TrendMicro DeepSecurity provides intrusion detection and threat mitigation for your virtual machine instances on AWS. In this blog, we will introduce you to the CloudFormation custom provider for TrendMicro DeepSecurity. With this provider you can deploy both EC2 instances and DeepSecurity policies and rules from a single CloudFormation template.
How Does It Work?
It is quite easy: you specify a CloudFormation resource whose type starts with Custom::DeepSecurity, as follows:
Policy:
  Type: Custom::DeepSecurityPolicy
  Properties:
    Value:
      name: My Managed Policy
      parentID: '{{lookup "policy" "Linux Server"}}'
      firewall:
        state: 'inherited'
        ruleIDs:
          - '{{lookup "firewallRule" "FTP Server"}}'
          - '{{lookup "firewallRule" "SMTP Server"}}'
      intrusionPrevention:
        state: 'inherited'
        ruleIDs:
          - '{{lookup "intrusionPreventionRule" "Digium Asterisk RTP Comfort Noise Frame Processing Denial Of Service"}}'
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'
The provider supports all the resources of the DeepSecurity API. The name of the resource type you want to create is appended after Custom::DeepSecurity.
More examples can be found in the demo-stack.
In order to ease the re-use of existing policies and rules, the provider replaces {{lookup}} references with the id of the named resource. In the above example, you can see a lookup of the 'Linux Server' policy and two existing firewall rules.
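To make the substitution concrete, here is an added example (not the provider's own code) that resolves the {{lookup "type" "name"}} references in a policy Value the way the text describes. The inventory of names and ids is constructed for the example; the real provider obtains it from the DeepSecurity API.

```python
import re
from typing import Any, Dict

# Constructed stand-in for the DeepSecurity API: resource type -> name -> id.
# The ids are made up for this example.
INVENTORY: Dict[str, Dict[str, int]] = {
    "policy": {"Linux Server": 2, "Windows Server": 3},
    "firewallRule": {"FTP Server": 25, "SMTP Server": 26},
    "intrusionPreventionRule": {
        "Digium Asterisk RTP Comfort Noise Frame Processing Denial Of Service": 1003,
    },
}

# A lookup reference occupies the whole string value, as in the template above.
LOOKUP = re.compile(r'^\{\{\s*lookup\s+"([^"]+)"\s+"([^"]+)"\s*\}\}$')


def resolve_lookups(value: Any, inventory: Dict[str, Dict[str, int]] = INVENTORY) -> Any:
    """Walk a parsed Value and replace every lookup reference with the resource id.

    Unknown resource types or names fail loudly instead of being passed on to
    the API as literal strings.
    """
    if isinstance(value, dict):
        return {k: resolve_lookups(v, inventory) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_lookups(v, inventory) for v in value]
    if isinstance(value, str):
        match = LOOKUP.match(value)
        if match:
            rtype, name = match.groups()
            try:
                return inventory[rtype][name]
            except KeyError:
                raise ValueError(f'lookup failed: no {rtype} named "{name}"') from None
    return value


# The Value block from the Custom::DeepSecurityPolicy example, as a dict.
POLICY_VALUE = {
    "name": "My Managed Policy",
    "parentID": '{{lookup "policy" "Linux Server"}}',
    "firewall": {
        "state": "inherited",
        "ruleIDs": ['{{lookup "firewallRule" "FTP Server"}}',
                    '{{lookup "firewallRule" "SMTP Server"}}'],
    },
}

if __name__ == "__main__":
    print(resolve_lookups(POLICY_VALUE))
```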
Automatic EC2 Instance Detection
When you want DeepSecurity to automatically detect EC2 instances in your account, add a Custom::DeepSecurityAWSCloudAccount resource, as follows:
DeepSecurityAWSCloudAccount:
  Type: Custom::DeepSecurityAWSCloudAccount
  Properties:
    AWSAccountRequest:
      crossAccountRole:
        roleArn: !GetAtt 'DeepSecurityRole.Arn'
        externalId: !Ref StsExternalId
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'

DeepSecurityRole:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - !Ref 'DeepSecurityPolicy'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::147995105371:root
          Action:
            - sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                - !Ref 'StsExternalId'
As you can see, this effectively grants DeepSecurity access to your account: the trust policy lets the DeepSecurity AWS account assume the role, and the sts:ExternalId condition ensures it can only do so when it presents the external ID you configured.
Deploy The Provider
To deploy the provider, type:
git clone https://github.com/binxio/cfn-deep-security-provider.git
cd cfn-deep-security-provider
aws cloudformation create-stack \
  --capabilities CAPABILITY_IAM \
  --stack-name cfn-deep-security-provider \
  --template-body file://./cloudformation/cfn-resource-provider.yaml
aws cloudformation wait stack-create-complete --stack-name cfn-deep-security-provider
This will deploy our pre-packaged provider from s3://binxio-public/lambdas/cfn-deep-security-provider-latest.zip.
Configuring Access
To allow the custom provider access, you need to create an API key and store it in the parameter store under the name /cfn-deep-security-provider/api-key.
aws ssm put-parameter --name /cfn-deep-security-provider/api-key --type SecureString --value="$API_KEY"
To create the AWS Cloud Accounts, you need to add a user (see "Add and manage users" in the DeepSecurity documentation) to access the legacy API, and add the username, password and tenant name in the parameter store.
aws ssm put-parameter --name /cfn-deep-security-provider/user --type SecureString --value="$USERNAME"
aws ssm put-parameter --name /cfn-deep-security-provider/password --type SecureString --value="$PASSWORD"
aws ssm put-parameter --name /cfn-deep-security-provider/tenant --type SecureString --value="$TENANT"
Deploy The Demo
In order to deploy the demo, type:
aws cloudformation create-stack \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name cfn-deep-security-provider-demo \
  --template-body file://./cloudformation/demo.yaml
aws cloudformation wait stack-create-complete --stack-name cfn-deep-security-provider-demo
Conclusion
TrendMicro DeepSecurity provides intrusion detection and threat mitigation for your virtual machine instances on AWS. This CloudFormation custom provider for TrendMicro DeepSecurity resources allows you to deploy both EC2 instances and DeepSecurity policies and rules from a single CloudFormation template.