Learn how to enable Agentless Vulnerability & Threat Detection in your AWS account and understand provider-specific feature requirements and limitations.
To start scanning for vulnerabilities and malware in your cloud resources, add your AWS account to Trend Vision One in Cloud Accounts using the CloudFormation template. Enable Agentless Vulnerability & Threat Detection, and then click Scanner Settings to choose the resource types to scan and whether to scan for vulnerabilities, malware, or both. Vulnerability scanning is enabled for all supported resources by default. Anti-malware scanning is disabled by default. You can change the scanning configuration at any time. For detailed instructions, see Adding an AWS account using CloudFormation.
Agentless Vulnerability & Threat Detection scans the following AWS resource types:
- EBS volumes attached to EC2 instances
- ECR images that have the "latest" tag
- Lambda functions and attached Lambda layers
Agentless Vulnerability & Threat Detection works in AWS by taking a snapshot of EBS volumes and collecting ECR images, Lambda function zip archives, and Lambda layers. The collected resources are then scanned for vulnerabilities or malware. Lambda functions deployed with container images are covered by ECR image scanning.

Scan results are sent to Trend Vision One and can be seen in Cloud Risk Management, Cyber Risk Overview, Threat and Exposure Management, and asset profile screens in Attack Surface Discovery. After you patch vulnerabilities or remediate malware in EBS volumes, Lambda functions, or Lambda layers, the detections no longer appear after the next daily scan. Vulnerability detections in ECR images remain visible in  for seven days after patching. Malware detections in ECR images remain visible in  for seven days after remediation.
The following table lists scanning limitations that apply to each supported AWS resource type.
AWS resource scanning limitations
| AWS resource | Limitations | 
| EBS volumes |  | 
| ECR images |  | 
| Lambda functions and layers |  | 
For estimated costs of deploying Agentless Vulnerability & Threat Detection in your AWS accounts, see Agentless Vulnerability & Threat Detection estimated deployment costs for AWS.
For a list of operating systems supported by Agentless Vulnerability & Threat Detection, see Agentless Vulnerability & Threat Detection supported operating systems.
Agentless Vulnerability & Threat Detection supports the following AWS regions.
Supported AWS regions
| Region code | Region name (Location) | 
| us-east-1 | US East (N. Virginia) | 
| us-east-2 | US East (Ohio) | 
| us-west-1 | US West (N. California) | 
| us-west-2 | US West (Oregon) | 
| af-south-1 | Africa (Cape Town) | 
| ap-east-1 | Asia Pacific (Hong Kong) | 
| ap-northeast-1 | Asia Pacific (Tokyo) | 
| ap-northeast-2 | Asia Pacific (Seoul) | 
| ap-northeast-3 | Asia Pacific (Osaka) | 
| ap-south-1 | Asia Pacific (Mumbai) | 
| ap-southeast-1 | Asia Pacific (Singapore) | 
| ap-southeast-2 | Asia Pacific (Sydney) | 
| ca-central-1 | Canada (Central) | 
| eu-central-1 | Europe (Frankfurt) | 
| eu-north-1 | Europe (Stockholm) | 
| eu-west-1 | Europe (Ireland) | 
| eu-west-2 | Europe (London) | 
| eu-west-3 | Europe (Paris) | 
| sa-east-1 | South America (São Paulo) | 
| me-central-1 | Middle East (UAE) | 
| me-south-1 | Middle East (Bahrain) | 
Unsupported AWS Regions
| Region code | Region name (Location) | 
| ap-southeast-3 | Asia Pacific (Jakarta) | 
| eu-south-1 | Europe (Milan) | 
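
The scope rules on this page (attached EBS volumes only, ECR images tagged "latest", and the supported region list) can be turned into a coverage check that lists resources the scanner will not reach. This is an added example, not Trend Micro code: the inventory records are constructed, their field names follow AWS describe/list API output, and flagging container-image Lambda functions as dependent on their ECR image is an inference from the statements above.

```python
# Added example: flag resources that fall outside the scan scope described on this page.
SUPPORTED_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "af-south-1",
    "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3",
    "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1",
    "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3",
    "sa-east-1", "me-central-1", "me-south-1",
}

def coverage_gap(kind, region, item):
    """Return None when the page's rules put the resource in scope, else the reason."""
    if region not in SUPPORTED_REGIONS:
        return f"region {region} is not in the supported list"
    if kind == "ebs" and not item.get("Attachments"):
        return "EBS volume is not attached to an EC2 instance"
    if kind == "ecr" and "latest" not in (item.get("imageTags") or []):
        return 'ECR image has no "latest" tag'
    if kind == "lambda" and item.get("PackageType") == "Image":
        # Inference: covered through ECR image scanning, so the image must be in scope.
        return "container-image function: depends on its ECR image being in scope"
    return None

# Constructed sample inventory: (kind, region, record shaped like AWS API output).
INVENTORY = [
    ("ebs", "us-east-1", {"VolumeId": "vol-0aaa", "Attachments": [{"InstanceId": "i-0aaa"}]}),
    ("ebs", "us-east-1", {"VolumeId": "vol-0bbb", "Attachments": []}),
    ("ecr", "eu-west-1", {"repositoryName": "api", "imageTags": ["latest", "1.4.2"]}),
    ("ecr", "eu-west-1", {"repositoryName": "api", "imageTags": ["1.4.1"]}),
    ("ecr", "eu-west-1", {"repositoryName": "batch"}),  # untagged image: no imageTags key
    ("lambda", "eu-south-1", {"FunctionName": "resize", "PackageType": "Zip"}),
    ("lambda", "ap-south-1", {"FunctionName": "ingest", "PackageType": "Image"}),
    ("lambda", "ap-south-1", {"FunctionName": "notify", "PackageType": "Zip"}),
]

def report(inventory):
    """Collect (kind, region, name, reason) for every resource with a coverage gap."""
    gaps = []
    for kind, region, item in inventory:
        reason = coverage_gap(kind, region, item)
        if reason:
            name = item.get("VolumeId") or item.get("FunctionName") or item.get("repositoryName")
            gaps.append((kind, region, name, reason))
    return gaps

if __name__ == "__main__":
    for gap in report(INVENTORY):
        print(*gap, sep=" | ")
```

Resources reported here need another control, such as a different scanner or a tagging policy that keeps the deployed image tagged "latest".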