Give Deep Security access to AWS EC2 resources

Applies to Deep Security as a Service only

This article describes how to give Deep Security as a Service access to your Amazon Web Services (AWS) EC2 resources. The Add AWS Account wizard will lead you through the process.

Deep Security follows AWS best practices and uses a Cross Account Role to connect to your AWS resources. A Cross Account Role contains a policy with permissions like any other IAM role, but it allows a third party to access your AWS resources.

Give Deep Security as a Service access to Amazon Web Services

  1. Click Start on the Add AWS Account page to launch an Amazon Cloud Formation Template, which creates the Cross Account Role with all of the permissions that Deep Security needs to connect to your AWS account.
  2. The Cloud Formation Template used by the wizard creates an AWS EC2 instance that runs for a very short period and then terminates itself.

You will be billed for the very small amount of AWS resources used when you run this template. You can view current prices for t1.micro instances on the Amazon EC2 Pricing page.

Deep Security IAM policy and EC2 permissions

As with all IAM roles, there is a policy associated with the Deep Security role that grants it permission to access AWS resources. The policy associated with the Deep Security role has the following permissions, which allow Deep Security to import information about your AWS account:

  • ec2:DescribeRegions
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeTags
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs

The policy also has the following permissions, which allow Deep Security to check its own permissions and confirm that everything is configured properly. (These permissions are limited to viewing the Deep Security role.)

  • iam:GetRole
  • iam:GetRolePolicy
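
As an added illustration (not from this article or from Trend Micro), the following Python script audits a cross-account role's IAM policy document against the permission list above and reports any action that is missing or any extra action, such as a wildcard, that the role should not carry. The policy documents and the role ARN in it are constructed samples.

```python
import json

# Read-only actions the Deep Security cross-account role policy grants (from the list above).
EXPECTED_ACTIONS = {
    "ec2:DescribeRegions", "ec2:DescribeImages", "ec2:DescribeInstances",
    "ec2:DescribeTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeVpcs", "iam:GetRole", "iam:GetRolePolicy",
}

def policy_actions(policy: dict) -> set:
    """Collect every Allow action in an IAM policy document.
    Statement may be a single object or a list; Action may be a string or a list."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions

def audit_policy(policy_json: str) -> dict:
    """Compare a policy document (JSON text) to the expected permission set.
    'missing' are expected actions it lacks; 'extra' are actions it grants beyond
    the list (a wildcard such as ec2:* shows up here, since it is not an exact match)."""
    granted = policy_actions(json.loads(policy_json))
    return {"missing": sorted(EXPECTED_ACTIONS - granted),
            "extra": sorted(granted - EXPECTED_ACTIONS)}

# Constructed sample matching the article's permission list. The role ARN is a placeholder;
# the article states the iam:* permissions are scoped to viewing the Deep Security role.
EXPECTED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": sorted(a for a in EXPECTED_ACTIONS if a.startswith("ec2:"))},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:GetRolePolicy"],
         "Resource": "arn:aws:iam::123456789012:role/PLACEHOLDER-DeepSecurityRole"},
    ],
})

# Constructed sample of a drifted policy: grants ec2:* and has lost iam:GetRolePolicy.
DRIFTED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["ec2:*", "iam:GetRole"], "Resource": "*"},
})

if __name__ == "__main__":
    print(audit_policy(EXPECTED_POLICY_JSON))  # {'missing': [], 'extra': []}
    print(audit_policy(DRIFTED_POLICY_JSON))   # extra: ['ec2:*']; missing: 8 ec2 actions + iam:GetRolePolicy
```

The same check can be run against the live policy by feeding it the document returned for the role's inline policy, which is what the iam:GetRolePolicy permission above lets Deep Security itself read.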

AWS glossary

  • IAM – Amazon Identity and Access Management (IAM) is the section of the AWS console that deals with controlling access to AWS services and resources.
  • Permission – An IAM Permission is a statement that defines who has access to an AWS resource.
  • Policy – An IAM Policy is a container for multiple permissions.
  • Role – An IAM Role is a container for policies and can be attached to a user to give them access to AWS resources.
  • Cloud Formation Template – A Cloud Formation Template is a mechanism that automates the creation of a set of AWS resources.

For information on troubleshooting, see Issues adding your AWS account to Deep Security.