Trend Micro Cloud One™ – Conformity’s data access requirements are determined at an Account level by the product subscriptions enabled for each account.
| Subscription | Type | Data access requirement |
|---|---|---|
| Security | Base | AWS Custom Policy |
| Real-time monitoring | Add-on | Real-Time Threat Monitoring settings |
| Cost Optimisation | Add-on | Access AWS Cost Billing Bucket |
The Conformity Bot can ingest data from the following regions:
How does Conformity access my AWS account?
Conformity uses an AWS Custom Policy to view your AWS account metadata - there is no read or write access to your data.
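Before attaching any third-party custom policy, a practitioner will want to confirm that its Allow statements really stop at configuration metadata. The following Python audit is an added example, not Conformity's policy or tooling: it walks a policy document and flags any granted action (including wildcards such as `s3:*` or `*`) that reaches a data-plane operation; the data-plane action list and the two sample policies are constructed for illustration.

```python
import fnmatch
import json

# Constructed list of data-plane actions that expose object, row or secret contents
# rather than configuration metadata. Extend it for the services you care about.
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "secretsmanager:GetSecretValue", "ssm:GetParameter*", "kms:Decrypt",
    "rds-data:*", "lambda:InvokeFunction",
]

def _as_list(value):
    # IAM allows "Statement", "Action" and "NotAction" to be a string or a list.
    return value if isinstance(value, list) else [value]

def data_plane_grants(policy):
    """Return the sorted Allow actions that match, or could expand to, a data-plane
    action. IAM action matching is case-insensitive, so both sides are lowercased.
    Deny statements and conditions are not evaluated: a flag means 'review this'."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for granted in _as_list(stmt.get("Action", [])):
            g = granted.lower()
            for data_action in DATA_PLANE_ACTIONS:
                d = data_action.lower()
                # Either the grant covers the data action (s3:* covers s3:GetObject)
                # or the grant falls under a data-action pattern (ssm:GetParameter*).
                if fnmatch.fnmatchcase(d, g) or fnmatch.fnmatchcase(g, d):
                    findings.add(granted)
                    break
    return sorted(findings)

# Constructed sample: metadata-only statements of the kind a configuration scanner needs.
METADATA_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
               "s3:GetEncryptionConfiguration", "iam:Get*", "iam:List*", "kms:ListKeys"]}]}
# Constructed sample: a "read-only" policy that quietly includes object and table reads.
OVERBROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:Get*", "dynamodb:Scan"]}]}

if __name__ == "__main__":
    for name, pol in (("metadata-only", METADATA_ONLY), ("overbroad", OVERBROAD)):
        print(name, "->", data_plane_grants(pol) or "no data-plane grants")
```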
What data does Conformity capture and how is it stored?
Conformity only accesses the metadata associated with your AWS infrastructure. For example, we recognize that your AWS account has twelve S3 buckets and twenty EC2 instances, however, we cannot see the data/applications associated with these resources.
We retain metadata for active accounts for a 12-month period, after which it is automatically deleted. For events, you can query logs to view the last 500 events via the UI and the last 1200 via the API. If you choose to deactivate an account, all your data is automatically deleted at the time of deactivation.
Does anyone at Conformity look at this data?
No, Conformity staff don’t have access to view your dashboard or account information. Authorized members of our technical team have limited access to view metadata associated with your accounts, for example, the number of compliance checks performed. However, our staff cannot see the specific violations associated with your AWS account.
We understand that the infrastructure configurations (metadata) could be considered sensitive and we have several layers of security in place to ensure that this metadata is captured, stored and accessed securely.
Customer metadata is encrypted at every touchpoint in our AWS infrastructure: in transit during data collection, which uses signed requests and the AWS Security Token Service (STS), and at rest using the AWS Key Management Service (KMS). All internal staff must comply with our strong password policies and have MFA enabled. All access to Conformity infrastructure is monitored and access levels are reviewed on a regular basis, with the principle of least privilege enforced. Only senior Conformity engineers have access to production systems.
It’s important to note that Conformity staff do not have access to the customer’s Conformity account unless the customer chooses to grant their Technical Account Manager read-only access - which is at the discretion of the customer.
Trend Micro Cloud One™ – Conformity has integrated with the AWS Well-Architected Tool so that customers can conduct 360-degree workload reviews in AWS and confirm that their resources comply with the AWS Well-Architected Framework.
How does the AWS Well-Architected Tool work?
The AWS Well-Architected Tool uses the AWS Well-Architected Framework to compare your cloud application environment against best practices across five architectural pillars: security, reliability, performance efficiency, operational excellence, and cost optimization.
Users answer a series of questions to review and evaluate their workloads and receive step-by-step guidance to improve them in return.
How do I start using the AWS Well-Architected Tool?
Make sure that the following Rules are enabled in Conformity. For more info, see: Configure Rules.
By configuring this Rule, you enable Conformity to detect if the AWS Well-Architected Tool is in use.
Configuring this Rule enables Conformity to present a summary of the findings of your AWS accounts from the tool.
Click on the Resolve button to view the Knowledge Base pages for step-by-step guidance on using the tool and resolving the failure.
Once you have enabled the Rules and you have updated the Custom Policy, you will be able to use the AWS Well-Architected Tool with Conformity.
Conformity’s API integration with the AWS Well-Architected Tool enables you to push a report of failed and successful checks from your Conformity accounts to your workload review. This report allows you to review checks more accurately with data-driven responses.
How does it work?
Checks generated from rules are mapped to a particular Well-Architected review question. The checks are also summarised by ‘Risk level’ and ‘Rule IDs’ to allow better visibility for remediation based on the review findings. This summary is then pushed to the ‘Notes’ field for the related question. For details, see our API Documentation for the Well-Architected Tool.