AMS bring your own EPS - AMS Advanced User Guide


You can use the AMS "bring your own end point security" (BYOEPS) feature to replace the default Trend Micro Deep Security agent with your own end point security solution, or Trend Micro license.

If you already have cost-effective licenses for products other than Trend Micro Deep Security, a team that provides your EPS, or a requirement to use a specific EPS tool, use BYOEPS in your instances.

BYOEPS works at an account level and your instances in the account either use BYOEPS or the default, AMS-managed EPS:

  • multi-account landing zone (MALZ): You designate application accounts where you use BYOEPS or managed EPS.

  • single-account landing zone (SALZ): Your AMS accounts use BYOEPS or managed EPS.

If you use BYOEPS, your AWS bill is reduced by the cost of Trend Micro Deep Security; however, you still incur a cost for EPS, because AMS-managed EPS is still required to protect the AMS-created and maintained EC2 instances used for access management (bastions and management hosts). To calculate the total cost impact, you need to account for the cost of licenses for your new tool, and the cost of managing EPS at the service levels you need.

The use of BYOEPS changes the AMS roles and responsibilities for security management:

  • R stands for responsible party that does the work to achieve the task.

  • C stands for consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.

  • I stands for informed; a party which is informed on progress, often only on completion of the task or deliverable.

Security management                                                                    Customer   AWS Managed Services

Maintaining valid licenses of Managed EPS for EC2 instances of AMS Shared Services     R          C

Configure Managed EPS for EC2 instances of AMS Shared Services                         I          R

Update Managed EPS for EC2 instances of AMS Shared Services                            I          R

Monitoring malware on EC2 instances of AMS Shared Services                             I          R

Maintaining and updating virus signatures for EC2 instances of AMS Shared Services     I          R

Remediating instances infected with malware for EC2 instances of AMS Shared Services   C          R

When you use BYOEPS, you lose one of the security controls offered by AMS, but security management is still provided through tools such as AWS GuardDuty and AWS Macie, and through process controls such as reviews of IAM configuration, to ensure the security of your AWS account. AMS compliance certifications and attestations are not affected if you use BYOEPS. However, many security frameworks and certifications have requirements for protection from malware and malicious code. To ensure account security and compliance, evaluate whether your planned controls meet the security requirements of the compliance certifications needed for your workload.

Using BYOEPS

After ensuring that you want to use your own EPS solution, you are ready to request and begin using AMS BYOEPS.

Pre-requisites:

  1. If you use an EC2 instance profile in addition to the default EC2 instance profile, customer-mc-ec2-instance-profile, add a policy to that instance profile that allows the ssm:GetParameter action on the /ams/end-point-security parameter.

  2. Update EC2 instance launch automations or processes using custom or AMS AMIs to use AMS AMIs released after December 2020.
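An IAM policy statement of the kind the first prerequisite describes, added here as an example and not taken from the AMS guide; REGION and ACCOUNT_ID are placeholders you replace with your own values, and the parameter ARN format is assumed from the standard Systems Manager ARN layout (the Resource is scoped to the single /ams/end-point-security parameter rather than a wildcard, so the boot scripts can read the BYOEPS setting without the instance role gaining read access to any other parameter):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadAmsEndPointSecurityParameter",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/ams/end-point-security"
    }
  ]
}
```

Attach this as an inline or managed policy to the role behind your additional instance profile, and verify from an instance launched with that profile that `aws ssm get-parameter --name /ams/end-point-security` succeeds before relying on the new AMIs.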

Enable BYOEPS:

The use of BYOEPS changes the AMS responsibilities for Security Management. Consult your security and cloud platform team before enabling BYOEPS.

Request use of BYOEPS by submitting a "MOO" update RFC (Management | Other | Other | Update) with ct-0xdawir96cy7k, with the following details:

Please enable BYOEPS for this account/these accounts.
Account IDs: IDs for the accounts for BYOEPS.

Accounts with EC2 instances using AMS-managed EPS:

If the accounts that you want BYOEPS for are using AMS-managed EPS, you need to work with AMS to uninstall the Trend Micro agents from those EC2 instances and to update the AMS code (that is, the boot scripts) on those instances. It is best to do this as part of a maintenance window, as it may require a reboot. After AMS receives the MOO RFC, your cloud service delivery manager (CSDM) contacts you to decide on a maintenance window for this activity and to create a migration plan. A few things to consider as you plan:

  • How many instances do you need to migrate in total? Divide the total number of instances into smaller, incremental batches.

  • How would you divide the instances into batches? Options include grouping by resource group, or creating a list that can be shared with Operations.

  • How much time would each batch take? How much total time is required? Consider that you might want to install your preferred EPS tooling in the same maintenance window. How much time would this take?

Share this information with the AMS Operations engineers performing the migration, for example as a spreadsheet or another clear communication sent to your CSDM.

During the maintenance window, the following actions are performed on each instance that needs to be on-boarded to BYOEPS:

  • Performed by AMS: Update the AMS code (boot scripts, modules, and so on) to the latest version. This is required because old AMS boot scripts do not support BYOEPS and reinstall the Trend Micro agent on every boot. Then uninstall the Trend Micro agent.

  • Performed by you: Install and configure your preferred EPS tooling.

Accounts without EC2 instances using AMS-managed EPS:

Accounts whose new instances launch from the latest AMS AMIs can skip Trend Micro agent installation. Do not launch instances with AMIs older than December 2020, as they do not support BYOEPS. Update any automation that uses old AMIs to use the latest AMS AMIs with BYOEPS support. Once the feature is enabled, AMS confirms the action on the RFC.

Adding your agent on EC2 instances:

For help with deploying agents for tools such as CrowdStrike or Qualys, you can use AMS Patterns. Submit a service request for help.