Add AWS cloud accounts

You can add your AWS account to Deep Security. This imports all your Amazon EC2 instances into Deep Security Manager. Your EC2 instances appear on the left under Computers > your_AWS_account > your_region > your_VPC > your_subnet.

From there, you can manage them like any other computer.

If you previously added Amazon EC2 instances as individual computers, and they are part of your AWS account, after importing the account, the instances are moved into the tree structure described above.

There are several ways to add AWS accounts to Deep Security Manager:

If you are using Deep Security as a Service, see the Deep Security as a Service version of this article.

• Method: Manager instance role and cross-account role. Use this method if you want to add one or more AWS accounts that do not host Deep Security Manager. With this method, you assign a manager instance role to the EC2 instance that hosts Deep Security Manager. This role is then referenced in cross-account roles under your other AWS accounts, enabling access to all of them.
  You can use this method with these deployment methods:
  • Deep Security AMI from AWS Marketplace
  • Deep Security on-premise, hosted inside AWS
• Method: IAM user and cross-account role. Use this method if you want to add several AWS accounts, and your Deep Security Manager is hosted outside of AWS. With this method, you designate one of your AWS accounts as the 'primary' account, and create an IAM user in this account that is configured to assume cross-account roles to your other AWS accounts.
  Use this method with these deployment methods:
  • Deep Security VM for Azure Marketplace
  • Deep Security on-premise, hosted outside AWS
• Method: Manager instance role (single AWS account). Use this method if you want to add the AWS account where Deep Security Manager is hosted. With this method, you assign a manager instance role to the EC2 instance that hosts Deep Security Manager. Deep Security Manager then uses this role to access the AWS account.
  You can use this method with these deployment methods:
  • Deep Security AMI from AWS Marketplace
  • Deep Security on-premise, hosted inside AWS
• Method: AWS access keys. This method works with all deployment types, but is only recommended under these circumstances:
  • your Deep Security Manager is hosted outside of AWS and you only have one AWS account to add
    OR
  • you have tried another method and it doesn't work

  For all other scenarios, we recommend you use another method. Specifying access keys in Deep Security Manager is discouraged because the keys need to be updated periodically (for security reasons), which creates management overhead.
  With this method, you log in to the AWS account that holds your Amazon EC2 instances and you create an IAM user and access keys. You then specify the access keys in Deep Security Manager, which uses them to access the IAM user and associated AWS account. You can repeat these steps for each AWS account you want to add.

  You can use this method with all deployment methods, specifically: 

  • Deep Security AMI from AWS Marketplace
  • Deep Security on-premise
  • Deep Security Manager VM for Azure Marketplace

Method: Manager instance role and cross-account role

The instructions below assume you have two different AWS accounts...

• AWS DSM Account (where Deep Security Manager resides)
• AWS Account A

...and you want to protect the Amazon EC2 instances in both accounts with Deep Security.

Follow these high-level steps, which are described in detail below:

• Step 1. Log in to the AWS DSM Account, create an IAM policy, create a manager instance role that references the IAM policy and attach it to the Deep Security Manager EC2 instance.
• Step 2. Log in to AWS Account A, configure an IAM policy, and create a cross-account role that references the manager instance role.
• Step 3. In Deep Security Manager, indicate that you're using a manager instance role, and then add AWS DSM Account and AWS Account A.

After completing these steps, Deep Security Manager can use the manager instance role to access AWS DSM Account and see its Amazon EC2 instances. Additionally, Deep Security Manager can access the resources under AWS Account A (indirectly) by way of the cross-account roles that reference the manager instance role.

Step 1. Log in to AWS DSM Account and complete these tasks:

First, log in to AWS DSM Account (the account under which your Deep Security Manager is located) and configure an IAM policy:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create Policy.
4. Select Create Your Own Policy.
5. Give the policy a name and description, then copy the following JSON code into the Policy Document area:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases",
   		 "sts:AssumeRole"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review Policy
7. Give the policy a name and description. For example: Deep_Security_Policy.
8. Click Create Policy. Your policy is now ready to use.

