
Online Help Center

Add an AWS account using a manager instance role
Follow the instructions below to add an AWS account to Deep Security Manager using a manager instance role. Use this method if Deep Security Manager is running inside of AWS.
Note
The term 'AWS Primary Account' will be used throughout this topic to describe the AWS account under which your Deep Security Manager is located.

First, log in to the AWS Primary Account

  1. Go to Amazon Web Services at https://aws.amazon.com/.
  2. Sign in using your AWS Primary Account.

Next, configure an IAM policy

  1. In the Amazon Web Services Console, go to the IAM service.
  2. In the left navigation pane, click Policies.
  3. Click Create policy.
  4. Select the JSON tab.
  5. Copy the following JSON code into the text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "workspaces:DescribeWorkspaces",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeTags",
                    "iam:ListAccountAliases",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    The "sts:AssumeRole" permission is required only if you plan on adding more AWS accounts to the manager (using cross account roles).
    The "iam:GetRole" and "iam:GetRolePolicy" permissions are optional, but recommended because they allow Deep Security to determine whether you have the correct policy when an update to the manager occurs that requires additional AWS permissions.
  6. Click Review policy.
  7. Give the policy a name and description. Example name: Deep_Security_Policy.
  8. Click Create policy. Your policy is now ready to use.
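
The following is an added example, not part of the original help page or of Deep Security: a Python sketch that audits the policy from step 5 for actions that are not read-only, and builds a reduced variant that leaves out the permissions the page marks as optional. The function names, the `crossaccount` Sid, and the option to restrict `sts:AssumeRole` to specific role ARNs are assumptions introduced here; the page itself only documents the policy with `"Resource": "*"`.

```python
import copy
import json

# Policy from step 5 of this page, reproduced as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "cloudconnector",
        "Action": [
            "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
            "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
            "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
            "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceDirectories",
            "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeTags",
            "iam:ListAccountAliases", "iam:GetRole", "iam:GetRolePolicy", "sts:AssumeRole",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}
READ_ONLY_VERBS = ("Describe", "List", "Get")
POLICY_CHECK_ACTIONS = {"iam:GetRole", "iam:GetRolePolicy"}  # optional per the page


def non_read_only_actions(policy):
    """Return allowed actions whose verb is not Describe/List/Get."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in s["Action"]
            if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS)]


def tailor_policy(cross_account_role_arns=(), keep_policy_check=True):
    """Drop the permissions the page marks as optional when they are not needed."""
    policy = copy.deepcopy(PAGE_POLICY)
    drop = {"sts:AssumeRole"} | (set() if keep_policy_check else POLICY_CHECK_ACTIONS)
    base = policy["Statement"][0]
    base["Action"] = [a for a in base["Action"] if a not in drop]
    if cross_account_role_arns:
        # Assumption (not from the page): scope AssumeRole to the named roles.
        policy["Statement"].append({
            "Sid": "crossaccount", "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": list(cross_account_role_arns),
        })
    return policy


if __name__ == "__main__":
    print("not read-only:", non_read_only_actions(PAGE_POLICY))
    print(json.dumps(tailor_policy(), indent=4))
```

Run as a script, it prints the one action in the page's policy that is not a Describe/List/Get call, followed by a JSON policy for a manager that will not add further AWS accounts through cross account roles.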

Next, create a manager instance role

  1. Go to the IAM service.
  2. Click Roles.
  3. Click Create role.
  4. Make sure the AWS service box is selected.
  5. Click EC2 from the list of services. More options are revealed.
  6. Click EC2 Allows EC2 instances to call AWS services on your behalf. Click Next: Permissions.
  7. Select the check box next to the IAM policy you just created. Click Next: Review.
  8. Enter a Role name and Role description. Example role name: Deep_Security_Manager_Instance_Role
  9. Click Create role.

Next, attach the manager instance role to the manager in AWS

  1. Go to the EC2 service.
  2. Click Instances on the left, and select the check box next to the EC2 instance where your Deep Security Manager is installed.
  3. Click Actions > Instance Settings > Attach/Replace IAM Role.
  4. From the IAM role drop-down list, select the manager instance role (Deep_Security_Manager_Instance_Role).
  5. Click Apply.
You have now created a manager instance role with the correct IAM policy, and attached it to the Deep Security Manager's EC2 instance.

Next, configure the manager instance role in the manager

  1. In Deep Security Manager, click Administration at the top.
  2. Click System Settings on the left.
  3. Click the Advanced tab in the main pane.
  4. Scroll to the bottom and look for the Manager AWS Identity section.
  5. Make sure Use Manager Instance Role is selected.
    Note
    If Use Manager Instance Role does not appear, make sure that you attached the role to the EC2 instance where Deep Security Manager is installed, and then restart the Deep Security Manager. On restart, Deep Security detects the role of the manager's EC2 instance and displays the Use Manager Instance Role option.
  6. Click Save.

Finally, add the AWS Primary Account to the manager

  1. In Deep Security Manager, click Computers at the top.
  2. In the main pane, click Add > Add AWS Account.
  3. Select Use Manager Instance Role.
  4. If the AWS Primary Account includes Amazon WorkSpaces, select Include Amazon WorkSpaces to include them with your Amazon EC2 instances. By enabling the check box, you ensure that your Amazon WorkSpaces appear in the correct location in the tree structure in Deep Security Manager and are billed at the correct rate.
  5. Click Next.
Deep Security Manager uses the manager instance role that is attached to its Amazon EC2 instance to add the AWS Primary Account's EC2 and WorkSpace instances to Deep Security Manager.
You have now added the AWS Primary Account to Deep Security Manager. The Amazon EC2 instances and Amazon WorkSpaces under this AWS account are loaded.
After completing the above tasks, proceed to Install the agent on your Amazon EC2 and WorkSpace instances if you have not done so already.
© 2025 Trend Micro Incorporated. All rights reserved.