How to connect your AWS account to Cloud Accounts if you cannot use the stack template.

Some AWS accounts do not allow the use of stack templates to deploy resources within the cloud environment. This is usually due to security policies which prevent the automatic creation of IAM policies and roles required by the deployment script within the stack template.
To connect an AWS account manually, leverage the API resources on the Automation Center.
Important
  • The user role assigned to use Trend Vision One APIs must have full permissions to add, delete, and edit Cloud Accounts. For more information about user roles, see User Roles (Foundation Services release).
  • Deployment using this method only supports Core Features. You cannot enable additional cloud security features.
  • The steps are valid for the AWS console as of February 2024.

Procedure

  1. Generate and download the stack template from Cloud Accounts either from the Trend Vision One console or by calling an API.
    • Access the Trend Vision One console and create the template.
      1. In the Trend Vision One console, go to Service Management > Cloud Accounts > AWS.
      2. Click Add Account.
      3. In the Add Cloud Account screen, select Single Account.
      4. Click Download and Review Template.
      Note
      The Account Name and Description fields are not exported to the review template. You can provide these parameters when calling the connect account API.
    • Call an API to retrieve the template.
      1. Locate the Get AWS CloudFormation template API on the Automation Center.
      2. Locate the query_params strings.
      3. For awsRegion, provide the AWS region where you want to deploy the stack template and Core Features. The default region is based on your Trend Vision One region.
      4. For features and featureAwsRegions, leave the parameters blank.
      5. Save your changes and call the API.
        The API returns the following:
        • templateUrl: The URL to download the template.
        • visionOneOidcProviderUrl: A required parameter for deploying the template.
        • createStackUrl: URL of the AWS CloudFormation console pointing to the CloudFormation template of Trend Vision One.
      6. Download the template.
  2. Access the AWS console.
  3. Add Trend Vision One as an identity provider.
    1. In the AWS console, open the Identity and Access Management (IAM) service.
    2. Go to Access management > Identity providers.
    3. Click Add provider.
      The Add an Identity provider screen opens.
    4. In the Configure provider section, select OpenID Connect.
    5. For provider URL, type or paste the Provider URL.
      • If you used the API to call the template, copy and paste the visionOneOidcProviderUrl parameter the API returned.
      • If you downloaded the template, type cloudaccounts-{region}.xdr.trendmicro.com, where {region} is your Trend Vision One region (us, eu, au, sg, in, or jp).
        For example, if your Trend Vision One region is the United States, your visionOneOidcProviderUrl is cloudaccounts-us.xdr.trendmicro.com
    6. For Audience, input arn:aws:iam::${AWSAccountId}:root.
      Replace ${AWSAccountId} with your AWS account ID.
    7. Click Get thumbprint.
    8. Click Add provider.
      The provider is added to the Identity providers list.
    9. Click the name for the provider you created.
      The provider details screen opens.
    10. Copy the provider ARN for use when creating the Role in a later step.
    11. Locate the Thumbprints section and click Manage.
    12. Delete the thumbprint generated when creating the provider and paste the following thumbprints.
      Click Add thumbprint to add each new line.
      • 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
      • 9565AD13689C2C4B4F018BE31767084D197F2692
      • 8CF427FD790C3AD166068DE81E57EFBB932272D4
      • F21C12F46CDB6B2E16F09F9419CDFF328437B2D7
    13. Click Save changes.
  4. Add the Trend Vision One policies.
    1. In the Identity and Access Management service, go to Access management > Policies.
    2. Click Create policy.
    3. For Policy editor, select JSON.
    4. Copy and replace the Statement parameter using the same parameter from VisionOnePolicyPart1 in your downloaded template file.
      You can also click this link to view and copy the JSON code directly.
      Important
      Make sure to keep the second line of the code "Version": "2012-10-17". Deleting the line might cause the policy to not work correctly.
    5. Click Next.
    6. For Policy name, type VisionOnePolicyPart1.
    7. Click Create policy.
      The policy is created and the Policies screen appears.
    8. After the policy is created, click Create policy from the Policies screen.
    9. For Policy editor, select JSON.
    10. Copy and replace the Statement parameter using the same parameter from VisionOnePolicyPart2 in your downloaded template file.
      You can also click this link to view and copy the JSON code directly.
      Important
      Make sure to keep the second line of the code "Version": "2012-10-17". Deleting the line might cause the policy to not work correctly.
    11. Click Next.
    12. For Policy name, type VisionOnePolicyPart2.
    13. Click Create policy.
      The policy is created and the Policies screen appears.
  5. Add the Trend Vision One role.
    1. In the Identity and Access Management service, go to Access management > Roles.
    2. Click Create role.
    3. For Trusted entity type, select Custom trust policy.
      The Custom trust policy JSON editor appears.
    4. Replace the placeholder code with the following JSON code:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "${visionOneOIDCProvider}"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity",
              "sts:SetSourceIdentity"
            ],
            "Condition": {
              "StringEquals": {
                "${visionOneOIDCProviderURL}:aud": "arn:aws:iam::${AWSAccountId}:root",
                "${visionOneOIDCProviderURL}:sub": [
                  "urn:visionone:identity:${visionOneRegion}:${visionOneAccountID}:account/${visionOneAccountID}"
                ]
              }
            }
          }
        ]
      }
    5. Replace the strings for the following parameters:
      "Federated"
        Description: Replace "${visionOneOIDCProvider}" with the provider ARN for the provider you created.
        Example: If your Trend Vision One region is the United States, the ARN follows the format "arn:aws:iam::1xxxxxxxxxx1:oidc-provider/cloudaccounts-us.xdr.trendmicro.com".
      "StringEquals"
        Description: Replace both instances of "${visionOneOIDCProviderURL}" with the value used when you created the provider.
        Example: If your Trend Vision One region is the United States, use cloudaccounts-us.xdr.trendmicro.com.
        Description: In the string "arn:aws:iam::${AWSAccountId}:root", replace ${AWSAccountId} with your AWS account ID.
        Example: The string should follow the format "arn:aws:iam::1xxxxxxxxxx1:root".
        Description: In the string starting with "urn:visionone:identity:...", replace the following parameters:
          • ${visionOneRegion}: Your Trend Vision One region (us, eu, au, sg, in, or jp)
          • ${visionOneAccountID}: Your Trend Vision One business ID. Make sure to replace both instances.
        Example: If your Trend Vision One region is the United States, the string looks like "urn:visionone:identity:us:1#####1:account/1#####1".
    6. Click Next.
    7. On the Add permissions screen, search for the policies you created and select both.
    8. Click Next.
    9. On the Name, review, and create screen, type VisionOneRole for the Role name.
    10. Under Step 3: Add tags, add the following tags (Key: Value).
      • VisionOneFeatures: Base
      • VisionOneFormationStackName: Vision-One-Cloud-Account-Management
      • VisionOneFormationStackRegion: The AWS region where you want to deploy the resources. For example, us-east-1.
    11. Click Create role.
    12. Once creation completes, click on the role name for the role you created.
    13. In the role details screen, copy the ARN to use with the add account API in a later step.
  6. Connect your AWS account to the Cloud Accounts app using the Add Account API.
    1. Access the API from the Automation Center, or copy the following code to customize.
      import requests
      import json
      
      url_base = 'https://api.xdr.trendmicro.com'
      url_path = '/beta/xdr/cam/awsAccounts'
      token = 'API Keys'
      
      query_params = {}
      headers = {
          'Authorization': 'Bearer ' + token,
          'Content-Type': 'application/json;charset=utf-8'
      }
      body = {
          'roleArn': 'YOUR_ROLEARN (string)',
          'name': 'YOUR_NAME (string)',
          'description': 'YOUR_DESCRIPTION (string)',
          'features': 'YOUR_FEATURES (array)',
          'connectedSecurityServices': [
              {
                  'name': 'YOUR_NAME2 (string)',
                  'instanceIds': 'YOUR_INSTANCEIDS (array)'
              }
          ]
      }
      
      r = requests.post(url_base + url_path, params=query_params, headers=headers, json=body)
      
      print(r.status_code)
      for k, v in r.headers.items():
          print(f'{k}: {v}')
      print('')
      if 'application/json' in r.headers.get('Content-Type', '') and len(r.content):
          print(json.dumps(r.json(), indent=4))
      else:
          print(r.text)
    2. Provide the values for the following parameters in the API code.
      • roleArn: The ARN of the VisionOneRole you copied from the role details screen in the previous step.
      • name: The name of the account as it appears in the Cloud Accounts app. The name must be unique within the Cloud Accounts app.
      • description: The description of the account as it appears in the Cloud Accounts app.
      • features: Leave this value blank.
      If you have provisioned at least one Server & Workload Protection instance, you must provide the parameters for connectedSecurityServices.
      • name: workload
      • instanceIds: The Instance ID for the Server & Workload Protection instance you want to associate with your connected AWS account. You can find the Instance ID in the Trend Vision One console by going to Service Management > Product Instance.
      Important
      You can only associate one Server & Workload Protection instance with an AWS account connection.
    3. Call the Add Account API.
    The Cloud Accounts app connects to your AWS account. You can verify the connection in the Cloud Accounts app, or by calling the Get Connected Accounts API.
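The trust policy from step 5 of the procedure, with its placeholders filled in and then checked, as an added example that is not Trend Micro's code. The helper names (build_trust_policy, trust_policy_problems), the 12-digit AWS account ID and the business ID in the usage are assumptions; the provider URL, aud and sub formats are the ones the page gives.

```python
import re

V1_REGIONS = ("us", "eu", "au", "sg", "in", "jp")  # regions listed on this page


def oidc_provider_url(v1_region: str) -> str:
    """Provider URL entered in step 3 (cloudaccounts-{region}.xdr.trendmicro.com)."""
    if v1_region not in V1_REGIONS:
        raise ValueError(f"unknown Trend Vision One region: {v1_region}")
    return f"cloudaccounts-{v1_region}.xdr.trendmicro.com"


def expected_sub(v1_region: str, v1_business_id: str) -> str:
    return f"urn:visionone:identity:{v1_region}:{v1_business_id}:account/{v1_business_id}"


def build_trust_policy(aws_account_id: str, v1_region: str, v1_business_id: str) -> dict:
    """Fill the placeholders of the step 5 trust policy template (hypothetical helper)."""
    if not re.fullmatch(r"\d{12}", aws_account_id):
        raise ValueError("AWS account ID must be 12 digits")
    url = oidc_provider_url(v1_region)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{aws_account_id}:oidc-provider/{url}"},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:SetSourceIdentity"],
            # aud pins the token to this AWS account; sub pins it to your own
            # Vision One business ID, so no other tenant can assume the role.
            "Condition": {"StringEquals": {
                f"{url}:aud": f"arn:aws:iam::{aws_account_id}:root",
                f"{url}:sub": [expected_sub(v1_region, v1_business_id)],
            }},
        }],
    }


def trust_policy_problems(policy: dict, aws_account_id: str, v1_region: str, v1_business_id: str) -> list:
    """Check a trust policy (e.g. copied back from the console) against the values it should carry."""
    url = oidc_provider_url(v1_region)
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != f"arn:aws:iam::{aws_account_id}:oidc-provider/{url}":
            problems.append("Federated principal is not this account's Vision One OIDC provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{url}:aud") != f"arn:aws:iam::{aws_account_id}:root":
            problems.append("aud condition missing or does not match this AWS account")
        if cond.get(f"{url}:sub") != [expected_sub(v1_region, v1_business_id)]:
            problems.append("sub condition missing or not restricted to your Vision One business ID")
    return problems
```

Running trust_policy_problems over the policy pasted back from the role's Trust relationships tab catches a dropped sub condition, which would otherwise leave the role assumable by any Vision One tenant's token.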