How to configure TrendMicro DeepSecurity for AWS using CloudFormation

TrendMicro DeepSecurity provides intrusion detection and threat mitigation for your virtual machine instances on AWS. In this blog, we will introduce you to the CloudFormation custom provider for TrendMicro DeepSecurity. With this provider you can deploy both EC2 instances and DeepSecurity policies and rules from a single CloudFormation template.

How Does It Work?

It is quite easy: you specify a CloudFormation resource of type Custom::DeepSecurity<Resource-Type>, as follows:

Policy:
  Type: Custom::DeepSecurityPolicy
  Properties:
    Value:
      name: My Managed Policy
      parentID: '{{lookup "policy" "Linux Server"}}'
      firewall:
        state: 'inherited'
        ruleIDs:
          - '{{lookup "firewallRule" "FTP Server"}}'
          - '{{lookup "firewallRule" "SMTP Server"}}'
      intrusionPrevention:
        state: 'inherited'
        ruleIDs:
          - '{{lookup "intrusionPreventionRule" "Digium Asterisk RTP Comfort Noise Frame Processing Denial Of Service"}}'
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'

The provider supports all the resource types of the DeepSecurity API: the name of the resource type you want to create is appended to Custom::DeepSecurity.

More examples can be found in the demo-stack.

In order to ease the re-use of existing policies and rules, the provider replaces {{lookup}} references with the id of the named resource. In the above example, you can see a lookup of the 'Linux Server' policy and two existing firewall rules.
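The lookup substitution described above, as an added example that is not the provider's own code: it walks a parsed Value, replaces every string of the form {{lookup "<type>" "<name>"}} with the id of that resource, and refuses to resolve a name that matches zero or several resources rather than silently attaching the wrong rule. The INVENTORY dict is a constructed stand-in for the DeepSecurity API, and all ids in it are invented.

```python
"""Resolve {{lookup "<type>" "<name>"}} references in a custom-resource Value.

Added example (not the cfn-deep-security-provider's own code): the DeepSecurity
inventory below is a constructed in-memory stand-in for the API, and its ids
are invented.
"""
import re
from typing import Any, Dict, List

# Constructed stand-in for "list resources of a type" API calls: type -> objects.
INVENTORY: Dict[str, List[Dict[str, Any]]] = {
    "policy": [
        {"ID": 1, "name": "Base Policy"},
        {"ID": 2, "name": "Linux Server"},
    ],
    "firewallRule": [
        {"ID": 10, "name": "FTP Server"},
        {"ID": 11, "name": "SMTP Server"},
        {"ID": 12, "name": "Duplicate Rule"},
        {"ID": 13, "name": "Duplicate Rule"},
    ],
    "intrusionPreventionRule": [
        {"ID": 100, "name": "Digium Asterisk RTP Comfort Noise Frame Processing Denial Of Service"},
    ],
}

# A lookup must be the whole string: {{lookup "<type>" "<name>"}}.
LOOKUP_RE = re.compile(r'^\s*\{\{\s*lookup\s+"([^"]+)"\s+"([^"]+)"\s*\}\}\s*$')


class UnresolvedLookup(ValueError):
    """A lookup that does not resolve to exactly one resource."""


def lookup_id(resource_type: str, name: str) -> int:
    """Return the id of the single resource of `resource_type` called `name`."""
    matches = [r for r in INVENTORY.get(resource_type, []) if r["name"] == name]
    if not matches:
        raise UnresolvedLookup(f'no {resource_type} named "{name}"')
    if len(matches) > 1:
        # Refuse to guess: silently picking one would attach the wrong rule.
        raise UnresolvedLookup(f'{len(matches)} {resource_type}s named "{name}"')
    return matches[0]["ID"]


def resolve(value: Any) -> Any:
    """Walk dicts, lists and scalars; replace lookup strings with resource ids."""
    if isinstance(value, dict):
        return {k: resolve(v) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v) for v in value]
    if isinstance(value, str):
        match = LOOKUP_RE.match(value)
        if match:
            return lookup_id(match.group(1), match.group(2))
    return value


# The Value of the Custom::DeepSecurityPolicy shown above, as parsed YAML.
POLICY_VALUE = {
    "name": "My Managed Policy",
    "parentID": '{{lookup "policy" "Linux Server"}}',
    "firewall": {
        "state": "inherited",
        "ruleIDs": [
            '{{lookup "firewallRule" "FTP Server"}}',
            '{{lookup "firewallRule" "SMTP Server"}}',
        ],
    },
    "intrusionPrevention": {
        "state": "inherited",
        "ruleIDs": [
            '{{lookup "intrusionPreventionRule" '
            '"Digium Asterisk RTP Comfort Noise Frame Processing Denial Of Service"}}',
        ],
    },
}

if __name__ == "__main__":
    print(resolve(POLICY_VALUE))
```

Failing loudly on an ambiguous or unknown name is the important design choice: a policy whose rule list quietly lost an entry would deploy without error and leave the instance less protected than the template says.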

Automatic EC2 Instance Detection

When you want DeepSecurity to automatically detect EC2 instances in your account, add a Custom::DeepSecurityAWSCloudAccount resource, as follows:

DeepSecurityAWSCloudAccount:
  Type: Custom::DeepSecurityAWSCloudAccount
  Properties:
    AWSAccountRequest:
      crossAccountRole:
        roleArn: !GetAtt 'DeepSecurityRole.Arn'
        externalId: !Ref StsExternalId
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'

DeepSecurityRole:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - !Ref 'DeepSecurityPolicy'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::147995105371:root
          Action:
            - sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                - !Ref 'StsExternalId'

As you can see, this effectively grants DeepSecurity access to your account: the trust policy lets the DeepSecurity AWS account assume the role, but only when the caller presents the external ID.
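Because the trust policy is what hands a third party access to the account, it is worth checking in a pipeline that every statement granting sts:AssumeRole to a foreign principal carries an exact-match sts:ExternalId condition. The check below is an added example, not part of the page or the provider; the policy dicts are constructed to mirror the AssumeRolePolicyDocument above (147995105371 is the DeepSecurity account quoted on the page, while OWN_ACCOUNT and EXTERNAL_ID are placeholders).

```python
"""Check that a cross-account trust policy binds foreign principals to an
external ID before they may assume the role.

Added example, not part of the page or the provider. The policies below are
constructed to mirror the page's AssumeRolePolicyDocument; OWN_ACCOUNT and
EXTERNAL_ID are placeholders.
"""
from typing import Any, Dict, List

OWN_ACCOUNT = "111111111111"             # placeholder: account that owns the role
EXTERNAL_ID = "EXTERNAL_ID_PLACEHOLDER"  # placeholder for the StsExternalId parameter


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows_assume_role(statement: Dict[str, Any]) -> bool:
    """True for an Allow statement whose actions include sts:AssumeRole."""
    return statement.get("Effect") == "Allow" and \
        "sts:AssumeRole" in _as_list(statement.get("Action", []))


def foreign_principals(statement: Dict[str, Any]) -> List[str]:
    """AWS principals outside the role's own account (a bare '*' counts)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for p in _as_list(principal.get("AWS", [])) if OWN_ACCOUNT not in p]


def has_external_id(statement: Dict[str, Any]) -> bool:
    """True only for an exact-match sts:ExternalId condition with concrete values."""
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "StringEqualsIgnoreCase"):
        values = _as_list(condition.get(operator, {}).get("sts:ExternalId", []))
        if values and all(v and v != "*" for v in values):
            return True
    return False


def trust_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """One finding per statement that hands the role to outsiders unguarded."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if not allows_assume_role(statement):
            continue
        foreign = foreign_principals(statement)
        if "*" in foreign:
            findings.append(f"statement {index}: wildcard principal may assume the role")
        elif foreign and not has_external_id(statement):
            findings.append(f"statement {index}: {foreign} may assume the role "
                            "without an sts:ExternalId condition")
    return findings


def deepsecurity_trust_policy(with_external_id: bool) -> Dict[str, Any]:
    """The page's trust policy as rendered JSON, optionally without its condition."""
    statement: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::147995105371:root"},
        "Action": ["sts:AssumeRole"],
    }
    if with_external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": [EXTERNAL_ID]}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    print("with external id:", trust_policy_findings(deepsecurity_trust_policy(True)))
    print("without:", trust_policy_findings(deepsecurity_trust_policy(False)))
```

Only StringEquals-style operators are accepted on purpose: a StringLike condition on sts:ExternalId with a wildcard value would satisfy a naive key-presence check while guarding nothing.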

Deploy The Provider

To deploy the provider, type:

git clone https://github.com/binxio/cfn-deep-security-provider.git
cd cfn-deep-security-provider
aws cloudformation create-stack \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-deep-security-provider \
        --template-body file://./cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-deep-security-provider

This will deploy our pre-packaged provider from s3://binxio-public/lambdas/cfn-deep-security-provider-latest.zip.

Configuring Access

To allow the custom provider access, you need to create an API key and store it in the parameter store under the name /cfn-deep-security-provider/api-key.

aws ssm put-parameter --name /cfn-deep-security-provider/api-key --type SecureString --value="$API_KEY"

To create the AWS Cloud Accounts, you need to add a user that can access the legacy API, and store the username, password and tenant name in the parameter store.

aws ssm put-parameter --name /cfn-deep-security-provider/user --type SecureString --value="$USERNAME"
aws ssm put-parameter --name /cfn-deep-security-provider/password --type SecureString --value="$PASSWORD"
aws ssm put-parameter --name /cfn-deep-security-provider/tenant --type SecureString --value="$TENANT"

Deploy The Demo

In order to deploy the demo, type:

aws cloudformation create-stack \
        --capabilities CAPABILITY_NAMED_IAM \
        --stack-name cfn-deep-security-provider-demo \
        --template-body file://./cloudformation/demo.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-deep-security-provider-demo

Conclusion

TrendMicro DeepSecurity provides intrusion detection and threat mitigation for your virtual machine instances on AWS. This CloudFormation custom provider for TrendMicro DeepSecurity resources allows you to deploy both EC2 instances and DeepSecurity policies and rules from a single CloudFormation template.

Mark van Holsteijn
CTO