Cloud Accounts


    The Cloud Accounts page shows all of your Dome9 managed cloud accounts.

    If your accounts are fully managed by Dome9, you can also actively set the protection of your Security Groups from here.

    Value to customers

    In the Cloud Accounts section, you can see all of your cloud accounts, on all platforms, in a single place.

    In addition, for managed accounts, you can apply changes centrally to all of these cloud accounts by defining and applying them in one place.


    Here are some typical use-cases to illustrate how controlling your Cloud Accounts from one central location can help you.

    • Search for Cloud Accounts - you can quickly search for specific cloud accounts across your entire cloud presence

    • Review security posture - you can assess your security position effectively by reviewing the protection state of all your security groups in one view

    • Apply uniform changes - if you expand or modify your cloud presence, for instance by adding additional services, or additional regions, you can modify the security policies consistently for all regions from one console

    • Respond to cloud account permissions behavior - if changes are made to one of your cloud accounts, inadvertently or maliciously, you will be notified immediately, and be able to take corrective action


    Actions from here

    View your Cloud Accounts

    The main page shows a list of all your Cloud accounts, on all cloud providers.

    Filter the list using the search box or filter options on the left. You can filter by Cloud Vendor, IAM Safety status, protection method (protected, read-only), and the number of assets or security groups.


    Filter the list of Cloud Accounts

    You can filter the list of accounts, using the filter panes on the left, or search for a specific account by name. 

    Use the Organizational Units filter to select accounts associated with specific Organizational Units, or the Filters pane to select accounts according to platform, Dome9 source (Compliance or Magellan), and other attributes.

    See Filtering


    Add a Cloud Account

    You can add cloud accounts, for all cloud providers, to Dome9 on the Cloud Accounts page. This adds the accounts to the Dome9 Console view of all your accounts. You do not create accounts on the cloud provider here (this is done on the cloud provider site). When you add a cloud account to Dome9, you can choose to manage it from Dome9 (Full Protection) or monitor it (Read-Only).

    1. Navigate to the Cloud Accounts page. This shows a list of the accounts that have been added to Dome9.

    2. Click ADD CLOUD ACCOUNT, and select the cloud provider.

    3. Follow the instructions to onboard a cloud account to Dome9, for the selected cloud provider.

      Onboard an AWS Account

      Onboard an Azure Subscription to Dome9

      Onboard a Google Cloud Account to Dome9


    View recently accessed Cloud Accounts

    You can see the accounts you recently accessed.

    Click RECENT CLOUD ACCOUNTS, and select one of the accounts.


    View Cloud Account details

    You can view details for a cloud account.

    From the main page, click on a cloud account link, to show more details. The details are organized by region (according to the cloud provider's regions).

    The left side shows general information for the account, including the cloud account number, date added to Dome9, the number of instances and security groups. The information varies, according to the cloud platform.


    Update Account Permissions

    If the cloud account Dome9 policies have missing permissions (to permit Dome9 to view or manage your account), this message will be shown:

    In the case above, the permissions are related to the Dome9-Connect policy (an AWS policy which enables Dome9 to connect to and manage your AWS accounts; see Onboard an AWS Account).

    Click Show more to see the missing permissions. The list shows the cloud resources that are missing each permission (lambda, in the example below), the permission type (tags), and the action for the resource that must be added (ListTags). It also shows the number of resources missing this permission (# Affected Entities); click on the link to see the specific resources.

    Click UPDATE PERMISSIONS to add the missing permissions to your account. This will open the onboarding procedure for the cloud provider (for AWS only); from there, follow the instructions to add the missing permissions to the Dome9 policy on your cloud account.

    To verify that the policies are updated (for AWS), see Dome9 AWS Policies & Permissions.

    Note: The system is unable to fetch updated data for entities which have missing permissions.
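
Added example (not Dome9 code): an offline check of an exported IAM policy document against a list of actions you expect it to grant, such as the lambda ListTags action in the case above. The sample policy and the function names are constructed for illustration, and Resource and Condition scoping is not evaluated.

```python
import json
import re

# Constructed sample policy document; NOT the real Dome9-Connect policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "lambda:GetFunction"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """True if any IAM action pattern ('*' and '?' wildcards) covers action."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        # IAM action names are case-insensitive.
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False


def missing_actions(policy, required):
    """Return the required actions the policy does not effectively allow.

    An explicit Deny overrides any Allow. Statements that use NotAction
    are ignored, so they never count as granting an action (conservative).
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if _matches(denied, a) or not _matches(allowed, a)]
```

Calling `missing_actions(SAMPLE_POLICY, ["lambda:ListTags"])` reports the action as missing until a statement allowing it is added to the policy.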


    Rename a Cloud Account

    You can rename a cloud account. This changes the name as it appears on the Dome9 console, but not on the cloud provider.

    1. Hover over the account name

    2. Click 

    3. Make your changes.

    4. Click  to save the changes (or  to cancel the changes).


    Edit Account Credentials

    It is possible to change the AWS IAM Role for a cloud account. The role must exist in your AWS account.

    1. Click on an account in the list of accounts on the main Cloud Accounts page.

    2. Click EDIT CREDENTIALS in the upper right.

    3. In the AWS console, open your AWS account and navigate to the IAM page, select Roles, and then copy the ARN for the role you wish to apply to the account in Dome9. See AWS IAM Roles.

    4. Enter (or paste) the ARN value in the Role ARN field.

    5. Click SAVE CHANGES.


    Remove a Cloud Account

    Click Remove to detach the selected Cloud Account from Dome9. This does not delete the account or any of its resources on the cloud provider.


    Select the Default Protection Mode for new Security Groups in AWS Accounts

    You can select the Protection Mode that Dome9 will apply to new security groups detected in accounts. Security Groups are defined and applied for each region separately in AWS.

    You can choose from the following options:

    Read-Only - new Security Groups will be included in Dome9 in Read-Only mode, without changes to any of the rules

    Full Protection - new Security Groups will be included in Dome9 in Full Protection mode, without changes to any of the rules

    Region Lock - new Security Groups will be included in Dome9 in Full Protection mode, and all inbound and outbound rules will be cleared.

    You can also set or change the Protection Mode for existing Security Groups, in all regions, for all of your AWS accounts.

    To set or modify the Protection Mode:

    1. Select an account from the list of accounts on the main page. This will show the regions for the account, and the number of Security Groups defined for each region.

    2. Click EDIT for a region. This will show a list of the Security Groups defined for the region.

    3. Select a Protection Mode to be applied by default to new Security Groups for the region.

    4. Select a Protection mode for each of the existing Security Groups in the region (click select entire region to apply a mode to all Security Groups in the region).


      Note: The account must have a Write Policy to apply Full Protection to a Security Group (see How to set a Security Group to Full Protection mode in Dome9).

    5. Click SAVE.