Add an AWS account using an access key
Follow the instructions below to add an AWS account to Deep Security Manager using an access key. Use an access key if your Deep Security Manager is on a server outside of AWS, or if you have tried another method and it doesn't work. For all other scenarios, we recommend you use another method for adding AWS accounts. Access keys are discouraged because they must be rotated periodically for security reasons, which creates management overhead.
The term 'AWS Primary Account' will be used throughout this topic to describe the AWS account that contains the EC2 and WorkSpace instances that you want to add to the manager.
Next, configure an IAM policy
- In the Amazon Web Services Console, go to the IAM service.
- In the left navigation pane, click Policies.
If this is your first time on this page, you'll need to click Get Started.
- Click Create policy.
- Select the JSON tab.
- Copy the following JSON code into the text box:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "cloudconnector",
          "Action": [
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcs",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeSecurityGroups",
            "workspaces:DescribeWorkspaces",
            "workspaces:DescribeWorkspaceDirectories",
            "workspaces:DescribeWorkspaceBundles",
            "workspaces:DescribeTags",
            "iam:ListAccountAliases",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "sts:AssumeRole"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
The "sts:AssumeRole" permission is required only if you plan on adding more AWS accounts to the manager (using cross account roles).
The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.
- Click Review policy.
- Give the policy a name and description. Example name: Deep_Security_Policy.
- Click Create policy. Your policy is now ready to use.
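Because the policy above is meant to grant the manager read-only visibility (the Describe/Get/List actions plus the optional sts:AssumeRole for cross-account roles), it is worth checking a policy document before attaching it, so that a copy-and-paste mistake or a later edit does not silently turn it into something broader. The following script is an added example, not part of the Deep Security documentation or product: it parses an IAM policy document, confirms the actions this procedure requires are present, reports which of the optional actions are absent, and flags any action that is not read-only or that uses a wildcard. The over-broad second policy it checks is constructed here purely to show the detection.

```python
import json

# The policy document from the procedure above, copied verbatim.
DEEP_SECURITY_POLICY = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cloudconnector",
      "Action": [
        "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
        "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
        "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
        "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeTags",
        "iam:ListAccountAliases", "iam:GetRole", "iam:GetRolePolicy",
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}'''

# Actions the procedure requires unconditionally.
REQUIRED_ACTIONS = {
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
    "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeTags",
    "iam:ListAccountAliases",
}
# Actions the procedure describes as optional (recommended or cross-account only).
OPTIONAL_ACTIONS = {"iam:GetRole", "iam:GetRolePolicy", "sts:AssumeRole"}
# Everything the manager needs is read-only except the AssumeRole call.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def policy_actions(policy):
    """Collect every action granted by Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def check_policy(policy_text):
    """Compare a policy document against the set of actions this procedure expects."""
    actions = policy_actions(json.loads(policy_text))
    missing = sorted(REQUIRED_ACTIONS - actions)
    optional_absent = sorted(OPTIONAL_ACTIONS - actions)
    unexpected = sorted(actions - REQUIRED_ACTIONS - OPTIONAL_ACTIONS)
    # Anything that is not Describe/Get/List (and is not the AssumeRole exception)
    # grants the manager identity a capability this procedure never asks for.
    non_read_only = sorted(
        a for a in actions
        if a != "sts:AssumeRole" and not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)
    )
    wildcards = sorted(a for a in actions if "*" in a)
    return {
        "missing": missing,
        "optional_absent": optional_absent,
        "unexpected": unexpected,
        "non_read_only": non_read_only,
        "wildcard": wildcards,
        "ok": not missing and not unexpected and not non_read_only,
    }


def _constructed_overbroad_policy():
    """Constructed example: the same policy with two write/wildcard actions added and one required action dropped."""
    policy = json.loads(DEEP_SECURITY_POLICY)
    policy["Statement"][0]["Action"] += ["ec2:*", "ec2:TerminateInstances"]
    policy["Statement"][0]["Action"].remove("workspaces:DescribeTags")
    return json.dumps(policy)


OVERBROAD_POLICY = _constructed_overbroad_policy()

if __name__ == "__main__":
    for label, text in (("documented policy", DEEP_SECURITY_POLICY), ("over-broad policy", OVERBROAD_POLICY)):
        print(label, json.dumps(check_policy(text), indent=2))
```

Run it against the JSON you pasted into the console (for example by reading the file instead of the embedded string) before clicking Create policy; a non-empty "unexpected", "non_read_only" or "wildcard" list means the document has drifted from the read-only grant the manager needs.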
Next, create an IAM user with an access key ID and secret
- Go to the IAM service.
- Click Users.
- Click Add user.
- Enter a user name. Example: Deep_Security_IAM_User.
- For Access type, select Programmatic access.
- Click Next: Permissions.
- Click the Attach existing policies directly box.
- Find the IAM policy you just created and select the check box next to it.
- Click Next: Review.
- Click Create user. Your access key ID and secret access key are shown in the table.
- Copy the access key ID and secret access key to a safe location. You'll need them later.
Next, add the access key to the manager
- Log in to Deep Security Manager.
- Click Administration at the top.
- Click System Setting on the left.
- Click the Advanced tab in the main pane.
- Scroll to the bottom and look for the Manager AWS Identity heading.
- Next to Access Key (labelled "The Access Key of an AWS User used for the manager identity"), enter the access key ID of the IAM user you created previously.
- Next to Secret Key (labelled "The Secret Access Key of an AWS User used for the manager identity"), enter the secret access key of the IAM user you created previously.
- Click Save.
Finally, add your AWS Primary Account and its access key to the manager
- Click Computers at the top.
- Click Add > Add AWS Account.
- Select Use AWS Access Keys.
- Enter your AWS Primary Account's IAM user Access Key ID and Secret Access Key that you created previously.
- If your AWS Primary Account includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
Your AWS Primary Account's Amazon EC2 instances and Amazon WorkSpaces are loaded.
After completing the above tasks, proceed to Install the agent on your Amazon EC2 and WorkSpace instances if you have not done so already.