Add AWS cloud accounts

To review the considerations involved in scoping your environment and identifying workloads, watch Deep Security 12 - Scoping Environment Pt. 1 - Identifying Workloads on YouTube.

When you add an AWS account to Deep Security, all the Amazon EC2 and Amazon WorkSpace instances under that account are imported into Deep Security Manager and become visible in one of these locations:

  • EC2 instances appear on the left under Computers > your_AWS_account > your_region > your_VPC > your_subnet
  • Amazon WorkSpaces appear on the left under Computers > your_AWS_account > your_region > WorkSpaces

Once imported, the EC2 and WorkSpace instances can be managed like any other computer. The account, region, VPC, subnet and WorkSpaces nodes of this tree are treated as computer groups.

If you previously added Amazon EC2 instances or Amazon WorkSpaces as individual computers, and they are part of your AWS account, after importing the account, the instances are moved into the tree structure described above.

What are the benefits of adding an AWS account?

The benefits of adding an AWS account (through Deep Security Manager > Computers > Add AWS Account) instead of adding individual EC2 instances and WorkSpaces (through Deep Security Manager > Computers > Add Computer), are:

  • Changes in your EC2 and WorkSpaces inventory are automatically reflected in Deep Security Manager. For example, if you delete a number of EC2 or WorkSpace instances in AWS, those instances disappear automatically from the manager. By contrast, if you use Computers > Add Computer, EC2 and WorkSpace instances that are deleted from AWS remain visible in the manager until they are manually deleted.
  • Your EC2 and WorkSpace instances are organized into AWS region > VPC > subnet in the manager, which lets you easily see which instances are protected and which are not. Without the AWS account, all your EC2 and WorkSpace instances appear at the same root level under Computers.
  • You get AWS metadata, which can be used in event-based tasks (EBTs) to simplify policy assignment. You can also use metadata with smart folders to organize your AWS instances.
  • Instances are billed correctly under the Deep Security AMI from AWS Marketplace hourly pricing.

What AWS regions are supported?

Deep Security Manager's Computers > Add > Add AWS Account option only supports AWS regions that use the global AWS Identity and Access Management (IAM) service at iam.amazonaws.com. To determine whether your region uses the global service, see this table.

At the time of writing, the following regions do not use the global IAM service (iam.amazonaws.com):

  • China (Beijing)
  • China (Ningxia)
  • AWS GovCloud (US-East)
  • AWS GovCloud (US)

For the regions listed above, and any others that might not use the global IAM service, you can still load your EC2 and WorkSpace instances into the manager using the Deep Security REST API. Trend Micro has provided this sample script for your use.

Overview of methods for adding AWS accounts

There are several ways to add AWS accounts to Deep Security Manager:

  • Method: IAM user and cross-account role. Use this method if you want to add several AWS accounts, and Deep Security Manager is outside of AWS.

    You can use this method with:

    • Deep Security VM for Azure Marketplace
    • Deep Security on-premise on a server outside AWS
  • Method: AWS access keys. This method is only recommended if your Deep Security Manager is on a server outside of AWS and you only have one AWS account to add, or if you have tried another method and it doesn't work.

    For all other scenarios, we recommend you use another method. Specifying access keys in Deep Security Manager is discouraged because access keys are long-lived static credentials: they must be rotated periodically (for security reasons), which creates management overhead, and anyone who obtains them from the manager's configuration can use them until they are rotated. A cross account role avoids both problems, because the manager then works with short-lived temporary credentials.

    You can use this method with:

    • Deep Security AMI from AWS Marketplace
    • Deep Security on-premise
    • Deep Security Manager VM for Azure Marketplace
  • Method: Manager instance role and cross-account role. Use this method if Deep Security Manager itself runs on an Amazon EC2 instance: the manager uses the IAM role attached to its own EC2 instance (the manager instance role) to add the account it runs in, and a cross account role in each other account, whose trust policy references that instance role, to add the other accounts.

Method: Manager instance role and cross-account role

The steps below assume that Deep Security Manager runs on an Amazon EC2 instance in the account called AWS DSM Account, that an IAM role (the manager instance role) is attached to that instance, and that a second account, AWS Account A, also contains Amazon EC2 and WorkSpace instances that you want to protect.

Next, create a cross account role that references the manager instance role:

You now have a cross account role under AWS Account A that includes the correct policy and references the manager instance role.

Add the AWS accounts to Deep Security Manager

First, indicate that you want to use a manager instance role:

Next, add the AWS DSM Account:

Deep Security Manager uses the manager instance role that is attached to its Amazon EC2 instance to add AWS DSM Account's EC2 and WorkSpace instances to Deep Security Manager.

Finally, add AWS Account A using its cross account role:

You have now added AWS DSM Account and AWS Account A to Deep Security Manager.

Method: IAM user and cross-account role

For an overview of this method, see Overview of methods for adding AWS accounts.

The instructions below assume that your Deep Security Manager is outside of AWS, and that you have two different AWS accounts that contain Amazon EC2 and WorkSpace instances that you want to protect. In this example, the account names are:

  • AWS Account X (primary)
  • AWS Account Y

Follow these high-level steps, which are described in detail below:

  1. Configure AWS Account X: Log in to AWS Account X (the primary account), configure an IAM policy, and create an IAM user with access keys.
  2. Configure AWS Account Y: Log in to AWS Account Y, configure an IAM policy, and create a cross account role that trusts AWS Account X.
  3. Add the access keys to Deep Security Manager: In Deep Security Manager, add AWS Account X's access key ID and secret access key.
  4. Add the AWS accounts to Deep Security Manager: In Deep Security Manager, add AWS Account X and AWS Account Y.

After completing these steps, Deep Security Manager can use AWS Account X's access key ID and secret access key to sign in to AWS Account X and see its Amazon EC2 and Amazon WorkSpace instances. It can also reach the resources in AWS Account Y indirectly, by assuming the cross account role in AWS Account Y that trusts AWS Account X.

Configure AWS Account X

First, while logged in to AWS Account X, configure an IAM policy:

  1. Log in to your Amazon Web Services Console and go to the IAM service.
  2. In the left navigation pane, click Policies.

    If this is your first time on this page, you'll need to click Get Started.

  3. Click Create policy.
  4. Select the JSON tab.
  5. Copy the following JSON code into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "workspaces:DescribeWorkspaces",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeTags",
                    "iam:ListAccountAliases",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    The "sts:AssumeRole" permission is required only if you are using cross account roles. As written, with "Resource": "*", it lets this IAM user assume any role, in any account, whose trust policy names AWS Account X. Once you know the ARN of the cross account role you create in AWS Account Y, you can tighten this by moving "sts:AssumeRole" into its own statement whose Resource is that role ARN.

    The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.

  6. Click Review policy.
  7. Give the policy a name and description. Example name: Deep_Security_Policy.
  8. Click Create policy. Your policy is now ready to use.
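As an added example (not Deep Security's own validation logic, and not code from this documentation), the following Python script checks an IAM policy document against the list of actions above before you attach it, so that a missing Describe permission or a forgotten sts:AssumeRole shows up now rather than as a failed import later. The sample policy it tests is constructed for the example; the matching follows IAM's action rules (case-insensitive, "*" and "?" wildcards, explicit Deny wins) but deliberately ignores Resource and Condition elements.

```python
"""Check an IAM policy document against the actions Deep Security needs.

Added example, not part of the Deep Security documentation or product.
REQUIRED_ACTIONS is copied from the policy above; the matching logic is a
simplified model of IAM action evaluation (case-insensitive, '*' and '?'
wildcards, explicit Deny wins) and ignores Resource and Condition elements.
"""
import fnmatch
import json

# The actions from the Account X policy above. sts:AssumeRole is only needed
# by the account whose access keys the manager holds.
REQUIRED_ACTIONS = [
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
    "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeTags",
    "iam:ListAccountAliases", "iam:GetRole", "iam:GetRolePolicy",
    "sts:AssumeRole",
]

# Constructed sample (not a policy from the page): written with wildcards,
# and the author forgot the IAM and STS permissions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "workspaces:Describe*",
                    "iam:ListAccountAliases"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def granted_actions(policy):
    """Return the required actions that the policy allows and does not deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        bucket.update(a for a in REQUIRED_ACTIONS if _matches(a, patterns))
    return allowed - denied


def missing_actions(policy_json, cross_account):
    """Sorted list of required actions the policy does not grant.

    cross_account=False drops sts:AssumeRole, as for Account Y's policy.
    """
    required = set(REQUIRED_ACTIONS)
    if not cross_account:
        required.discard("sts:AssumeRole")
    return sorted(required - granted_actions(json.loads(policy_json)))


if __name__ == "__main__":
    for flag in (True, False):
        print(f"cross_account={flag}: missing {missing_actions(SAMPLE_POLICY, flag)}")
```

Run it against the JSON you are about to paste into the console; an empty list means every action Deep Security asks for is covered. Because the Describe calls above only work with "Resource": "*", resource scoping is not checked here; the one statement worth scoping is sts:AssumeRole, as noted above.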

Next, create an IAM user with an access key ID and secret:

  1. Go to the IAM service.
  2. Click Users.
  3. Click Add user.
  4. Enter a user name. Example: Deep_Security_IAM_User.
  5. For Access type, select Programmatic access.
  6. Click Next: Permissions.
  7. Click the Attach existing policies directly box.
  8. Find the IAM policy you just created and select the check box next to it.
  9. Click Next: Review.
  10. Click Create user. Your access key ID and secret access key are shown in the table.
  11. Copy the access key ID and secret access key to a safe location. You'll need them later.

Next, determine AWS Account X's account ID:

  1. At the top-right of AWS, click Support > Support Center.
  2. Note the Account Number shown at the top-right (123456789012, in this example; AWS account IDs are always 12 digits). You'll need it later to create the cross account role.

Configure AWS Account Y

First, while logged in to AWS Account Y, configure an IAM policy. It is the same as the policy for AWS Account X, except it does not require the sts:AssumeRole permission:

  1. Log in to your Amazon Web Services Console and go to the IAM service.
  2. In the left navigation pane, click Policies.

    If this is your first time on this page, you'll need to click Get Started.

  3. Click Create policy.
  4. Select the JSON tab.
  5. Copy the following JSON code into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "workspaces:DescribeWorkspaces",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeTags",
                    "iam:ListAccountAliases",
                    "iam:GetRole",
                    "iam:GetRolePolicy"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.

  6. Click Review policy.
  7. Give the policy a name and description. Example name: Deep_Security_Policy_2.
  8. Click Create policy. Your policy is now ready to use.

Next, create a cross account role that trusts AWS Account X:

  1. Go to the IAM service.
  2. In the left navigation pane, click Roles.
  3. In the main pane, click Create role.
  4. Click the Another AWS account box.
  5. In the Account ID field, enter the account ID of AWS Account X (123456789012, in this example).
  6. Next to Options, enable Require external ID. In the External ID field, enter a long, random secret string. Require external ID adds a second secret that must accompany every AssumeRole call, so a caller in AWS Account X who knows only the role ARN cannot assume the role; this is the standard mitigation for the confused deputy problem. Treat the external ID as a secret and do not reuse one from another integration.
  7. Note the external ID. You'll need this information later when adding this account to Deep Security Manager.
  8. Click Next: Permissions.
  9. Select the IAM policy that you created previously and then click Next: Review.
  10. On the Review page, enter a role name and description, then click Create role. Example role name: Deep_Security_Role.
  11. On the main role page, search for the role you just created (Deep_Security_Role).
  12. Click it.
  13. Find the Role ARN field at the top and note the value. You'll need it later when adding this account to Deep Security Manager. It looks similar to:
    arn:aws:iam::544739704774:role/Deep_Security_Role
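To see what the console builds behind the dialog above, here is an added Python example (not from this documentation or from Trend Micro) that generates the role's trust policy with the external ID condition, produces the role ARN, and models how the trust check behaves when the external ID is wrong or missing. The account IDs, the role name and the external ID are placeholders; trust_allows() is a deliberately small model of IAM's trust-policy evaluation, not the real policy engine. It also shows the tightened form of the sts:AssumeRole statement for AWS Account X's policy, scoped to this one role ARN.

```python
"""Trust policy and external ID for the Deep Security cross-account role.

Added example, not from the Deep Security documentation or Trend Micro.
Account IDs and the role name are placeholders; trust_allows() is a
simplified model of IAM's trust-policy check (principal plus the
sts:ExternalId condition), not AWS's policy engine.
"""
import json
import secrets

ACCOUNT_X_ID = "123456789012"  # placeholder: account whose IAM user holds the access keys
ACCOUNT_Y_ID = "210987654321"  # placeholder: account that owns the cross-account role
ROLE_NAME = "Deep_Security_Role"


def new_external_id():
    """A long, random external ID (32 random bytes, URL-safe base64)."""
    return secrets.token_urlsafe(32)


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_account_id, external_id):
    """The trust policy the console creates for 'Another AWS account' with
    'Require external ID' enabled: only principals in trusted_account_id
    may assume the role, and only if they present the same external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def scoped_assume_role_statement(target_role_arn):
    """Tightened replacement for "sts:AssumeRole" on "Resource": "*" in
    Account X's policy: the IAM user may assume only this one role."""
    return {
        "Sid": "assumeDeepSecurityRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": target_role_arn,
    }


def trust_allows(policy, caller_account_id, external_id):
    """Model of the trust check: the caller's account must be the trusted
    principal, and when the statement carries an sts:ExternalId condition
    the request must supply exactly that value (a missing value is denied)."""
    caller_root = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != caller_root:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


if __name__ == "__main__":
    ext_id = new_external_id()
    policy = trust_policy(ACCOUNT_X_ID, ext_id)
    print(json.dumps(policy, indent=2))
    print("Role ARN:", role_arn(ACCOUNT_Y_ID, ROLE_NAME))
    print("correct external ID:", trust_allows(policy, ACCOUNT_X_ID, ext_id))
    print("wrong external ID:  ", trust_allows(policy, ACCOUNT_X_ID, "guess"))
```

The principal is the trusted account's root ARN, which is what the console writes when you pick Another AWS account; that means any principal in AWS Account X with sts:AssumeRole permission could call the role, and the external ID is the only thing separating the manager's IAM user from them. Keep the external ID out of tickets and chat: it is a credential, not a label.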

Add the access keys to Deep Security Manager

  1. Log in to Deep Security Manager.
  2. Click Administration at the top.
  3. Click System Settings on the left.
  4. Click the Advanced tab in the main pane.
  5. Scroll to the bottom and look for the Manager AWS Identity heading.
  6. Next to Access Key - The Access Key of an AWS User used for the manager identity, enter the access key of the IAM user you created previously.
  7. Next to Secret Key - The Secret Access Key of an AWS User used for the manager identity, enter the secret key of the IAM user that you created previously.
  8. Click Save.

Add the AWS accounts to Deep Security Manager

First, add Account X using its access keys:

  1. Click Computers at the top.
  2. Click Add > Add AWS Account.
  3. Select Use AWS Access Keys.
  4. Enter AWS Account X's IAM user Access Key ID and Secret Access Key that you created previously.
  5. If your AWS account includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
  6. Click Next.
    AWS Account X's Amazon EC2 instances and Amazon WorkSpaces are loaded.

Next, add AWS Account Y using its cross account role:

  1. Click Computers at the top.
  2. Click Add > Add AWS Account.
  3. Select Use Cross Account Role.
  4. Enter AWS Account Y's Cross Account Role ARN and External ID.
  5. If your AWS account includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
  6. Click Next.
    AWS Account Y's Amazon EC2 instances and Amazon WorkSpaces are loaded.

You have now added AWS Account X and Y to Deep Security Manager.

Method: AWS access keys

For an overview of this method, see Overview of methods for adding AWS accounts.

First, log in to AWS using the account that holds the Amazon EC2 instances and Amazon WorkSpaces that you want to protect.

Next, configure an IAM policy:

  1. Log in to your Amazon Web Services Console and go to the IAM service.
  2. In the left navigation pane, click Policies.

    If this is your first time on this page, you'll need to click Get Started.

  3. Click Create policy.
  4. Select the JSON tab.
  5. Copy the following JSON code into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "workspaces:DescribeWorkspaces",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeTags",
                    "iam:ListAccountAliases",
                    "iam:GetRole",
                    "iam:GetRolePolicy"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.

  6. Click Review policy.
  7. Give the policy a name and description. Example name: Deep_Security_Policy.
  8. Click Create policy. Your policy is now ready to use.

Next, create an IAM user account:

  1. Go to the IAM service.
  2. Click Users.
  3. Click Add user.
  4. Enter a user name. Example: Deep_Security_IAM_User.
  5. For Access type, select Programmatic access.
  6. Click Next: Permissions.
  7. Click the Attach existing policies directly box.
  8. Find the IAM policy you just created and select the check box next to it.
  9. Click Next: Review.
  10. Click Create user. Your access key ID and secret access key are shown in the table.
  11. Copy the access key ID and secret access key to a safe location. You'll need them later.

Finally, add your AWS account to Deep Security:

  1. In the Deep Security Manager, click Computers at the top.
  2. In the main pane, click Add > Add AWS Account.
  3. Select Use AWS Access Keys.
  4. Specify the Access Key ID and Secret Access Key that you generated when you created the IAM user.
  5. If your AWS account includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
  6. Click Next.

Your Amazon EC2 instances and Amazon WorkSpaces under your AWS account are loaded.

Edit a cloud account

You can edit a cloud account's settings in Deep Security Manager. You might need to do this if, for example, your AWS account needs to be configured to include Amazon WorkSpaces. To edit a cloud account:

  1. Log in to Deep Security Manager.
  2. Click Computers at the top.
  3. On the left, right-click your cloud account name and select Properties.
  4. Edit the settings and click OK.

Remove a cloud account from the manager

Removing a cloud account from Deep Security Manager permanently removes the account from the Deep Security database as well as its underlying computers. Your account with your cloud provider is unaffected and any Deep Security Agents that were installed on the instances are still installed, running, and providing protection (although they will no longer receive security updates). If you decide to re-import computers from the cloud account, the Deep Security Agents download the latest security updates at the next scheduled opportunity.

  1. In Deep Security Manager, click Computers at the top.
  2. In the navigation panel, right-click the cloud account and select Remove Cloud Account.
  3. Confirm that you want to remove the account.
    The account is removed from the Deep Security Manager.

Synchronize an AWS account

When you synchronize (sync) an AWS account, Deep Security Manager connects to the AWS API to obtain and display the latest set of AWS EC2 and WorkSpace instances.

To force a sync immediately:

  1. In Deep Security Manager, click Computers.
  2. On the left, right-click your AWS account and select Synchronize Now.

There is also a background sync that occurs every 10 minutes, and this interval is not configurable. If you force a sync, the background sync is unaffected and continues to occur according to its original schedule.