Add AWS Cloud accounts

If you want to protect your AWS resources with Deep Security, you can connect your AWS account to Deep Security. Once the connection is established, your AWS resources appear on the Computers page in Deep Security Manager, where you can manage them like any other computer.

There are several methods you can use to connect your AWS account to Deep Security Manager:

  • If you are using Deep Security AMI from AWS Marketplace, see Getting started with Deep Security AMI from AWS Marketplace.
  • If you are using Deep Security as a Service, you can:
    • Add your AWS account using the quick setup option. This is the easiest way to set up access. This option uses a CloudFormation template that steps you through creating a cross-account role that provides Deep Security Manager with access to your AWS account.
    • Add your AWS account using a cross-account role. With this method, you configure an IAM policy, manually set up a cross-account role that has the appropriate permissions for Deep Security, and then use that role to connect the Deep Security Manager to your AWS account.
    • Add your AWS account using the AWS access keys. Cross-account roles are the preferred method for connecting your AWS account to the manager but if you cannot use that method, you can configure an IAM policy and then use AWS access keys to set up the connection.
  • If you are using an on-premise installation of Deep Security Manager, you can:
    • Add your AWS account using a cross-account role. With this method, you configure an IAM policy, manually set up a cross-account role that has the appropriate permissions for Deep Security, and then use that role to connect the Deep Security Manager to your AWS account.
    • Add your AWS account using the AWS access keys. Cross-account roles are the preferred method for connecting your AWS account to the manager but if you cannot use that method, you can configure an IAM policy and then use AWS access keys to set up the connection.

Add your AWS account using the quick setup option

Applies to Deep Security as a Service only

  1. In the Deep Security Manager, go to the Computers page and click Add > Add AWS Account to open the Add AWS Cloud Account wizard.
  2. On the Setup Type page, select Quick.
  3. The next page describes what will happen during the setup process and provides a URL that you can send to your AWS administrator in case you do not have access to AWS. The URL is valid for one hour. Click Next.
  4. If you have not already signed into your AWS account you will be prompted to do so.
  5. Click Next on the Select Template page to accept the defaults.
  6. If your organization uses tags, you can add them on the Options page.
  7. Click Next.
  8. On the Review page, select the check box next to I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
  9. Click Create.

When AWS finishes setting up a cross-account role, the Deep Security Manager wizard will display a success message. You can close the screen before the success message is displayed; the account will be added as soon as the cross-account role is set up. For more information on how this is done, see What does the CloudFormation template do when I add an AWS account?

All AWS instances associated with your account will appear on the Computers page in the Deep Security Manager, organized by region, VPC and subnet.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.

If your account does not appear on the Computers page within 10 minutes, or if you get an error message saying that the account could not be added, refer to Issues adding your AWS account to Deep Security for troubleshooting tips.

Configure an IAM policy

Unless you are using the quick setup option, you'll need to create a dedicated AWS policy for Deep Security Manager.

  1. Log in to your Amazon Web Services Console and go to Identity and Access Management (IAM).
  2. In the left navigation pane, click Policies.

    If this is your first time on this page, you'll need to click Get Started.

  3. Click Create Policy.
  4. Select Create Your Own Policy.
  5. Give the policy a name and description, then copy the following JSON code into the Policy Document area:
    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "cloudconnector",
             "Effect": "Allow",
             "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "iam:ListAccountAliases",
                "sts:AssumeRole"
             ],
             "Resource": [
                "*"
             ]
          }
       ]
    }

    The "sts:AssumeRole" permission is required only if you are using cross-account role access.

  6. Click Create Policy. Your policy is now ready to use.

Add your AWS account using a cross-account role

First, configure an IAM policy as described under Configure an IAM policy.

Next, you will need to create the cross-account role:

  1. Log in to your Amazon Web Services Console.
  2. Go to Identity and Access Management (IAM).
  3. In the left navigation pane, click Roles.
  4. In the right pane, click Create New Role.
  5. Enter a Role name and then click Next Step.
  6. On the Select Role Type page, select Role for Cross-Account Access.
  7. Click the Select button next to Allows IAM users from a 3rd party AWS account to access this account.
  8. On the next page, enter this information and then click Next Step:
    • Account ID: If the Deep Security Manager is installed on AWS, enter the AWS Account ID of the account where the manager is located. For Deep Security as a Service, the Account ID is 147995105371. If your Deep Security Manager is not installed on AWS, use the AWS Account ID of the account that Deep Security Manager uses to access your AWS resources.
    • External ID: Enter a long, randomly generated secret string. You will need the External ID when adding the AWS account to Deep Security Manager.
  9. On the Attach Policy page, select the policy that you created for this role and then click Next Step.
  10. On the Review page, note the Role ARN because you will need it when adding your AWS account to Deep Security.
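The two procedures above produce two documents: the permissions policy from Configure an IAM policy, and the trust policy the console wizard attaches to the role when you pick "Allows IAM users from a 3rd party AWS account to access this account" and supply an Account ID and External ID. The page does not show that trust policy, so the following added example (not Trend Micro's code) builds both documents, generates an External ID with Python's secrets module, and reviews a trust policy for the two things that matter when a third party is allowed to assume a role in your account: the principal must be limited to the expected account, and an sts:ExternalId condition must be present. The Deep Security as a Service account ID is the one given in step 8; for a manager hosted in your own AWS account, pass that account's ID instead (an assumption the caller must satisfy).

```python
import json
import secrets

# Account the cross-account role must trust. The Deep Security as a Service
# account ID (147995105371) comes from step 8 above; for a manager hosted in
# your own AWS account, substitute that account's ID (assumption: the caller
# passes the right one).
DSAAS_ACCOUNT_ID = "147995105371"

# Actions listed in the IAM policy under "Configure an IAM policy".
DEEP_SECURITY_ACTIONS = [
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeRegions",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVpcs",
    "iam:ListAccountAliases",
    "sts:AssumeRole",
]


def permissions_policy(cross_account=True):
    """Build the page's policy document. sts:AssumeRole is only needed for
    cross-account role access, so it is dropped for the access-key method."""
    actions = [a for a in DEEP_SECURITY_ACTIONS
               if cross_account or a != "sts:AssumeRole"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "cloudconnector",
            "Effect": "Allow",
            "Action": actions,
            "Resource": ["*"],
        }],
    }


def new_external_id(nbytes=32):
    """Long, randomly generated secret string for the External ID field."""
    return secrets.token_urlsafe(nbytes)


def trust_policy(trusted_account_id, external_id):
    """Trust policy the console wizard attaches for 'Allows IAM users from a
    3rd party AWS account to access this account': only principals in the
    trusted account may assume the role, and only when they present the
    External ID, which is the confused-deputy protection for this setup."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy, expected_account_id):
    """Review a trust policy (for example one exported from IAM) and return
    the problems a reviewer should see before connecting the manager."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
                {"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("role is assumable by any AWS account")
            elif expected_account_id not in p:
                findings.append("unexpected principal " + p)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition")
        elif len(ext) < 16:
            findings.append("External ID is too short to be a secret")
    return findings


if __name__ == "__main__":
    ext = new_external_id()
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(trust_policy(DSAAS_ACCOUNT_ID, ext), indent=2))
    print("External ID (keep it for the wizard):", ext)
```

Run it once, paste the printed permissions policy into the Policy Document area in step 5 of Configure an IAM policy, and keep the printed External ID for step 8 above and for the Add AWS Cloud Account wizard. The review function is useful later, too: if someone edits the role's trust relationship by hand and widens the principal or removes the External ID condition, the findings list is no longer empty.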

If you are using an on-premise installation of Deep Security, you may need to configure the manager identity, which specifies the manager credentials that are allowed to assume the permission of the cross-account role. To configure the manager identity, go to Administration > System Settings > Advanced and scroll to the Manager AWS Identity section. There, you can choose between these two settings:

  • Use Manager Instance Role: The more secure option to configure cross-account access. Attach a policy with the sts:AssumeRole permission to the Deep Security Manager's instance role, then select this option. Does not appear if the Deep Security Manager does not have an instance role, or if you're using an Azure Marketplace or on-premise installation of Deep Security Manager.
  • Use AWS Access Keys: Create the keys and attach a policy with the sts:AssumeRole permission before you select this option, and then type the Access Key and Secret Key. Does not appear if you're using an Azure Marketplace or on-premise installation of Deep Security Manager.

Then, add your AWS account to Deep Security:

  1. In the Deep Security Manager, go to the Computers page and click Add > Add AWS Account to open the Add AWS Cloud Account wizard.
  2. If you are using Deep Security as a Service, select Advanced and click Next.
  3. In the Access Information area, select Use Cross Account Role. Enter the Cross Account Role ARN and External ID associated with the account you created in the previous procedure and then click Next.
  4. Deep Security Manager will verify the connection to the AWS account and display a success message. Click Close.

All AWS instances associated with your account will appear on the Computers page in the Deep Security Manager, organized by region, VPC and subnet.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.
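Step 4 of the wizard verifies the connection for you, but it is often convenient to confirm the role works before handing the ARN and External ID to whoever runs the manager, and to see in advance which instances will land where in the Computers tree. The following added example (not part of the Deep Security documentation or product) assumes the role the same way the manager does, with sts:AssumeRole plus ExternalId, then walks the regions using only the Describe* actions granted by the page's policy and groups the results by region, VPC and subnet. It assumes boto3 is installed and that the process runs with credentials for the manager's own account; the sample reservations are constructed so the grouping can be exercised offline.

```python
import json
from collections import defaultdict

# Constructed sample shaped like ec2 describe_instances()["Reservations"],
# keyed by region, so the grouping can be exercised without AWS access.
SAMPLE_RESERVATIONS = {
    "us-east-1": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "VpcId": "vpc-0a", "SubnetId": "subnet-0b"},
            {"InstanceId": "i-0bbb", "VpcId": "vpc-0a", "SubnetId": "subnet-0c"},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc", "VpcId": "vpc-0a", "SubnetId": "subnet-0b"},
        ]},
    ],
    "eu-west-1": [
        {"Instances": [
            {"InstanceId": "i-0ddd", "VpcId": "vpc-0d", "SubnetId": "subnet-0e"},
        ]},
    ],
    "ap-southeast-1": [],
}


def group_instances(reservations_by_region):
    """Arrange instances as region -> VPC -> subnet -> [instance IDs],
    mirroring the tree the Computers page builds. Regions with no
    instances are kept so an empty region is visible, not silently dropped."""
    tree = {}
    for region, reservations in reservations_by_region.items():
        vpcs = defaultdict(lambda: defaultdict(list))
        for res in reservations:
            for inst in res.get("Instances", []):
                vpc = inst.get("VpcId", "(no VPC)")
                subnet = inst.get("SubnetId", "(no subnet)")
                vpcs[vpc][subnet].append(inst["InstanceId"])
        tree[region] = {v: dict(s) for v, s in vpcs.items()}
    return tree


def assume_deep_security_role(role_arn, external_id):
    """Assume the cross-account role the way the manager does: RoleArn plus
    ExternalId. Needs boto3 and credentials for the manager's own account
    (the identity configured under Manager AWS Identity)."""
    import boto3  # assumption: boto3 is installed; not needed for offline use
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn,
                           RoleSessionName="deep-security-preflight",
                           ExternalId=external_id)
    return resp["Credentials"]


def collect_reservations(creds):
    """Walk every region with the temporary credentials and gather the
    reservations; only Describe* calls from the page's policy are used.
    Large accounts should paginate describe_instances (not done here)."""
    import boto3  # assumption, see above
    kw = dict(aws_access_key_id=creds["AccessKeyId"],
              aws_secret_access_key=creds["SecretAccessKey"],
              aws_session_token=creds["SessionToken"])
    first = boto3.client("ec2", region_name="us-east-1", **kw)
    regions = [r["RegionName"] for r in first.describe_regions()["Regions"]]
    return {region: boto3.client("ec2", region_name=region, **kw)
            .describe_instances()["Reservations"] for region in regions}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <role-arn> <external-id>
        creds = assume_deep_security_role(sys.argv[1], sys.argv[2])
        tree = group_instances(collect_reservations(creds))
    else:
        tree = group_instances(SAMPLE_RESERVATIONS)
    print(json.dumps(tree, indent=2))
```

If the AssumeRole call is refused, the usual causes are the ones the previous procedure guards against: the trust policy names a different account than the one the manager identity belongs to, or the External ID typed into the wizard does not match the condition on the role. If AssumeRole succeeds but a Describe call is denied, the permissions policy from Configure an IAM policy was not attached to the role in step 9.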

Add your AWS account using a manager instance role

The instance that is running Deep Security Manager must have an instance role. For information on instance roles, see IAM Roles for Amazon EC2.

You must set up the instance role before launching the instance. The instance role cannot be changed after the instance has started. The instance must be in the same account as the one running Deep Security Manager.

Next, configure an IAM policy as described under Configure an IAM policy, and attach the policy that you created to the role that the Deep Security Manager is using.

Finally, add your AWS account to Deep Security:

  1. In the Deep Security Manager, go to the Computers page and click Add > Add AWS Account to open the Add AWS Cloud Account wizard.
  2. If you are using Deep Security as a Service, select Advanced and click Next.
  3. In the Access Information area, select Use Manager Instance Role and then click Next.
  4. Deep Security Manager will verify the connection to the AWS account and display a success message. Click Close.

All AWS instances associated with your account will appear on the Computers page in the Deep Security Manager, organized by region, VPC and subnet.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.

Add your AWS account using the AWS access keys

First, configure an IAM policy as described under Configure an IAM policy, and then create a dedicated user account for the manager to access your cloud account:

  1. Log in to your Amazon Web Services Console.
  2. Go to Identity and Access Management (IAM) and click Users.
  3. Click Create New Users to open the Create User page.
  4. Enter a username and select the Generate an access key for each User option.
  5. Click Download Credentials to download the generated user Security credentials (Access Key and Secret Key) and then close the dialog.
  6. Back on the Users page, click on the user to display the user properties, then scroll to the Permissions section of the page.
  7. In the expanded Permissions section, click Attach Policy at the bottom of the window to display the Attach Policy page.
  8. Select the IAM policy you created and click Attach Policy to apply the policy to the new user.

The Amazon Web Services account is now ready for access by the Deep Security Manager.

Next, go to Administration > System Settings > Advanced, scroll to the Manager AWS Identity section, select Use AWS Access Keys and enter the Access Key and Secret Key of the AWS user created for the Deep Security Manager.

Finally, add your AWS account to Deep Security:

  1. In the Deep Security Manager, go to the Computers page and click Add > Add AWS Account to open the Add AWS Cloud Account wizard.
  2. If you are using Deep Security as a Service, select Advanced and click Next.
  3. In the Access Information area, select Use AWS Access Keys: Specify the Access Key ID and Secret Access Key that you generated when you created the AWS user account for Deep Security in the previous procedure and then click Next.
  4. Deep Security Manager will verify the connection to the AWS account and display a success message. Click Close.

All AWS instances associated with your account will appear on the Computers page in the Deep Security Manager, organized by region, VPC and subnet.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.

Remove a cloud account from the manager

Removing a cloud provider account from Deep Security Manager permanently removes the account from the Deep Security database. Your account with your cloud provider is unaffected, and any Deep Security agents that were installed on the instances will still be installed, running, and providing protection (although they will no longer receive security updates). If you decide to re-import computers from the Cloud Provider Account, the Deep Security Agents will download the latest Security Updates at the next scheduled opportunity.

  1. Go to the Computers page, right-click on the Cloud Provider account in the navigation panel, and select Remove Cloud Account.
  2. Confirm that you want to remove the account.
  3. The account is removed from the Deep Security Manager.