Note: AWS Lambda is ending support of Python 3.6. As of July 18, 2022, Lambda will no longer apply security patches and updates to the Python 3.6 runtime. As of August 17, 2022, we will no longer be able to update functions using the Python 3.6 runtime. As a result, we recommend that you upgrade your existing Python 3.6 functions to Python 3.8 before August 17, 2022.

After deploying File Storage Security, you might want to add more stacks.
How many stacks should I add?
Storage stacks
You'll need one storage stack per S3 bucket to scan.
There is no limit to the number of storage stacks you can add, but keep in mind that costs will go up as the number of stacks increases. If you have a lot of files to scan that are spread across many S3 buckets, consider deploying just one storage stack, and transferring files into its associated S3 bucket to scan and then back out after scanning. We provide a sample Lambda that automates some of this work. See Post-Scan Action: Promote or Quarantine on GitHub for details.
The number of storage stacks you deploy will not affect performance, so deploy as many or as few as you want.
Scanner stacks
Typically, you'll only need one scanner stack for your entire deployment regardless of size. This is because the scanner stack auto-scales to handle increases in load. (For details on performance, see How long do scans take?) There is no limitation on the number of storage stacks if the storage stacks and the scanner stack are in the same account. However, if the storage stacks and the scanner stack are deployed by different accounts, there is a maximum limit of 50 storage stacks to one scanner stack due to the Amazon SQS policy. The 1:50 ratio is imposed by an Amazon policy that limits the SQS ScannerQueue (in the scanner stack) to a maximum of 50 principals. For details on this policy, see this AWS topic: Quotas Related to Policies.
Account scanner stacks
Account scanner stacks are designed for enterprise customers who want to deploy once and protect all their buckets within their account. They allow you to scan all of the S3 buckets in all regions of your account. To add an Account scanner stack, please see Deploy account scanner stacks.
Where can I add stacks?
Unless otherwise noted below, you can add stacks anywhere in AWS, including: under separate AWS accounts, in separate AWS regions, or under the same AWS account. The storage stacks are aware of their respective scanner stack through an Amazon Resource Name (ARN).
Restrictions, stipulations, and recommendations
- The stacks must reside in a supported AWS region. For details, see What regions are supported?
- The storage stack must reside in the same region as your S3 bucket to scan.
- For optimal performance, the storage and scanner stacks should reside in the same continental region, like the Americas. For details, see Performance across multiple regions.
Add an all-in-one stack
To add an all-in-one stack, see Deploy the all-in-one stack.
Add a scanner stack
To add a scanner stack, read these sections:
Step 1: Add the scanner stack
Add the scanner stack following the instructions below.
Procedure
- Sign in to File Storage Security, then select the Stack Management page.
- Select the AWS tab.
- Select Deploy. The Deploy dialog box appears.
- Select Scanner Stack. The Deploy Scanner Stack dialog box appears.
- On the Deploy Scanner Stack dialog box:
  - For Step 1: Make sure you are signed in to the AWS account where you want to install the scanner stack.
  - For Step 2: Select the AWS region where you want to deploy the scanner stack. This region must be supported by File Storage Security. For details, see What regions are supported?
  - (Optional) Select Review Stack to view the contents of the scanner stack before launching it.
  - Select Launch Stack. You are redirected to the AWS Quick create stack page.
- Fill out the Quick create stack page as follows:
  - Stack name: Specify the name of the stack. Example: Scanner-TM-FileStorageSecurity
  - KMSKeyARNForQueueSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in SQS queues if you have enabled server-side encryption. Use the same KMS master key if you deploy the corresponding storage stack.
  - KMSKeyARNsForTopicSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in the SNS ScanResultTopic if you have enabled server-side encryption. Use the same KMS master key if you deploy the corresponding storage stack. If multiple storage stacks were deployed with different KMS master keys, provide the list of ARNs of the KMS master keys used to encrypt messages in the SNS ScanResultTopic.
  - ScannerEphemeralStorage: The size of the scanner Lambda function's temp directory in MB. The default value is 512, but it can be any whole number between 512 and 2048 MB. Configure a large ephemeral storage to scan larger files inside zip files. For more information, see Configuring ephemeral storage. (In preview)
  - PermissionsBoundary: Optional. Provide the ARN of a policy that will be used to set the permissions boundary for all the roles that will be created. For more details, see AWS permissions control and Permissions boundaries for IAM entities.
  - AdditionalIAMPolicies: Optional. Provide a list of IAM policy ARNs to attach to all the roles that will be created. For more details, see AWS permissions control.
  - Resource prefixes: Optional. Either leave these fields empty or specify the prefix of each resource type. For details, see Resource prefixes.
  - Deploy in VPC: Optional. Either leave these fields empty or specify the VPC subnet IDs and security group IDs. For details, see Deploy in VPC.
  - Stack package location: Leave this field as-is. It is for internal use by File Storage Security.
  - Version: Leave this field as-is. It is for versioning.
  - File Storage Security management account: Leave this field as-is. The account number is 415485722356. You'll be granting this account permission to manage your scanner stack. More specifically, this account has permission to:
    - Obtain the storage and scanner stacks' Lambda logs.
    - Update the ScannerLambda function, anti-malware pattern layers, and license layer in the stacks.
    - Send some of your organization's data to its own AWS SNS topic. For details on the data we collect, see our Data collection disclosure.
  - Trend Micro Cloud One region: Leave this field as-is. It specifies the region to which the scanner and storage stacks will connect for Cloud One services such as the File Storage Security console, event management services, and telemetry services. For more information, see Cloud One regions.
  - ExternalID: Leave this field as-is. It is required for security purposes. For details, see Why do you need to use an external ID?
  - At the bottom of the page, select the I acknowledge [...] check box.
  - Select Create stack. The scanner stack installs. The installation could take several minutes. You'll know when everything is deployed when you see the CREATE_COMPLETE message for the scanner stack.
What to do next
You have now installed the scanner stack. You are now ready to configure the ARN.
Step 2: Configure the scanner stack's ARN
You must configure the scanner stack's Amazon Resource Name (ARN) in the File Storage Security console.
Procedure
- In AWS, go to CloudFormation > your scanner stack, if you're not there already.
- In the main pane, select the Outputs tab.
- Copy and paste the ScannerStackManagementRoleARN value into the File Storage Security console. Tip: If the dialog box is not visible, select Deploy > Scanner Stack again to see it.
- Select Submit.
What to do next
You have now specified the scanner stack's ARN.
Next steps (add storage)
At this point, the scanner stack is fully installed, but is not associated with any storage stacks, so no scanning will take place. To associate the scanner stack with a storage stack and get scanning working, you'll need to add a storage stack.
Add a storage stack
To add a storage stack, read these sections:
- Multi-stack architecture
- Step 1: Add the storage stack
- Step 2: Configure the storage stack's ARN
- Step 3: (Optional) Update KMS key policy if enabling scanner queue encryption
- Step 4: (Optional) Update KMS key policy if enabling SNS ScanResultTopic encryption
- Step 5: (Optional) Update Scanner stack if enabling SNS ScanResultTopic encryption and the KMS Key ARN has not been set to Scanner stack yet
- Step 6: Test the storage stack installation
Multi-stack architecture
The illustration below shows a typical multi-stack architecture. You can see that there are multiple storage stacks spread across several AWS accounts, all connected to the same scanner.
Because all scanning is completed within a single AWS account, security activities such as audits and configurations are more manageable.

Step 1: Add the storage stack
After reviewing the multi-stack architecture, you are ready to add the storage stack. Follow the instructions below.
Procedure
- Sign in to File Storage Security, then select the Stack Management page.
- On the left, select the scanner stack to associate with the new storage stack.
- Select Add Storage. The Add Storage dialog box appears.
- On the Add Storage dialog box:
  - For Step 1: Make sure you are signed in to the AWS account where you want to install the storage stack.
  - For Step 2: Select the AWS region that corresponds to the region of your S3 bucket to scan. For supported regions, see What regions are supported?
  - (Optional) Select Review Stack to view the contents of the storage stack before launching it.
  - (Optional) Select Share Link to obtain a link to the storage stack's CloudFormation template in AWS. You can share this link with others who need an additional storage stack either under the same AWS account or a different account.
  - Select Launch Stack. You are redirected to the AWS Quick create stack page.
- Fill out the Quick create stack page as follows:
  - Stack name: Specify the name of the stack. Example: FSSStorage2
  - S3BucketToScan: Specify the name of your S3 bucket to scan, as it appears in S3. You can only specify one bucket. Example: my-s3-bucket-to-scan-02
  - ObjectFilterPrefix: Optional. Provide a prefix of the objects you want to scan. If the s3:ObjectCreated:* event of the scanning bucket is partially in use, either provide a prefix that is not in use or use TriggerWithObjectCreatedEvent.
  - KMSKeyARNForBucketSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt S3 bucket objects if you have enabled SSE-KMS.
  - KMSKeyARNForTopicSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt the SNS ScanResultTopic if you have enabled SNS encryption.
  - TriggerWithObjectCreatedEvent: Optional. If the s3:ObjectCreated:* event of the scanning bucket is in use, set this to false. For more details on how to trigger the scan afterward, see s3:ObjectCreated:* event in use.
  - ReportObjectKey: Optional. Enable this to report the object keys of the scanned objects to File Storage Security backend services. File Storage Security can then display the object keys of the malicious objects in the response of the events API.
  - ScanOnGetObject: Optional. Enable this to scan the objects when you get them. For more details, see Scan on getObject request. (In preview)
  - ScanResultTagFormat: The format of the scan result tags applied to the scanned object. Select Separated tags to add each FSS tag as a standalone tag. Select Merged tag to add all FSS tags in one tag. Select No tag to disable the tagging feature. For more information, see View tags.
  - ScannerAWSAccount: Leave this field as-is. It is auto-populated with the name of the AWS account where the associated scanner stack is installed.
  - ScannerSQSURL: Leave this field as-is. It is auto-populated with the full URL of the Simple Queue Service (SQS) used by the associated scanner stack.
  - ScannerLambdaAliasARN: Leave this field as-is. It is auto-populated with the ScannerLambda alias ARN of the associated scanner stack.
  - KMSKeyARNForQueueSSE: Optional. Either leave this field empty or specify the ARN of the KMS master key used to encrypt messages in SQS queues if you have enabled server-side encryption. Use the same KMS master key that you used in the corresponding scanner stack.
  - PermissionsBoundary: Optional. Provide the ARN of a policy that will be used to set the permissions boundary for all the roles that will be created. For more details, see AWS permissions control and Permissions boundaries for IAM entities.
  - AdditionalIAMPolicies: Optional. Provide a list of IAM policy ARNs to attach to all the roles that will be created. For more details, see AWS permissions control.
  - Resource prefixes: Optional. Either leave these fields empty or specify the prefix of each resource type. For details, see Resource prefixes.
  - Storage stack dead-letter queue: Optional. Either leave these fields empty or specify the ARN of each resource. For details, see Storage stack dead-letter queue.
  - Deploy in VPC: Optional. Either leave these fields empty or specify the VPC subnet IDs and the security group IDs. For details, see Deploy in VPC.
  - Stack package location: Leave this field as-is. It is for internal use by File Storage Security.
  - Version: Leave this field as-is. It is for versioning.
  - File Storage Security management account: Leave this field as-is. The account number is 415485722356. You'll be granting this account permission to manage your storage stack. More specifically, this account has permission to:
    - Obtain the storage and scanner stacks' Lambda logs.
    - Update the ScannerLambda function, anti-malware pattern layers, and license layer in the stacks.
    - Send some of your organization's data to its own AWS SNS topic. For details on the data we collect, see our Data collection disclosure.
  - Trend Micro Cloud One region: Leave this field as-is. It specifies the region to which the scanner and storage stacks will connect for Cloud One services such as the File Storage Security console, event management services, and telemetry services. For more information, see Cloud One regions.
  - ExternalID: Leave this field as-is. It is required for security purposes. For details, see Why do you need to use an external ID?
  - At the bottom of the page, select the I acknowledge [...] check box.
  - Select Create stack. The stack installs. The installation could take several minutes. You'll know when everything is deployed when you see the CREATE_COMPLETE message for the storage stack.
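The scanner stack parameters above and the storage stack parameters just listed have to agree with each other (the same KMSKeyARNForQueueSSE on both stacks, and the storage stack's KMSKeyARNForTopicSSE present in the scanner stack's KMSKeyARNsForTopicSSE list), and ScannerEphemeralStorage only accepts whole numbers from 512 to 2048. The following pre-deployment checker is an added example written for this page, not code from Trend Micro or from the File Storage Security templates. The parameter names are the ones shown in the two procedures; the ARN regular expressions, the account IDs, region and key IDs in the sample dictionaries are constructed placeholders, and the checker assumes key ARNs (not alias ARNs) are used in the KMS fields.

```python
import re

# Constructed sample values: account 123456789012, region us-east-1 and the key IDs
# are placeholders, not values taken from the File Storage Security documentation.
SCANNER_PARAMS = {
    "KMSKeyARNForQueueSSE": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "KMSKeyARNsForTopicSSE": "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000",
    "ScannerEphemeralStorage": "1024",
    "PermissionsBoundary": "arn:aws:iam::123456789012:policy/FssBoundary",
    "AdditionalIAMPolicies": "arn:aws:iam::123456789012:policy/FssLogging, arn:aws:iam::123456789012:policy/FssExtra",
}
STORAGE_PARAMS = {
    "KMSKeyARNForQueueSSE": SCANNER_PARAMS["KMSKeyARNForQueueSSE"],
    "KMSKeyARNForTopicSSE": "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000",
}

# Assumed ARN shapes (standard partitions, KMS key ARNs, IAM customer- or AWS-managed policies).
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
IAM_POLICY_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}|aws):policy/[\w+=,.@/-]+$")


def split_arn_list(value):
    """Comma-separated list fields (KMSKeyARNsForTopicSSE, AdditionalIAMPolicies); blank means none."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_scanner_params(params):
    """Return a list of problems with the scanner stack's Quick create parameters (empty when all is well)."""
    errors = []
    storage = params.get("ScannerEphemeralStorage", "512").strip()
    if not storage.isdigit() or not 512 <= int(storage) <= 2048:
        errors.append("ScannerEphemeralStorage must be a whole number between 512 and 2048")
    queue_key = params.get("KMSKeyARNForQueueSSE", "").strip()
    if queue_key and not KMS_KEY_ARN.match(queue_key):
        errors.append("KMSKeyARNForQueueSSE is not a KMS key ARN")
    for arn in split_arn_list(params.get("KMSKeyARNsForTopicSSE", "")):
        if not KMS_KEY_ARN.match(arn):
            errors.append(f"KMSKeyARNsForTopicSSE entry is not a KMS key ARN: {arn}")
    boundary = params.get("PermissionsBoundary", "").strip()
    if boundary and not IAM_POLICY_ARN.match(boundary):
        errors.append("PermissionsBoundary is not an IAM policy ARN")
    for arn in split_arn_list(params.get("AdditionalIAMPolicies", "")):
        if not IAM_POLICY_ARN.match(arn):
            errors.append(f"AdditionalIAMPolicies entry is not an IAM policy ARN: {arn}")
    return errors


def check_stack_pair(scanner, storage):
    """Cross-stack rules: same queue key on both stacks; the storage topic key must be in the scanner's list."""
    errors = validate_scanner_params(scanner)
    scanner_queue_key = scanner.get("KMSKeyARNForQueueSSE", "").strip()
    storage_queue_key = storage.get("KMSKeyARNForQueueSSE", "").strip()
    if scanner_queue_key != storage_queue_key:
        errors.append("KMSKeyARNForQueueSSE differs between the scanner stack and the storage stack")
    topic_key = storage.get("KMSKeyARNForTopicSSE", "").strip()
    if topic_key and topic_key not in split_arn_list(scanner.get("KMSKeyARNsForTopicSSE", "")):
        errors.append("storage KMSKeyARNForTopicSSE is not listed in the scanner's KMSKeyARNsForTopicSSE")
    return errors


if __name__ == "__main__":
    problems = check_stack_pair(SCANNER_PARAMS, STORAGE_PARAMS)
    print("OK" if not problems else "\n".join(problems))
```

Run the checks against the parameter values you intend to paste into the two Quick create pages before launching; a missing topic key in the scanner's list is exactly the situation that Step 5 of the storage procedure later fixes by updating the scanner stack.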
What to do next
You have now installed the storage stack. You are now ready to configure the ARN.
Step 2: Configure the storage stack's ARN
You must configure the storage stack's Amazon Resource Name (ARN) in the File Storage Security console. The ARN ties the storage stack to its designated scanner stack.
Procedure
- In AWS, go to CloudFormation > your storage stack, if you're not there already.
- In the main pane, select the Outputs tab.
- Copy and paste the StorageStackManagementRoleARN value into the File Storage Security console. Tip: If the dialog box is not visible, select Add Storage again to see it.
- Select Submit.
What to do next
You have now specified the storage stack's ARN. The scanner stack is now aware of the storage stack. You are now ready to test the storage stack installation.
Step 3: (Optional) Update KMS key policy if enabling scanner queue encryption
You only need this step if you deploy the storage stack in a different AWS account from the scanner stack and you also want to enable server-side encryption for SQS queues.
You must update the key policy of the KMS key used for scanner queue encryption in the AWS console.
Procedure
- In AWS, go to CloudFormation > your storage stack, if you're not there already.
- In the main pane, select the Outputs tab.
- Copy the BucketListenerRoleARN value. You will need it when updating the key policy.
- Go to Key Management Service > your key in Customer managed keys, if you're not there already. You might need to switch to a different AWS account if you deployed your scanner stack in a different account.
- Edit the Key policy and insert a new Statement object in it:

      {
        "Sid": "Grant bucketListener permission",
        "Effect": "Allow",
        "Principal": { "AWS": "<BucketListenerRoleARN>" },
        "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
        "Resource": "*"
      }

- Select Save changes.
Step 4: (Optional) Update KMS key policy if enabling SNS ScanResultTopic encryption
You only need this step if you deploy the storage stack in a different AWS account from the scanner stack and you also want to enable server-side encryption for the SNS ScanResultTopic.
You must update the key policy of the KMS key used for SNS ScanResultTopic encryption in the AWS console.
Procedure
- In AWS, go to CloudFormation > your scanner stack.
- In the main pane, select the Outputs tab.
- Copy the ScannerExecutionRoleARN value. You need it to update the key policy.
- Go to Key Management Service > your key in Customer managed keys. You must be in the same AWS account that contains your storage stack.
- Edit the Key policy and insert a new Statement object in it:

      {
        "Sid": "Grant Scanner permission",
        "Effect": "Allow",
        "Principal": { "AWS": "<ScannerExecutionRoleARN>" },
        "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
        "Resource": "*"
      }

- Select Save changes.
Step 5: (Optional) Update Scanner stack if enabling SNS ScanResultTopic encryption and the KMS Key ARN has not been set to Scanner stack yet
You only need this step if you deploy the storage stack in a different AWS account from the scanner stack and you didn't set the ARN of the KMS Key in the KMSKeyARNsForTopicSSE field of your scanner stack CloudFormation template. You should also enable server-side encryption for the SNS ScanResultTopic.
Procedure
- In AWS, go to CloudFormation > your scanner stack.
- In the main pane, select Update (top-right).
- Select Use current template.
- In the KMSKeyARNsForTopicSSE field, do one of the following:
  - If this field is blank, add the ARN of the KMS Key used for SNS ScanResultTopic encryption.
  - If this field is not blank, append the ARN of the KMS Key to this field as a comma-separated list of ARNs.
- Leave all remaining fields as they are.
- Select Next.
- On the Configure stack options page, select Next. WARNING: In the Stack failure options section, ensure that Preserve successfully provisioned resources is not selected. Some resources do not support this option. When using the AWS CLI to update stacks, ensure the --disable-rollback option is not used.
- On the Review your_stack_name page:
  - Review your settings.
  - Under Capabilities, select both I Acknowledge [...] check box(es).
  - Select Update stack. The stack is updated. If you're updating the all-in-one stack, its nested stacks are also updated. Note: If you're a preview customer, the ScanningBucket that was included inside the storage stack is deleted.
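Steps 3 and 4 both insert the same kind of Statement object into a KMS key policy (only the Sid and the role ARN differ), and Step 5 edits the comma-separated KMSKeyARNsForTopicSSE field. The helper below is an added example written for this page, not code from Trend Micro or the File Storage Security stacks. It builds the statement from the page with a real role ARN substituted for the <BucketListenerRoleARN> / <ScannerExecutionRoleARN> placeholder, merges it into an existing key policy without creating a duplicate Sid when run twice, and refuses a principal that is not an IAM role ARN (the page grants only to the two stack roles). The sample key policy, its account IDs and the role name are constructed placeholders; the role-ARN regular expression is an assumption about the standard ARN shape.

```python
import copy
import json
import re

# Assumed shape of an IAM role ARN (standard partitions). The page's placeholders
# <BucketListenerRoleARN> and <ScannerExecutionRoleARN> are both role ARNs.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample: a default-style key policy that only lets the key's own account manage it.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def grant_statement(sid, role_arn):
    """The Statement object from Steps 3 and 4 with the role ARN filled in for the placeholder."""
    if not ROLE_ARN.match(role_arn):
        raise ValueError(f"principal must be an IAM role ARN, got: {role_arn}")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }


def add_grant_to_key_policy(policy, sid, role_arn):
    """Return a copy of the key policy with the grant statement inserted.

    Idempotent: a statement that already carries the same Sid is replaced rather than
    appended a second time, so re-running the step does not pile up duplicates.
    """
    updated = copy.deepcopy(policy)
    statements = updated.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
        updated["Statement"] = statements
    new_statement = grant_statement(sid, role_arn)
    for index, statement in enumerate(statements):
        if statement.get("Sid") == sid:
            statements[index] = new_statement
            break
    else:
        statements.append(new_statement)
    return updated


def merge_topic_key_arns(current_value, key_arn):
    """Step 5: a blank KMSKeyARNsForTopicSSE field becomes the ARN; otherwise the ARN is
    appended to the comma-separated list, unless it is already present."""
    arns = [item.strip() for item in current_value.split(",") if item.strip()]
    if key_arn not in arns:
        arns.append(key_arn)
    return ",".join(arns)


if __name__ == "__main__":
    # Constructed role ARN standing in for the BucketListenerRoleARN stack output.
    listener_role = "arn:aws:iam::222222222222:role/FSS-BucketListenerRole"
    result = add_grant_to_key_policy(SAMPLE_KEY_POLICY, "Grant bucketListener permission", listener_role)
    print(json.dumps(result, indent=2))
    print(merge_topic_key_arns("", "arn:aws:kms:us-east-1:111111111111:key/example-key-id"))
```

Paste the printed policy into the Key policy editor in place of the hand edit, or feed it to an automation step; the Sid check makes it safe to run on a key that already has the statement from an earlier attempt.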
Step 6: Test the storage stack installation
To test the storage stack installation, you need to generate a malware detection by adding the eicar file to the S3 bucket to scan. For details, see Generate your first detection.
How do I find a list of protected buckets?
You can find out which of your buckets are protected and which are not protected by using the File Stores API.
 
		
