About Cloud Account Management

The Cloud Accounts feature allows you to easily connect your cloud providers with Trend Cloud One so that Cloud One can provide protection for the resources in your cloud accounts.

Supported cloud providers

Currently, the common Cloud Accounts feature is used for File Storage Security protection on AWS and Google Cloud Platform (GCP). More support and integration will be added in the future. For the remainder of the Cloud One services, please connect your cloud accounts directly in those services.

What permissions does Cloud One require?

The required read-only permissions can be found in the setup instructions for each cloud provider.
When adding your GCP account, you'll be required to grant Cloud One the viewer role. This does not grant permission to modify any resources or data.

Permissions for Cloud One - Network Security

Write permissions are required only for hosted infrastructure deployments. Network Security can still read information about your environment without them.
Below is a breakdown of the write-access permissions requested and what each group enables.

Each entry lists the permissions requested, followed by the reason they are needed.

Permissions requested:
  cloudformation:CreateStack
  cloudformation:DeleteStack
Reason:
  These permissions grant Cloud One the ability to use CloudFormation to maintain the subnets and VPC Endpoints for Network Security with hosted infrastructure.
  Cloud One uses CloudFormation templates for this to get the advantages of Infrastructure as Code for the security subnets and endpoints.
  AWS will limit Cloud One CloudFormation stacks to only the other permissions listed here.

Permissions requested:
  ec2:CreateSubnet
  ec2:CreateTags
  ec2:CreateVpcEndpoint
  ec2:DeleteSubnet
  ec2:DeleteVpcEndpoints
Reason:
  These permissions grant Cloud One the ability to create subnets and VPC Endpoints in order to deploy Network Security with hosted infrastructure in your account.
  These are required for Cloud One to deploy the necessary resources in your AWS account to inspect traffic using Network Security with hosted infrastructure.

Permissions requested:
  logs:CreateLogGroup
  logs:CreateLogStream
  logs:PutLogEvents
Reason:
  These permissions grant Cloud One the ability to send logs to CloudWatch Logs in your AWS account for Network Security with hosted infrastructure.
  These logs will include items such as flows that Network Security blocks.
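The permission table above is the reference a reviewer would check a proposed IAM policy against before granting it. The following script is an added example, not Trend Micro's code or tooling: it reads a policy document, collects the actions granted by Allow statements, and reports which of them are the documented write permissions, which are undocumented write actions, and which are wildcards that can never be least privilege. The sample policy is constructed for illustration and deliberately carries an over-broad "ec2:*" grant; the documented action set is copied from the table.

```python
"""Added example (not Trend Micro's code): audit an IAM policy document's
Allow actions against the write permissions documented for Network Security
with hosted infrastructure.

Assumptions: SAMPLE_POLICY is a constructed policy for illustration;
DOCUMENTED_WRITE_ACTIONS is the set from the table on this page.
"""
from __future__ import annotations

import fnmatch
import json

# Write permissions the page lists for Network Security hosted infrastructure.
DOCUMENTED_WRITE_ACTIONS = {
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpcEndpoint",
    "ec2:DeleteSubnet", "ec2:DeleteVpcEndpoints",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}

# Verbs treated as read-only so a Describe*/Get*/List* grant is not a finding.
READ_PREFIXES = ("Describe", "Get", "List")

# Constructed sample policy: mirrors the documented set, but the second
# statement grants "ec2:*" instead of the five specific ec2 actions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogGroups"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})


def allowed_actions(policy_json: str) -> set[str]:
    """Collect every action string from Allow statements (Deny is ignored)."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    actions: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):             # "Action" may be a string or a list
            acts = [acts]
        actions.update(acts)
    return actions


def is_write_action(action: str) -> bool:
    """Anything whose verb is not Describe/Get/List is treated as write-capable."""
    _, _, verb = action.partition(":")
    return not verb.startswith(READ_PREFIXES)


def audit_write_actions(policy_json: str) -> dict[str, set[str]]:
    """Split Allow actions into documented, undocumented-write and wildcard groups."""
    result: dict[str, set[str]] = {
        "documented": set(), "undocumented_write": set(), "wildcard": set(),
    }
    for action in allowed_actions(policy_json):
        if "*" in action:                     # e.g. "ec2:*": covers far more than needed
            result["wildcard"].add(action)
        elif action in DOCUMENTED_WRITE_ACTIONS:
            result["documented"].add(action)
        elif is_write_action(action):
            result["undocumented_write"].add(action)
    return result


def missing_documented_actions(policy_json: str) -> set[str]:
    """Documented actions not granted explicitly or via a matching wildcard."""
    granted = allowed_actions(policy_json)
    return {a for a in DOCUMENTED_WRITE_ACTIONS
            if not any(fnmatch.fnmatchcase(a, g) for g in granted)}


if __name__ == "__main__":
    report = audit_write_actions(SAMPLE_POLICY)
    for group, actions in report.items():
        print(f"{group}: {sorted(actions)}")
    print("missing:", sorted(missing_documented_actions(SAMPLE_POLICY)))
```

Run against the sample, the wildcard group reports "ec2:*", nothing is missing (the wildcard covers the ec2 actions), and "logs:DescribeLogGroups" is ignored as read-only. The fix a reviewer would ask for is to replace the wildcard with the five listed ec2 actions so the role holds exactly what the table documents.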

How does this connect to my cloud provider?

Cloud One uses OpenID Connect (OIDC) to create a trust relationship between Cloud One, which acts as the external identity provider, and a third-party cloud provider such as AWS or GCP. On the cloud provider side, this trust is expressed as a role (or equivalent) that accepts tokens issued by the Cloud One identity provider.
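What makes an OIDC trust relationship safe to grant is that the cloud-side role accepts tokens from exactly one identity provider and for exactly one audience. The following script is an added example, not Cloud One's code or configuration: it checks an AWS-style role trust policy for those two pins. The provider host, account ID and audience are placeholders chosen for the example (Cloud One's real values are not on this page), and both trust policies are constructed; the second one drops the audience condition to show the failure the check is meant to catch.

```python
"""Added example (not Trend Micro's code): verify that a role trust policy
for an external OIDC provider is pinned to one provider and one audience.

Assumptions: PROVIDER_HOST, ACCOUNT_ID and EXPECTED_AUDIENCE are placeholders,
not Cloud One's real values; both trust policies are constructed.
"""
from __future__ import annotations

import json

ACCOUNT_ID = "123456789012"                 # placeholder account
PROVIDER_HOST = "oidc.example-idp.invalid"  # placeholder OIDC issuer host
EXPECTED_AUDIENCE = "example-audience"      # placeholder audience claim

WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(pin_audience: bool) -> str:
    """Constructed trust policy in the shape AWS uses for web-identity federation."""
    statement = {
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"
        },
        "Action": WEB_IDENTITY_ACTION,
    }
    if pin_audience:
        # The audience condition ties the role to tokens issued for this account.
        statement["Condition"] = {
            "StringEquals": {f"{PROVIDER_HOST}:aud": EXPECTED_AUDIENCE}
        }
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


SAMPLE_TRUST_POLICY = build_trust_policy(pin_audience=True)
UNPINNED_TRUST_POLICY = build_trust_policy(pin_audience=False)


def trust_policy_findings(policy_json: str, provider_host: str, audience: str) -> list[str]:
    """Return review findings; an empty list means the trust is pinned as expected."""
    findings: list[str] = []
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    saw_web_identity = False
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if WEB_IDENTITY_ACTION not in actions:
            continue
        saw_web_identity = True

        # Pin 1: the federated principal must be the expected OIDC provider.
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not str(federated).endswith(f":oidc-provider/{provider_host}"):
            findings.append(f"statement {i}: federated principal is not {provider_host}")

        # Pin 2: the audience claim must be restricted to the expected value.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud = cond.get(f"{provider_host}:aud")
        if isinstance(aud, list):
            aud = aud[0] if len(aud) == 1 else None
        if aud != audience:
            findings.append(f"statement {i}: audience is not pinned to {audience!r}")

    if not saw_web_identity:
        findings.append(f"no Allow statement grants {WEB_IDENTITY_ACTION}")
    return findings


if __name__ == "__main__":
    for name, policy in (("pinned", SAMPLE_TRUST_POLICY), ("unpinned", UNPINNED_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, PROVIDER_HOST, EXPECTED_AUDIENCE) or "OK")
```

The pinned policy produces no findings; the unpinned one reports the missing audience condition, which is the case where any token from the provider, regardless of which tenant it was issued for, could assume the role. The same two checks apply in spirit to GCP workload identity federation, though the configuration shape there is different.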