The Cloud Accounts feature allows you to easily connect your cloud providers with
Trend Cloud One so that Cloud One can provide protection for the resources in your
cloud accounts.
Supported cloud providers
Currently, the common Cloud Accounts feature is used for File Storage Security protection
on AWS and Google Cloud Platform (GCP). More support and integration will be added
in the future. For the remainder of the Cloud One services, please connect your cloud
accounts directly in those services.
- Workload Security: https://cloudone.trendmicro.com/docs/workload-security/computers-add/
- Network Security: https://cloudone.trendmicro.com/docs/network-security/add_cloud_accounts_appliances/
- File Storage Security (AWS and Azure): https://cloudone.trendmicro.com/docs/file-storage-security/
- Conformity: https://cloudone.trendmicro.com/docs/conformity/add-cloud-account/
- Cloud Sentry: https://cloudone.trendmicro.com/docs/cloud-sentry/
What permissions does Cloud One require?
The required read-only permissions can be found in the setup instructions for each
cloud provider.
When adding your GCP account, you'll be required to grant Cloud One the viewer role. This does not grant permission to modify any resources or data.
Permissions for Cloud One - Network Security
Write permissions are required for hosted infrastructure deployments.
Below is a breakdown of what write-access permissions are requested, and what they
enable. Network Security can still read information about the customer environment
without write permissions.
| Permission Requested | Reason |
| --- | --- |
| cloudformation:CreateStack, cloudformation:DeleteStack | These permissions grant Cloud One the ability to use CloudFormation to maintain the subnets and VPC Endpoints for Network Security with hosted infrastructure. Cloud One uses CloudFormation templates for this to get the advantages of Infrastructure as Code for the security subnets and endpoints. AWS will limit Cloud One CloudFormation stacks to only the other permissions listed here. |
| ec2:CreateSubnet, ec2:CreateTags, ec2:CreateVpcEndpoint, ec2:DeleteSubnet, ec2:DeleteVpcEndpoints | These permissions grant Cloud One the ability to create subnets and VPC Endpoints in order to deploy Network Security with hosted infrastructure in your account. These are required for Cloud One to deploy the necessary resources in your AWS account to inspect traffic using Network Security with hosted infrastructure. |
| logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents | These permissions grant Cloud One the ability to send logs to CloudWatch Logs in your AWS account for Network Security with hosted infrastructure. These logs will include items such as flows that Network Security blocks. |
How does this connect to my cloud provider?
Cloud One uses OpenID Connect (OIDC) to create a trust relationship between Cloud One, which acts as the external identity provider, and a third-party cloud provider such as AWS or GCP.
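On AWS, an OIDC trust relationship of this kind is expressed as an IAM role trust policy that allows `sts:AssumeRoleWithWebIdentity` from a registered OIDC provider, constrained by the token's `aud` and `sub` claims. The following is an added example, not Trend Micro's code: it builds such a trust policy and provides a reviewer that flags the two gaps a defender checks for (a missing `aud` or `sub` condition, which would let any token issued by that provider assume the role, and a wildcard principal). The provider host, account ID, audience and subject values are placeholders; the page does not give Cloud One's actual provider or claim values.

```python
# Added example: building and reviewing an AWS IAM trust policy for an OIDC
# identity provider. Not Trend Micro's code; all values below are placeholders.

OIDC_PROVIDER_HOST = "oidc.example-idp.invalid"   # placeholder, not Cloud One's host
AWS_ACCOUNT_ID = "123456789012"                   # placeholder account
EXPECTED_AUDIENCE = "example-audience"            # placeholder 'aud' claim
EXPECTED_SUBJECT = "example-subject"              # placeholder 'sub' claim


def build_trust_policy(host=OIDC_PROVIDER_HOST, account_id=AWS_ACCOUNT_ID,
                       audience=EXPECTED_AUDIENCE, subject=EXPECTED_SUBJECT) -> dict:
    """Trust policy that lets only tokens from one OIDC provider, carrying the
    expected aud and sub claims, assume the role via AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": audience,   # AWS exposes token claims as <host>:aud / <host>:sub
                f"{host}:sub": subject,
            }},
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists in Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list[str]:
    """Review a trust policy and report gaps that would let any token from the
    provider, or any principal at all, assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("wildcard principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if federated and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action")):
            host = federated.rsplit("/", 1)[-1]
            # Flatten {operator: {key: value}} to the set of condition keys used.
            keys = {k for op in stmt.get("Condition", {}).values() for k in op}
            if f"{host}:aud" not in keys:
                findings.append(f"no audience (aud) condition for {host}")
            if f"{host}:sub" not in keys:
                findings.append(f"no subject (sub) condition for {host}")
    return findings


# Constructed weak sample (not from the page): the same federated principal with
# the claim conditions removed, so any token the provider issues could assume the role.
WEAK_TRUST_POLICY = build_trust_policy()
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]

if __name__ == "__main__":
    print("hardened:", trust_policy_findings(build_trust_policy()))
    print("weak:", trust_policy_findings(WEAK_TRUST_POLICY))
```

The same review applies to any role a SaaS service assumes in your account: confirm the federated principal names the expected provider and that both claim conditions are present before the role is granted the write actions listed earlier on this page.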