Configure an IAM role

An IAM role is only required if you are deploying the Deep Security AMI from AWS Marketplace with Pay as You Go billing. If you are deploying with Bring Your Own License (BYOL) billing, or if you are deploying from a CloudFormation template, you do not need to create the IAM role. For details on billing methods, see About billing and pricing.

Before you can launch Deep Security AMI from AWS Marketplace, you must configure the AWS Identity and Access Management (IAM) permissions for the instance. The Deep Security Manager instance needs an IAM role with appropriate permissions and trust relationships associated with it to be able to authenticate to the AWS Marketplace Metering Service and record software usage. This means that your instance must have the following:

  • Internet connection to AWS services
  • IAM role with appropriate permissions and trust relationships associated with it at the time of launch

IAM role requirements

Required IAM permission The IAM role you associate with the instance has to have the following IAM permission: aws-marketplace:MeterUsage The recommended method for giving the IAM role this permission is to attach the AWS managed policy AWSMarketplaceMeteringFullAccess to the role.
Required trust relationship The IAM role has to have a trust relationship with the ec2.amazonaws.com service. For information on how to change which trusted principles can access an IAM role, see Modifying a Role (AWS Management Console).

After you have created the IAM role and attached the AWSMarketplaceMeteringFullAccess policy to it and added ec2.amazonaws.com as a trusted service, make sure you select that role from the IAM role list on the Configure Instance Details page before you launch the instance.

For more information on IAM roles, see the AWS article IAM Roles for Amazon EC2.