Use the AMS "bring your own end point security" (BYOEPS) feature to replace the default Trend Micro Deep Security agent with your own end point security (EPS) solution, or with your own Trend Micro license. If you already have cost-effective licenses for products other than Trend Micro Deep Security, a team that provides your EPS, or a specific EPS tool that you want to use, then use BYOEPS in your instances.
BYOEPS works at the account level. Your instances in the account either use BYOEPS or the default, AMS-managed EPS:
multi-account landing zone (MALZ): You designate application accounts that use BYOEPS or managed EPS.
single-account landing zone (SALZ): Your AMS accounts use BYOEPS or managed EPS.
BYOEPS reduces your AWS bill by the cost of Trend Micro Deep Security. You continue to incur a cost for EPS because the AMS-managed EPS is still required to protect the AMS-created and maintained EC2 instances that are required for access management (bastions and management hosts). To calculate the total cost impact, you must account for the cost of licenses for your new tool and the cost of managing EPS at the service levels that you need.
The use of BYOEPS changes the AMS roles and responsibilities for security management:
R stands for responsible party that does the work to achieve the task.
C stands for consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.
I stands for informed; a party which is informed on progress, often only on completion of the task or deliverable.
Security management | Customer | AWS Managed Services |
---|---|---|
Maintaining valid licenses of Managed EPS for EC2 instances of AMS Shared Services | R | C |
Configure Managed EPS for EC2 instances of AMS Shared Services | I | R |
Update Managed EPS for EC2 instances of AMS Shared Services | I | R |
Monitoring malware on EC2 instances of AMS Shared Services | I | R |
Maintaining and updating virus signatures for EC2 instances of AMS Shared Services | I | R |
Remediating instances infected with malware for EC2 instances of AMS Shared Services | C | R |
When you use BYOEPS, you lose one of the security controls offered by AMS. You still have security management provided through tools such as Amazon GuardDuty and Amazon Macie, and through process controls such as reviews of IAM configurations. The use of BYOEPS doesn't affect AMS compliance certifications and attestations. However, many security frameworks and certifications have requirements for protection from malware and malicious code. To help keep your account secure and in compliance, evaluate your planned controls to make sure that they meet the security requirements for your workload's compliance certifications.
Turn on BYOEPS for your account
The process to turn on BYOEPS contains three stages and uses several RFCs. Review the following information to learn about the three stages required to turn on BYOEPS. Then, coordinate with your CSDM to turn on BYOEPS for your account.
Stage 1: Prerequisites
The default Amazon EC2 instance profile is customer-mc-ec2-instance-profile. If you use a different Amazon EC2 instance profile in addition to the default profile, then allow the ssm:GetParameter action for the /ams/end-point-security resource in your EC2 instance profile. If you can't update EC2 instance profiles, then submit an RFC that specifies the instance profiles that you need to update.
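The prerequisite above is a least-privilege grant: the instance profile only needs ssm:GetParameter on the single /ams/end-point-security parameter. The following is an added example, not AMS code or part of this page: it builds that IAM statement and runs a minimal IAM-style check (explicit Deny wins, otherwise any matching Allow) over a profile's policy documents to confirm the permission is present. The parameter ARN form, the sample S3-only policy and the placeholder account ID 111122223333 are assumptions, not values from the page.

```python
"""Added example, not AMS code: build the IAM statement that lets a custom
EC2 instance profile read the /ams/end-point-security SSM parameter, and
check a profile's policy documents for that permission with a minimal
IAM-style evaluator (explicit Deny wins, otherwise any matching Allow)."""
import fnmatch
import re

PARAMETER_NAME = "/ams/end-point-security"  # parameter named on the page


# Assumption: the parameter ARN follows the standard SSM form
# arn:aws:ssm:<region>:<account-id>:parameter/<name without its leading slash>.
def byoeps_parameter_arn(region: str, account_id: str) -> str:
    return f"arn:aws:ssm:{region}:{account_id}:parameter{PARAMETER_NAME}"


def byoeps_policy_statement(region: str, account_id: str) -> dict:
    """Least-privilege statement: only ssm:GetParameter, only this parameter."""
    return {
        "Sid": "AllowReadAmsEndPointSecurityParameter",
        "Effect": "Allow",
        "Action": "ssm:GetParameter",
        "Resource": byoeps_parameter_arn(region, account_id),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM treats * and ? as wildcards; action names are case-insensitive,
    # resource ARNs are case-sensitive.
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(fnmatch.translate(pattern), value, flags) is not None


def allows(policies: list, action: str, resource: str) -> bool:
    """True if the combined policy documents permit action on resource.
    Simplification: handles Action/Resource only (no NotAction, NotResource,
    Condition or permissions boundaries)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            action_hit = any(_matches(a, action, True)
                             for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(r, resource, False)
                               for r in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


# Constructed sample: a custom instance-profile policy that only grants S3
# reads, so an instance using it could not read the BYOEPS parameter.
# 111122223333 is a placeholder account ID.
CUSTOM_PROFILE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
    ],
}


def check_profile(policies, region="us-east-1", account_id="111122223333"):
    """Can an instance using these policies read the BYOEPS parameter?"""
    return allows(policies, "ssm:GetParameter",
                  byoeps_parameter_arn(region, account_id))


def with_byoeps_access(policy, region="us-east-1", account_id="111122223333"):
    """Return a copy of policy with the BYOEPS statement appended."""
    statements = list(_as_list(policy.get("Statement", [])))
    statements.append(byoeps_policy_statement(region, account_id))
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    print("custom profile before:", check_profile([CUSTOM_PROFILE_POLICY]))
    print("custom profile after: ",
          check_profile([with_byoeps_access(CUSTOM_PROFILE_POLICY)]))
```

The evaluator is deliberately small; for an authoritative answer on a real profile, use the IAM policy simulator (SimulatePrincipalPolicy), which also accounts for conditions, boundaries and service control policies. The point the example makes is the shape of the grant: one action, one resource ARN, no `ssm:*` or `Resource: "*"`.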
Understand the scope of this change.
Deployments through an AMS automated change type (CT) allow you to specify the AMI used in creation.
To use BYOEPS with accounts that use AMS-managed EPS, you must work with AMS to uninstall the Trend Micro agents from those EC2 instances, and to update the AMS code (for example, boot scripts) on those instances. These actions might require a reboot, so it's a best practice to perform these actions as part of a maintenance window. Contact your CSDM to identify a maintenance window to perform this activity and to create a migration plan. For the migration plan, consider the following questions:
How many instances do you need to migrate? Divide the total number of instances into smaller, incremental batches.
How will you divide the instances in batches? For example, you might divide by resource groups and create a list to share with the AMS operations team.
How much time will each batch take? How much total time is required? Consider that you might want to install your preferred EPS tooling in the same maintenance window. How much time will this take?
Your CSDM shares the migration plan with the AMS operations team. If your instance fleet is above 50, then work with your CSDM to create a planned event using the planned event management (PEM) process. For more information, see Planned event management in AWS Managed Services.
AMS Operations coordinates with your CSDM and advises how to submit RFCs in accordance with your maintenance windows, based upon the number of instances in your account.
Update EC2 instance launch automations or processes using custom or AMS AMIs to use AMS AMIs released after December 2020.
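The migration-plan questions above (how many instances, how to batch them, how long each batch and the whole migration take, and whether the fleet is above the 50-instance PEM threshold) can be answered from an instance inventory. The following is an added example, not AMS code: it groups instances by resource group, cuts each group into batches of a chosen size so that a batch maps to one line in the list shared with AMS operations, estimates per-batch and total time, and flags whether a planned event is required. The sample fleet, the per-instance minutes and the assumption that instances in a batch are handled one after another are constructed for the example.

```python
"""Added example, not AMS code: turn an instance inventory into a BYOEPS
migration plan. Instances are grouped by resource group, cut into batches of
a chosen size, each batch gets a time estimate, and the plan flags when the
fleet is large enough to need a planned event (PEM)."""
from collections import defaultdict
from dataclasses import dataclass

PEM_THRESHOLD = 50  # from the page: fleets above 50 instances go through PEM


@dataclass(frozen=True)
class Instance:
    instance_id: str
    resource_group: str


def plan_batches(instances, batch_size):
    """Group by resource group, then chunk each group into batches of at most
    batch_size. A batch never mixes resource groups, so each batch maps to
    one line in the list shared with AMS operations."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    groups = defaultdict(list)
    for inst in instances:
        groups[inst.resource_group].append(inst.instance_id)
    batches = []
    for group in sorted(groups):
        ids = sorted(groups[group])
        for start in range(0, len(ids), batch_size):
            batches.append({"resource_group": group,
                            "instances": ids[start:start + batch_size]})
    return batches


def requires_planned_event(instances):
    """The page's rule: a fleet above 50 instances needs the PEM process."""
    return len(instances) > PEM_THRESHOLD


def estimate_minutes(batches, ams_minutes_per_instance, eps_install_minutes_per_instance):
    """Assumption: instances in a batch are handled one after another. AMS
    updates the boot scripts and removes the agent, then you install your EPS.
    Returns (per-batch minutes, total minutes)."""
    per_instance = ams_minutes_per_instance + eps_install_minutes_per_instance
    per_batch = [len(b["instances"]) * per_instance for b in batches]
    return per_batch, sum(per_batch)


def build_plan(instances, batch_size, ams_minutes_per_instance, eps_install_minutes_per_instance):
    """Assemble the answers to the Stage 1 planning questions in one place."""
    batches = plan_batches(instances, batch_size)
    per_batch, total = estimate_minutes(
        batches, ams_minutes_per_instance, eps_install_minutes_per_instance)
    return {
        "batches": batches,
        "batch_minutes": per_batch,
        "total_minutes": total,
        "planned_event_required": requires_planned_event(instances),
    }


# Constructed sample fleet: seven instances in three resource groups.
SAMPLE_FLEET = [
    Instance("i-0a1", "web"), Instance("i-0a2", "web"),
    Instance("i-0a3", "web"), Instance("i-0a4", "web"),
    Instance("i-0b1", "api"), Instance("i-0b2", "api"),
    Instance("i-0c1", "jobs"),
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_FLEET, batch_size=3,
                      ams_minutes_per_instance=10, eps_install_minutes_per_instance=15)
    for batch, minutes in zip(plan["batches"], plan["batch_minutes"]):
        print(f"{batch['resource_group']:>5}: {batch['instances']} ~{minutes} min")
    print("total:", plan["total_minutes"], "min; PEM required:",
          plan["planned_event_required"])
```

Feed the real inventory (for example, from your resource-group tags) into `build_plan` and compare the total against the maintenance window agreed with your CSDM; if the fleet exceeds 50 instances, the plan output tells you to start the PEM process before scheduling RFCs.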
Stage 2: Enable BYOEPS in your account
When you use BYOEPS in your account, the responsibilities that AMS has for security management change. Consult your security and cloud platform team before you enable BYOEPS.
To request BYOEPS for your account, submit a "MOO" update RFC (Management | Other | Other | Update) with ct-0xdawir96cy7k, with the following details:
Please enable BYOEPS for this account/these accounts. Account IDs: <IDs for the accounts for BYOEPS>.
AMS deploys parameter store updates to the account and updates the default instance profile and policy.
Note
Accounts with new instance launches that use the latest AMS AMIs can skip Trend Micro agent installation. AMIs older than December 2020 don't support the BYOEPS feature. Update automations that use old AMIs to use the latest AMS AMIs with BYOEPS feature support.
For existing EC2 instance handling, see Stage 3: Instance migration.
Stage 3: Instance migration
Use one of the following options to migrate your instances, depending on your use case. If you are unsure of which option to choose, contact your CA or CSDM.
Accounts with EC2 instances that use AMS-managed EPS
During the maintenance window, in alignment with planning from Stage 1, the following actions are performed on each instance that needs to be onboarded to BYOEPS in the batches that have been communicated by your CSDM:
Performed by AMS: Update AMS code (boot scripts, modules, and so on) to the latest versions. This is required because old AMS boot scripts don't support BYOEPS and reinstall the Trend Micro agent on every boot. Also, uninstall the Trend Micro agent.
Performed by you: Install and configure your preferred EPS tool.
Important
Trend Micro Agent provides malware protection. Make sure that you install an appropriate replacement to secure your instances.
Accounts without EC2 instances that use AMS-managed EPS
Accounts with new instance launches that use the latest AMS AMIs can skip Trend Micro agent installation. AMIs older than December 2020 don't support the BYOEPS feature. Update automations that use old AMIs to use the latest AMS AMIs with BYOEPS feature support.
Add your agent on EC2 instances
You can use AMS Patterns to deploy agents of tools such as CrowdStrike or Qualys. Submit a service request for assistance.