Add AWS stacks

After deploying File Storage Security, you might want to add more stacks.

How many stacks should I add?

Storage stacks

You'll need one storage stack per S3 bucket to scan.

There is no limit to the number of storage stacks you can add, but keep in mind that costs will go up as the number of stacks increases. If you have a lot of files to scan that are spread across many S3 buckets, consider deploying just one storage stack, and transferring files into its associated S3 bucket to scan and then back out after scanning. We provide a sample Lambda that automates some of this work. See Post-Scan Action: Promote or Quarantine on GitHub for details.

The number of storage stacks you deploy will not affect performance, so deploy as many or as few as you want.

Scanner stacks

Typically, you'll only need one scanner stack for your entire deployment regardless of size. This is because the scanner stack auto-scales to handle increases in load. (For details on performance, see How long do scans take?) There is no limitation on the number of storage stacks if the storage stacks and the scanner stack are in the same account. However, if the storage stacks and the scanner stack are deployed by different accounts, there is a maximum limit of 50 storage stacks to one scanner stack due to the Amazon SQS policy. The 1:50 ratio is imposed by an Amazon policy that limits the SQS ScannerQueue (in the scanner stack) to a maximum of 50 principals. For details on this policy, see this AWS topic: Quotas Related to Policies.


Where can I add stacks?

Unless otherwise noted below, you can add stacks anywhere in AWS, including: under separate AWS accounts, in separate AWS regions, or under the same AWS account. The storage stacks are aware of their respective scanner stack through an Amazon Resource Name (ARN).

Restrictions, stipulations, and recommendations


Add an all-in-one stack

To add an all-in-one stack, see Deploy the all-in-one stack.


Add a scanner stack

To add a scanner stack, read these sections:

Step 1: Add the scanner stack

Add the scanner stack following the instructions below.

  1. Sign in to File Storage Security, then select the Stack Management page.
  2. Select the AWS tab.
  3. Select Deploy.

    The Deploy dialog box appears.

  4. Select Scanner Stack.

    The Deploy Scanner Stack dialog box appears.

  5. On the Deploy Scanner Stack dialog box:

    • For Step 1:
      • Make sure you are signed in to the AWS account where you want to install the scanner stack.
    • For Step 2:
      • Select the AWS region where you want to deploy the scanner stack. This region must:
      • (Optional) Select Review Stack to view the contents of the scanner stack before launching it.
    • Select Launch Stack.

    You are redirected to the AWS Quick create stack page.

  6. Fill out the Quick create stack page as follows:

    • Stack name: Specify the name of the stack. Example: Scanner-TM-FileStorageSecurity
    • KMSKeyARNForQueueSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in SQS queues if you have enabled server-side encryption. Use the same KMS master key if you deploy the corresponding storage stack.
    • PermissionsBoundary: Optional. Provide the ARN of a policy that will be used to set the permissions boundary for all the roles that will be created. For more details, see AWS permissions control and Permissions boundaries for IAM entities.
    • AdditionalIAMPolicies: Optional. Provide a list of IAM policy ARNs to attach to all the roles that will be created. For more details, see AWS permissions control.
    • Resource prefixes: Optional. Either leave these fields empty or specify the prefix of each resource type. For details, see Resource prefixes.
    • Deploy in VPC: Optional. Either leave these fields empty or specify the VPC subnet IDs and security group IDs. For details see Deploy in VPC.
    • Stack package location: Leave this field as-is. It is for internal use by File Storage Security.
    • Version: Leave this field as-is. It is for versioning.
    • File Storage Security management account: Leave this field as-is. The account number is: 415485722356. You'll be granting this account permission to manage your scanner stack. More specifically, this account has permission to:

      • Obtain the storage and scanner stacks' Lambda logs.
      • Update the ScannerLambda function, anti-malware pattern layers, and license layer in the stacks.
      • Send some of your organization's data to its own AWS SNS topic. For details on the data we collect, see our Data collection disclosure.
    • Trend Micro Cloud One region: Leave this field as-is. It specifies the region to which the scanner and storage stacks connect for Cloud One services such as the File Storage Security console, event management services, and telemetry services. For more information, see Cloud One regions.

    • ExternalID: Leave this field as-is. It is required for security purposes. For details, see Why do you need to use an external ID?
    • At the bottom of the page, select the I acknowledge [...] check box.
    • Select Create stack.

    The scanner stack installs. The installation could take several minutes. Everything is deployed when you see the CREATE_COMPLETE status for the scanner stack.

You have now installed the scanner stack. You are now ready to configure the ARN.

Step 2: Configure the scanner stack's ARN

You must configure the scanner stack's Amazon Resource Name (ARN) in the File Storage Security console.

  1. In AWS, go to CloudFormation > your scanner stack, if you're not there already.
  2. In the main pane, select the Outputs tab.
  3. Copy and paste the ScannerStackManagementRoleARN value into the File Storage Security console.

    If the dialog box is not visible, select Deploy > Scanner Stack again to see it.

  4. Select Submit.

You have now specified the scanner stack's ARN.

Next steps (add storage)

At this point, the scanner stack is fully installed, but is not associated with any storage stacks, so no scanning will take place. To associate the scanner stack with a storage stack and get scanning working, you'll need to add a storage stack.


Add a storage stack

To add a storage stack, read these sections:

Multi-stack architecture

The illustration below shows a typical multi-stack architecture. You can see that there are multiple storage stacks spread across several AWS accounts, all connected to the same scanner.

Because all scanning is completed within a single AWS account, security activities such as audits and configuration are easier to manage.

architectural diagram

Step 1: Add the storage stack

After reviewing the multi-stack architecture, you are ready to add the storage stack. Follow the instructions below.

  1. Sign in to File Storage Security, then select the Stack Management page.
  2. On the left, select the scanner stack to associate with the new storage stack.

  3. Select Add Storage.

    The Add Storage dialog box appears.

  4. On the Add Storage dialog box:

    • For Step 1:
      • Make sure you are signed in to the AWS account where you want to install the storage stack.
    • For Step 2:
      • Select the AWS region of the S3 bucket to scan. For supported regions, see What regions are supported?
      • (Optional) Select Review Stack to view the contents of the storage stack before launching it.
      • (Optional) Select Share Link to obtain a link to the storage stack's CloudFormation template in AWS. You can share this link with others who need an additional storage stack either under the same AWS account or a different account.
    • Select Launch Stack.

    You are redirected to the AWS Quick create stack page.

  5. Fill out the Quick create stack page as follows:

    • Stack name: Specify the name of the stack. Example: FSSStorage2
    • S3BucketToScan: Specify the name of your S3 bucket to scan, as it appears in S3. You can only specify one bucket. Example: my-s3-bucket-to-scan-02

      The S3 bucket name cannot contain a period or "dot" (.) character.

    • ObjectFilterPrefix: Optional. Provide a prefix of the objects you want to scan. If the s3:ObjectCreated:* event of the scanning bucket is partially in use, either provide a prefix that is not in use or use TriggerWithObjectCreatedEvent.

    • KMSKeyARNForBucketSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt S3 bucket objects if you have enabled SSE-KMS.
    • TriggerWithObjectCreatedEvent: Optional. If the s3:ObjectCreated:* event of the scanning bucket is in use, set this to false. For more details on how to trigger the scan afterward, see s3:ObjectCreated:* event in use.
    • ReportObjectKey: Optional. Enable this to report the object keys of the scanned objects to File Storage Security backend services. File Storage Security can then display the object keys of the malicious objects in the response of events API.
    • ScanOnGetObject: Optional. Enable this to scan the objects when you get them. For more details, see Scan on getObject request. (In preview)
    • ScannerAWSAccount: Leave this field as-is. It is auto-populated with the name of the AWS account where the associated scanner stack is installed.

    • ScannerSQSURL: Leave this field as-is. It is auto-populated with the full URL of the Simple Queue Service (SQS) used by the associated scanner stack.
    • ScannerLambdaAliasARN: Leave this field as-is. It is auto-populated with the ScannerLambda alias ARN of the associated scanner stack.
    • KMSKeyARNForQueueSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in SQS queues if you have enabled server-side encryption. Use the same KMS master key that you used in the corresponding scanner stack.
    • PermissionsBoundary: Optional. Provide the ARN of a policy that will be used to set the permissions boundary for all the roles that will be created. For more details, see AWS permissions control and Permissions boundaries for IAM entities.
    • AdditionalIAMPolicies: Optional. Provide a list of IAM policy ARNs to attach to all the roles that will be created. For more details, see AWS permissions control.
    • Resource prefixes: Optional. Either leave these fields empty or specify the prefix of each resource type. For details, see Resource prefixes.
    • Storage stack dead-letter queue: Optional. Either leave these fields empty or specify the ARN of each resource. For details, see Storage stack dead-letter queue.
    • Deploy in VPC: Optional. Either leave these fields empty or specify the VPC subnet IDs and the security group IDs. For details see Deploy in VPC.
    • Stack package location: Leave this field as-is. It is for internal use by File Storage Security.
    • Version: Leave this field as-is. It is for versioning.
    • File Storage Security management account: Leave this field as-is. The account number is: 415485722356. You'll be granting this account permission to manage your storage stack. More specifically, this account has permission to:

      • Obtain the storage and scanner stacks' Lambda logs.
      • Update the ScannerLambda function, anti-malware pattern layers, and license layer in the stacks.
      • Send some of your organization's data to its own AWS SNS topic. For details on the data we collect, see our Data collection disclosure.
    • Trend Micro Cloud One region: Leave this field as-is. It specifies the region to which the scanner and storage stacks connect for Cloud One services such as the File Storage Security console, event management services, and telemetry services. For more information, see Cloud One regions.

    • ExternalID: Leave this field as-is. It is required for security purposes. For details, see Why do you need to use an external ID?
    • At the bottom of the page, select the I acknowledge [...] check box.
    • Select Create stack.

      The stack installs. The installation could take several minutes. Everything is deployed when you see the CREATE_COMPLETE status for the storage stack.

You have now installed the storage stack. You are now ready to configure the ARN.

Step 2: Configure the storage stack's ARN

You must configure the storage stack's Amazon Resource Name (ARN) in the File Storage Security console. The ARN ties the storage stack to its designated scanner stack.

  1. In AWS, go to CloudFormation > your storage stack, if you're not there already.
  2. In the main pane, select the Outputs tab.

  3. Copy and paste the StorageStackManagementRoleARN value into the File Storage Security console.

    If the dialog box is not visible, select Add Storage again to see it.

  4. Select Submit.

You have now specified the storage stack's ARN. The scanner stack is now aware of the storage stack. You are now ready to test the storage stack installation.

Step 3: (Optional) Update KMS key policy if enabling scanner queue encryption

You only need this step if you deployed the storage stack in a different AWS account from the scanner stack and you also want to enable server-side encryption for the SQS queues.

You must update the key policy of the KMS key used for scanner queue encryption in the AWS console.

  1. In AWS, go to CloudFormation > your storage stack, if you're not there already.
  2. In the main pane, select the Outputs tab.

  3. Copy the BucketListenerRoleARN value. You will need it when updating the key policy.

  4. Go to Key Management Service > your key under Customer managed keys, if you're not there already. You might need to switch to a different AWS account if you deployed your scanner stack in a different account.
  5. Edit the key policy and insert the following new Statement object, replacing <BucketListenerRoleARN> with the value copied in step 3:

    ```json
    {
      "Sid": "Grant bucketListener permission",
      "Effect": "Allow",
      "Principal": { "AWS": "<BucketListenerRoleARN>" },
      "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
      "Resource": "*"
    }
    ```

  6. Select Save changes.
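As an added example (not code from this page or from File Storage Security), the following Python applies the Step 3 statement to an exported key policy without duplicating it on a second run, and checks afterwards that the bucket listener role really is granted kms:Decrypt and kms:GenerateDataKey. The account IDs and the BucketListenerRoleARN in the sample are constructed placeholders.

```python
import json

# Statement from Step 3 of this page; only the principal ARN varies.
BUCKET_LISTENER_SID = "Grant bucketListener permission"
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

def _as_list(value):
    """Normalise a policy field that may be absent, a string, or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _aws_principals(statement):
    """AWS principal ARNs named by a statement ("AWS" dict form or bare string)."""
    principal = statement.get("Principal", {})
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)

def bucket_listener_allowed(key_policy, role_arn):
    """True if an Allow statement grants role_arn both required actions (dict or JSON)."""
    if isinstance(key_policy, str):
        key_policy = json.loads(key_policy)
    for stmt in _as_list(key_policy.get("Statement")):
        # Exact action match only; "kms:*" style wildcards are not expanded here.
        if (stmt.get("Effect") == "Allow" and role_arn in _aws_principals(stmt)
                and REQUIRED_ACTIONS <= set(_as_list(stmt.get("Action")))):
            return True
    return False

def add_bucket_listener_statement(key_policy_json, role_arn):
    """Return the key policy JSON with the Step 3 statement appended (idempotent)."""
    policy = json.loads(key_policy_json)
    if not bucket_listener_allowed(policy, role_arn):
        statements = _as_list(policy.get("Statement"))
        statements.append({
            "Sid": BUCKET_LISTENER_SID,
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        })
        policy["Statement"] = statements
    return json.dumps(policy, indent=2)

# Constructed sample: the default key policy (key account only) and a placeholder role ARN.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "kms:*", "Resource": "*"}]})
SAMPLE_ROLE_ARN = "arn:aws:iam::222222222222:role/EXAMPLE-BucketListenerRole"
```

Paste the returned JSON into the key policy editor in step 5; the existing statements are preserved and the new one is added only when the role is not already granted both actions.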

Step 4: Test the storage stack installation

To test the storage stack installation, you'll need to generate a malware detection by adding the EICAR test file to the S3 bucket to scan. For details, see Generate your first detection.