Add an AWS account using a cross-account role
Follow the instructions below to add an AWS account using a cross-account role. Use a cross-account role if you want to add multiple AWS accounts.
The instructions below assume you want to add AWS accounts with these names:
  • AWS Primary Account
  • AWS Account A
Tip
You can also add a cross-account role through the Deep Security API. See Add the account through the API for details.

First, add the AWS Primary Account

  • Complete all the tasks in Add an AWS account using a manager instance role to add the AWS Primary Account.

Next, find the AWS Primary Account identifier

  1. Make sure you're logged in to the AWS Primary Account.
  2. Go to the IAM service.
  3. Click Roles.
  4. Find the manager instance role that you created in Add an AWS account using a manager instance role. For example: Deep_Security_Manager_Instance_Role
  5. Select the role in the list to reveal its details.
  6. Look for the Role ARN field at the top of the page. Its value is similar to: arn:aws:iam::1111111111:role/Deep_Security_Manager_Instance_Role
  7. Note the role's account ID in the ARN. It is the number (1111111111). You'll need it later to create the cross-account role.
Alternatively, find the account ID in the Support Center:
  1. Make sure you're logged in to the AWS Primary Account.
  2. At the top-right of AWS, click Support > Support Center.
  3. Note the Account Number shown at the top-right (1111111111, in this example). You'll need it later to create the cross-account role.

Next, retrieve the external ID

  1. Log in to Deep Security Manager.
  2. Click Computers at the top.
  3. Click Add > Add AWS Account. A wizard appears.
  4. Click the eye icon next to the obscured external ID to reveal it. For more on this ID, see What is the external ID?
    Note
    If you don't see the eye icon, it might be because your Deep Security Manager AMI is out of date. To refresh it, perform a one-click upgrade.
  5. Copy the external ID to a secure place. You will need it in the next step to configure AWS Account A and any other AWS accounts you want to add.
  6. (Optional.) Close the wizard and the manager.

Next, configure an IAM policy for AWS Account A

Note
This IAM policy is the same as the policy for the AWS Primary Account, except it does not require the sts:AssumeRole permission.
  1. Make sure you're logged in to AWS Account A.
  2. In the Amazon Web Services Console, go to the IAM service.
  3. In the left navigation pane, click Policies.
    Note
    If this is your first time on this page, you'll need to click Get Started.
  4. Click Create policy.
  5. Select the JSON tab.
  6. Copy the following JSON code into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "workspaces:DescribeWorkspaces",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeTags",
                    "iam:ListAccountAliases",
                    "iam:GetRole",
                    "iam:GetRolePolicy"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    Note
    The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.
  7. Click Review policy.
  8. Give the policy a name and description. Example name: Deep_Security_Policy_Cross.
  9. Click Create policy. Your policy is now ready to use.

Next, create a cross-account role for AWS Account A

  1. Make sure you're logged in to AWS Account A.
  2. Go to the IAM service.
  3. In the left navigation pane, click Roles.
  4. In the main pane, click Create role.
  5. Click the Another AWS account box.
  6. In the Account ID field, enter the account ID of the AWS Primary Account that you noted in a previous step. For example: 1111111111
  7. Next to Options, enable Require external ID. In the External ID field, enter the external ID you retrieved from the manager earlier.
  8. Click Next: Permissions.
  9. Select the IAM policy that you just created (the example name was Deep_Security_Policy_Cross) and then click Next: Review.
  10. On the Review page, enter a role name and description. Example role name: Deep_Security_Role_Cross.
  11. On the main role page, search for the role you just created (Deep_Security_Role_Cross).
  12. Click it.
  13. Find the Role ARN field at the top. It looks similar to: arn:aws:iam::2222222222:role/Deep_Security_Role_Cross
  14. Note the Role ARN value. You'll need it later.
You now have a cross-account role under AWS Account A that includes the correct policy and references the manager instance role of the AWS Primary Account.

Next, add AWS Account A to the manager

  1. Log in to Deep Security Manager.
  2. Click Computers at the top.
  3. Click Add > Add AWS Account.
  4. Select Use Cross Account Role.
  5. Enter AWS Account A's Cross Account Role ARN. You noted this earlier, when you created the cross-account role. In this example, it is arn:aws:iam::2222222222:role/Deep_Security_Role_Cross
  6. If AWS Account A includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
  7. Click Next. AWS Account A's Amazon EC2 instances and Amazon WorkSpaces are loaded.
You have now added AWS Account A to the manager.
After completing the above tasks, proceed to Install the agent on your Amazon EC2 and WorkSpace instances if you have not done so already.

Add the account through the API

  1. If you don’t yet have the external ID, call the Deep Security /api/awsconnectorsettings endpoint to retrieve it (the ExternalId parameter). For more on this ID, see What is the external ID?
  2. In AWS, specify the external ID in your cross-account role's IAM trust policy.
  3. Use the /api/awsconnectors API endpoint to add AWS accounts to Deep Security. Do not use the /rest/cloudaccounts/aws API because it has been deprecated. See Action required if you are using cross account roles with the API /rest/cloudaccounts/aws for details on how long the /rest/cloudaccounts/aws API will continue to be supported and tips on how to move to the new endpoint.
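As an added check (example code, not part of this help page or of Deep Security), the following Python reviews a cross-account role's trust policy document before its ARN is handed to the manager: the trusted principal must be the AWS Primary Account, and an sts:ExternalId condition must match the external ID copied from the wizard, which is what the console's Require external ID option and API step 2 above produce. The account ID and external ID are placeholders, and both policy documents are constructed samples.

```python
# Constructed placeholders: the AWS Primary Account ID read from the manager
# instance role's ARN, and the external ID revealed in the Add AWS Account wizard.
PRIMARY_ACCOUNT_ID = "1111111111"
EXPECTED_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"


def trust_policy_findings(policy, primary_account, external_id):
    """Return problems found in a role's trust policy (AssumeRolePolicyDocument); [] if clean."""
    findings = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, s in enumerate(stmts):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # only Allow statements for sts:AssumeRole let the manager assume the role
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        # The trusted principal must be the primary account (its root or a role in it), never "*".
        if not aws or "*" in aws:
            findings.append(f"statement {i}: trusted principal is missing or a wildcard")
        elif not all(p == primary_account or f":{primary_account}:" in p for p in aws):
            findings.append(f"statement {i}: trusted principal is not in account {primary_account}")
        # Enabling Require external ID in the console adds this StringEquals condition.
        got = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif got != external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the manager's value")
    return findings


# Constructed sample: trust policy for "Another AWS account" with Require external ID enabled.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::1111111111:root"},
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}],
}

# Constructed sample: the same role, but Require external ID was left disabled.
NO_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::1111111111:root"}}],
}
```

Run `trust_policy_findings(doc, PRIMARY_ACCOUNT_ID, EXPECTED_EXTERNAL_ID)` on the document returned for the role; an empty list means the trust relationship matches what the procedure above configures.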