Manually upgrade your AWS account connection

In older iterations of Deep Security as a Service, you could add an AWS account to Deep Security Manager by clicking Add AWS Account on the Computers page. This method used an AWS CloudFormation template to add your account. All of the AWS instances associated with your account would appear on the Computers page, listed under your AWS account name and regions.

Deep Security as a Service now includes the ability to display your AWS instances organized by region, VPC and subnet. The migration from the older type of AWS connection to the new method usually happens automatically. However, if Deep Security encounters a problem and cannot perform the migration automatically, it will produce an "AWS Account Migration Failed" alert. If you encounter this alert, follow the steps in this article to migrate your AWS account connection. The main cause of the migration failure is a lack of permissions for the AWS role listed in the alert message.

Verify the permissions associated with the AWS role

  1. Log in to your Amazon Web Services Console and go to the IAM service.
  2. In the left navigation pane, click Roles.
  3. Find the role that was identified in the alert message and click the role.
  4. Under Permissions, expand the "DeepSecurity" policy, and click Edit Policy.
  5. The policy in the "Action" section should be:
    "Action": [ 

The "sts:AssumeRole" permission is required only if you are using cross account roles.

The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.

  6. Click Review policy and Save changes.
  7. Wait up to 30 minutes for the connection to be upgraded. On the Computers tab in Deep Security Manager, your AWS instances are then organized by region, VPC and subnet, and your Amazon WorkSpaces are organized by region and WorkSpace directory.
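As an added example, not part of the Deep Security documentation, the following Python check reads a role policy document of the shape returned by `aws iam get-role-policy --role-name <role> --policy-name DeepSecurity` and reports whether the actions this article names are granted. The constant names and the sample policy are constructed here; the full Deep Security action list is not reproduced, so extend RECOMMENDED from the policy shown for your manager version.

```python
import fnmatch
import json

# Actions this article names. The complete Deep Security action list is not
# reproduced here; extend these sets from the policy for your manager version.
RECOMMENDED = {"iam:GetRole", "iam:GetRolePolicy"}
CROSS_ACCOUNT = {"sts:AssumeRole"}   # needed only for cross-account roles


def allowed_actions(policy_doc):
    """Collect the action patterns granted by Allow statements.

    IAM accepts a single object or a list for "Statement", and a single
    string or a list for "Action", so both shapes are normalized here.
    Deny statements grant nothing and are skipped.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def is_granted(action, patterns):
    # IAM action names are case-insensitive and may use "*" wildcards
    # (e.g. "iam:Get*"), which fnmatch handles after lower-casing both sides.
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)


def check_policy(policy_doc, cross_account=False):
    """Return the set of named actions the policy does not grant."""
    needed = set(RECOMMENDED) | (CROSS_ACCOUNT if cross_account else set())
    patterns = allowed_actions(policy_doc)
    return {a for a in needed if not is_granted(a, patterns)}


# Constructed sample: the "PolicyDocument" field of an inline role policy.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["iam:GetRole", "iam:GetRolePolicy"]}]
}""")

if __name__ == "__main__":
    print("missing (same account):", check_policy(SAMPLE_POLICY))
    print("missing (cross account):", check_policy(SAMPLE_POLICY, cross_account=True))
```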