{"id":21359375,"url":"https://github.com/trendmicro/cloudone-workload-controltower-lifecycle","last_synced_at":"2025-07-13T01:31:11.244Z","repository":{"id":42011395,"uuid":"273124266","full_name":"trendmicro/cloudone-workload-controltower-lifecycle","owner":"trendmicro","description":null,"archived":false,"fork":false,"pushed_at":"2024-03-28T18:32:26.000Z","size":2326,"stargazers_count":2,"open_issues_count":1,"forks_count":2,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-04-15T00:18:46.375Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trendmicro.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-06-18T02:35:24.000Z","updated_at":"2022-04-18T17:23:16.000Z","dependencies_parsed_at":"2024-03-28T20:01:27.688Z","dependency_job_id":null,"html_url":"https://github.com/trendmicro/cloudone-workload-controltower-lifecycle","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Fcloudone-workload-controltower-lifecycle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Fcloudone-workload-controltower-lifecycle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Fcloudone-workload-controltower-lifecycle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Fcloudone-workload-controltower-lifecycle/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trendmicro","download_url":"https://codeload.github.com/trendmicro/cloudone-workload-controltower-lifecycle/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225849900,"owners_count":17534058,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T05:28:00.644Z","updated_at":"2024-11-22T05:28:01.255Z","avatar_url":"https://github.com/trendmicro.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloud One Workload Security Control Tower lifecycle implementation guide\n\n[Cloud One Workload Security] helps to detect and protect against malware, exploitation of vulnerabilities, and unauthorized \nchanges to your Windows and Linux systems as well as containers. \n\n[Cloud One Workload Security]: https://cloudone.trendmicro.com\n\nThis guide provides details on how to integrate provisioning of Workload Security with [AWS Control Tower] to ensure \nthat every account added through Control Tower Account Factory is automatically provisioned in Workload Security, \nproviding centralized visibility to the security posture of ec2 instances deployed in each account as well as the \nfoundation for policy and billing automation. This solution can be leveraged to manage AWS account provisioning for \ncustomer managed instances of Deep Security Software as well. 
See the \n[Deep Security Software](#deep-security-software-deployments) section for additional guidance.\n\n[AWS Control Tower]:https://aws.amazon.com/controltower/\n\n\n## Overview\n\nThe Lifecycle Hook solution provides a CloudFormation template which, when launched in the Control Tower Master Account, \ndeploys AWS infrastructure to ensure Workload Security monitors each Account Factory AWS account automatically. The \nsolution consists of two Lambda functions: one to manage the cross-account role and access Workload Security, and another to manage the \nlifecycle of the first Lambda. AWS Secrets Manager is used to store the Workload Security API key in the Master account, \nand a CloudWatch Events rule is configured to trigger the customization Lambda when a Control Tower account is \nsuccessfully deployed.\n\n### Usage\n\nYou will first need to [generate an API key for Workload Security]. Once you've created the API key, log into the \nControl Tower master account and [launch the lifecycle template]. Select the AWS region for your Control Tower \ndeployment before entering the Workload ApiKey and completing the launch stack wizard. On the last page of the wizard, \nbe sure to select the checkbox to acknowledge that this template may create IAM resources. 
Once the stack is complete, \nwork with application teams to automate [agent installation] and activate protection.\n\n[generate an API key for Workload Security]:https://aws.amazon.com/controltower/\n[launch the lifecycle template]:https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.amazonaws.com/trend-micro-cloud-one-workload-controltower-lifecycle/Trend-Micro-Workload-LifeCycle.yaml\u0026stackName=WorkloadLifeCycleHook\n[agent installation]:https://help.deepsecurity.trendmicro.com/agent-install.html\n\n### Implementation\n\nDuring stack launch, the lifecycle Lambda will be executed for each existing Control Tower Account, including the \nControl Tower Master, Audit, and Log accounts. After launch, a CloudWatch Events rule will trigger the lifecycle Lambda \nfor each successful Control Tower CreateManagedAccount event. The lifecycle Lambda function will retrieve the Workload \nApiKey from AWS Secrets Manager, then get the External ID for your organization from the Workload API. Next, the Lambda \nfunction will assume the ControlTowerExecution role in the target Managed Account in order to create the necessary \ncross-account role and associated policy. Finally, a call will be made to the Workload API to add this Managed Account to your \nWorkload Security tenant.\n\n### Upgrade\n\nAs new capabilities are added to Workload Security, it may be necessary on occasion to update the permissions for the \napplication's cross-account role. To update the role deployed by the lifecycle hook, update the Workload stack with the \nlatest template, which can be found at its [original url]. The parameter values should not be modified from their original \nvalues unless directed by Trend Micro Support. Updating the CloudFormation stack will update the role used by all existing \naccounts and the role created for future enrollments. 
\n\n[original url]:https://s3.amazonaws.com/trend-micro-cloud-one-workload-controltower-lifecycle/Trend-Micro-Workload-LifeCycle.yaml\n\n### Removal\n\nTo remove the lifecycle hook, identify and delete the CloudFormation stack. Protection for Managed Accounts which \nhave already been added will remain in place. For details on removing an AWS account from Workload Security, see \n[removing an account subscription] in the help documentation.\n\n\n[removing an account subscription]:https://www.cloudWorkload.com/help/organisation/subscriptions.html\n\n\n### Deep Security Software Deployments\n\nSome organizations may choose to host the Deep Security Software which manages agent policy and protection in their \nown AWS account instead of using the hosted solution. This product is available in a pay-as-you-go or bring-your-own-license \nmodel from the [AWS Marketplace]. Trend Micro recommends deploying the [Deep Security Quickstart] into your \nControl Tower Security account and either leveraging the public-facing ELB in the Quickstart deployment, or configuring \n[AWS PrivateLink] to create connectivity between workloads in Managed Accounts and the Deep Security Manager console.\n\n[AWS Marketplace]:https://aws.amazon.com/marketplace/pp/Trend-Micro-Trend-Micro-Deep-Security/B01AVYHVHO\n[Deep Security Quickstart]:https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/d70fb77f-c90c-40e9-8cba-2d257a7b01d2.a79962c7-5e92-42f7-6484-e9ed7afcd8f6.template\n[AWS PrivateLink]:https://aws.amazon.com/privatelink/","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrendmicro%2Fcloudone-workload-controltower-lifecycle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrendmicro%2Fcloudone-workload-controltower-lifecycle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrendmicro%2Fcloudone-workload-controltower-lifecycle/lists"}