Migrate cloud accounts to Workload Security
This is one part of the process for migrating from Deep Security to Workload Security. For a complete picture of the migration process, see Migrate from Deep Security to Workload Security.
You may have used cloud connectors to add cloud accounts to Deep Security. You can use the migration tool or migration API to migrate protected cloud accounts.
Prerequisites
- Check that you're running Deep Security Manager 20.0.635 (20 LTS Update 2022-04-21) or later.
- If you haven't done so already, complete the earlier steps described in Migrate from Deep Security to Workload Security, including creating a Trend Cloud One account, creating an API key, and preparing a link to Workload Security.
If you are migrating AWS accounts
If you are migrating accounts that are not AWS, please see Migrate other cloud accounts using the migration tool for details.
Limitations
The procedure used to migrate registered AWS accounts depends on how they were originally added to Deep Security Manager:
- AWS accounts added using access keys can be migrated using the migration tool or migration API.
- AWS accounts added using cross-account roles can be migrated using the migration tool or migration API. However, those cross-account roles need to be configured to trust the AWS principal of Workload Security in addition to the original principal of Deep Security Manager. See Migrate AWS accounts that were added using cross-account roles for details.
- AWS accounts added using manager instance roles are not supported on Workload Security. Migration of these accounts is not supported.
- Legacy AWS accounts that were added in Deep Security Manager 9.6 or earlier are not supported because they are not accessible via the API endpoint /api/awsconnectors.
Migrate AWS accounts that were added using cross-account roles
There are 2 ways to register AWS accounts to Workload Security:
- Create a new cross-account role for each AWS account.
- Re-use existing cross-account roles for Deep Security Manager.
Create a new cross-account role
With this method, instead of using the migration tool or API, you add new cross-account roles that allow Workload Security to access your AWS accounts. For instructions, see Add an AWS account using a cross-account role in the Workload Security help.
Re-use existing cross-account roles
With this method, you identify the original cross-account role, configure the trust relationship to Workload Security, and invoke the migration API:
- Identify the cross-account role in your AWS account that allows Deep Security Manager to access it.
You can find the role ARN in the Deep Security Manager console by right-clicking the AWS account and selecting Properties.
The role ARN is in this format, arn:aws:iam::<AWS account ID>:role/<role name>
- Note the AWS account of Workload Security and the external ID of your tenant. Refer to this article in the Workload Security help for the account ID and how to retrieve the external ID.
- Log in to the AWS account. In the AWS console, go to the IAM service.
- In the left navigation pane, click Roles.
- In the main pane, find the role name from step 1 and click it to open the summary page.
- In the Trust relationships tab, click Edit trust relationship.
- In the Policy Document, the trust relationship should look like this:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<original Deep Security AWS Account>:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<original Deep Security External ID>" } } } ] } - Add the noted Workload Security account (147995105371) and the external ID to the Policy Document (the first statement). It should look like this:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::147995105371:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<Workload Security External ID>" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<original Deep Security AWS Account>:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<original Deep Security External ID>" } } } ] } - Click Update Trust Policy to save the changes.
- Repeat this procedure for each AWS account that you want to migrate to Workload Security.
- Migrate the AWS accounts using the migration tool or migration API.
Migrate other cloud accounts using the migration tool
- In upper-right corner of the Deep Security Manager console, select Support > Migrate to Workload Security.
- The Migrate to Workload Security page appears. Click the Cloud Accounts tab.
- All connected cloud accounts that support migration are displayed. Select the accounts that you want to migrate and click Migrate Selected.
- The migration begins. Click the Refresh button to check the migration status. Possible statuses are:
- Migration requested: Cloud account migration to Workload Security has been requested but the migration hasn't started yet.
- Migrating: Cloud accounts are being migrated to Workload Security and a full synchronization has been started. This process might take time to complete.
- Migrated: Cloud accounts have been migrated successfully to Workload Security.
- Failed: Cloud accounts have failed to migrate to Workload Security for some reason. Check the error code:
- Error codes less than 900: There is a failure from Workload Security, see the fail system event for response detail or contact support.
- Error codes greater than or equal to 900: Deep Security Manager has a problem communicating with Workload Security. Please make sure the Workload Security Link is correctly configured, or check server0.log for details.
Migrate VMware vCloud accounts
VMware vCloud accounts currently cannot be migrated automatically to Workload Security. However, you can create new VMware vCloud connectors in your Workload Security account to protect them. This can be done before or after hosts are migrated and reactivated, but we recommend setting it up prior to host migration.
To learn how to set up cloud connectors in Workload Security, see this article in the Workload Security help: