Important: AWS accounts in Trend Vision One are now managed by the Cloud Accounts app. To add new AWS accounts, see Adding an AWS account using CloudFormation.
You can still use APIs to add new accounts to Server & Workload Protection. However, Trend Micro recommends using the Cloud Accounts app, which provides access to more advanced cloud security and XDR capabilities. This topic is for reference only.
AWS Systems Manager Distributor is a feature integrated with AWS Systems Manager that you can use to securely store and distribute software packages in your accounts. By integrating Server & Workload Protection with AWS Systems Manager Distributor, you can distribute agents across multiple platforms, control access to managed instances, and automate your deployments.
Create an IAM policy
Follow the instructions in Importing existing managed policies.
In the Import managed policies window, add the "AmazonSSMManagedInstanceCore" policy.
Create a role and assign the policy
Follow the instructions in Creating a role for an AWS service.
In the Attach permissions policies window, add the “AmazonSSMManagedInstanceCore” permission.
Create parameters
Procedure
- In your AWS console, navigate to .
- There are 4 parameters that need to be created. Click Create parameter and enter the Name and Value as listed in the table below. The other fields can be left on their default values.

  | Name | Value |
  | --- | --- |
  | dsActivationUrl | On the Server & Workload Protection console, go to . Go to the top of the generated script and copy the dsActivationUrl. |
  | dsManagerUrl | On the Server & Workload Protection console, go to . Go to the top of the generated script and copy the dsManagerUrl. |
  | dsTenantId | On the Server & Workload Protection console, go to . Scroll to the bottom of the generated script and copy the tenantID. |
  | dsToken | On the Server & Workload Protection console, go to . Scroll to the bottom of the generated script and copy the token. |
What to do next
Note: Make sure the values for dsActivationUrl and dsManagerUrl are entered exactly as they appear, taking care to include the trailing slash where applicable.
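
To check the four parameters after creating them, the following added example (not part of the original topic and not Trend Micro code) compares the JSON output of `aws ssm get-parameters` with the values copied from the generated script. The function name, the placeholder hosts, tenant ID and token are assumptions constructed for illustration; findings never echo the tenant ID or token.

```python
import json

# The four parameter names the procedure above asks for.
REQUIRED = ("dsActivationUrl", "dsManagerUrl", "dsTenantId", "dsToken")
SECRET = {"dsTenantId", "dsToken"}  # never echo these values in findings


def audit_parameters(response_json, expected):
    """Compare an `aws ssm get-parameters` response with the values copied
    from the generated deployment script. Returns a list of findings."""
    response = json.loads(response_json)
    stored = {p["Name"]: p["Value"] for p in response.get("Parameters", [])}
    findings = []
    for name in REQUIRED:
        want = expected[name]
        if name not in stored:
            findings.append(f"{name}: missing from Parameter Store")
            continue
        got = stored[name]
        if got == want:
            continue
        if got.strip() == want:
            findings.append(f"{name}: stray leading or trailing whitespace")
        elif got.rstrip("/") == want.rstrip("/"):
            findings.append(f"{name}: trailing slash differs from the script")
        elif name in SECRET:
            findings.append(f"{name}: value differs from the script (redacted)")
        else:
            findings.append(f"{name}: stored {got!r}, script has {want!r}")
    return findings


# Constructed sample data: placeholder hosts, tenant ID and token.
EXPECTED = {
    "dsActivationUrl": "dsm://agents.example.invalid:443/",
    "dsManagerUrl": "https://manager.example.invalid:443",
    "dsTenantId": "00000000-PLACEHOLDER-TENANT",
    "dsToken": "00000000-PLACEHOLDER-TOKEN",
}
SAMPLE_RESPONSE = json.dumps({"Parameters": [
    {"Name": "dsActivationUrl", "Type": "String",
     "Value": "dsm://agents.example.invalid:443"},    # trailing slash dropped
    {"Name": "dsManagerUrl", "Type": "String",
     "Value": "https://manager.example.invalid:443"},
    {"Name": "dsToken", "Type": "String",
     "Value": "00000000-PLACEHOLDER-TOKEN "},         # pasted with a space
], "InvalidParameters": ["dsTenantId"]})              # never created

if __name__ == "__main__":
    for finding in audit_parameters(SAMPLE_RESPONSE, EXPECTED):
        print(finding)
```

The response text can be produced with `aws ssm get-parameters --names dsActivationUrl dsManagerUrl dsTenantId dsToken` and passed in place of the constructed sample.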
Create association
Procedure
- In the AWS console, go to .
- Select the TrendMicro-CloudOne-WorkloadSecurity package, then Install on a Schedule.
- The Create Association page opens. Fill in the required fields. For Installation Type, we recommend you use the In-place update option.
- Create a schedule. Leveraging a scheduled State Manager Association will ensure agents are always installed and up to date.
- Click Create Association.
What to do next
Protect your computers
Trend Micro recommends configuring a cloud connector for each AWS account which will contain managed agents. It might also be necessary to create a policy specific to the systems which will be managed by Distributor.