If you work with infrastructure, you soon realize that managing even a single web application and its database server gets tricky once you add common requirements such as high-availability clusters, zero-downtime deployments, and data redundancy. Implementing any of them can make the number of servers skyrocket with every step. Multiply that growing number of instances by the number of environments (dev, QA, staging, and production), and ensuring that each workload is properly managed, protected, and patched becomes a daunting task.
Trend Micro Cloud One™ – Workload Security protects your workloads with a wide range of security modules:
- Anti-malware
- Web reputation
- Log inspection
- File integrity monitoring
- Application control
- Host-based firewall
- Intrusion prevention system (IPS)
- Live activity monitoring
Together, these modules protect your workloads against threats ranging from everyday malware to Command and Control (C&C) callbacks, and they virtually patch your workloads against known vulnerabilities until the vendor fix can be applied. Trend Micro works with security researchers globally to validate exploits and vulnerabilities and turn them into digital vaccines: smart rules that detect and prevent attacks.
To aid with the visibility problem, Workload Security provides cloud connectors for Amazon Web Services (AWS), Microsoft Azure™, Google Cloud Platform™ (GCP), VMware vCenter, and vCloud environments, so you can manage your workloads from a single dashboard. With a connector in place, you can see which workloads are managed by Workload Security and which are not. You can then use the Workload Security APIs and deployment scripts, or the integrations provided for AWS Control Tower and AWS Systems Manager, to deploy Workload Security agents and workload-specific policies to the workloads that need protection.
In this article, I will show you how you can configure your AWS account with Workload Security using a Python script.
To follow along with the demo, you will need access to a Trend Micro Cloud One™ account. You can sign up for a 30-day free trial of Trend Micro Cloud One here. After you login to your Trend Micro Cloud One account, you will see icons for the other security solutions included in the platform. For this demo, navigate to Workload Security.
On the top horizontal pane, click on “Administration”.
In the left pane of the screen, under User Management, select API Keys
A window with the list of existing API keys is shown in the right window. Select “New” and create an API Key.
Click “Next.”
Click “Copy to Clipboard” to copy the API secret key. This secret key is required as input to the Python script we will run shortly. Store it securely (in a secrets manager rather than in the cloned repository, for example), because it grants API access that can drive many automation tasks in Trend Micro Cloud One.
Click “Close.”
The next step is to clone the WorkloadSecurityConnector-AWS GitHub repository here.
Once you have the GitHub repository cloned, navigate to the folder, and run the following command:
pip install -r requirements.txt
You will need to configure the tool with the config.json file found within the folder.
The field dsmHost is set to https://cloudone.trendmicro.com so the script can communicate with Workload Security.
The API secret key we copied to the clipboard earlier replaces the value <Your-API-Key> for the field c1wsApiKey.
The other two fields, awsDisplayName and awsAccountId, are AWS-specific values. awsDisplayName is the display name for the AWS account you are about to add to Workload Security, and awsAccountId is that account's ID. To find your AWS account ID, run the following AWS Command Line Interface (CLI) command:
aws sts get-caller-identity --query Account --output text
Your account ID is the 12-digit number returned from the AWS CLI command.
If the machine you are using is an Amazon Elastic Compute Cloud (EC2) instance, you can use an AWS Identity and Access Management (IAM) instance role to proceed with the next step. Set the useInstanceRole flag to true.
Note: The Python script supports other options for authentication and authorization like using an AWS IAM access and secret key or a cross-account IAM role. For the purposes of this demo, we recommend using an Amazon EC2 machine with an appropriate instance role attached to it.
If your AWS account utilizes Amazon WorkSpaces, we recommend turning the workspacesEnabled flag to true for visibility into its instances.
Once the config.json file is configured, save the file, and then run the following command:
python3 workloadsecurityconnector_aws.py
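Before running the connector it is worth checking config.json for the mistakes that are easy to make in the steps above: the API key placeholder left in place, a plain-http dsmHost, or an account ID that is not 12 digits. The following is an added example written for this article, not code from the WorkloadSecurityConnector-AWS repository; it only uses the field names the article describes, and the sample config and key value are constructed.

```python
import json
import re

# Constructed sample of the connector's config.json. The field names are the
# ones the article describes; the API key is the untouched placeholder.
SAMPLE_CONFIG = """
{
  "dsmHost": "https://cloudone.trendmicro.com",
  "c1wsApiKey": "<Your-API-Key>",
  "awsDisplayName": "prod-account",
  "awsAccountId": "123456789012",
  "useInstanceRole": true,
  "workspacesEnabled": false
}
"""

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REQUIRED = ("dsmHost", "c1wsApiKey", "awsDisplayName", "awsAccountId")


def validate_config(text):
    """Return a list of problems in a config.json body; an empty list means it is ready to run."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config.json must be a JSON object"]

    problems = []
    for field in REQUIRED:
        if not str(cfg.get(field, "")).strip():
            problems.append(f"missing or empty field: {field}")

    # The API secret key is sent with every request, so the endpoint must be TLS.
    if not str(cfg.get("dsmHost", "")).startswith("https://"):
        problems.append("dsmHost must start with https:// so the API key is never sent in clear text")

    # Catch the placeholder the article tells you to replace.
    key = str(cfg.get("c1wsApiKey", ""))
    if key.startswith("<") and key.endswith(">"):
        problems.append("c1wsApiKey still holds the <Your-API-Key> placeholder; paste the real API secret key")

    # The account ID is 12 digits and may start with 0, so keep it a string.
    if not ACCOUNT_ID_RE.match(str(cfg.get("awsAccountId", ""))):
        problems.append("awsAccountId must be the 12-digit AWS account ID, quoted as a string")

    for flag in ("useInstanceRole", "workspacesEnabled"):
        if flag in cfg and not isinstance(cfg[flag], bool):
            problems.append(f"{flag} must be a JSON boolean (true/false), not {cfg[flag]!r}")

    return problems


def mask_key(key):
    """Show only the last four characters; use this whenever the config is echoed to a log."""
    visible = key[-4:] if len(key) > 4 else ""
    return "*" * (len(key) - len(visible)) + visible


if __name__ == "__main__":
    cfg = json.loads(SAMPLE_CONFIG)
    print("c1wsApiKey:", mask_key(cfg["c1wsApiKey"]))
    for problem in validate_config(SAMPLE_CONFIG) or ["config.json looks ready"]:
        print("-", problem)
```

Run it against your real config.json by reading the file instead of SAMPLE_CONFIG. The account ID is validated as a string on purpose: a JSON number would silently drop a leading zero.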
Your Workload Security dashboard should soon start to populate your Amazon EC2 and Amazon WorkSpaces instances across all AWS regions on the “Computers” tab of the console.
How it works
The Python utility script calls the Workload Security (Trend Micro™ Deep Security™ Software) APIs to connect your AWS account to the dashboard. Connecting an AWS account gives Workload Security visibility into its Amazon EC2 instances and Amazon WorkSpaces, so you can manage agents across multiple AWS accounts remotely from a single console.
For the integration, the Python script creates the following:
- IAM user with programmatic access (API access and secret keys)
- IAM policy that is attached to the newly created IAM user account
The IAM policy created for this integration is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles"
      ],
      "Resource": "*"
    }
  ]
}
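Because the script creates an IAM user whose access key pair is a long-lived credential held by Workload Security, the scope of this policy is what bounds the damage if that key ever leaks. The check below is an added example written for this article, not part of the connector repository: it parses the policy document above, confirms every granted action is a read-only, non-wildcard Describe/Get/List call, and flags anything outside the documented action set so a modified policy cannot widen the grant unnoticed. The widened policy used in the test is constructed.

```python
import json

# The IAM policy the connector attaches to the IAM user it creates, as given
# in the article (whitespace added).
CONNECTOR_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeRegions",
        "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeTags",
        "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Exactly the actions the connector is documented to need; anything beyond
# this set is a widening you want to notice before the IAM user is created.
EXPECTED_ACTIONS = frozenset(json.loads(CONNECTOR_POLICY)["Statement"][0]["Action"])

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(doc):
    """Return the set of actions granted by every Allow statement in the document."""
    policy = json.loads(doc)
    granted = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow":
            granted.update(_as_list(st.get("Action", [])))
    return granted


def audit_policy(doc, expected=EXPECTED_ACTIONS):
    """Return (ok, findings). ok is True only when every Allow statement grants
    read-only, non-wildcard actions and nothing outside `expected` is granted."""
    findings = []
    policy = json.loads(doc)
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(st.get("Action", [])):
            service, _, verb = action.partition(":")
            if "*" in action or not verb:
                findings.append(f"statement {i}: wildcard or malformed action {action!r}")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: {action} is not a read-only action")
    extra = allowed_actions(doc) - expected
    if extra:
        findings.append("actions beyond the documented set: " + ", ".join(sorted(extra)))
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit_policy(CONNECTOR_POLICY)
    print("policy OK" if ok else "policy needs review")
    for finding in findings:
        print("-", finding)
```

The "Resource": "*" in the policy is not something the audit flags: the EC2 Describe* actions do not support resource-level permissions, so a wildcard resource is the only way to grant them. The check therefore concentrates on the action list, which is where a grant can actually be widened.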
If you have any input, comments, or feedback on this article, please do not hesitate to reach out to us or raise an issue on the GitHub repository.
Conclusion
As shown above, Workload Security integrates with your on-premises and cloud datacenters in just a few steps, allowing you to keep building quickly while meeting your security needs. Implementing Workload Security at the start of your build process lets you innovate with the confidence that your workloads are protected and properly configured. Security doesn't have to be a roadblock; implemented properly, it lets you deliver faster and with higher confidence.
Learn more about how Workload Security can enable efficient innovation here or check out our video resources that cover the how-tos and common use cases:
Video: Workload Security for Data Center (2:36)
Video: Workload Security for Cloud Migration (4:00)
Video: Workload Security for Containers (2:43)
Video: Workload Security for DevOps (4:02)