
Get an overview of how the Cloud Accounts stack fits into your environment and how data is shared with TrendAI Vision One™.

The diagrams below provide an abstract visualization of how the deployment stack fits into your AWS cloud account. Additionally, these diagrams show the flow of information between related AWS assets and how that data is shared with TrendAI Vision One™ to power cloud security features.
For details about the resources used and deployed to your AWS environment, see Resources deployed in AWS environments.

Core Features and stack deployment

When deploying the Cloud Accounts stack to your AWS account, the stack creates IAM policies and roles to allow TrendAI Vision One™ to connect with your account. Additionally, nested stacks are deployed based on the features you enable.
For details about the resources used and deployed to your AWS environment, see Resources deployed in AWS environments.
[Figure: Core Features Deployment Architecture]

Agentless Vulnerability & Threat Detection deployment in AWS

The diagram shows how the Agentless Vulnerability & Threat Detection feature uses assets within your AWS account to discover vulnerabilities in EBS volumes attached to EC2 instances and ECR images.
[Figure: Agentless Vulnerability & Threat Detection]

Agentless Vulnerability & Threat Detection outbound traffic

Review the outbound network traffic generated by the Agentless Vulnerability & Threat Detection deployment stack in your AWS environment.

When you deploy Agentless Vulnerability & Threat Detection to your AWS account, the scanning infrastructure generates outbound network traffic to AWS services and TrendAI Vision One™ cloud services. All outbound traffic uses HTTPS (TCP port 443) with TLS 1.2 or higher encryption.
Understanding this traffic is important for configuring firewall rules, network security groups, and compliance requirements in restricted network environments.
Important: No inbound ports are opened on any deployed resource. All scanner components use security groups that deny inbound traffic.

Traffic categories

The Agentless Vulnerability & Threat Detection stack generates outbound traffic in four categories:
| Category | Description | Frequency |
|---|---|---|
| OS packages | Standard operating system packages installed during scanner EC2 instance bootstrap, including AWS CLI, Docker runtime, and filesystem utilities. Sources are standard Amazon Linux package repositories. | Once per scanner instance launch |
| AWS services | AWS service API calls for compute, storage, security, and monitoring operations using the AWS SDK with IAM role-based authentication. Destinations are standard AWS regional endpoints. | Continuous |
| Container images | Scanner container image pulled from AWS Elastic Container Registry (ECR) Public Gallery when launching scanner EC2 instances. The image is cached locally for the instance lifetime. | Once per scanner instance launch |
| TrendAI Vision One™ services | Connections to TrendAI Vision One™ cloud services for scan result reporting, threat intelligence updates, and management telemetry. Authentication uses bearer tokens that are automatically rotated and stored in AWS Secrets Manager. | Per scan and periodic updates |

Destination endpoints

The following table lists all destination endpoints that the Agentless Vulnerability & Threat Detection stack communicates with:
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| sentry.{region}.cloudone.trendmicro.com | 443 | HTTPS | Sentry Backend API for pattern updates, Lambda updates, report submission, telemetry, and log forwarding |
| xlogr-{code}.xdr.trendmicro.com | 443 | HTTPS | Scan results, detection events, and asset lifecycle changes |
| api.{region}.xdr.trendmicro.com | 443 | HTTPS | TrendAI Vision One™ management API |
| *.{region}.amazonaws.com | 443 | HTTPS | AWS service endpoints including S3, Secrets Manager, SQS, EBS, EC2, Lambda, CloudWatch, Step Functions, STS, AppConfig, KMS, CloudFormation, EventBridge, SSM, Cost Explorer, IAM, and ECR |
| public.ecr.aws | 443 | HTTPS | Scanner container image from ECR Public Gallery |
| OS package repositories | 443 | HTTPS | Amazon Linux package repositories for OS package installation |
Note: No traffic is sent to third-party services outside of TrendAI Vision One™ and AWS.
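As an added example (not part of the Trend Micro documentation), the following Python script turns the endpoint table above into an anchored allowlist and audits constructed egress log lines against it, flagging any destination outside the documented set and any connection on a port other than 443. The log format, the sample hostnames and the placeholder-to-regex rules are assumptions; the Amazon Linux repository hostnames are not named on this page, so they are not included.

```python
import re

# Destination patterns copied from the endpoint table, keeping the documented
# {region}/{code} placeholders and the leading "*." wildcard. Only TCP 443 is documented.
ALLOWED_DESTINATIONS = [
    "sentry.{region}.cloudone.trendmicro.com",
    "xlogr-{code}.xdr.trendmicro.com",
    "api.{region}.xdr.trendmicro.com",
    "*.{region}.amazonaws.com",
    "public.ecr.aws",
]
ALLOWED_PORT = 443


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a table entry into an anchored regex (assumed placeholder semantics).

    {region} and {code} match exactly one DNS label; "*." matches one or more
    leading labels, so both s3.us-east-1.amazonaws.com and
    bucket.s3.us-east-1.amazonaws.com match the AWS entry. Anchoring with ^ and $
    prevents lookalike suffixes such as amazonaws.com.example.net from matching.
    """
    parts = re.split(r"(\{region\}|\{code\}|\*\.)", pattern)
    out = []
    for part in parts:
        if part in ("{region}", "{code}"):
            out.append(r"[a-z0-9-]+")
        elif part == "*.":
            out.append(r"(?:[a-z0-9-]+\.)+")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


# Constructed sample of egress log lines: "<timestamp> <destination host> <destination port>".
SAMPLE_EGRESS_LOG = """\
2024-05-01T10:00:01Z sentry.us-east-1.cloudone.trendmicro.com 443
2024-05-01T10:00:05Z public.ecr.aws 443
2024-05-01T10:00:09Z bucket.s3.us-east-1.amazonaws.com 443
2024-05-01T10:00:12Z xlogr-abc123.xdr.trendmicro.com 443
2024-05-01T10:00:20Z updates.example.net 443
2024-05-01T10:00:25Z api.us-east-1.xdr.trendmicro.com 80
2024-05-01T10:00:30Z s3.us-east-1.amazonaws.com.example.net 443
"""


def audit_egress(log_text: str) -> list:
    """Return (host, port, reason) for every connection that deviates from the table."""
    compiled = [pattern_to_regex(p) for p in ALLOWED_DESTINATIONS]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, port = line.split()
        host, port = host.lower().rstrip("."), int(port)
        if not any(r.match(host) for r in compiled):
            findings.append((host, port, "destination not in documented allowlist"))
        elif port != ALLOWED_PORT:
            findings.append((host, port, "unexpected port; only TCP 443 is documented"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit_egress(SAMPLE_EGRESS_LOG):
        print(f"{host}:{port} - {reason}")
```

The same compiled patterns can feed an egress proxy or DNS-firewall allowlist; anything the audit reports is worth investigating against the "no third-party services" statement above.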

Component inventory

The Agentless Vulnerability & Threat Detection stack deploys via four CloudFormation stacks. The following tables list the components in each stack that generate outbound traffic.

SentryShared stack

| Component | Type | Purpose |
|---|---|---|
| CustomerTokenGenerator | Lambda | Generates XLogR authentication tokens via Sentry Backend API |
| CustomerTokenRotator | Lambda | Rotates XLogR tokens on a schedule |
| PatternUpdater | Lambda | Downloads latest anti-malware scan patterns from Sentry Backend |
| LambdaUpdater | Lambda | Checks for and applies Lambda function code updates |
| LogAndAlertForwarder | Lambda | Forwards audit logs and alerts to Sentry Backend |
| TelemetryForwarder | Lambda | Sends telemetry data to Sentry Backend |
| ReportSender | Lambda | Submits completed scan reports to Sentry Backend |

SentrySet stack (per-region)

| Component | Type | Purpose |
|---|---|---|
| Dispatcher | Lambda | Routes incoming scan events to the appropriate handler |
| RealTimeScanHandler | Lambda | Processes real-time EBS snapshot scan events |
| LifecycleEventHandler | Lambda | Tracks EC2, ECR, and Lambda asset lifecycle events and sends changes to XLogR |
| ScheduledScanHandler | Lambda | Initiates periodic full-account scans |
| ResourceCollector | Lambda | Enumerates scannable resources across the account |

Scanner CSF (Cloud Scanner Framework)

| Component | Type | Purpose |
|---|---|---|
| scanner-aws-parse-volume | Lambda | Reads EBS snapshots via EBS Direct API and parses partition metadata |
| scanner-aws-am-scan | Lambda | Anti-malware scanning using iCRC pattern engine |
| scanner-aws-vuln-scan | Lambda | Vulnerability scan |
| scanner-aws-build-report | Lambda | Aggregates scan results into final report |
| scanner-aws-send-xlogr | Lambda | Sends scan results to XLogR endpoints |
| EC2 Manager | Lambda | Launches and terminates scanner EC2 instances |
| Step Functions | State Machine | Orchestrates the scan pipeline |

VPCStack (VPC Flow Log Processing)

| Component | Type | Purpose |
|---|---|---|
| VPCFlowLogProcessor | Lambda | Reads VPC flow logs from S3 and sends to XLogR for network activity visibility |
Note: The SentryShared stack is deployed once per customer account. The SentrySet, Scanner CSF, and VPCStack are deployed per monitored region.

Data handling

The following data is transmitted from your AWS account to TrendAI Vision One™ cloud services:
  • Scan results including malware detections, vulnerability findings, and integrity changes
  • Asset inventory updates
  • VPC flow log summaries
  • Operational telemetry
Important: Raw workload data such as file contents and disk images never leaves your AWS account. All scanning occurs locally within your account.

Security considerations

  • All authentication tokens are stored in AWS Secrets Manager with KMS encryption
  • Customer tokens are automatically rotated
  • No credentials are hardcoded or logged
  • All traffic uses TLS 1.2 or higher encryption
  • Proxy configuration is supported through HTTP_PROXY and HTTPS_PROXY environment variables

Cloud Detections for AWS CloudTrail deployment

TrendAI Vision One™ supports monitoring your CloudTrail logs either through a single account, or by leveraging ControlTower. The diagrams below detail the resources leveraged to enable the Cloud Detections for AWS CloudTrail feature.
[Figure: CloudTrail Log Monitoring for a Single Account]
[Figure: CloudTrail Log Monitoring using ControlTower]

File Security Storage deployment in AWS

The diagram below shows how File Security Storage uses assets within your AWS account to monitor and scan files and cloud storage.
[Figure: File Security]