Give Deep Security access to AWS EC2 resources

If you want to use Deep Security as a Service with your Amazon Web Services (AWS) EC2 resources, you must configure an Identity and Access Management (IAM) policy to grant permissions to access your EC2 servers.

Deep Security follows best practices, and uses a cross account role to connect to your AWS resources. A cross account role contains a policy with permissions like other IAM roles, except that it allows a third party (such as Deep Security as a Service) to access your AWS resources.

In this topic:

Create the IAM role for Deep Security

  1. In Deep Security Manager, go to Computers.
  2. Select Add > Add AWS Account.
  3. Click Start.

    Deep Security will use an Amazon CloudFormation template to create an AWS EC2 t1.micro instance that runs for a very short time to create an IAM role for Deep Security, and then terminates.

    You will be billed for the small amount of AWS resources used to run the t1.micro instance. For current prices, see the Amazon EC2 Pricing page.

    If AWS account creation fails, see Issues adding your AWS account to Deep Security.

  4. For agents in a VPC connecting to a relay (including DSaaS relays) through an AWS proxy, you must also configure the proxy settings.

Deep Security IAM policy and EC2 permissions

Like with all IAM roles, the role for Deep Security has an associated IAM policy. This policy grants permissions to allow Deep Security to import information about your AWS account:

  • ec2:DescribeRegions
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeTags
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs

This policy will also allow Deep Security to view its permissions and configuration in order to verify them.

  • iam:GetRole
  • iam:GetRolePolicy