Topics on this page
About adding AWS accounts
Overview of methods for adding AWS accounts
There a few ways to add AWS accounts to Workload Security:
- Add an AWS account using the quick setup. Use this method to add one or more AWS accounts quickly.
- Add an AWS account using a cross-account role. Use this method if you want to add multiple AWS accounts, or if you don't want to use the quick setup.
What happens when you add an AWS account?
When you add an AWS account to Workload Security, all the Amazon EC2 and Amazon WorkSpace instances under that account are imported into Workload Security and become visible in one of these locations:
- EC2 instances appear on the left under Computers > your_AWS_account > your_region > your_VPC > your_subnet
- Amazon WorkSpaces appear on the left under Computers > your_AWS_account > your_region >WorkSpaces
Once imported, the EC2 and WorkSpace instances can be managed like any other computer. These instances are tree structures and are treated as computer groups.
If you previously added Amazon EC2 instances or Amazon WorkSpaces as individual computers, and they are part of your AWS account, after importing the account, the instances are moved into the tree structure described above.
What are the benefits of adding an AWS account?
The benefits of adding an AWS account (through the Workload Security console > Computers > Add AWS Account) instead of adding individual EC2 instances and WorkSpaces (through the Workload Security console > Computers > Add Computer), are:
- Changes in your EC2 and WorkSpaces inventory are automatically reflected in Workload Security. For example, if you delete a number of EC2 or WorkSpace instances in AWS, those instances disappear automatically from the Workload Security console. By contrast, if you use Computers > Add Computer, EC2 and WorkSpace instances that are deleted from AWS remain visible in the Workload Security console until they are manually deleted.
- Your EC2 and WorkSpace instances are organized into AWS region > VPC > subnet in the Workload Security console, which lets you easily see which instances are protected and which are not. Without the AWS account, all your EC2 and WorkSpace instances appear at the same root level under Computers.
- You get AWS metadata, which can be used in event-based tasks (EBTs) to simplify policy assignment. You can also use metadata with smart folders to organize your AWS instances.
- Your EC2 and WorkSpace instances are billed at the appropriate rate.
What AWS regions are supported?
Workload Security's Computers > Add > Add AWS Account option only supports AWS regions that use the global AWS Identity Access Management (IAM) service at
iam.amazonaws.com. To determine whether your region uses the global service, see this table.
At the time or writing, the following regions do not use the global IAM service (
- China (Beijing)
- China (Ningxia)
- AWS GovCloud (US-East)
- AWS GovCloud (US)
For the regions listed above, and any others that might not use the global IAM service, you can still load your EC2 and WorkSpace instances into Workload Security using the Deep Security REST API. Trend Micro has provided this sample script for your use.
Modify your AWS security group to allow outbound traffic over port 443
If you have AWS security groups that restrict outbound traffic, you need to allow outbound communication over port 443. To do so:
- Log in to your Amazon Web Services Console and click EC2.
- In the navigation pane, go to Network & Security > Security Groups.
- On the Security Group page, select the security group associated with your instances and edit the outbound rules for the group to allow traffic to all IPs over port 443.
You can also further restrict outbound traffic to only allow access to the Workload Security IPs used by Deep Security Agents.