Get answers to frequently asked support questions for Cloud Security Posture.
What are the potential rule failures related to Agentless Vulnerability and Threat Detection?
The new Guided Exclusions feature is enabled by default to exclude AVTD resources and prevent their failures from affecting the compliance and risk scores for your cloud accounts. For more information, including how to disable the exclusions, see: Managing preferences.
Potential Rule Findings for Excluded Resources
The following potential rule findings have been reviewed by the Trend Micro team. When the context of these resources is taken into account, these findings are not applicable and can be safely ignored:
Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Managed Keys: AVTD resources are securely encrypted with default keys. In addition, the environment variables do not contain any secrets, so adding additional encryption using customer-managed keys is not required.

SecretsManager-001: Secret Encrypted With KMS Customer Master Keys: AVTD resources are securely encrypted with default keys, so adding additional encryption using customer-managed keys is not required.

Lambda-001: Lambda Using Latest Runtime Environment: AVTD ensures that all of its Lambda functions use a supported runtime environment with no end-of-life date. All supported runtime environments receive frequent security updates from AWS.

Lambda-003: Lambda Tracing Enabled: AVTD ensures that this feature is thoroughly tested before release, so the additional visibility gained by enabling tracing is not required.

SecretsManager-002: Secret Rotation Enabled: AVTD uses its own secrets feature instead of the one provided by AWS, so enabling the AWS-provided Secret Rotation feature is not required.

SecretsManager-003: Secret Rotation Interval: AVTD uses its own secrets feature instead of the one provided by AWS, so enabling the AWS-provided Secret Rotation feature is not required.

S3-024: S3 Transfer Acceleration: The AVTD feature does not use the transfer acceleration feature.

Lambda-006: Using an IAM Role For More Than One Lambda Function: AVTD employs a strategy called "permission planes", where Lambda functions that require identical permissions share a single IAM role. This ensures both efficiency and manageability when deploying to multiple regions, for example by reducing the number of IAM roles used in a customer's cloud account.

Lambda-007: VPC Access for AWS Lambda Functions: AVTD does not use resources such as Redshift, ElastiCache, or RDS that may require a VPC implementation.

CFM-001: CloudFormation Stack Notification: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.

CFM-002: CloudFormation Stack Policy: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.

CFM-005: CloudFormation Stack Termination Protection: To give customers control of the stacks in their environment, AVTD allows users to deactivate and remove the stack from their account.

S3-025: S3 Buckets Encrypted with Customer Provided Keys (CMKs): AVTD buckets are already encrypted using S3-managed keys.

SQS-006: SQS Dead Letter Queue: AVTD implements a Dead Letter Queue (DLQ) on those of its SQS resources where one is applicable.

S3-013: S3 Bucket MFA Delete Enabled: Objects stored in AVTD S3 buckets are relatively short-lived, so enabling MFA Delete protection against accidental deletion is not required.

S3-023: Object Lock: Objects stored in AVTD S3 buckets are relatively short-lived, so Object Lock protection against accidental deletion is not required.
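The practical question behind this list is how an exclusion should be scoped: the rule IDs above are expected on AVTD-owned resources, but the same rule failing on a customer-owned Lambda function or bucket is a real finding. The following added example (not Trend Micro code and not how Guided Exclusions is implemented) illustrates that scoping over a handful of constructed findings and shows how excluded checks leave a simple compliance score. The rule IDs are the ones listed on this page; the finding records, the `managed-by: avtd` tag used to recognise AVTD-owned resources, and the scoring formula are assumptions made for the example.

```python
"""Added example, not Trend Micro's own code: apply this FAQ's list of expected
AVTD rule failures to Cloud Security Posture-style findings and show how
exclusion changes a simple compliance score.  The rule IDs come from the FAQ;
the finding records, the `managed-by: avtd` tag that marks AVTD-owned
resources, and the scoring formula are constructed assumptions."""

from dataclasses import dataclass, field

# Rule IDs this FAQ lists as expected failures on AVTD-owned resources.
AVTD_EXPECTED_FAILURES = frozenset({
    "Lambda-001", "Lambda-003", "Lambda-006", "Lambda-007", "Lambda-009",
    "SecretsManager-001", "SecretsManager-002", "SecretsManager-003",
    "S3-013", "S3-023", "S3-024", "S3-025",
    "CFM-001", "CFM-002", "CFM-005",
    "SQS-006",
})


@dataclass
class Finding:
    rule_id: str
    resource: str
    status: str                                # "FAILURE" or "SUCCESS"
    tags: dict = field(default_factory=dict)


def is_avtd_resource(finding: Finding) -> bool:
    # Assumption for this example: AVTD-owned resources carry a
    # `managed-by: avtd` tag.  Adapt to however your deployment marks them.
    return finding.tags.get("managed-by") == "avtd"


def is_excluded(finding: Finding) -> bool:
    """A check is excluded only when BOTH hold: the rule is on the expected
    list AND the resource is AVTD-owned.  The same rule on a customer-owned
    resource stays a real finding."""
    return finding.rule_id in AVTD_EXPECTED_FAILURES and is_avtd_resource(finding)


def triage(findings):
    """Split failures into (actionable, excluded) lists, preserving order."""
    actionable, excluded = [], []
    for f in findings:
        if f.status != "FAILURE":
            continue
        (excluded if is_excluded(f) else actionable).append(f)
    return actionable, excluded


def compliance_score(findings, apply_exclusions=True):
    """Percentage of evaluated checks that passed.  Excluded checks are removed
    from both numerator and denominator, so they neither help nor hurt."""
    evaluated = [f for f in findings if not (apply_exclusions and is_excluded(f))]
    if not evaluated:
        return 100.0
    passed = sum(1 for f in evaluated if f.status == "SUCCESS")
    return round(100.0 * passed / len(evaluated), 2)


# Constructed sample findings: two AVTD-owned resources and several customer-owned ones.
AVTD = {"managed-by": "avtd"}
SAMPLE_FINDINGS = [
    Finding("Lambda-009", "avtd-scanner-fn", "FAILURE", AVTD),    # expected, excluded
    Finding("Lambda-009", "customer-billing-fn", "FAILURE"),      # real finding
    Finding("S3-013", "avtd-results-bucket", "FAILURE", AVTD),    # expected, excluded
    Finding("S3-013", "customer-backups", "SUCCESS"),
    Finding("SQS-006", "customer-orders-queue", "FAILURE"),       # real finding
    Finding("Lambda-001", "customer-api-fn", "SUCCESS"),
    Finding("Lambda-001", "avtd-scanner-fn", "SUCCESS", AVTD),    # excluded from scoring too
]

if __name__ == "__main__":
    actionable, excluded = triage(SAMPLE_FINDINGS)
    print("actionable:", [(f.rule_id, f.resource) for f in actionable])
    print("excluded:  ", [(f.rule_id, f.resource) for f in excluded])
    print("score without exclusions:", compliance_score(SAMPLE_FINDINGS, apply_exclusions=False))
    print("score with exclusions:   ", compliance_score(SAMPLE_FINDINGS))
```

Note that `is_excluded` requires the resource condition, not just the rule ID: dropping every `Lambda-009` or `S3-013` failure account-wide would hide genuine misconfigurations on customer resources, which is the opposite of what the exclusion is meant to achieve.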