About adding AWS accounts
- Overview of methods for adding AWS accounts
- What happens when you add an AWS account?
- What are the benefits of adding an AWS account?
- What AWS regions are supported?
Overview of methods for adding AWS accounts
There are a few ways to add AWS accounts to Deep Security Manager:
- Add an AWS account using a manager instance role. Use this method if Deep Security Manager is inside AWS.
- Add an AWS account using an access key. Use this method if Deep Security Manager is outside AWS.
- Add an AWS account using a cross-account role. Use this method if you want to add multiple AWS accounts.
What happens when you add an AWS account?
When you add an AWS account to Deep Security, all the Amazon EC2 and Amazon WorkSpace instances under that account are imported into Deep Security Manager and become visible in one of these locations:
- EC2 instances appear on the left under Computers > your_AWS_account > your_region > your_VPC > your_subnet
- Amazon WorkSpaces appear on the left under Computers > your_AWS_account > your_region > WorkSpaces
Once imported, the EC2 and WorkSpace instances can be managed like any other computer. These instances are tree structures and are treated as computer groups.
If you previously added Amazon EC2 instances or Amazon WorkSpaces as individual computers, and they are part of your AWS account, the instances are moved into the tree structure described above after you import the account.
What are the benefits of adding an AWS account?
The benefits of adding an AWS account (through Deep Security Manager > Computers > Add AWS Account) instead of adding individual EC2 instances and WorkSpaces (through Deep Security Manager > Computers > Add Computer) are:
- Changes in your EC2 and WorkSpaces inventory are automatically reflected in Deep Security Manager. For example, if you delete a number of EC2 or WorkSpace instances in AWS, those instances disappear automatically from the manager. By contrast, if you use Computers > Add Computer, EC2 and WorkSpace instances that are deleted from AWS remain visible in the manager until they are manually deleted.
- Your EC2 and WorkSpace instances are organized into AWS region > VPC > subnet in the manager, which lets you easily see which instances are protected and which are not. Without the AWS account, all your EC2 and WorkSpace instances appear at the same root level under Computers.
- You get AWS metadata, which can be used in event-based tasks (EBTs) to simplify policy assignment. You can also use metadata with smart folders to organize your AWS instances.
What AWS regions are supported?
Deep Security Manager's Computers > Add > Add AWS Account option only supports AWS regions that use the global AWS Identity and Access Management (IAM) service at iam.amazonaws.com. To determine whether your region uses the global service, see this table.
At the time of writing, the following regions do not use the global IAM service (iam.amazonaws.com):
- China (Beijing)
- China (Ningxia)
- AWS GovCloud (US-East)
- AWS GovCloud (US)
For the regions listed above, and any others that might not use the global IAM service, you can still load your EC2 and WorkSpace instances into the manager using the Deep Security REST API. Trend Micro has provided this sample script for your use.