Endpoint Security (EPS) - AMS Advanced Onboarding Guide

Endpoint Security (EPS)

Resources that you provision in your AMS Advanced environment automatically include the installation of an endpoint security (EPS) monitoring client. This process ensures that the AMS Advanced-managed resources are monitored and supported 24x7. In addition, AMS Advanced monitors all agent activity, and an incident is created if any security event is detected.


Security incidents are handled as incidents; for more information, see Incident response.

Endpoint Security provides anti-malware protection. Specifically, the following actions are supported:

  • EC2 instances register with EPS

  • EC2 instances deregister from EPS

  • EC2 instances real-time anti-malware protection

  • EPS agent-initiated heartbeat

  • EPS restore quarantined file

  • EPS event notification

  • EPS reporting

AMS Advanced uses Trend Micro for endpoint security (EPS). These are the default EPS settings. To learn more about Trend Micro, see the Trend Micro Deep Security Help Center; note that non-Amazon links may change without notice to us.

AMS Advanced Multi-Account Landing Zone (MALZ) default settings are described in the following sections; for non-default AMS multi-account landing zone EPS settings, see AMS Advanced Multi-Account Landing Zone EPS non-default settings.


You can bring your own EPS; see AMS bring your own EPS.

General EPS settings

Endpoint security general network settings.

EPS defaults

Setting | Default
Firewall Ports (Instances’ Security Group) | EPS Deep Security Manager agents (DSMs) must have port 4120 open for the Agent/Relay to Manager communication, and port 4119 for the Manager Console. EPS Relays must have port 4122 open for the Manager/Agent to Relay communication. No specific ports should be open for customer instance inbound communication because agents initiate all requests.
Communication Direction | Agent/Appliance Initiated
Heartbeat Interval | Ten minutes
Number of missed heartbeats before an alert |
Maximum allowed drift (difference) between server times |
Raise offline errors for inactive (registered, but not online) virtual machines |
Default policy | Base policy (described next)
Activation of multiple computers with the same host name | Is allowed
Alerts for pending updates are raised | After seven days
Update source | Trend Micro Update Server (https://ipv6-iaus.trendmicro.com/iau_server.dll/)
Event or log data deletion | Events and logs are deleted from the DSM database after seven days.
Agent software versions are held | Up to five
Most recent rule updates are held | Up to ten
Logs storage | By default, log files are stored securely in Amazon S3, but you can also archive them to Amazon Glacier to help meet audit and compliance requirements.
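The firewall-port defaults above can be checked against a security group's inbound rules. The following is an added example, not AMS or Trend Micro code; the role names, the `audit` and `covers` helpers, and the sample rules are constructed for illustration, and the rule dictionaries are assumed to follow the `IpPermissions` shape returned by `aws ec2 describe-security-groups`.

```python
# Added example: audit inbound security-group rules against the EPS port defaults.
# Role names and sample data are assumptions made for this illustration.

# Inbound TCP ports each role needs, per the Firewall Ports setting above.
REQUIRED_INBOUND = {
    "manager": {4119, 4120},  # Manager Console; Agent/Relay to Manager
    "relay": {4122},          # Manager/Agent to Relay
    "agent": set(),           # agents initiate all requests, so nothing inbound
}
EPS_PORTS = {4119, 4120, 4122}


def covers(rule, port):
    """Return True if one IpPermissions entry allows inbound TCP on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit(role, ip_permissions):
    """Return (missing, unneeded) EPS ports for a security group of `role`."""
    open_ports = {p for p in EPS_PORTS
                  if any(covers(r, p) for r in ip_permissions)}
    required = REQUIRED_INBOUND[role]
    return sorted(required - open_ports), sorted(open_ports - required)


# Constructed sample rules (not taken from a real account).
SAMPLE_GROUPS = {
    "manager": [{"IpProtocol": "tcp", "FromPort": 4119, "ToPort": 4120}],
    "relay": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}],
    "agent": [{"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 5000},
              {"IpProtocol": "udp", "FromPort": 4122, "ToPort": 4122}],
}

if __name__ == "__main__":
    for role, rules in SAMPLE_GROUPS.items():
        missing, unneeded = audit(role, rules)
        print(f"{role}: missing={missing} unneeded={unneeded}")
```

The check looks only at ports and protocol; it does not evaluate the source CIDR or source security group of each rule, which should be reviewed separately.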

Base policy

Endpoint security base policy default settings.

EPS base policy
Setting Default

Enabled Modules


Disabled Modules

Web Reputation


Intrusion Protection

Integrity Monitoring

Log Inspection

Application Control


Endpoint security anti-malware settings.

EPS anti-malware defaults
Setting Default Notes

Real-Time Scan

Scan everything

Quarantine all suspected viruses. Enable IntelliTrap and spyware/grayware protection.

Spyware and Grayware trigger Anti-Malware and result in a quarantine of the item.

Every Day/All Day (24 hours)

Manual Scan

Scan everything

Must be requested, then follows default real-time scan configuration.

Scheduled Scan

Scan everything

Set for the last Sunday of every month, 6am.

Smart Protection



Quarantined Files

Trend Micro Deep Security Manager (DSM)

Approximately 1 GB of disk space is reserved for quarantine.

Scan Limitation

Trend Micro DSM

Scan files of all sizes.

Allowed Spyware or Grayware



Local Event Notification