Convert Dome9 AWS Account Connection from IAM User to Cross Account Role

In this topic:

    Dome9 now supports connections to AWS accounts using AWS Cross Account Roles.

    Users who connected using IAM Users can now modify their Dome9 account to connect to their AWS accounts with Cross Account Roles. This is considered to be more secure than IAM User connections.

    The procedure below explains how to modify an account from IAM User to Cross Account Roles connections. The change cannot be reversed.

    The procedure has two stages:

    Stage 1: Change the account connection type in Dome9 (steps 1-6 and 19-21)

    Stage 2: Define the Role for Cross Account Role in AWS Console (steps 7-18)

    Stage 1: Change the account connection type in Dome9

    1. In the Dome9 console, navigate to Network Security, and select Cloud Accounts.

    1b. Select the AWS account to be converted, and then click EDIT CREDENTIALS in the upper right.

    2. Click Switch to IAM Role Method

    3. In the Cloud API Key window, click Generate. This will generate a new external ID. Copy and save this, as it will be needed later.

    4. A new External ID will be generated. Copy this external Id to a temporary location as you will need it shortly.

    5. The steps below will generate the AWS Role ARN.

    Next you will define the Cross Account Role in AWS using the AWS console.


    Stage 2: Define the Cross Account Role in the AWS Console

    6. Login to the AWS console (

    7. Click Services and select the IAM service

    8. Select Policies and click Create Policy.

    9. Click Create Your Own Policy.

    10. Name the policy (we suggest Dome9-Read-Only-Policy) and copy the appropriate policy document, use the latest policy document from Dome9 central, Add Account wizard.

    11. Click Create Policy. Repeat these steps for the Dome9-read-write-policy as well.

    12. Click Roles and Create New Role.

    13. Set the Role Name (we suggest Dome9-Connect) and click Next Step.

    14. Select Role for Cross-Account Access and then select Allows IAM users from a 3rd party AWS account to access this account.

    15. Enter the following details:

    • AccountId: 634729597623

    • External ID: enter the external id generated for you in the Dome9 account conversion screen (from step #5)

    • Require MFA: NOT checked

    16. Select the Dome9-Read-Only Policy that we created above, and attach it to the role.

    17. Select AWS Security Audit policy and attach it to the role.

    18. For Full Protection create the Dome9 full protection policy and attach it to the role. 19. Attach the Security Audit policy to the role.

    20. Copy the Role ARN and click Create Role.

    21. Enter the Role ARN in the field account conversion window in the Role ARN field (step #6, above).

    22. Click Save Changes. The process is complete.

    23. This step is optional. If the old AWS IAM user account that was previously used to connect to Dome9 is no longer used for anything else, it is a security best practice to remove it. Once the new Cross Account role integration method is fully tested, consider removing the unused AWS IAM user account.