Issues adding your AWS account to Deep Security

Applies to Deep Security as a Service only

When adding your AWS account to Deep Security, you may encounter the following issues.

AWS is taking longer than expected

Causes:

1. The template is still running

While the Cloud Formation Template is running, Deep Security has no information on how far it has progressed or when it will finish; it is only notified once the template has completed successfully. Because of this, Deep Security uses a timeout that is triggered if the template has not completed within the expected time. If the timeout is triggered, it does not mean the template has failed; AWS may simply be taking longer than usual.

To check the status of the template, go to the Cloud Formation section of the AWS console and look for the status of the stack named DeepSecuritySetup. If the status field shows CREATE_IN_PROGRESS, the template is still running and more time is required.

2. The template has failed to complete

If the status field in the Cloud Formation section of the AWS console shows ROLLBACK_IN_PROGRESS, ROLLBACK_COMPLETE, or CREATE_FAILED then the template creation has failed within AWS. If this happens, go to the Events tab in the Cloud Formation interface to find more information about why the template failed.

Contact Deep Security technical support for help. Sign in to Deep Security as a Service, and click Support in the upper-right corner.

Resource is not supported in this region

Cause:

The Cloud Formation Template creates a Lambda function to create the cross-account role. AWS Lambda is not currently supported in all regions, so if the Cloud Formation Template is run in a region that does not support Lambda then it will fail to create the cross-account role. By default, the link provided by the wizard will run the Cloud Formation Template in the US East (N. Virginia) region. The other regions that currently support Lambda are:

  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)
  • EU (Frankfurt)
  • EU (Ireland)
  • US East (N. Virginia)
  • US West (Oregon)

Template validation issue

Cause:

The user running the Cloud Formation Template doesn’t have the required permissions to run the template.

In the IAM console, find the user that is currently signed in and running the template. Open the user's properties by double-clicking the user. Scroll down to the Managed Policies and Inline Policies section and click the Show Policy link on each policy listed. Every permission listed below must be granted by at least one of the policies attached to the user.

  • cloudformation:CreateStack
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStacks
  • cloudformation:EstimateTemplateCost
  • cloudformation:GetTemplate
  • cloudformation:GetTemplateSummary
  • cloudformation:ListStackResources
  • cloudformation:ListStacks
  • ec2:CreateTags
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeRegions
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVpcs
  • iam:AddRoleToInstanceProfile
  • iam:AttachRolePolicy
  • iam:CreateInstanceProfile
  • iam:CreatePolicy
  • iam:CreateRole
  • iam:DeleteInstanceProfile
  • iam:DeleteRole
  • iam:DeleteRolePolicy
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:PassRole
  • iam:PutRolePolicy
  • iam:RemoveRoleFromInstanceProfile
  • lambda:InvokeFunction
  • lambda:CreateFunction
  • lambda:GetFunctionConfiguration
  • sts:AssumeRole
  • sts:DecodeAuthorizationMessage
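The manual review above is error-prone once policies use wildcards such as ec2:Describe* or iam:*. The script below is an added example (not Trend Micro's code): given the user's policy documents as parsed JSON, it reports which of the required actions are not granted, honouring IAM's case-insensitive wildcard matching and the rule that an explicit Deny overrides an Allow. The sample policies are constructed for illustration.

```python
import fnmatch

# Required actions, grouped by service (the list from the article above).
_BY_SERVICE = {
    "cloudformation": ["CreateStack", "DescribeStackEvents", "DescribeStacks",
                       "EstimateTemplateCost", "GetTemplate", "GetTemplateSummary",
                       "ListStackResources", "ListStacks"],
    "ec2": ["CreateTags", "DescribeAvailabilityZones", "DescribeImages",
            "DescribeInstances", "DescribeRegions", "DescribeSecurityGroups",
            "DescribeSubnets", "DescribeTags", "DescribeVpcs"],
    "iam": ["AddRoleToInstanceProfile", "AttachRolePolicy", "CreateInstanceProfile",
            "CreatePolicy", "CreateRole", "DeleteInstanceProfile", "DeleteRole",
            "DeleteRolePolicy", "GetRole", "GetRolePolicy", "PassRole",
            "PutRolePolicy", "RemoveRoleFromInstanceProfile"],
    "lambda": ["InvokeFunction", "CreateFunction", "GetFunctionConfiguration"],
    "sts": ["AssumeRole", "DecodeAuthorizationMessage"],
}
REQUIRED_ACTIONS = [f"{svc}:{a}" for svc, acts in _BY_SERVICE.items() for a in acts]

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Required actions not granted by the given policy documents (parsed JSON).
    Resource, Condition and NotAction are ignored; an explicit Deny beats any Allow."""
    allowed, denied = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            target = allowed if stmt.get("Effect") == "Allow" else denied
            target.extend(_as_list(stmt.get("Action", [])))
    return [a for a in required
            if any(_matches(p, a) for p in denied)
            or not any(_matches(p, a) for p in allowed)]

# Constructed sample: CloudFormation/EC2 access is fine, but IAM is read-only
# and Lambda is absent, so role creation and the Lambda calls are missing.
SAMPLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["cloudformation:*", "ec2:Describe*", "ec2:CreateTags"]}]},
    {"Statement": {"Effect": "Allow", "Resource": "*", "Action": ["iam:Get*", "sts:*"]}},
]

if __name__ == "__main__":
    print("Missing permissions:", ", ".join(missing_actions(SAMPLE_POLICIES)))
```

For an authoritative answer that also accounts for resource scoping and conditions, the same action list can be passed to `aws iam simulate-principal-policy --policy-source-arn <user ARN> --action-names ...`, which evaluates the policies on the AWS side.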

Deep Security was unable to add your AWS account

Cause:

The information that Deep Security received from AWS was incomplete.

If this happens, close the wizard and try running it again from the beginning as there might be a temporary system problem.

If the error happens a second time, contact technical support (sign in to Deep Security as a Service, and click Support in the upper-right corner).