Integrate Trend Cloud One with AWS SecurityHub

AWS Security Hub collects security data from AWS accounts, services, and supported third-party partner products to help you analyze security trends and identify the most significant security issues. When integrated with Trend Cloud One, it lets you view the consolidated security findings for your containers inside AWS SecurityHub.

The following diagram depicts the integration architecture:

[Diagram: AWS SecurityHub integration architecture]

On the functional level, the following occurs:

  • A Lambda function is deployed.
  • All the required IAM resources for Trend Cloud One Workload Security are created.
  • A custom resource completes the integration by running a Lambda function.
  • The default AWS CloudTrail CloudFormation stack is deployed.

Requirements

Before starting the integration, ensure that you have the following:

In addition, ensure that your AWS CloudFormation stack name contains no more than 8 characters. For example, CloudOne.

You must deploy the AWS CloudFormation stack to one of the following regions based on your Trend Cloud One account region:

Trend Cloud One Region Code    AWS Region Code
us-1                           us-east-1
in-1                           ap-south-1
gb-1                           eu-west-2
au-1                           ap-southeast-2
de-1                           eu-central-1
jp-1                           ap-northeast-1
sg-1                           ap-southeast-1
ca-1                           ca-central-1

Parameters

You must define the following parameters:

  • CloudOneApiKey - Trend Cloud One API key. For more information, see Requirements.
  • EnableSecurityHubIntegration - Enables AWS SecurityHub integration when set to true. If set to false, AWS SecurityHub is assumed to be enabled already. The default value is false.

There are a number of parameters whose default values should be accepted, unless you want to host the templates yourself. In that case, QSS3BucketName should name the AWS S3 bucket hosting the templates and QSS3KeyPrefix should give the key prefix (the path of the root folder) for the templates. For example, if the files are hosted in the bucket named my-bucket inside the trend-cloudone-securityhub folder, the QSS3BucketName value should be my-bucket and the QSS3KeyPrefix value should be trend-cloudone-securityhub.

  • QSS3BucketName - The AWS S3 bucket name for the deployment assets. The value can include numbers, lowercase and uppercase letters, and hyphens (-). The default value is cloudone-community.
  • QSS3KeyPrefix - The AWS S3 key prefix for the deployment assets. The value can include numbers, lowercase and uppercase letters, hyphens (-), dots (.), and forward slashes (/). The default value is "".

Deployment

To deploy via a Dashboard, launch an AWS CloudFormation stack.

To deploy via the CLI, execute the following:

#!/bin/bash
# Stack name and location of the deployment template
export STACK_NAME=ABI-TM-SECHUB
export TEMPLATE_URL=https://immersionday-workshopstrendmicro.s3.amazonaws.com/abi/main.template.yaml
# Trend Cloud One credentials and region endpoint (replace the placeholders)
export CLOUDONE_API_KEY=<cloudone-api-key>
export CLOUDONE_REGION_ENDPOINT=<cloudone-ws-region-endpoint>
export DEPLOYSECURITYHUBINTEGRATION=<true|false>
aws cloudformation create-stack \
  --stack-name $STACK_NAME \
  --template-url $TEMPLATE_URL \
  --parameters \
    ParameterKey=CloudOneAPIKey,ParameterValue=$CLOUDONE_API_KEY \
    ParameterKey=CloudOneRegionEndpoint,ParameterValue=$CLOUDONE_REGION_ENDPOINT \
    ParameterKey=DeploySecurityHubIntegration,ParameterValue=$DEPLOYSECURITYHUBINTEGRATION \
    ParameterKey=EnableSecurityHub,ParameterValue=$DEPLOYSECURITYHUBINTEGRATION \
  --capabilities CAPABILITY_NAMED_IAM
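A pre-flight wrapper around the same create-stack call, added here as an example and not part of the Trend Cloud One template or its documentation: it maps the Trend Cloud One region code to the AWS region from the table above and rejects stack names that break the 8-character limit before anything is created. The CLOUDONE_REGION variable and the function names are assumptions.

```shell
#!/bin/bash
# Pre-flight wrapper for the create-stack call above (added example, not part of the
# Trend Cloud One template). CLOUDONE_REGION and the function names are assumptions.
set -u

# Map a Trend Cloud One region code (for example de-1) to the AWS region that must host
# the stack, using the table from this page. Unknown codes print nothing and return 1.
map_region() {
  case "$1" in
    us-1) echo us-east-1 ;;
    in-1) echo ap-south-1 ;;
    gb-1) echo eu-west-2 ;;
    au-1) echo ap-southeast-2 ;;
    de-1) echo eu-central-1 ;;
    jp-1) echo ap-northeast-1 ;;
    sg-1) echo ap-southeast-1 ;;
    ca-1) echo ca-central-1 ;;
    *) return 1 ;;
  esac
}
# Stack-name rules: at most 8 characters (this page) plus CloudFormation's own rule of
# a leading letter followed only by letters, digits or hyphens.
check_stack_name() {
  local name="$1"
  [ "${#name}" -le 8 ] || return 1
  printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*$'
}
# Validate, then create the stack in the matching region. Parameter keys are the ones
# used by the CLI snippet on this page; the API key is read from the environment only.
deploy() {
  local region="${CLOUDONE_REGION:?set to a Trend Cloud One region code, e.g. us-1}"
  local aws_region
  aws_region=$(map_region "$region") \
    || { echo "unsupported Trend Cloud One region code: $region" >&2; return 1; }
  check_stack_name "${STACK_NAME:?}" \
    || { echo "stack name must be 1-8 chars, letter first, [A-Za-z0-9-]: $STACK_NAME" >&2; return 1; }
  aws cloudformation create-stack \
    --region "$aws_region" \
    --stack-name "$STACK_NAME" \
    --template-url "${TEMPLATE_URL:?}" \
    --parameters \
      ParameterKey=CloudOneAPIKey,ParameterValue="${CLOUDONE_API_KEY:?}" \
      ParameterKey=CloudOneRegionEndpoint,ParameterValue="${CLOUDONE_REGION_ENDPOINT:?}" \
      ParameterKey=DeploySecurityHubIntegration,ParameterValue="${DEPLOYSECURITYHUBINTEGRATION:-false}" \
      ParameterKey=EnableSecurityHub,ParameterValue="${DEPLOYSECURITYHUBINTEGRATION:-false}" \
    --capabilities CAPABILITY_NAMED_IAM
}
# Only deploy when invoked as "./preflight.sh deploy", so the checks can be sourced alone.
if [ "${1:-}" = deploy ]; then deploy; fi
```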

If your deployment fails or you decide to remove the stack, all modifications, including any kind of account integration, are reverted to the predeployment state.

Required AWS Permissions and Resources

To deploy the stack, you need the following permissions:

  • Permission to obtain a secret from the secret manager:
    • cloudformation:GetSecretValue
  • Permission to use a KMS key to decrypt the secret from the secret manager:
    • kms:Decrypt
  • Permissions to enable, disable, and list products and findings in AWS SecurityHub:
    • securityhub:ListEnabledProductsForImport
    • securityhub:EnableImportFindingsForProduct
    • securityhub:DisableImportFindingsForProduct
  • Permissions to create, update, delete, and describe AWS CloudFormation stacks:
    • cloudformation:CreateStack
    • cloudformation:UpdateStack
    • cloudformation:DeleteStack
    • cloudformation:DescribeStacks
  • Permissions to create, update, delete, describe, and list AWS CloudFormation StackSets and stack instances:
    • cloudformation:CreateStackSet
    • cloudformation:CreateStackInstances
    • cloudformation:DescribeStackSet
    • cloudformation:UpdateStackSet
    • cloudformation:UpdateStackInstances
    • cloudformation:DeleteStackSet
    • cloudformation:DeleteStackInstances
    • cloudformation:ListStackInstances
  • Permissions to retrieve all organizational unit IDs in the organization:
    • organizations:ListRoots
    • organizations:ListOrganizationalUnitsForParent
  • Permissions to create, update, and obtain the configuration of the Lambda function:
    • lambda:CreateFunction
    • lambda:UpdateFunctionCode
    • lambda:GetFunctionConfiguration
    • lambda:CreateAlias
    • lambda:UpdateFunctionConfiguration
  • Permissions to create an Amazon CloudWatch Logs log group and log stream, and to write the Lambda function's logs to them:
    • logs:CreateLogGroup
    • logs:CreateLogStream
    • logs:PutLogEvents
  • Permissions to download the code from an AWS S3 bucket:
    • s3:GetObject
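A way to confirm these permissions before deploying, added here as an example and not part of the Trend Cloud One template: it runs the IAM policy simulator against the deploying principal for every action listed above and prints the ones that are not allowed. The principal ARN is an argument you supply, the caller needs iam:SimulatePrincipalPolicy, and the secret read is spelled with the Secrets Manager action name secretsmanager:GetSecretValue.

```shell
#!/bin/bash
# Permission pre-check for the deployment (added example, not part of the Trend Cloud
# One template). Asks the IAM policy simulator whether the deploying principal may run
# every action listed on this page, so a failing stack is caught before it is created.
set -u
# The required actions from this page, one per line. The secret read is spelled with
# the Secrets Manager service prefix.
required_actions() {
  cat <<'EOF'
secretsmanager:GetSecretValue
kms:Decrypt
securityhub:ListEnabledProductsForImport
securityhub:EnableImportFindingsForProduct
securityhub:DisableImportFindingsForProduct
cloudformation:CreateStack
cloudformation:UpdateStack
cloudformation:DeleteStack
cloudformation:DescribeStacks
cloudformation:CreateStackSet
cloudformation:CreateStackInstances
cloudformation:DescribeStackSet
cloudformation:UpdateStackSet
cloudformation:UpdateStackInstances
cloudformation:DeleteStackSet
cloudformation:DeleteStackInstances
cloudformation:ListStackInstances
organizations:ListRoots
organizations:ListOrganizationalUnitsForParent
lambda:CreateFunction
lambda:UpdateFunctionCode
lambda:GetFunctionConfiguration
lambda:CreateAlias
lambda:UpdateFunctionConfiguration
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
s3:GetObject
EOF
}
# Print every required action the simulator does not evaluate as "allowed" for the
# given user or role ARN; empty output means the principal can deploy the stack.
# The caller needs iam:SimulatePrincipalPolicy. Usage: missing_actions <principal-arn>
missing_actions() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names $(required_actions) \
    --query 'EvaluationResults[?EvalDecision!=`allowed`].EvalActionName' \
    --output text
}
```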