Next, create an EC2 instance role for the EC2 instance where your Deep Security Manager is running:

1. Go to the IAM service.
2. Click Roles.
3. Click Create role.
4. Make sure the AWS service box is selected.
5. Click EC2 from the list of services. More options are revealed.
6. Click EC2 Allows EC2 instances to call AWS services on your behalf. Click Next: Permissions.
7. Select the check box next to the IAM policy you just created. Click Next: Review.
8. Enter a Role name and Role description.
   Example role name: Deep_Security_Manager_Instance_Role
9. Click Create role.
10. Select the role in the list to reveal its details.
11. Look for the Role ARN field at the top of the page. Its value is similar to:
    arn:aws:iam::1234567890:role/Deep_Security_Manager_Instance_Role
    
12. Note the role's account ID in the ARN. It is the number (1234567890). You'll need it later.

Next, attach the manager instance role to the EC2 instance:

1. Go to the EC2 service.
2. Click Instances on the left, and select the check box next to the EC2 instance that hosts your Deep Security Manager.
3. Click Actions > Instance Settings > Attach/Replace IAM Role.
4. From the IAM role drop-down list, select the manager instance role (Deep_Security_Manager_Instance_Role).
5. Click Apply.

You have now created a manager instance role with the correct IAM policy, and attached it to the Deep Security Manager's EC2 instance.

Step 2. Log in to AWS Account A and complete these tasks:

First, log out of AWS and log back in using AWS Account A. This is the account under which some or all of your Amazon EC2 instances are located.

Next, while logged in to AWS Account A, configure an IAM policy for AWS Account A. It is the same as the policy for AWS DSM account, except it does not require the sts:AssumeRole permission:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create policy.
4. Select the JSON tab.
5. Copy the following JSON code into the text box:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review policy.
7. Give the policy a name and description. Example name: Deep_Security_Policy_2.
8. Click Create policy. Your policy is now ready to use.

Next, create a cross-account role that references the manager instance role:

1. Go to the IAM service.
2. In the left navigation pane, click Roles.
3. In the main pane, click Create role.
4. Click the Another AWS account box.
5. In the Account ID field, enter the account ID of the manager instance role.
   If you are using Deep Security AMI from AWS Marketplace or an on-premise version of Deep Security Manager inside AWS, you should have noted the manager instance role's account ID when you created it previously. In this example, it is: 1234567890
   
6. Next to Options, enable Require external ID. In the External ID field, enter a long, random secret string.
7. Note the external ID. You'll need this information later.
8. Click Next: Permissions.
9. Select the IAM policy that you just created (the example name was Deep_Security_Policy_2) and then click Next: Review.
10. On the Review page, enter a role name and description. Example role name: Deep_Security_Role _2.
11. On the main role page, search for the role you just created (Deep_Security_Role_2).
12. Click it.
13. Find the Role ARN field at the top and note the value. You'll need it later. It looks similar to:
    arn:aws:iam::1234567890:role/Deep_Security_Role_2

You now have a cross-account role under AWS Account A that includes the correct policy and references the manager instance role.

Step 3. Log in to Deep Security and complete these tasks:

First, indicate that you want to use a manager instance role:

1. In Deep Security Manager, click Administration at the top.
2. Click System Settings on the left.
3. Click the Advanced tab in the main pane.
4. Scroll to the bottom and look for the Manager AWS Identity section.
5. Make sure Use Manager Instance Role is selected.
6. If Use Manager Instance Role does not appear, make sure that you attached the role to the EC2 instance where Deep Security Manager is installed, and then Restart the Deep Security Manager. On restart, Deep Security detects the role of the manager's EC2 instance and displays the Use Manager Instance Role option.
7. Click Save.

Next, add AWS DSM Account:

1. In Deep Security Manager, click Computers at the top.
2. In the main pane, click Add > Add AWS Account.
3. Select Advanced and then click Next.
4. Select Use Manager Instance Role.
5. Click Next.

Deep Security Manager uses the manager instance role that is attached to its Amazon EC2 instance to add AWS DSM Account's EC2 instances to Deep Security Manager.

Finally, add AWS Account A using its cross-account role:

1. Click Computers at the top.
2. Click Add > Add AWS Account.
3. Select Advanced and click Next.
4. Select Use Cross Account Role.
5. Enter AWS Account A's Cross Account Role ARN and External ID. You noted these earlier, when you created the cross-account role.
6. Click Next.
   AWS Account A's Amazon EC2 instances are loaded.
   

You have now added AWS DSM Account and AWS Account A to Deep Security Manager.

Method: IAM user and cross-account role

The instructions below assume that your Deep Security Manager is outside of AWS and that you have two different AWS accounts...

• AWS Account X (primary)
• AWS Account Y

...and you want to protect the Amazon EC2 instances in these two accounts with Deep Security.

Follow these high-level steps, which are described in detail below:

• Step 1. Log in to AWS Account X (the primary account), configure an IAM policy, create an IAM user with access keys.
• Step 2. Log in to AWS Account Y, configure an IAM policy, and create a cross-account role to AWS Account X.
• Step 3. In Deep Security Manager, add AWS Account X's access key ID and secret
• Step 4. In Deep Security Manager, add AWS Account X and Y.

After completing these steps, Deep Security Manager can use AWS Account X's access key ID and secret to log in to AWS Account X and see its Amazon EC2 instances. Additionally, Deep Security Manager can access the resources under AWS Account Y (indirectly) by way of the cross-account roles that reference AWS Account X.

Step 1. Log in to AWS Account X and complete these tasks:

First, while logged in to AWS Account X, configure an IAM policy:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create Policy.
4. Select Create Your Own Policy.
5. Give the policy a name and description, then copy the following JSON code into the Policy Document area:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases",
   		 "sts:AssumeRole"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review Policy
7. Give the policy a name and description. For example: Deep_Security_Policy.
8. Click Create Policy. Your policy is now ready to use.

Next, create an IAM user with an access key ID and secret:

1. Go to the IAM service.
2. Click Users.
3. Click Add user.
4. Enter a user name. Example: Deep_Security_IAM_User.
5. For Access type, select Programmatic access.
6. Click Next: Permissions.
7. Click the Attach existing policies directly box.
8. Find the IAM policy you just created and select the check box next to it.
9. Click Next: Review.
10. Click Create user. Your access key ID and secret access key are shown in the table.
11. Copy the access key ID and secret access key to a safe location. You'll need them later.

Next, determine AWS Account X's account ID:

1. At the top-right of AWS, click Support > Support Center.
2. Note the Account Number shown at the top-right (1234567890, in this example). You'll need it later to create the cross-account role.

Step 2. Log in to AWS Account Y and complete these tasks:

First, while logged in to AWS Account Y, Configure an IAM policy. It is the same as the policy for AWS Account X, except it does not require the sts:AssumeRole permission:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create policy.
4. Select the JSON tab.
5. Copy the following JSON code into the text box:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review policy.
7. Give the policy a name and description. Example name: Deep_Security_Policy_2.
8. Click Create policy. Your policy is now ready to use.

Next, create a cross-account role that references the Account X:

1. Go to the IAM service.
2. In the left navigation pane, click Roles.
3. In the main pane, click Create role.
4. Click the Another AWS account box.
5. In the Account ID field, enter the account ID of AWS Account X (1234567890, in this example).
6. Next to Options, enable Require external ID. In the External ID field, enter a long, random secret string.
7. Note the external ID. You'll need this information later when adding this account to Deep Security Manager.
8. Click Next: Permissions.
9. Select the IAM policy that you created previously and then click Next: Review.
10. On the Review page, enter a role name and description. Example role name: Deep_Security_Role.
11. On the main role page, search for the role you just created (Deep_Security_Role).
12. Click it.
13. Find the Role ARN field at the top and note the value. You'll need it later when adding this account to Deep Security Manager. It looks similar to:

    arn:aws:iam::544739704774:role/Deep_Security_Role

Step 3. Log in to Deep Security Manager and add the access keys:

1. Click Administration at the top.
2. Click System Setting on the left.
3. Click the Advanced tab in the main pane.
4. Scroll to the bottom and look for the Manager AWS Identity heading.
5. Next to Access Key - The Access Key of an AWS User used for the manager identity, enter the access key of the IAM user you created previously.
6. Next to Secret Key - The Secret Access Key of an AWS User used for the manager identity, enter the secret key of the IAM user that you created previously.
7. Click Save.

Step 4. Still in Deep Security Manager, add AWS Account X and Y:

First, add Account X using its access keys:

1. Click Computers at the top.
2. Click Add > Add AWS Account.
3. Select Use AWS Access Keys.
4. Enter AWS Account X's IAM user Access Key ID and Secret Access Key that you created previously.
   AWS Account X's Amazon EC2 instances are loaded.

Next, add AWS Account Y using its cross-account role:

1. Click Computers at the top.
2. Click Add > Add AWS Account.
3. Select Use Cross Account Role.
4. Enter AWS Account Y's Cross Account Role ARN and External ID.
5. Click Next.
   AWS Account Y's Amazon EC2 instances are loaded.
   

You have now added AWS Account X and Y to Deep Security Manager.

