Deep Security Manager 10 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

What does the cloud formation template do when I add an AWS account?

The cloud formation template creates a cross-account role that has both a unique external ID and a policy that allows Deep Security to access your AWS resources.

To accomplish this, the template first creates a temporary role with the necessary Deep Security permissions. Using this role, it starts an EC2 instance that performs the following actions:

Creates the cross-account role for Deep Security.
Obtains the Amazon Resource Name (ARN) of the cross-account role.
Sends the ARN to the Deep Security API.

Once the above is finished, the EC2 instance shuts itself down.

The EC2 instance cannot delete the original temporary role: after your AWS account has been added to Deep Security, you must remove it by deleting the cloud formation stack.

For more details, you can view the content of the cloud formation template directly in AWS by editing it during the template selection process.