Migrate cloud accounts to Trend Cloud One - Endpoint & Workload Security

Migrate to Trend Cloud One - Endpoint & Workload Security is a multi-step process.

You may have used cloud connectors to add cloud accounts to Deep Security. You can use the migration tool or migration API to migrate protected cloud accounts.

Prerequisites

  • Check that you are running Deep Security Manager 20.0.635 (20 LTS Update 2022-04-21) or later.
  • If you have not done so already, complete the earlier steps in Migrate to Trend Cloud One - Endpoint & Workload Security, including creating a Trend Cloud One account, creating an API key, and preparing a link to Workload Security.

If you are migrating AWS accounts

For accounts that are not AWS accounts, see Migrate other cloud accounts using the migration tool.

Limitations

The procedure used to migrate registered AWS accounts depends on how they were originally added to Deep Security Manager:

  • AWS accounts added using access keys can be migrated using the migration tool or migration API.
  • AWS accounts added using cross-account roles can be migrated using the migration tool or migration API. However, those cross-account roles need to be configured to trust the AWS principal of Workload Security in addition to the original principal of Deep Security Manager. See Migrate AWS accounts that were added using cross-account roles for details.
  • AWS accounts added using manager instance roles cannot be migrated, because manager instance roles are not supported on Workload Security.
  • Legacy AWS accounts that were added in Deep Security Manager 9.6 or earlier are not supported because they are not accessible via the API endpoint /api/awsconnectors.

Migrate AWS accounts that were added using cross-account roles

There are two ways to register AWS accounts to Workload Security:

Create a new cross-account role

With this method, instead of using the migration tool or API, you add new cross-account roles that allow Workload Security to access your AWS accounts. For instructions, see Add an AWS account using a cross-account role in the Workload Security help.

Reuse existing cross-account roles

With this method, you identify the original cross-account role, configure the trust relationship to Workload Security, and invoke the migration API:

  1. Identify the cross-account role in your AWS account that allows Deep Security Manager to access it.

    You can find the role ARN in the Deep Security Manager console by right-clicking the AWS account and selecting Properties.

    The role ARN has this format: arn:aws:iam::<AWS account ID>:role/<role name>

  2. Note the AWS account of Workload Security and the external ID of your tenant. Refer to this article in the Workload Security help for the account ID and how to retrieve the external ID.
  3. Log in to the AWS account.
  4. In the AWS console, go to the IAM service.
  5. In the left navigation pane, click Roles.
  6. In the main pane, find the role name from step 1 and click it to open the summary page.
  7. In the Trust relationships tab, click Edit trust relationship.
  8. In the Policy Document, the trust relationship should look like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<original Deep Security AWS Account>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<original Deep Security External ID>"
            }
          }
        }
      ]
    }
  9. Add a statement for the Workload Security account you noted (147995105371) and its external ID to the Policy Document as the first statement, keeping the original Deep Security Manager statement. It should look like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::147995105371:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<Workload Security External ID>"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<original Deep Security AWS Account>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<original Deep Security External ID>"
            }
          }
        }
      ]
    }
  10. Click Update Trust Policy to save the changes.
  11. Repeat the preceding steps for each AWS account that you want to migrate to Workload Security.
  12. Migrate the AWS accounts using the migration tool or migration API.
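The trust-policy edit in steps 8 and 9 can be checked mechanically before you paste it into the console. The following is an added example, not Trend Micro's code: it takes the existing trust policy as a Python dict, prepends a statement that trusts the Workload Security account (147995105371, as stated above) under its own sts:ExternalId condition, leaves the original Deep Security Manager statement intact, and verifies that both principals are trusted only with their respective external IDs. The account ID 111122223333 and both external ID strings in the sample policy are constructed placeholders; the helper names are assumptions of this example.

```python
"""Added example (not Trend Micro's code): extend an IAM cross-account role's
trust policy so Workload Security can assume the role alongside the original
Deep Security Manager principal, keeping an sts:ExternalId condition on both."""
import copy
import json

# Workload Security AWS account ID, as given in the migration procedure.
WORKLOAD_SECURITY_ACCOUNT_ID = "147995105371"

# Constructed sample: the trust policy Deep Security Manager originally needed.
# 111122223333 and the external ID are placeholders, not real values.
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "ds-external-id-EXAMPLE"}},
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _trust_statement(account_id, external_id):
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }


def trusts(policy, account_id, external_id):
    """True if an Allow statement lets <account_id>:root call sts:AssumeRole
    AND requires exactly this external ID (the confused-deputy guard)."""
    wanted_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if wanted_arn not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") == external_id:
            return True
    return False


def add_workload_security_trust(policy, ws_external_id,
                                ws_account_id=WORKLOAD_SECURITY_ACCOUNT_ID):
    """Return a new policy with the Workload Security statement prepended.
    Idempotent: an equal copy comes back if the trust is already present.
    Refuses an empty document, which would not be a Deep Security role."""
    updated = copy.deepcopy(policy)
    existing = _statements(updated)
    if not existing:
        raise ValueError("trust policy has no statements; wrong role?")
    if trusts(updated, ws_account_id, ws_external_id):
        return updated
    updated["Statement"] = [_trust_statement(ws_account_id, ws_external_id)] + existing
    return updated


if __name__ == "__main__":
    # Print the document to paste into the IAM "Edit trust relationship" page.
    new_policy = add_workload_security_trust(ORIGINAL_TRUST_POLICY, "ws-external-id-EXAMPLE")
    print(json.dumps(new_policy, indent=2))
```

Run it, paste the printed JSON into the Policy Document field (step 8), and keep the original statement: removing it would break Deep Security Manager's access before the migration has finished. The `trusts` check fails when the external ID does not match, which is the property that stops any other caller from the same account from assuming the role.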

Migrate other cloud accounts using the migration tool

The Migrate to Trend Vision One Endpoint Security tool (formerly called Migrate to Workload Security) enables migration to both Trend Vision One Endpoint Security - Server & Workload Protection and Trend Cloud One - Endpoint & Workload Security. Note that, in addition to the tool itself, the related role configurations have been renamed.

  1. In the Deep Security Manager console, select Support > Migrate to Trend Vision One Endpoint Security.
  2. On the Migrate to Trend Vision One Endpoint Security page, select the Cloud Accounts tab.
  3. When all connected cloud accounts that support migration are displayed, select the accounts that you want to migrate and click Migrate Selected.
  4. When the migration begins, click Refresh to check the migration status. Possible statuses are:
    • Migration requested: Cloud account migration to Workload Security has been requested but the migration hasn't started yet.
    • Migrating: Cloud accounts are being migrated to Workload Security and a full synchronization has been started. This process might take time to complete.
    • Migrated: Cloud accounts have been migrated successfully to Workload Security.
    • Failed: Cloud accounts failed to migrate to Workload Security. Check the error code:
      • Error codes less than 900: Workload Security returned a failure. See the failure system event for the response details, or contact support.
      • Error codes greater than or equal to 900: Deep Security Manager has a problem communicating with Workload Security. Ensure that the Workload Security link is correctly configured, or check server0.log for details.

Migrate VMware vCloud accounts

Currently, you cannot automatically migrate VMware vCloud accounts to Workload Security. However, you can create new VMware vCloud connectors in your Workload Security account to protect them. Trend Micro recommends setting up the connectors before migrating the hosts.

For information on how to set up cloud connectors in Workload Security, see Add virtual machines hosted on VMware vCloud.