AWS Onboarding Troubleshooting

In this topic:

    The following article provide information regarding AWS Onboarding troubleshooting.

    Unable to add cloud account error:

    This error indicates that there may be a permissions problem,

    It can indicate that the AWS IAM Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.

    How to resolve this error

    1. Login to your AWS console (

    2. Click ‘Services’ and select the IAM service

    3. Click ‘Roles’ and search for the Role created for Dome9 ( Usually 'Dome9-Connect' ).

    4. On the Role 'permissions' tab verify you have all the required polices

      1. SecurityAudit (AWS Managed policy) - mandatory policy

      2. AmazonInspectorReadOnlyAccess’ (AWS managed policy). - mandatory policy (Required for AWS Inspector information).

      3. dome9-readonly-policy ( Created for Dome9 ) - mandatory policy

      4. dome9-write-policy( Created for Dome9 ) - (Required for Full protection mode)

    5. If any of the required polices is not attached, use the attach Policy button in order to attach the missing policies.

    6. Now it would be better to verify the External ID on the Role - click on 'Trust relationships' tab.

    7. Verify the 'External ID' is the same as given on Dome9 console. ( Note - the 'External ID' must not be empty ).

    8. If the External ID is empty or needs to be modified click on Edit trust relationship and correct it as required.

    9. Copy the Role ARN again to Dome9 Console and the External ID.

    10. Click on Finish


    Account already protected by Dome9 error

    This error indicates that the AWS cloud account is already protected by Dome9.

    It can be on the Dome9 account you are currently trying to add this cloud account on ,or on another Dome9 account.

    How to resolve this error

    First verify on Cloud Account page that you can find this cloud account,

    If not contact your system administrator to verify if there is another Dome9 account for the company.


    You are not subscribed to this service error

    This error indicates that the AWS cloud account you are trying to connect is not in valid state,

    In most cases it means that the registration process to AWS was not finished or that there is no verified defined payment method on the AWS cloud account.

    When the AWS cloud account is not in a valid state it's functionality is limited.

    How to resolve this error

    First, verify the AWS cloud account registration is completed.

    Then, if the registration is ok, verify the payment method is valid.


    Try to onboard the account again from scratch

    If after all those steps still there is an exception please try to delete all the created policies and to start the on-boarding from scratch: Onboard an AWS Account


    Contact Dome9 Support

    If after all those steps you still get an exception please contact support: