Issues adding your AWS account to Workload Security

When adding your AWS account to Workload Security, you may encounter the following issues.

AWS is taking longer than expected

If AWS is taking longer than expected, it might be because:

  1. The template is still running.

    While the Cloud Formation Template is running, Workload Security has no information on how far it has progressed or when it will finish; it is only notified once the template has completed successfully. Because of this, Workload Security applies a timeout that is triggered if the template has not completed within the expected time. A triggered timeout does not mean the template has failed; AWS could just be taking longer than usual.

    To check the status of the template, go to the Cloud Formation section of the AWS console and look for the status of the stack named DeepSecuritySetup. If the status field shows CREATE_IN_PROGRESS, the template is still running and more time is required.

  2. The template has failed to complete.

    If the status field in the Cloud Formation section of the AWS console shows ROLLBACK_IN_PROGRESS, ROLLBACK_COMPLETE, or CREATE_FAILED, then the template creation has failed within AWS. If this happens, go to the Events tab in the Cloud Formation interface to find more information about why the template failed.

    Contact Trend Micro technical support for help.

Resource is not supported in this region

The Cloud Formation Template creates a Lambda function to create the cross-account role. AWS Lambda is not currently supported in all regions, so if the Cloud Formation Template is run in a region that does not support Lambda then it will fail to create the cross-account role. By default, the link provided by the wizard will run the Cloud Formation Template in the US East (N. Virginia) region. The other regions that currently support Lambda are:

  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)
  • EU (Frankfurt)
  • EU (Ireland)
  • US East (N. Virginia)
  • US West (Oregon)

Template validation issue

The user running the Cloud Formation Template doesn’t have the required permissions to run the template.

In the IAM console, scroll down and find the user that is currently logged in and running the template. Open the user properties by double-clicking the user. Scroll down to the Managed Policies and Inline Policies section and click the Show Policy link on each policy shown. All of the permissions listed below must be contained in at least one of the policies attached to the user.

  • cloudformation:CreateStack
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStacks
  • cloudformation:EstimateTemplateCost
  • cloudformation:GetTemplate
  • cloudformation:GetTemplateSummary
  • cloudformation:ListStackResources
  • cloudformation:ListStacks
  • ec2:CreateTags
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeRegions
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVpcs
  • iam:AddRoleToInstanceProfile
  • iam:AttachRolePolicy
  • iam:CreateInstanceProfile
  • iam:CreatePolicy
  • iam:CreateRole
  • iam:DeleteInstanceProfile
  • iam:DeleteRole
  • iam:DeleteRolePolicy
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:PassRole
  • iam:PutRolePolicy
  • iam:RemoveRoleFromInstanceProfile
  • lambda:InvokeFunction
  • lambda:CreateFunction
  • lambda:GetFunctionConfiguration
  • sts:AssumeRole
  • sts:DecodeAuthorizationMessage
  • workspaces:DescribeWorkspaces
  • workspaces:DescribeWorkspaceDirectories
  • workspaces:DescribeWorkspaceBundles
  • workspaces:DescribeTags
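The two manual checks described above (reading the DeepSecuritySetup stack status, and confirming that the attached policies cover the required actions) can be scripted. The following is an added example, not Trend Micro's own tooling; it works on policy documents you have already downloaded (for instance from the Show Policy link), uses a constructed sample policy, and assumes a subset of the permission list above as its input.

```python
import fnmatch
import json

# Stack status values named above, grouped by what each means for the wizard.
IN_PROGRESS = {"CREATE_IN_PROGRESS"}
FAILED = {"ROLLBACK_IN_PROGRESS", "ROLLBACK_COMPLETE", "CREATE_FAILED"}

def classify_stack_status(status):
    """Translate a DeepSecuritySetup stack status into the advice given above."""
    if status in IN_PROGRESS:
        return "running"      # the template needs more time
    if status in FAILED:
        return "failed"       # check the Events tab, then contact support
    return "complete" if status == "CREATE_COMPLETE" else "unknown"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names match case-insensitively and may use '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_permissions(policy_documents, required_actions):
    """Return required actions that no policy allows or that a Deny statement blocks."""
    allowed, denied = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.extend(_as_list(stmt.get("Action", [])))
    return [a for a in required_actions
            if not _matches(a, allowed) or _matches(a, denied)]

# Constructed sample policy (not from a real account): it grants CloudFormation,
# EC2 read and IAM access, but explicitly denies PassRole and omits sts:AssumeRole.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "ec2:Describe*", "iam:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

REQUIRED_SUBSET = [  # a subset of the permission list above, used as this check's input
    "cloudformation:CreateStack", "ec2:DescribeInstances", "iam:CreateRole",
    "iam:PassRole", "lambda:CreateFunction", "sts:AssumeRole"]

if __name__ == "__main__":
    print(classify_stack_status("ROLLBACK_COMPLETE"))   # failed
    print(missing_permissions([SAMPLE_POLICY], REQUIRED_SUBSET))
```

Resource and Condition elements are ignored here, so a policy that passes this check can still be scoped too narrowly; treat a non-empty result as a definite gap, not an empty one as proof of sufficiency.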

Workload Security was unable to add your AWS account

The information that Workload Security received from AWS was incomplete.

If this happens, close the wizard and try running it again from the beginning, as there might have been a temporary system problem.

If the error happens a second time, contact technical support.