
Migrate to the new cloud connector functionality

If you previously used the Add Cloud Account wizard to import Amazon Web Services resources into Deep Security as a Service, those resources are organized by AWS region on Computers. You may have run the wizard more than once if you have multiple AWS regions.

Workload Security can display your AWS instances under your AWS account name, organized in a hierarchy that includes the AWS Region, VPC, and subnet.

Before migrating your AWS resources, you need to edit the policy that allows Workload Security to access your AWS account:

  1. Log in to your Amazon Web Services Console and go to Identity and Access Management (IAM).
  2. In the left navigation pane, click Policies.
  3. In the list of policies, select the policy that allows Workload Security to access your AWS account.
  4. Go to the Policy Document tab and click Edit.
  5. Edit the policy document to include this JSON code:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cloudconnector",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeVpcs",
                    "iam:ListAccountAliases",
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

    The "sts:AssumeRole" permission is required only if you are using cross-account role access. For more information on IAM roles, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles.

  6. Select Save as default version.
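Because the policy above is what grants Workload Security read access to your account, it is worth confirming that the saved document grants exactly the documented actions and nothing broader. The following check is an added example, not part of this documentation or the Workload Security product; it embeds a constructed copy of the policy above and flags missing actions, extra or wildcard actions, and an `sts:AssumeRole` grant that is present without cross-account role access (or absent with it).

```python
import json

# Constructed copy of the policy document shown above (sample input for the check).
CLOUD_CONNECTOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "cloudconnector",
        "Effect": "Allow",
        "Action": ["ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
                   "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
                   "iam:ListAccountAliases", "sts:AssumeRole"],
        "Resource": ["*"],
    }],
})

# Read-only calls the connector needs in every deployment (from the documented policy).
REQUIRED_ACTIONS = {
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
    "iam:ListAccountAliases",
}
# Needed only when Workload Security assumes a role in another AWS account.
CROSS_ACCOUNT_ACTION = "sts:AssumeRole"


def check_cloud_connector_policy(policy_json, cross_account=False):
    """Return a list of findings; an empty list means the policy grants exactly
    the documented action set (plus sts:AssumeRole only when cross_account is True)."""
    policy = json.loads(policy_json)
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen what the connector can do
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM accepts a single string or a list here
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r} is broader than the connector needs")
            granted.add(action)
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action {action}")
    for action in sorted(granted - REQUIRED_ACTIONS - {CROSS_ACCOUNT_ACTION}):
        findings.append(f"unexpected extra action {action}")
    if CROSS_ACCOUNT_ACTION in granted and not cross_account:
        findings.append("sts:AssumeRole is granted but cross-account role access is not in use")
    if cross_account and CROSS_ACCOUNT_ACTION not in granted:
        findings.append("cross-account role access requires sts:AssumeRole")
    return findings
```

The `Resource` element is left at `"*"` because the EC2 Describe calls and `iam:ListAccountAliases` do not support resource-level restrictions; the action list is where least privilege is enforced for this policy.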

To migrate your AWS resources in the Workload Security console:

  1. In the Workload Security console, go to the Computers page.
  2. In the Computers tree, right-click an AWS region and select Upgrade to Amazon Account.
  3. Click Finish and then Close. Your AWS instances will now appear under your AWS account name, organized in a hierarchy that includes the AWS Region, VPC, and subnet.