Onboard an AWS Account


    This topic explains how to add an AWS cloud account to Dome9. This onboarding process will add all regions and Security Groups in the AWS account to the Dome9 console, and enable you to manage the AWS Security Groups from Dome9.

    This is an essential and prerequisite step to managing Dome9 regions, security groups and instances.

    Dome9 Operational Modes for AWS accounts

    Dome9 has two operation modes for managing AWS accounts. The process of onboarding your cloud account to Dome9 varies according to the operational mode you want to use.

    • Read-Only - in this mode you can monitor and visualize your accounts in Dome9, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from Dome9

    • Full-Protection - in this mode you have all the capabilities of Read-Only mode but, in addition, you can use Dome9 to actively enforce access and tamper protection on your assets, manage your Security Groups, and control direct access to your cloud assets

    See AWS Security Group Management Considerations for more details on choosing an operation mode.

    You can change the operational mode for an account once it has been onboarded to Dome9.


    Notes before starting

    • Before beginning this procedure, decide which operation mode you wish to use for the account. See AWS Security Group Management Considerations.

    • You can choose an operation mode for each account separately, so some can be Read-Only, while others are Full-Protection.

    • If you use the Read-Only mode for an account, all Security Groups in the account will be Read-Only in Dome9 (you will actively manage them in the AWS console or some other application). However, if you use the Full-Protection mode for the account, you can choose to manage each Security Group separately as either Read-Only or Full-Protection.

    • At the end of the onboarding process all Security Groups will initially be in Read-Only mode in Dome9, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection); see Set a Security Group to Full Protection mode in Dome9 for details.

    • The Dome9 operation mode can be changed after your account has been onboarded.

    For information about policies see Dome9 AWS Policies & Permissions.


    Onboard an AWS account

    Follow these steps to onboard your AWS account to Dome9. Onboarding an AWS account involves adding policies and roles for Dome9 to use. Dome9 cannot make changes directly to your account, so the steps instruct you how to make the required changes yourself (and provide you with the JSON documents that you will need). The steps below apply to both Dome9 operational modes (some steps are applicable only for Full-Protection; these are indicated).

    1. On the Dome9 console navigate to Protect and select Add AWS Account.

    2. Select the Dome9 operation mode, Read-Only or Full-Protection, to be used for the account.

    3. Sign in to the AWS console (aws.amazon.com) in a new browser tab or window (keep the Dome9 console open, as you will be switching between the two in the following steps).

    4. Click Services and select the IAM service.

    5. Select Policies and click Create Policy.

    6. Select the JSON tab.

    7. Copy the Read-Only policy document from the instructions on the Dome9 console (step 5) and paste it unchanged into the AWS console.

    8. On the AWS console, click Review Policy.

    9. Name the policy (we suggest dome9-readonly-policy) and click Create Policy.

    10. If you selected Full-Protection mode for the account do the following:

      1. In the AWS console, select Policies and click Create Policy.

      2. Select the JSON tab.

      3. Copy the write policy document from the Dome9 console (step 10) and paste it unchanged into the AWS console.

      4. Click Review Policy.

      5. Name the policy (we suggest dome9-write-policy) and click Create Policy.

    11. In the Dome9 console, click NEXT.

    12. In the AWS console click Roles and then Create new Role.

    13. Select Role Type: Another AWS Account and, in the options, check the Require external ID option.

    14. Enter the following:

      1. Account ID: 634729597623

      2. External ID: copy the External Id from the Dome9 console

      3. Require MFA: NOT checked

    15. Click Next: Permissions.

    16. Select the following policies:

      1. SecurityAudit (AWS managed policy).

      2. AmazonInspectorReadOnlyAccess (AWS managed policy).

      3. dome9-readonly-policy, which you created before. You can search for 'dome9' in the filter.

      4. dome9-write-policy, which you created before (only if you selected Full-Protection mode for the account).

    17. Click Next: Review.

    18. Enter a Role Name (we recommend Dome9-Connect) and click Create Role.

    19. Search for the Role Name you entered in the previous step (use the search box), and click on it.

    20. Copy the Role ARN value, and enter it in the Role ARN field in the Dome9 console.

    21. Optionally, name the account. This will be the name shown on the screen; giving your accounts meaningful names can help you distinguish them when they are displayed.

    22. Click Finish.

    23. Review the onboarded cloud account summary.

    24. At the end of the onboarding process all the Security Groups will be in Read-Only mode. For accounts in Full-Protection mode, you can switch Security Groups to Full-Protection mode (or back).

    dome9-readonly-policy

    The dome9-readonly-policy is used by Dome9 to read information from your AWS account (in both operation modes). This information is used by all Dome9 functions: compliance, network security, etc.

    dome9-readonly-policy template (JSON):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Dome9ReadOnly",
                "Action": [
                    "cloudtrail:LookupEvents",
                    "elasticfilesystem:Describe*",
                    "firehose:Describe*",
                    "firehose:List*",
                    "kinesis:List*",
                    "kinesis:Describe*",
                    "kinesisvideo:Describe*",
                    "kinesisvideo:List*",
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:FilterLogEvents",
                    "lambda:List*",
                    "s3:List*",
                    "sns:ListSubscriptions",
                    "sns:ListSubscriptionsByTopic"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
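    The role created in steps 12-14 trusts the Dome9 account only when the caller presents the External ID from the Dome9 console, and the policy above is meant to grant read access only. The following is an added example (not Dome9's code or tooling) that builds the equivalent trust policy document and checks two things a reviewer would want confirmed before attaching anything: that the trust policy pins a non-empty sts:ExternalId, and that every action in the read-only policy uses a read-only verb. The External ID value and the read-only verb allowlist are assumptions; the account ID and the policy document come from this page.

```python
"""Checks for the IAM artefacts created while onboarding an AWS account to Dome9.

Added example, not Dome9 code. Assumptions are marked in comments.
"""
import json

# Dome9's AWS account ID, as given in step 14 of the onboarding procedure.
DOME9_ACCOUNT_ID = "634729597623"

# The dome9-readonly-policy document from this page, unchanged.
DOME9_READONLY_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Dome9ReadOnly",
            "Action": [
                "cloudtrail:LookupEvents",
                "elasticfilesystem:Describe*",
                "firehose:Describe*",
                "firehose:List*",
                "kinesis:List*",
                "kinesis:Describe*",
                "kinesisvideo:Describe*",
                "kinesisvideo:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:FilterLogEvents",
                "lambda:List*",
                "s3:List*",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
""")

# Verb prefixes that only read state. Assumption: this allowlist is the
# reviewer's choice, not a Dome9 or AWS definition.
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get", "Lookup", "Filter")


def build_trust_policy(external_id, trusted_account_id=DOME9_ACCOUNT_ID):
    """Trust policy equivalent to console steps 13-14: role type 'Another AWS
    Account', 'Require external ID' checked, 'Require MFA' not checked."""
    if not external_id:
        raise ValueError("external_id must be the External Id shown in the Dome9 console")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_requires_external_id(trust_policy):
    """True only if every statement that allows sts:AssumeRole pins a non-empty
    sts:ExternalId. A statement without that condition lets any caller in the
    trusted account assume the role (the confused-deputy gap the option closes)."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True


def non_read_only_actions(policy):
    """Return the Allow actions whose verb is not in the read-only allowlist.
    An empty list means the policy grants nothing beyond read access by verb;
    a bare '*' or 'service:*' is always reported."""
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                offenders.append(action)
    return offenders
```

    Run non_read_only_actions against the document you paste in step 7 (and against the write policy from step 10, where the offenders are expected and should match what the Full-Protection mode needs), and trust_policy_requires_external_id against the trust relationship shown on the role's Trust relationships tab after step 18.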

    Version updates:

    Mar 05 2018 - Added Kinesis permissions.