Table of contents
Topics on this page

Deploy the all-in-one stack on AWS

AWS Lambda is ending support of Python 3.6. As of July 18, 2022, Lambda will no longer apply security patches and updates to Python 3.6 runtime. As of August 17, 2022, we will no longer be able to update functions using Python 3.6 runtime. As a result:

  • The File Storage Security backend cannot update the license and pattern configured in the Lambda
  • After the license times out, the Lambda cannot scan files
  • If you do not update your Stack, we will still support and investigate File Storage Security issues. However, we do not recommend this.
  • If a problem occurs in your File Storage Security setup, you may have to update the Stack or rebuild it.
We recommend that you upgrade your existing Python 3.6 functions to Python 3.8 before August 17, 2022.

Follow the procedure below to deploy the all-in-one stack into your AWS account.

There is also a video demonstration if you prefer.

  1. In the File Storage Security console, select the Stack Management page, select AWS, then select Deploy.

    screen shot

  2. To deploy the all-in-one-stack, select Scanner Stack and Storage Stack.

    screen shot

    There is also the option to add a scanner stack by itself.

  3. On the Deploy Scanner Stack and Storage Stack dialog box:

    • For Step 1, make sure you're signed in to your AWS account.
    • For Step 2, select the AWS region where you want to deploy the all-in-one stack. This region must:

    • (Optional) Select Review Stack to view the contents of the all-in-one stack template before launching it.

    • Select Launch Stack.

      screen shot

    You are redirected to the AWS Quick create stack page.

  4. Fill out the Quick create stack page as follows:

    • Stack name: Specify the name of the stack. Example: FileStorageSecurity-All-In-One.
    • S3BucketToScan: Specify the name of your S3 bucket to scan, as it appears in S3. You can only specify one bucket. Example: my-s3-bucket-to-scan-01
    • ObjectFilterPrefix: Optional. Provide a prefix of the objects you want to scan. If the s3:ObjectCreated:* event of the scanning bucket is partially in use, provide a prefix that is not in use or use TriggerWithObjectCreatedEvent.
    • KMSKeyARNForBucketSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt S3 bucket objects if you have enabled SSE-KMS
    • KMSKeyARNForQueueSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in SQS queues if you have enabled server-side encryption.
    • KMSKeyARNForTopicSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt the SNS ScanResultTopic if you have enabled SNS encryption.
    • ScannerEphemeralStorage: The size of the scanner lambda function's temp directory in MB. The default value is 512, but it can be any whole number between 512 and 2048 MB. Configure a large ephemeral storage to scan larger files in zip files. For more information, see Configuring ephemeral storage. (In preview)
    • TriggerWithObjectCreatedEvent: Optional. If the s3:ObjectCreated:* event of the scanning bucket is in use, set this to false. For more details on how to trigger the scan afterward, see s3:ObjectCreated:* event in use.
    • ReportObjectKey: Optional. Enable this to report the object keys of the scanned objects to File Storage Security backend services. File Storage Security can then display the object keys of the malicious objects in the response of events API.
    • ScanOnGetObject: Optional. Enable this to scan the objects when you get them. For more details, see Scan on getObject request. (In preview)

    screen shot

    • ScanResultTagFormat: The format of the scan result tags tagged on the scanned object. Select Separated tags to add each FSS tag as a standalone tag. Select Merged tag to add all FSS tags in one tag. Select No tag to disable the tagging feature. For more information, see View tags
    • PermissionsBoundary: Optional. Provide the ARN of a policy that will be used to set the permissions boundary for all the roles that will be created. For more details, see AWS permissions control and Permissions boundaries for IAM entities.
    • AdditionalIAMPolicies: Optional. Provide a list of IAM policy ARNs to attach to all the roles that will be created. For more details, see AWS permissions control.
    • Resource prefixes: Optional. Either leave these fields empty or specify the prefix of each resource type. For details, see Resource prefixes.
    • Deploy in VPC: Optional. Either leave these fields empty or specify the VPC subnet IDs and the security group IDs. For details see Deploy in VPC.
    • Stack package location: Leave this field as-is. It is for internal use by File Storage Security.
    • Version: Leave this field as-is. It is for versioning.
    • File Storage Security management account: Leave this field as-is. The account number is: 415485722356. You'll be granting this account permission to manage your all-in-one stack. More specifically, this account has permission to:

      • Obtain the storage and scanner stacks' Lambda logs.
      • Update the ScannerLambda function, anti-malware pattern layers, and license layer in the stacks.
      • Send some of your organization's data to its own AWS SNS topic. For details on the data we collect, see our Data collection disclosure.
    • Trend Micro Cloud One region: Leave this field as-is. It specifies the region to which the scanner and storage stacks will connect to for Cloud One services such as the File Storage Security console, event management services, and telemetry services. For more information, see Cloud One regions.

    • ExternalID: Leave this field as-is. It is required for security purposes. For details, see Why do you need to use an external ID?
    • At the bottom of the page, select both I acknowledge [...] check boxes.
    • Select Create stack.

    screen shot

  5. Wait while the stacks are installed. This could take several minutes. You'll know when everything is installed when you see three CREATE_COMPLETE messages for the File Storage Security stacks.

    screen shot

    You have now installed the all-in-one stack. Continue to the next section to configure ARNs.