tower configured to allow Trend Vision One to provide security for your multi-account AWS environment.

If you use an audit account to monitor and collect logs from your AWS Log Archive account, you can add the audit account to the Cloud Accounts app and enable the XDR for Cloud - AWS CloudTrail feature to allow Trend Vision One to access your cloud service to provide security and visibility into your cloud assets across multiple accounts. Some Cloud Account features have limited support for AWS regions. For more information, see AWS supported regions and limitations.
The steps below detail how to set up an S3 bucket in your AWS audit account to receive replicated Control Tower logs from your AWS Log Archive account, then how to deploy the Cloud Accounts stack to your AWS audit account.
Important
The steps are valid for the AWS console as of July 2024.
You must enable Control Tower and ensure your AWS Log Archive and AWS Audit accounts are set up before using these steps to connect to Trend Vision One with XDR for Cloud - AWS CloudTrail enabled.

Procedure

  1. Before you begin, sign in to the Trend Vision One console, your AWS Log Archive account, and the AWS audit account.
    Tip
    For best results, sign in to Trend Vision One and the AWS audit account on separate tabs in the same browser session. Use a different browser to access the AWS Log Archive account.
  2. In the AWS audit account, create an S3 bucket to receive the Control Tower log data replicated from the Log Archive account.
    1. Go to Amazon S3 > Buckets.
    2. Click Create bucket.
      The Create bucket screen appears.
    3. For Bucket type, select General purpose.
    4. Provide a unique name for the bucket.
      Important
      Do not use the prefix "aws-controltower" when naming the S3 bucket in your audit account. This might disable your ability to edit or delete the bucket due to restrictions imposed by AWS Control Tower.
    5. Under Bucket Versioning, select Enable.
    6. Leave all other settings as default and click Create bucket.
      The S3 bucket is created. For the following steps, this topic uses the term "audit bucket" to refer to this S3 bucket.
  3. Configure an Amazon EventBridge for the audit bucket.
    1. Go to Amazon S3 > Buckets.
    2. Locate the audit bucket and click the bucket name to open the Bucket details screen.
    3. Go to Properties > Amazon EventBridge.
    4. Click Edit.
    5. For Send notifications to Amazon EventBridge for all events in this bucket, select On.
    6. Click Save changes.
  4. In your AWS Log Archive account, create a replication rule for the Control Tower bucket.
    1. Sign in to your AWS Log Archive account and go to Amazon S3 > Buckets.
    2. Locate the Control Tower bucket you want to monitor and click the name.
      Tip
      Type the prefix aws-cloudtrail to filter the list and find the bucket more easily.
    3. In the Bucket details screen, go to Management > Replication rules.
    4. Click Create replication rule.
    5. Specify a name for the rule.
    6. Make sure the status is set to Enabled.
    7. Under the Source bucket section, choose the rule scope.
      • If you only want select data to be replicated, select Limit the scope of this rule using one or more filters. Choosing this option requires you to define filters for replicated data.
      • To replicate all data, select Apply to all objects in the bucket. Trend Micro recommends using this configuration to maximize visibility into your cloud environment.
    8. Under the Destination section, select Specify a bucket in another account.
    9. For Account ID, paste the account ID for the AWS audit account.
    10. For Bucket name, paste the name of the audit bucket.
    11. Select Change object ownership to destination bucket owner.
    12. Under IAM role, a role should be selected automatically.
      If no IAM role is available, create a new IAM role.
    13. Click the IAM role to open the IAM role details in a new tab.
    14. Go to Permissions and click Edit.
    15. Verify that the role's permissions contain the following statement. If not, copy and paste it:
      {
          "Action": [
              "s3:ReplicateObject",
              "s3:ReplicateDelete",
              "s3:ReplicateTags",
              "s3:ObjectOwnerOverrideToBucketOwner"
          ],
          "Effect": "Allow",
          "Resource": [
              "THE_ARN_OF_S3_BUCKET_IN_LOG_ARCHIVE_ACCOUNT/*",
              "THE_ARN_OF_AUDIT_BUCKET_IN_AUDIT_ACCOUNT/*"
          ]
      }
      Replace the following parameters in the Resource attribute:
      • THE_ARN_OF_S3_BUCKET_IN_LOG_ARCHIVE_ACCOUNT: The ARN of the Control Tower bucket you want to replicate.
      • THE_ARN_OF_AUDIT_BUCKET_IN_AUDIT_ACCOUNT: The ARN of the audit bucket.
      Important
      You must include /* at the end of both ARN values in Resource. For example, if your audit bucket ARN is aws:arn::12345:audit.bucket, the value to enter is "aws:arn::12345:audit.bucket/*".
    16. Click Next, then click Save changes.
    17. Go back to the browser tab with the replication rule configuration.
    18. Leave all other settings as default and click Save.
    19. When prompted, select whether or not to replicate existing objects and click Submit.
  5. Configure the audit bucket policies.
    1. In the AWS audit account, go to Amazon S3 > Buckets.
    2. Locate the audit bucket and click the name to access the Bucket details screen.
    3. Go to Permissions > Bucket policy.
    4. Click Edit.
    5. Copy and paste the following policy.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AUDIT_BUCKET_NAME",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "ARN_OF_CONTROLTOWER_BUCKET_REPLICATION_IAM_ROLE"
                  },
                  "Action": [
                      "s3:ReplicateObject",
                      "s3:ReplicateDelete",
                      "s3:ObjectOwnerOverrideToBucketOwner",
                      "s3:ReplicateTags"
                  ],
                  "Resource": [
                      "ARN_OF_THE_AUDIT_BUCKET_IN_AUDIT_ACCOUNT/*"
                  ]
              }
          ]
      }
      Replace the following parameters:
      • AUDIT_BUCKET_NAME: The name of the audit bucket.
      • ARN_OF_CONTROLTOWER_BUCKET_REPLICATION_IAM_ROLE: The ARN of the IAM role assigned to the replication rule you created for the Control Tower bucket in the AWS Log Archive account.
      • ARN_OF_THE_AUDIT_BUCKET_IN_AUDIT_ACCOUNT: The ARN of the audit bucket. You must include /* at the end of the ARN.
    6. Click Save changes.
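The two policy documents in steps 4 and 5 must agree with each other, and the procedure attaches several caveats to them (the /* suffix on every S3 ARN, no "aws-controltower" prefix on the audit bucket, the same action list on both sides). The following script is an added example, not part of the Trend Micro documentation or of any Trend Vision One template: it generates both documents from standard S3 bucket ARNs of the form arn:aws:s3:::bucket-name and an IAM role ARN, enforces those caveats, and cross-checks the result before you paste it into the console. All ARNs and account numbers in it are constructed placeholders.

```python
"""Generate the replication role statement (step 4) and the audit bucket
policy (step 5) from bucket and role ARNs, enforcing the caveats the
procedure states: S3 ARNs must be object ARNs ending in '/*', and the audit
bucket must not use the 'aws-controltower' prefix."""
import json
import re

# Actions granted in both documents; they must match on both sides, or
# replication into the audit bucket fails with an access error.
REPLICATION_ACTIONS = [
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
    "s3:ReplicateTags",
    "s3:ObjectOwnerOverrideToBucketOwner",
]

# Bucket ARN only (no key part); accepting a trailing "/*" here would let a
# caller double up the suffix.
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$")


def bucket_name_from_arn(bucket_arn: str) -> str:
    """Return the bucket name from an S3 bucket ARN, rejecting anything else."""
    match = S3_BUCKET_ARN.match(bucket_arn)
    if not match:
        raise ValueError(f"not an S3 bucket ARN: {bucket_arn!r}")
    return match.group(1)


def object_resource(bucket_arn: str) -> str:
    """Resource entry covering every object in the bucket (the '/*' the page requires)."""
    bucket_name_from_arn(bucket_arn)
    return bucket_arn + "/*"


def replication_role_statement(log_archive_bucket_arn: str, audit_bucket_arn: str) -> dict:
    """Statement to verify in the replication role of the Log Archive account (step 4.15)."""
    return {
        "Action": REPLICATION_ACTIONS,
        "Effect": "Allow",
        "Resource": [
            object_resource(log_archive_bucket_arn),
            object_resource(audit_bucket_arn),
        ],
    }


def audit_bucket_policy(audit_bucket_arn: str, replication_role_arn: str) -> dict:
    """Bucket policy for the audit bucket in the audit account (step 5.5)."""
    name = bucket_name_from_arn(audit_bucket_arn)
    if name.startswith("aws-controltower"):
        raise ValueError("audit bucket must not use the 'aws-controltower' prefix (step 2.4)")
    if not replication_role_arn.startswith("arn:aws:iam::"):
        raise ValueError(f"principal must be an IAM role ARN: {replication_role_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            # The page uses the bucket name as the Sid; it is only a label, so
            # any unique alphanumeric id works if the console rejects it.
            "Sid": name,
            "Effect": "Allow",
            "Principal": {"AWS": replication_role_arn},
            "Action": REPLICATION_ACTIONS,
            "Resource": [object_resource(audit_bucket_arn)],
        }],
    }


def policies_agree(role_statement: dict, bucket_policy: dict) -> bool:
    """Cross-check before pasting: the audit bucket object ARN and the action
    set must be identical in both documents."""
    stmt = bucket_policy["Statement"][0]
    return (stmt["Resource"][0] in role_statement["Resource"]
            and set(stmt["Action"]) == set(role_statement["Action"]))


if __name__ == "__main__":
    # Constructed sample values (hypothetical account and names); replace with your own ARNs.
    log_archive = "arn:aws:s3:::aws-controltower-logs-123456789012-us-east-1"
    audit = "arn:aws:s3:::audit-cloudtrail-replica"
    role = "arn:aws:iam::123456789012:role/s3crr_role_for_audit"
    statement = replication_role_statement(log_archive, audit)
    policy = audit_bucket_policy(audit, role)
    assert policies_agree(statement, policy)
    print(json.dumps(statement, indent=4))
    print(json.dumps(policy, indent=4))
```

The generated bucket policy can be pasted into the console editor in step 5 or saved to a file and applied with `aws s3api put-bucket-policy --bucket <audit-bucket> --policy file://policy.json`. Because the regular expression only accepts a bare bucket ARN, passing an ARN that already ends in /* raises an error instead of silently producing a double suffix.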
  6. Create an Amazon SNS topic in the AWS audit account.
    1. Go to Amazon SNS > Topics.
    2. Click Create topic.
    3. Select Standard.
    4. Type a name for the topic.
    5. Leave the remaining settings default and click Create topic.
  7. Create an EventBridge rule in the AWS audit account.
    1. Go to Amazon EventBridge > Buses > Rules.
    2. Click Create rule.
    3. Type a name for the rule.
    4. Leave the remaining settings default and click Next.
    5. Under Creation method, select Use pattern form.
    6. In the Event pattern section, for Event source, select AWS services.
    7. For AWS service, select Simple Storage Service (S3).
    8. For Event type, select Amazon S3 Event Notification.
    9. For Event type specification 1, select Specific event(s), then select Object Created.
    10. For Event type specification 2, select Specify bucket(s) by name.
    11. Paste the name of the audit bucket in the Specify bucket(s) by name field.
    12. Click Next.
    13. For Target 1, select AWS service as the target type.
    14. Under Select a target, select SNS topic.
    15. Under Topic, select the SNS topic you created.
    16. Click Next, and click Next again.
    17. On the Review and create screen, click Create rule.
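The pattern form in step 7 produces an EventBridge event pattern that matches only "Object Created" notifications from the audit bucket. The following script is an added example, not code from Trend Micro or from AWS: it writes out that pattern and evaluates constructed sample S3 notifications against it with a minimal matcher, so you can confirm that only new objects in the audit bucket reach the SNS topic while events from other buckets or of other types are dropped. The bucket and object names are constructed placeholders, and the matcher implements only the exact-value subset of EventBridge pattern semantics that this rule needs.

```python
"""Step 7's EventBridge rule, expressed as the event pattern the console form
produces, plus a small matcher to confirm which S3 notifications it would
forward to the SNS topic. Constructed events stand in for real ones."""
import json


def object_created_pattern(bucket_name: str) -> dict:
    """Event pattern for: source AWS services / S3, event type Amazon S3 Event
    Notification, specific event Object Created, bucket specified by name."""
    return {
        "source": ["aws.s3"],
        "detail-type": ["Object Created"],
        "detail": {"bucket": {"name": [bucket_name]}},
    }


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge matching: every pattern key must exist in the event;
    a list means 'any of these exact values'; a nested dict recurses; event
    fields the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_event(bucket: str, key: str, detail_type: str = "Object Created") -> dict:
    """Constructed S3 EventBridge notification with the fields the rule inspects
    (hypothetical account and region)."""
    return {
        "version": "0",
        "source": "aws.s3",
        "detail-type": detail_type,
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "version": "0",
            "bucket": {"name": bucket},
            "object": {"key": key, "size": 4096},
            "reason": "PutObject",
        },
    }


def forwarded_keys(pattern: dict, events: list) -> list:
    """Object keys of the events the rule would deliver to the SNS target."""
    return [e["detail"]["object"]["key"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    pattern = object_created_pattern("audit-cloudtrail-replica")
    # The same JSON can be pasted into the console's custom pattern editor.
    print(json.dumps(pattern, indent=2))
    events = [
        sample_event("audit-cloudtrail-replica",
                     "AWSLogs/o-abc123/123456789012/CloudTrail/us-east-1/a.json.gz"),
        sample_event("some-other-bucket", "unrelated/object.txt"),
        sample_event("audit-cloudtrail-replica",
                     "AWSLogs/o-abc123/123456789012/CloudTrail/us-east-1/b.json.gz",
                     "Object Deleted"),
    ]
    print(forwarded_keys(pattern, events))
```

Only the first constructed event is forwarded: the second comes from a different bucket and the third is a deletion, which the rule does not select. The printed pattern is also what you would supply with `aws events put-rule --name <rule> --event-pattern file://pattern.json` if you script the rule instead of using the form.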
  8. In the Trend Vision One console, go to Service Management > Cloud Accounts > AWS.
  9. Click Add Account.
    The Add Cloud Account window appears.
  10. Select Single AWS Account.
  11. Specify the general information for the account.
    1. Specify the Account name to display in the Cloud Accounts app.
    2. Specify a Description to display in the Cloud Accounts app.
  12. In a separate browser tab, sign in to your AWS audit account.
  13. Select the AWS region for CloudFormation template deployment.
    Note
    The default region is based on your Trend Vision One region.
    Some features and permissions have limited support for some AWS regions. For more information, see AWS supported regions and limitations.
  14. Under Features and Permissions, enable Cloud Detections for AWS CloudTrail.
  15. Expand Cloud Detections for AWS CloudTrail and then enable Control Tower deployment.
  16. If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected account.
    Note
    • If you only have one Server & Workload Protection Manager instance, the account is automatically associated with that instance.
  17. Launch the CloudFormation template in the AWS console.
    1. If you want to review the stack template before launching, click Download and Review Template.
    2. Click Launch Stack.
    Your AWS audit account opens to the CloudFormation service on the Quick create stack screen.
  18. Scroll down to Parameters and locate the section labeled These are the parameters required to enable service cloud audit log monitoring control tower.
    Provide the values for the following parameters:
    • CloudAuditLogMonitoringCloudTrailArn: The ARN of aws-controltower-BaselineCloudTrail.
    • CloudAuditLogMonitoringCloudTrailS3Arn: The ARN of the audit bucket.
    • CloudAuditLogMonitoringCloudTrailSNSTopicArn: The ARN of the SNS topic you created in your AWS audit account.
    Important
    • The monitored CloudTrail and the CloudTrail SNS topic must belong to the same account and be located in the region you selected for the template deployment.
    • Do not change any other settings in the Parameters section. CloudFormation automatically provides the settings for the parameters. Changing parameters might cause stack creation to fail.
  19. In the Capabilities section, select the following acknowledgments:
    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
  20. Click Create Stack.
    The Stack details screen for the new stack appears with the Events tab displayed. Creation might take a few minutes. Click Refresh to check the progress.
  21. In the Trend Vision One console, click Done.
    The account appears in Cloud Accounts once the CloudFormation template deployment is completed. Refresh the screen to update the table.