Use the APIs on the Trend Vision One Automation Center to connect your AWS account.
You can use the APIs available on the Trend Vision One Automation Center to connect your AWS
account, and retrieve the CloudFormation stack template from Cloud Accounts.
The stack template created by the Cloud Accounts app contains a token used to
activate certain features after deployment. The token is designed to expire,
requiring you to periodically regenerate the CloudFormation stack template to get
an
updated token. The features which require a token are:
-
Cloud Detections for AWS CloudTrail
-
Agentless Vulnerability & Threat Detection
For organizations that require a static template that does not expire, use the token
API to generate a token which can be added into the CloudFormation template. You can
access the token API from the automation center.
Important
|
The following steps cover using the AWS console to upload the stack template. If you
use an API to upload templates to your AWS account, follow your normal procedures
and use the suggested configurations contained in these steps.
Procedure
- Generate and download the stack template from Cloud Accounts.
-
Access the Trend Vision One console and create the template.
-
In the Trend Vision One console, go to
-
Click Add Account.
-
On the Deployment Type screen, select CloudFormation and Single AWS Account.
-
Click Next.
-
Specify the Account name, Description, and select the AWS region for deployment.
-
If you have more than one Server & Workload Protection Manager instance, select the instance to associate with the connected account and click Next.
-
On the Features and Permissions screen, enable Cloud Detections for AWS CloudTrail and click Next.
-
Click Download and Review Template.
Note
The Account Name and Description fields are not exported to the review template. These parameters are provided in a later step. -
-
Call an API to retrieve the template.
-
Locate the Get AWS CloudFormation template API on the automation center.
-
Locate the
query_params
strings. -
For
awsRegion
, provide the AWS region where you want to deploy the stack template and Core Features. The default region is based on your Trend Vision One region. -
For
features
, list the features you want to enable. -
For
featureAwsRegions
, specify the regions to deploy resources for certain features.This field is required for features such as Agentless Vulneratibility & Threat Detection and Containter Protection for Amazon ECS. Some features have limited region support. For more information, see AWS supported regions and limitations. -
Save your changes and call the API.The API returns the following:
-
templateUrl
: The URL to download the template. -
visionOneOidcProviderUrl
: A required parameter for deploying the template. -
createStackUrl
: URL of the AWS CloudFormation console pointing to the CloudFormation template of Trend Vision One.
-
-
Download the template.
-
-
- If you need to deploy a static template, call the Token API.The API returns the values
bootstrapToken
andvisionOneApiKey
. - Locate the template file and open it in a text editor.
- Locate the
Parameters
resource immediately following theOutputs
resource and provide values for the required parameters.Replace the explanation strings within the brackets {} with the required values.ParameterValueCloudAccountDescription
Specify a description which displays in the Cloud Accounts appCloudAccountName
Specify the account name which displays in the Cloud Accounts appCloudAuditLogMonitoringCloudTrailSNSTopicArn
The ARN of the CloudTrail SNS topic to monitorThis is required only if you enabled the Cloud Detections for AWS CloudTrail feature. Otherwise, leave empty.CloudAuditLogMonitoringCloudTrailArn
The ARN of the CloudTrail to monitorThis is required only if you enabled the Cloud Detections for AWS CloudTrail feature. Otherwise, leave empty.OrganizationID
Leave empty for connecting a single account.ServerWorkloadProtectionManager
The ID of the Server & Workload Protection instance to associate with the AWS accountIf you have provisioned at least one Server & Workload Protection, you must provide this value. The value is the following JSON string encoded in base64:-
[{"name":"workload", "instanceIds":["<instance id>"]}]
Theinstance id
can be found in the Product Instance app.For example, if theinstance id
is 123:-
The JSON string is
[{"name":"workload", "instanceIds":["123"]}]
-
The base64 string to provide for this parameter is: W3sibmFtZSI6Indvcmtsb2FkIiwgImluc3RhbmNlSWRzIjpbIjEyMyJdfV0=
VisionOneAPIKey
Specify the API Key to invoke Cloud AccountsIf you are using the Token API, paste thevisionOneApiKey
returned by the API.Otherwise, use your account API Key. Make sure the user account associated with the API Key has full permissions for Cloud Accounts.VisionOneAccountID
Your Trend Vision One business IDVisionOneOIDCProviderURL
cloudaccounts-{region}.visionone.trendmicro.com
Replace{region}
with one of the region values:us, eu, au, sg, in, jp
Note
If you used an API to retrieve the template, the API returns the value asvisionOneOidcProviderUrl
.VisionOneRegion
The region of your Trend Vision One deploymentUse one of the values:us, eu, au, sg, in, jp
-
- If you are using a static template, provide the parameters returned by the
Token API
- Locate the resource
customExchangeToken
and go to theproperties
section. - Locate the property
VisionOneBootstrapToken
and replace the value with thebootstrapToken
value generated by the Token API. - Locate the property
VisionOneAPIKey
and replace the value with thevisionOneApiKey
value generated by the Token API.
- Locate the resource
- Save your changes to the template file.
- Access the Amazon CloudFormation console and go to Stacks.
- Click Create Stack.If prompted, select With new resources (standard).
- In the Create stack screen, select Template is ready.
- For Template source, select Upload a tempate file then click Choose file to upload the template.
- Click Next.
- Configure the Specify stack details screen.
- If you want to use a name other than the default, specify a new Stack name.
- In the Parameters section, verify the following
parameters are correct.
-
CloudAuditLogMonitoringCloudTrailArn
-
CloudAuditLogMonitoringCloudTrailSNSTopicArn
Important
Do not change any other settings in the Parameters section. CloudFormation automatically provides the settings for the parameters. Changing parameters might cause stack creation to fail. -
- Click Next.
- Configure the Configure stack options as needed for your organization needs, then click Next.
- In the Review screen, select the options under
Capabilities.
-
I acknowledge that AWS CloudFormation might create IAM resources with custom names.
-
I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
-
- Click Submit.The Stack details screen for the new stack appears with the Events tab displayed. Creation might take a few minutes. Click Refresh to check the progress.