
AWS integration

Last updated: 13 January 2020

The Conformity Bot ingests metadata via API calls from the AWS accounts you have added to your organization.

Trend Micro Cloud One™ – Conformity’s data access requirements are determined at an Account level by the product subscriptions enabled for each account.

Package                Type     Access Setup
Security               Base     AWS Custom Policy
Real-time monitoring   Add-on   Real-Time Threat Monitoring settings
Cost Optimisation      Add-on   Access AWS Cost Billing Bucket

Supported regions

The Conformity Bot can ingest data from all AWS regions except the 3 listed below.

Unsupported regions

  1. The 2 China regions
  2. AWS GovCloud (US)

Conformity Security Statement

Last updated 21 Oct 2019

Conformity takes the security of its customers seriously and is currently preparing for SOC 2. We will complete our SOC 2 gap assessment in November 2019 and be in a position to advise completion shortly afterward. Our application is built on AWS, complies with AWS best practices and runs on AWS services that are accredited for SOC 1, 2 and 3 and ISO 27001:2013. Additionally, we have a formal bug bounty program in place with BugCrowd.

How does Conformity access my AWS account?

Conformity uses an AWS Custom Policy to view your AWS account metadata; it has no read or write access to your data.

What data does Conformity capture and how is it stored?

Conformity only accesses the metadata associated with your AWS infrastructure. For example, we recognize that your AWS account has twelve S3 buckets and twenty EC2 instances, however, we cannot see the data/applications associated with these resources.

We retain metadata for active accounts for a 12-month period after which it is automatically deleted. For events, you can query logs to view the last 500 events via UI and 1200 via API. If you choose to deactivate an account, all your data is automatically deleted at the time of deactivation.

Does anyone at Conformity look at this data?

No, Conformity staff don’t have access to view your dashboard or account information. Authorized members of our technical team have limited access to view metadata associated with your accounts, for example, the number of compliance checks performed. However, our staff cannot see the specific violations associated with your AWS account.

Metadata

We understand that the infrastructure configurations (metadata) could be considered sensitive and we have several layers of security in place to ensure that this metadata is captured, stored and accessed securely.

Customer metadata is encrypted at every touchpoint in our AWS infrastructure, from data collection, which uses signed requests and the AWS Security Token Service (STS), through to encryption at rest using the AWS Key Management Service. All internal staff must comply with our strong password policies and have MFA enabled. All access to Conformity infrastructure is monitored, and access levels are reviewed on a regular basis with the principle of least privilege enforced. Only senior Conformity engineers have access to production systems.

It’s important to note that Conformity staff do not have access to the customer’s Conformity account unless the customer chooses to grant their Technical Account Manager read-only access, which is at the discretion of the customer.

AWS Well-Architected Tool

  • How does the AWS Well-Architected Tool work?
  • How do I start using the tool?

Trend Micro Cloud One™ – Conformity has integrated with the AWS Well-Architected Tool so that customers can conduct 360-degree workload reviews in AWS and verify that their resources comply with the AWS Well-Architected Framework.

How does the AWS Well-Architected Tool work?

The AWS Well-Architected Tool uses the AWS Well-Architected Framework to compare your cloud application environment against best practices across five architectural pillars: security, reliability, performance efficiency, operational excellence, and cost optimization.

Users answer a series of questions to review and evaluate their workloads and receive step-by-step guidance to improve them in return.

How do I start using the AWS Well-Architected Tool?

  1. Update the Custom Policy to allow Conformity to access data from the AWS Well-Architected Tool. The new permissions are:
    • wellarchitected:ListWorkloads
    • wellarchitected:GetWorkload
  2. Make sure that the following Rules are enabled in Conformity. For more info, see: Configure Rules.
    1. WellArchitected-001: AWS Well-Architected Tool is in Use

       By configuring this Rule, you enable Conformity to detect whether the AWS Well-Architected Tool is in use.

    2. WellArchitected-002: AWS Well-Architected Tool Findings

       Configuring this Rule enables Conformity to present a summary of the tool's findings for your AWS accounts.

Click on the Resolve button to view the Knowledge Base pages for step-by-step guidance on using the tool and resolving the failure.

Once you have enabled the Rules and you have updated the Custom Policy, you will be able to use the AWS Well-Architected Tool with Conformity.
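When you edit the Custom Policy to add the two wellarchitected permissions, it is worth confirming two things before saving it: that both required actions are present, and that the policy still grants only metadata reads (the page's "no read or write access to your data" property). The following script is an added example, not Conformity's own policy document or tooling; the policy JSON is constructed for illustration, and the read-only verb prefixes and the `DATA_READ_ACTIONS` set are illustrative assumptions rather than a complete classification of IAM actions.

```python
import json

# Constructed example of a custom policy statement (not the vendor's actual
# document): the two wellarchitected actions from this page added alongside
# a couple of other metadata-only actions.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wellarchitected:ListWorkloads",
        "wellarchitected:GetWorkload",
        "s3:ListAllMyBuckets",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
""")

# The permissions the page says must be added for the integration.
REQUIRED_WELLARCHITECTED_ACTIONS = {
    "wellarchitected:ListWorkloads",
    "wellarchitected:GetWorkload",
}

# Assumption: verbs with these prefixes read configuration metadata only.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Assumption (illustrative, not exhaustive): Get-prefixed actions that read
# customer data rather than metadata and so should not appear in the policy.
DATA_READ_ACTIONS = {"s3:GetObject"}


def allowed_actions(policy):
    """Flatten the Action field of every Allow statement into a set of strings."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        if isinstance(act, str):  # IAM allows a single action as a bare string
            act = [act]
        actions.update(act)
    return actions


def missing_required_actions(policy):
    """Required wellarchitected actions that the policy does not grant (sorted)."""
    return sorted(REQUIRED_WELLARCHITECTED_ACTIONS - allowed_actions(policy))


def non_metadata_actions(policy):
    """Granted actions that are wildcards, mutating verbs, or known data reads (sorted)."""
    flagged = []
    for action in sorted(allowed_actions(policy)):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
        elif action in DATA_READ_ACTIONS:
            flagged.append(action)
    return flagged


if __name__ == "__main__":
    print("missing:", missing_required_actions(EXAMPLE_POLICY))
    print("out of scope:", non_metadata_actions(EXAMPLE_POLICY))
```

Run it against the policy document you are about to save (load it with `json.load` in place of `EXAMPLE_POLICY`); an empty result from both functions means the wellarchitected permissions are in place and nothing in the policy reaches beyond metadata under these assumptions.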