Get answers to frequently asked support questions for Cloud Risk Management.
Cloud Risk Management FAQs
How do I manage rule failures related to Agentless Vulnerability & Threat Detection for GCP?
The Agentless Vulnerability & Threat Detection (AVTD) for GCP feature has undergone thorough testing, including security and performance testing, in order to meet cloud configuration best practices. The following rule findings have been reviewed by the Trend Micro team and can be safely ignored:
- CloudVPC-006: Ensure that Cloud DNS logging is enabled for all VPC networks: AVTD securely deploys a VPC network. Cloud DNS logging is not required for monitoring.
- CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: AVTD securely deploys VPC subnets. VPC Flow Logs are not required for monitoring.
- CloudStorage-005: Define index page suffix and error page for the bucket website configuration: The cloud storage is not intended for website hosting, so website configuration is not applicable.
- CloudStorage-003: Configure Retention Policies with Bucket Lock: AVTD sets a retention policy for the cloud storage. The bucket lock feature is not enforced, to allow flexibility to adjust the policy.
What to do next?
To prevent failures for the rules above from affecting the compliance of your cloud accounts, exclude the AVTD resources from these rules by creating a rule exception:
- CloudVPC-003: Create a rule exception using the resource ID reported in the failed result.
- CloudStorage-005, CloudStorage-003: Create a rule exception using the tag trend-micro-product::avtd.
Alternatively, you can create and apply an exception profile:
- Merge the profile with the affected accounts to apply the rule exceptions.
Exclusions are not supported for the rule CloudVPC-006, therefore we recommend that you apply a permanent rule suppression to prevent it from affecting the compliance score of your cloud accounts.
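As an added illustration (not Trend Micro's or the product's own code), the following Python models the three handling modes this answer describes, using constructed resource IDs and findings, and shows why a permanent suppression of CloudVPC-006 also hides failures on non-AVTD resources, which a resource- or tag-scoped exception would not.

```python
# Added example: exception-versus-suppression triage on constructed findings.
from dataclasses import dataclass, field

AVTD_TAG = "trend-micro-product::avtd"  # tag named in the FAQ above


@dataclass
class Finding:
    rule_id: str
    resource_id: str           # constructed IDs; real ones come from the failed result
    tags: set = field(default_factory=set)


# Mirrors the FAQ: CloudVPC-003 excepted by resource ID, CloudStorage-005/003
# excepted by tag, CloudVPC-006 suppressed for the whole rule (no exclusion support).
POLICY = {
    "resource_exceptions": {"CloudVPC-003": {"avtd-subnet-1"}},
    "tag_exceptions": {"CloudStorage-005": AVTD_TAG, "CloudStorage-003": AVTD_TAG},
    "suppressed_rules": {"CloudVPC-006"},
}


def classify(finding, policy=POLICY):
    """Return 'excepted', 'suppressed' or 'open' for one finding."""
    if finding.resource_id in policy["resource_exceptions"].get(finding.rule_id, set()):
        return "excepted"
    required_tag = policy["tag_exceptions"].get(finding.rule_id)
    if required_tag and required_tag in finding.tags:
        return "excepted"
    if finding.rule_id in policy["suppressed_rules"]:
        return "suppressed"
    return "open"


def triage(findings, policy=POLICY):
    """Bucket findings by outcome; also list suppressed findings on non-AVTD
    resources, which a rule-wide suppression hides but an exception would not."""
    out = {"excepted": [], "suppressed": [], "open": [], "hidden_non_avtd": []}
    for f in findings:
        verdict = classify(f, policy)
        out[verdict].append(f.resource_id)
        if verdict == "suppressed" and AVTD_TAG not in f.tags:
            out["hidden_non_avtd"].append(f.resource_id)
    return out


# Constructed sample findings for a GCP account with AVTD deployed.
SAMPLE = [
    Finding("CloudVPC-003", "avtd-subnet-1", {AVTD_TAG}),
    Finding("CloudVPC-003", "prod-subnet-7"),                 # genuine gap, stays open
    Finding("CloudStorage-005", "avtd-bucket", {AVTD_TAG}),
    Finding("CloudStorage-003", "backup-bucket"),             # no AVTD tag, stays open
    Finding("CloudVPC-006", "avtd-vpc", {AVTD_TAG}),
    Finding("CloudVPC-006", "prod-vpc"),                      # hidden by the suppression
]
```

Review the `hidden_non_avtd` list periodically so a rule-wide suppression does not silently mask DNS logging gaps on your own VPC networks.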
What are the potential rule failures related to Agentless Vulnerability and Threat Detection?
The new Guided Exclusions feature is automatically enabled by default to exclude AVTD resources and prevent failures from affecting the compliance and risk scores for your cloud accounts. For more information, including disabling the exclusions, see: Managing preferences.
Potential Rule Findings for Excluded Resources
The following potential rule findings have been reviewed by the Trend Micro team. When the context of these resources is taken into account, these findings are not applicable and can be safely ignored:
- Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Managed Keys: AVTD resources are securely encrypted with default keys. In addition, the environment variables do not contain any secrets, so adding additional encryption using customer-managed keys is not required.
- SecretsManager-001: Secret Encrypted With KMS Customer Master Keys: AVTD resources are securely encrypted with default keys so adding additional encryption using customer-managed keys is not required.
- Lambda-001: Lambda Using Latest Runtime Environment: AVTD ensures that all our Lambdas use a Supported Runtime Environment with no End Of Life date. All supported runtime environments receive frequent security updates from AWS.
- Lambda-003: Lambda Tracing Enabled: AVTD ensures that this feature is thoroughly tested before release, hence the additional visibility from enabling tracing is not required.
- SecretsManager-002: Secret Rotation Enabled: AVTD uses its own secrets feature instead of the one provided by AWS, hence enabling the AWS-provided Secret Rotation feature is not required.
- SecretsManager-003: Secret Rotation Interval: AVTD uses its own secrets feature instead of the one provided by AWS, hence enabling the AWS-provided Secret Rotation feature is not required.
- S3-024: S3 Transfer Acceleration: The AVTD feature does not use the transfer acceleration feature.
- Lambda-006: Using an IAM Role For More Than One Lambda Function: AVTD employs a strategy called "permission planes" where Lambda functions that require identical permissions use a single IAM role. This ensures both efficiency and manageability when deploying to multiple regions, e.g. a reduction in the number of IAM roles used in a customer's cloud account.
- Lambda-007: VPC Access for AWS Lambda Functions: AVTD does not utilize resources like Redshift, ElastiCache, and RDS which may require a VPC implementation.
- CFM-001: CloudFormation Stack Notification: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.
- CFM-002: CloudFormation Stack Policy: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.
- CFM-005: CloudFormation Stack Termination Protection: In order to give customers control of the stacks in their environment, AVTD does allow users to deactivate and remove the stack from their account.
- S3-025: S3 Buckets Encrypted with Customer Provided Keys (CMKs): AVTD is already encrypted using S3-Managed Keys.
- SQS-006: SQS Dead Letter Queue: AVTD implements a Dead Letter Queue (DLQ) in some of its SQS resources where applicable.
- S3-013: S3 Bucket MFA Delete Enabled: Objects stored in AVTD S3 buckets are relatively short-lived, hence enabling MFA Delete protection against accidental deletion is not required.
- S3-023: Object Lock: Objects stored in AVTD S3 buckets are relatively short-lived, hence Object Lock protection against accidental deletion is not required.
Performance
Performance troubleshooting
Troubleshooting options for performance issues
| Issue | Resolution or Cause |
| --- | --- |
| Compliance scan has caused my account to reach its rate limit | Manage performance issues by increasing the delay between Compliance scan runs. |
| API throttling | Cloud Risk Management has optimised the platform to avoid unnecessary API calls. Examples of performance optimisation: 1. When Cloud Risk Management calls the AWS API for the S3 bucket list, the bot does not make repetitive calls; instead, it checks for changes only. 2. Cloud Risk Management supports partial inventory, i.e. using partial lists of resources from AWS, so the system can deal with partial calls (e.g. S3 bucket list, secondary IP calls): if the bot fails to make the second API call, the rule engine will still work. 3. Support for exponential backoff on API calls. |
If you experience any other issues, please let our team know via Cloud Risk Management support.
 
		
