Views:

Review the outbound network traffic generated by the Agentless Vulnerability & Threat Detection deployment stack in your AWS environment.

When you deploy Agentless Vulnerability & Threat Detection to your AWS account, the scanning infrastructure generates outbound network traffic to AWS services and TrendAI Vision One™ cloud services. All outbound traffic uses HTTPS (TCP port 443) with TLS 1.2 or higher encryption.
Understanding this traffic is important for configuring firewall rules, network security groups, and compliance requirements in restricted network environments.
Important
Important
No inbound ports are opened on any deployed resource. All scanner components use security groups that deny inbound traffic.

Traffic categories

The Agentless Vulnerability & Threat Detection stack generates outbound traffic in four categories:
Category
Description
Frequency
OS packages
Standard operating system packages installed during scanner EC2 instance bootstrap, including AWS CLI, Docker runtime, and filesystem utilities. Sources are standard Amazon Linux package repositories.
Once per scanner instance launch
AWS services
AWS service API calls for compute, storage, security, and monitoring operations using the AWS SDK with IAM role-based authentication. Destinations are standard AWS regional endpoints.
Continuous
Container images
Scanner container image pulled from AWS Elastic Container Registry (ECR) Public Gallery when launching scanner EC2 instances. The image is cached locally for the instance lifetime.
Once per scanner instance launch
TrendAI Vision One™ services
Connections to TrendAI Vision One™ cloud services for scan result reporting, threat intelligence updates, and management telemetry. Authentication uses bearer tokens that are automatically rotated and stored in AWS Secrets Manager.
Per scan and periodic updates

Destination endpoints

The following table lists all destination endpoints that the Agentless Vulnerability & Threat Detection stack communicates with:
Destination
Port
Protocol
Purpose
sentry.{region}.cloudone.trendmicro.com
443
HTTPS
Sentry Backend API for pattern updates, Lambda updates, report submission, telemetry, and log forwarding
xlogr-{code}.xdr.trendmicro.com
443
HTTPS
Scan results, detection events, and asset lifecycle changes
api.{region}.xdr.trendmicro.com
443
HTTPS
TrendAI Vision One™ management API
*.{region}.amazonaws.com
443
HTTPS
AWS service endpoints including S3, Secrets Manager, SQS, EBS, EC2, Lambda, CloudWatch, Step Functions, STS, AppConfig, KMS, CloudFormation, EventBridge, SSM, Cost Explorer, IAM, and ECR
public.ecr.aws
443
HTTPS
Scanner container image from ECR Public Gallery
OS package repositories
443
HTTPS
Amazon Linux package repositories for OS package installation
Note
Note
No traffic is sent to third-party services outside of TrendAI Vision One™ and AWS.

Component inventory

The Agentless Vulnerability & Threat Detection stack deploys via four CloudFormation stacks. The following tables list the components in each stack that generate outbound traffic.

SentryShared stack

Component
Type
Purpose
CustomerTokenGenerator
Lambda
Generates XLogR authentication tokens via Sentry Backend API
CustomerTokenRotator
Lambda
Rotates XLogR tokens on a schedule
PatternUpdater
Lambda
Downloads latest anti-malware scan patterns from Sentry Backend
LambdaUpdater
Lambda
Checks for and applies Lambda function code updates
LogAndAlertForwarder
Lambda
Forwards audit logs and alerts to Sentry Backend
TelemetryForwarder
Lambda
Sends telemetry data to Sentry Backend
ReportSender
Lambda
Submits completed scan reports to Sentry Backend

SentrySet stack (per-region)

Component
Type
Purpose
Dispatcher
Lambda
Routes incoming scan events to the appropriate handler
RealTimeScanHandler
Lambda
Processes real-time EBS snapshot scan events
LifecycleEventHandler
Lambda
Tracks EC2, ECR, and Lambda asset lifecycle events and sends changes to XLogR
ScheduledScanHandler
Lambda
Initiates periodic full-account scans
ResourceCollector
Lambda
Enumerates scannable resources across the account

Scanner CSF (Cloud Scanner Framework)

Component
Type
Purpose
scanner-aws-parse-volume
Lambda
Reads EBS snapshots via EBS Direct API and parses partition metadata
scanner-aws-am-scan
Lambda
Anti-malware scanning using iCRC pattern engine
scanner-aws-vuln-scan
Lambda
Vulnerability scan
scanner-aws-build-report
Lambda
Aggregates scan results into final report
scanner-aws-send-xlogr
Lambda
Sends scan results to XLogR endpoints
EC2 Manager
Lambda
Launches and terminates scanner EC2 instances
Step Functions
State Machine
Orchestrates the scan pipeline

VPCStack (VPC Flow Log Processing)

Component
Type
Purpose
VPCFlowLogProcessor
Lambda
Reads VPC flow logs from S3 and sends to XLogR for network activity visibility
Note
Note
The SentryShared stack is deployed once per customer account. The SentrySet, Scanner CSF, and VPCStack are deployed per monitored region.

Data handling

The following data is transmitted from your AWS account to TrendAI Vision One™ cloud services:
  • Scan results including malware detections, vulnerability findings, and integrity changes
  • Asset inventory updates
  • VPC flow log summaries
  • Operational telemetry
Important
Important
Raw workload data such as file contents and disk images never leave your AWS account. All scanning occurs locally within your account.

Security considerations

  • All authentication tokens are stored in AWS Secrets Manager with KMS encryption
  • Customer tokens are automatically rotated
  • No credentials are hardcoded or logged
  • All traffic uses TLS 1.2 or higher encryption
  • Proxy configuration is supported through HTTP_PROXY and HTTPS_PROXY environment variables