Manually upgrade your AWS account connection

Applies to Deep Security as a Service only

In older iterations of Deep Security as a Service, you could add an AWS account to Deep Security Manager by clicking Add AWS Account on the Computers page. This method used an AWS CloudFormation template to add your account. All of the AWS instances associated with your account would appear on the Computer page, listed under your AWS account name and regions.

Deep Security as a Service now includes the ability to display your AWS instances organized by region, VPC and subnet. The migration from the older type of AWS connection to the new method usually happens automatically. However, if Deep Security encounters a problem and cannot perform the migration automatically, it will produce an "AWS Account Migration Failed" alert. If you encounter this alert, follow the steps in this article to migrate your AWS account connection. The main cause of the migration failure is a lack of permissions for the AWS role listed in the alert message.

Verify the permissions associated with the AWS role

  1. Log in to your Amazon Web Services Console and go to Identity and Access Management (IAM).
  2. In the left navigation pane, click Roles.
  3. Find the role that was identified in the alert message and click the role.
  4. Under Inline Policies for policy "DeepSecurity", click Edit Policy.
  5. The "Action" section of the policy should be:
    "Action": [
      "ec2:DescribeRegions",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeAvailabilityZones",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "iam:ListAccountAliases"
    ]
    
  6. Click Apply Policy.
  7. Wait for up to 30 minutes and your connection should be upgraded. On the Computers tab in Deep Security Manager, your AWS instances will be organized by region, VPC and subnet.
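As an added check that is not part of this article or of the Deep Security product, the following Python script compares a role's inline policy document against the action list in step 5 and reports any required action the policy does not effectively allow (an explicit Deny overrides an Allow, and wildcards such as "ec2:Describe*" are honoured). The policy documents embedded in it are constructed samples, and the helper names (`missing_actions`, `REQUIRED_ACTIONS`) are ours; in practice you would feed it the PolicyDocument returned by `aws iam get-role-policy --role-name <role-from-alert> --policy-name DeepSecurity`.

```python
import fnmatch
import json

# Actions the article says the "DeepSecurity" inline policy must allow.
REQUIRED_ACTIONS = [
    "ec2:DescribeRegions",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeTags",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "iam:ListAccountAliases",
]

# Constructed sample: an older-style policy that lacks the VPC/subnet actions.
OLD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeRegions", "ec2:DescribeImages",
                   "ec2:DescribeInstances", "ec2:DescribeTags",
                   "iam:ListAccountAliases"],
        "Resource": "*",
    }],
})

# Constructed sample: a wildcard grant that covers every required action.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "iam:ListAccountAliases"],
                   "Resource": "*"}],
})

# Constructed sample: a wildcard Allow undercut by an explicit Deny.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListAccountAliases", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeVpcs", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Statement and Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_document, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not effectively allow.

    An action counts as allowed when at least one Allow statement matches it
    and no Deny statement matches it (an explicit Deny always wins in IAM).
    Only the Action key is evaluated; Resource and Condition are ignored,
    which is adequate for these account-level Describe/List calls.
    """
    doc = (json.loads(policy_document)
           if isinstance(policy_document, str) else policy_document)
    allowed, denied = [], []
    for stmt in _as_list(doc.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action")))

    missing = []
    for action in required:
        is_allowed = any(_matches(p, action) for p in allowed)
        is_denied = any(_matches(p, action) for p in denied)
        if not is_allowed or is_denied:
            missing.append(action)
    return missing


if __name__ == "__main__":
    for name, doc in [("old", OLD_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("deny", DENY_POLICY)]:
        gap = missing_actions(doc)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```

An empty result means the role grants everything step 5 requires and the alert is likely caused by something else; a non-empty result lists exactly the actions to add before clicking Apply Policy.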