Integrate with AWS Control Tower

Integrate Deep Security with AWS Control Tower to ensure that every account added through Control Tower Account Factory is automatically provisioned in Deep Security, providing centralized visibility to the security posture of EC2 instances deployed in each account as well as the foundation for policy and billing automation.


The Lifecycle Hook solution provides a CloudFormation template which, when launched in the Control Tower Master Account, deploys AWS infrastructure to ensure Deep Security monitors each Account Factory AWS account automatically. The solution consists of 2 Lambda functions; one to manage our role and access Deep Security, and another to manage the lifecycle of the first Lambda. AWS Secrets Manager is leveraged to store the API key for Deep Security in the Master account and a CloudWatch Events rule is configured to trigger the customization Lambda when a Control Tower account is successfully deployed.

Once Deep Security is integrated with AWS Control Tower, it will be implemented in the following way:

  1. During stack launch, the lifecycle Lambda is executed for each existing Control Tower Account, including the Control Tower Master, Audit, and Log accounts.
  2. After launch, a CloudWatch Event rule triggers the lifecycle Lambda for each successful Control Tower CreateManagedAccount event.
  3. The lifecycle Lambda function retrieves the Deep Security Api Key from AWS Secrets Manager, then gets the External ID for your organization from the Deep Security API.
  4. The Lambda function assumes the ControlTowerExecution role in the target Managed Account in order to create the necessary cross account role and associated policy.
  5. A call is made to the Deep Security API to add this Managed Account to your tenant.

Integrate with AWS Control Tower

  1. Deploy Deep Security Manager to the AWS Control Tower designated shared security account. We recommend deploying Deep Security Quickstart into your Control Tower Security account and leveraging a public facing ELB in the quickstart deployment to create connectivity between workloads Managed Accounts and the Deep Security Manager.
  2. When the CloudFormation stack has launched successfully, record the DeepSecurityConsole value from the top level CloudFormation template. You will need this URL to sign in to the console and to configure the multi-account integration.
  3. In Deep Security Manager, go to Administration > User Management > API Keys and click New. Select a name for the key and the Full Access role. Be sure to save the key as it cannot be retrieved later. This key will be used to authenticate the automation from the AWS Control Tower Master to the console API. For more information, see Create an API key for a user.
  4. Sign in to the AWS Control Tower master account. Navigate to the CloudFormation Service, select the region in which AWS Control Tower was deployed, and launch the lifecycle template.
  5. In the lifecycle template, enter your API Key generated in step 3. Next, enter the FQDN of your console (without https://) which was displayed as the DeepSecurityConsole value recorded in step 2.
  6. Select the box acknowledging that AWS CloudFormation might create IAM resources. Select Create Stack, and the integration will start adding your AWS accounts to Deep Security.
  7. Once all your accounts have been imported, Install the agent and activate protection.

Upgrade the AWS Control Tower integration

As new capabilities are added to Deep Security, it might be necessary to update the permissions for the application's cross-account role. To update the role deployed by the lifecycle hook, update the Deep Security stack with the latest template, which can be found at its original URL. The parameter values should not be modified from their original values unless directed by Trend Micro Support. Updating the CloudFormation stack will update the role used by all existing accounts and the role created for future enrollments.

Remove AWS Control Tower integration

To remove the lifecycle hook, identify and delete the CloudFormation stack. Protection for Managed Accounts which have already been added will remain in place. For details on removing an AWS account from Deep Security see, Remove an AWS account.