About Cloud Sentry

Cloud Sentry rapidly surfaces malware and provides integrity monitoring detection in your environment without any impact on running applications and resources. Daily scans are performed for trial and paid customers. Cloud Sentry gives you a daily security view of your cloud account.

Cloud Sentry deploys as a serverless scanner in your cloud account to scan your resources for threats. When you deploy Cloud Sentry, it automatically starts scanning the following resources across available AWS regions: EC2 instances, ECR repositories, and Lambda functions. It only returns findings to Trend Cloud One Central by AWS account; you maintain ownership and control of your data and it never leaves your environment.

The Cloud Sentry engine performs a series of functions without an instance to maintain. It is deployed by the CAM CloudFormation template. As a serverless function, the Cloud Sentry engine only activates during scanning and can leverage its scalability advantage while performing the scan. Your data remains in your account. The data is analyzed locally, and only the metadata is processed by Trend Micro backend systems.

Architecture and flow

Figure: Cloud Sentry architecture

  1. Cloud Sentry takes a snapshot of your EBS.

  2. It then scans the snapshot. One snapshot is kept for differential comparison.

  3. Your data remains in your account. The data is analyzed locally, and only metadata is processed by Trend Micro backend systems.

  4. The results are sent to Cloud One Central where you can view them and their suggested remediation options.

Cloud Sentry provides the following types of threat detection:

  • Anti-Malware. It inspects your EC2 instances, ECR images, and Lambda functions for malware, including viruses, trojans, spyware, and more. The engine is also able to search for obfuscated or polymorphic variants of malware, based on fragments of previously seen malware and detection algorithms. There is no file type or size limitation for the Cloud Sentry scanner.

Figure: Malware findings page

  • Integrity Monitoring. It monitors for suspicious changes in the host operating system of your EC2 instances, including the addition of suspicious artifacts and indicators of attack (IoA).

Figure: Integrity monitoring findings page

After deployment, Cloud Sentry begins scanning your EBS volumes, ECR container images, and Lambda functions. When findings are detected they are sent to Cloud One Central where you can view them and their suggested remediation options.

Cloud Sentry runs scans on a fixed daily schedule. Scan times may vary depending on the number of resources. However, you should expect findings to start appearing within minutes of the deployment.

Scanned artifacts

Currently, Cloud Sentry scans the following:

  • EBS: Volumes attached to any EC2, NTFS, or Linux instance

  • ECR:

    • Images located in private ECR repositories
    • Images tagged latest
    • Images in tar format
  • Lambda: Functions with deployment packages as .zip file archives

Currently Cloud Sentry is only available for AWS. Other platforms such as Azure and GCP will be supported in the future.

Supported Amazon regions

Cloud Sentry supports the following Amazon Web Services (AWS) regions:

Region code       Region name (Location)
us-east-1         US East (N. Virginia)
us-east-2         US East (Ohio)
us-west-1         US West (N. California)
us-west-2         US West (Oregon)
af-south-1        Africa (Cape Town)
ap-east-1         Asia Pacific (Hong Kong)
ap-northeast-1    Asia Pacific (Tokyo)
ap-northeast-2    Asia Pacific (Seoul)
ap-northeast-3    Asia Pacific (Osaka)
ap-south-1        Asia Pacific (Mumbai)
ap-southeast-1    Asia Pacific (Singapore)
ap-southeast-2    Asia Pacific (Sydney)
ca-central-1      Canada (Central)
eu-central-1      Europe (Frankfurt)
eu-north-1        Europe (Stockholm)
eu-west-1         Europe (Ireland)
eu-west-2         Europe (London)
eu-west-3         Europe (Paris)
sa-east-1         South America (São Paulo)

Cloud Sentry does not support the following Amazon Web Services (AWS) regions due to a lack of a pattern layer:

Region code       Region name (Location)
ap-southeast-3    Asia Pacific (Jakarta)
eu-south-1        Europe (Milan)
me-central-1      Middle East (UAE)
me-south-1        Middle East (Bahrain)

Limitations

There are a number of limitations you should consider when using Cloud Sentry.

Amazon Elastic Block Store (EBS) snapshot limit

AWS accounts limit the total pending EBS snapshot count to 100. The Cloud Sentry scanner creates EBS snapshots daily for all EBS volumes that are attached to EC2 instances. During the creation process, you may encounter a PendingSnapshotLimitExceeded error when creating the snapshots. This may slow down scanning.

Cloud Sentry stack removal error

If you have a specific stack version and try to remove the Cloud Sentry stack from your AWS account, you may encounter the DELETE_FAILED at StackResourceCleanerCustom with AccessDenied error preventing removal of the stack. Although this issue was fixed in the latest version of the Sentry stack, you might still experience it if you are on the previous stack. You can troubleshoot it as follows:

  1. In AWS CloudFormation, navigate to Stacks > StackSet-SentrySetNNN-NNN > Events. Notice that Status is displayed as DELETE_FAILED with Status reason StackResourceBucketCleanerCustom AccessDenied.

  2. Select Resources and enter StackResourceBucket in the search field.

  3. Locate both StackResourceBucketCleanerLambdaRole and StackResourceBucketLogsCleanerLambdaRole under Logical ID.

  4. Under Physical ID, click the arrow icon corresponding to both physical IDs to access their IAM role definitions.

  5. In IAM > Roles > Permissions > Permission policies, select NNN-StackResourceBucketLogsCleanerFunction permission under Policy name.

  6. Use the Policy editor to add the following permissions, which are needed to list S3 object versions:

    "Statement": [
        {
            "Action": [
                ...
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetBucketVersioning"
            ],
            ...
  7. Click Next.

  8. On Review and save, click Save changes.

  9. If the error occurs in other regions, replicate the same changes in the corresponding regions.

  10. In Stacks, select the parent stack and click Delete to initiate the removal of all stacks, including the SentrySet stack, across all deployed regions.

  11. In the Delete stack? dialog, click Delete without selecting any offered options. This removes all stacks and resources, including S3 buckets and StackResourceCleanerCustom deployed for Sentry.
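Before retrying the stack deletion, it is worth confirming that the cleaner role's inline policy actually grants the three actions from step 6. The following Python check is an added example, not part of the Trend Micro documentation or product; the policy document it inspects is a constructed sample standing in for the NNN-StackResourceBucketLogsCleanerFunction policy you would export from IAM.

```python
import fnmatch
import json

# The S3 actions the troubleshooting steps add so the cleaner Lambda can
# list and read object versions before emptying the bucket.
REQUIRED_S3_ACTIONS = (
    "s3:ListBucketVersions",
    "s3:GetObjectVersion",
    "s3:GetBucketVersioning",
)


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def action_allowed(policy, action):
    """Return True if the policy document grants `action`.

    Handles Allow/Deny, wildcard patterns such as "s3:*" or "s3:Get*",
    and case-insensitive matching as IAM does. An explicit Deny wins.
    Resource and Condition elements are not evaluated here.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def missing_cleaner_permissions(policy_json):
    """Return the required S3 version actions the policy does not grant."""
    policy = json.loads(policy_json)
    return [a for a in REQUIRED_S3_ACTIONS if not action_allowed(policy, a)]


# Constructed sample: a pre-fix cleaner policy that lists objects, not versions.
OLD_CLEANER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:DeleteObject"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print("missing:", missing_cleaner_permissions(OLD_CLEANER_POLICY))
```

An empty result means the role already has the listing permissions and the DELETE_FAILED has another cause, such as the same role in a different region.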

Deployment

You can enable or disable Cloud Sentry when you add or update your AWS accounts on your Cloud Account Management page. For more information, see Manage your AWS cloud accounts.

Upgrade from preview version to release version

The release date for the general availability of Cloud Sentry is 2023/03/01. If you are using the preview version of Cloud Sentry, you need to update to the latest version to get rid of the hourly error log in CloudWatch.

Migrate from Cloud Sentry to Trend Vision One Agentless Vulnerability & Threat Detection

Migrating from Cloud Sentry to Trend Vision One Agentless Vulnerability & Threat Detection requires you to have a Trend Vision One account. First, you must add your AWS accounts to Trend Vision One and enable Agentless Vulnerability & Threat Detection using the CloudFormation template. Then, you can delete the Cloud Sentry stacks from your AWS accounts and remove the accounts from Trend Cloud One.

Installing Trend Vision One Agentless Vulnerability & Threat Detection takes approximately 20 minutes per account across all supported regions. Deleting all deployed resources in the Cloud Sentry stack takes approximately 18 minutes per account.

Add AWS accounts and enable Trend Vision One Agentless Vulnerability & Threat Detection

  1. In the Trend Vision One console, go to Cloud Security > Cloud Accounts.
  2. In the AWS tab, click Add account.
  3. Select CloudFormation as the deployment method and select Single AWS account.
  4. Click Next.
  5. Enter a name for the AWS account to be used in the Trend Vision One console.
  6. Add a description for the account to make the account easier to identify.
  7. Select the region to deploy the CloudFormation Template. The selected region is the primary region where the stack is deployed.
  8. Enable resource tagging and enter a key and value to help track resources deployed by the template.
  9. Click Next.
  10. In Features and Permissions, enable Agentless Vulnerability & Threat Detection.
  11. Select at least one region to which you wish to deploy the feature stack.
  12. Click Scanner settings and expand Agentless Vulnerability & Threat Detection.
  13. Select the resource types to include in scans. EBS, ECR, and Lambda are supported for vulnerability scans by default, while all resources are disabled for anti-malware scanning by default.
  14. In a new browser tab, sign in to your AWS account.
  15. In the Trend Vision One console, click Launch stack.
    • Clicking Launch stack opens the Quick Create Stack screen in the AWS console.
  16. In the AWS console, scroll to the bottom of the Quick Create Stack screen, select the acknowledgment options, and click Create stack.
  17. After the stack deployment completes, go to the Trend Vision One console and click Done. The first scan runs automatically.

Tip: Agentless Vulnerability & Threat Detection also supports AWS Organization deployment, allowing you to quickly add cloud accounts to Trend Vision One. For details on adding accounts via AWS Organization, see Adding AWS organizations.

Verify detections in Trend Vision One

Agentless Vulnerability & Threat Detection scan results are available in the following locations in the Trend Vision One console:

  • Cloud Security Posture
  • Cyber Risk Overview
  • Threat and Exposure Management
  • Attack Surface Discovery asset profile screens

Important: Due to differences in risk event reporting criteria, not all detections will be shown as new risk events in Threat and Exposure Management, so the number of malware-related risk events may differ from the number in Trend Cloud One.

In Threat and Exposure Management, expand malware-related risk events to view metadata you can use to run queries in Search for further threat investigation. Click on vulnerability-related risk events to see remediation options for the vulnerability.

If Agentless Vulnerability & Threat Detection is correctly reporting malware and vulnerability detections in Trend Vision One, you can delete the Cloud Sentry stack from your AWS account.