Method: Manager instance role (single AWS account)

First, log in to AWS using the account that holds your Deep Security Manager and configure an IAM policy:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create policy.
4. Select the JSON tab.
5. Copy the following JSON code into the text box:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review policy.
7. Give the policy a name and description. Example name: Deep_Security_Policy_2.
8. Click Create policy. Your policy is now ready to use.

Next, create an IAM role that includes the IAM policy. This is called the 'manager instance role'.

Next, attach the manager instance role to the EC2 instance where Deep Security Manager is hosted:

1. Log in to AWS using the account that holds your Deep Security Manager.
2. Go to the EC2 service.
3. Click Instances on the left, and select the check box next to the EC2 instance that hosts your Deep Security Manager.
4. Click Actions > Instance Settings > Attach/Replace IAM Role.
5. From the IAM role drop-down list, select the manager instance role.
6. Click Apply.

Finally, add your AWS account to Deep Security Manager:

1. In the Deep Security Manager, click Computers at the top.
2. Click Add > Add AWS Account
3. Select Use Manager Instance Role.
4. If Use Manager Instance Role does not appear, make sure that you attached the manager instance role to the EC2 instance where Deep Security Manager is installed, and then Restart the Deep Security Manager. On restart, Deep Security detects the role of the manager's EC2 instance and displays the Use Manager Instance Role option.
5. Click Next.

Your Amazon EC2 instances under your AWS account are loaded.

Method: AWS access keys

First, log in to AWS using the account that holds the Amazon EC2 instances that you want to protect.

Next, configure an IAM policy:

1. Log in to your Amazon Web Services Console and go to the IAM service.
2. In the left navigation pane, click Policies.

   If this is your first time on this page, you'll need to click Get Started.

3. Click Create policy.
4. Select the JSON tab.
5. Copy the following JSON code into the text box:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "cloudconnector",
               "Action": [
                   "ec2:DescribeImages",
                   "ec2:DescribeInstances",
                   "ec2:DescribeRegions",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeTags",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeSecurityGroups",
                   "iam:ListAccountAliases"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }

6. Click Review policy.
7. Give the policy a name and description. Example name: Deep_Security_Policy_2.
8. Click Create policy. Your policy is now ready to use.

Next, create an IAM user account:

1. Go to the IAM service.
2. Click Users.
3. Click Add user.
4. Enter a user name. Example: Deep_Security_IAM_User.
5. For Access type, select Programmatic access.
6. Click Next: Permissions.
7. Click the Attach existing policies directly box.
8. Find the IAM policy you just created and select the check box next to it.
9. Click Next: Review.
10. Click Create user. Your access key ID and secret access key are shown in the table.
11. Copy the access key ID and secret access key to a safe location. You'll need them later.

Finally, add your AWS account to Deep Security:

1. In the Deep Security Manager, click Computers at the top.
2. In the main pane, click Add > Add AWS Account.
3. Select Advanced and click Next.
4. Select Use AWS Access Keys.
5. Specify the Access Key ID and Secret Access Key that you generated when you created the IAM user.
6. Click Next.

Your Amazon EC2 instances under your AWS account are loaded.

Edit a cloud account

You can edit a cloud account's settings in Deep Security Manager:

1. Log in to Deep Security Manager.
2. Click Computers at the top.
3. On the left, right-click your cloud account name and select Properties.
4. Edit the settings and click OK.

Remove a cloud account from the manager

Removing a cloud account from Deep Security Manager permanently removes the account from the Deep Security database as well as its underlying computers. Your account with your cloud provider is unaffected and any Deep Security Agents that were installed on the instances are still installed, running, and providing protection (although they will no longer receive security updates). If you decide to re-import computers from the cloud account, the Deep Security Agents download the latest security updates at the next scheduled opportunity.

1. In Deep Security Manager, click Computers at the top.
2. In the navigation panel, right-click the cloud account and select Remove Cloud Account.
3. Confirm that you want to remove the account.
   The account is removed from the Deep Security Manager.

Synchronize an AWS account

When you synchronize (sync) an AWS account, Deep Security Manager connects to the AWS API to obtain and display the latest set of AWS EC2 and WorkSpace instances.

To force a sync immediately:

1. In Deep Security Manager, click Computers.
2. On the left, right-click your AWS account and select Synchronize Now.

There is also a background sync that occurs every 10 minutes, and this interval is not configurable. If you force a sync, the background sync is unaffected and continues to occur according to its original schedule.