Troubleshooting AWS Onboarding

This topic explains error messages and scenarios related to onboarding AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. accounts.

"Unable to add cloud account" Error

This error indicates that there may be a permissions problem.

It can indicate that the AWS IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.

  1. Log in to the AWS console (aws.amazon.com).

  2. Select Services and select the IAM service.

  3. Click Roles and search for the Role created for CloudGuard (Usually, CloudGuard-Connect).

  4. On the Role Permissions tab, make sure that you have all the required polices:

    1. AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy required for AWS Inspector information

    2. CloudGuard-readonly-policy (Created for CloudGuard) - mandatory policy

    3. CloudGuard-write-policy (Created for CloudGuard) - optional, required only for Full Protection mode

  5. If one of the required policies is not attached, click Attach Policy to attach the missing policies.

  6. To verify the External ID on the Role, click the Trust relationships tab.

  7. Verify that the External ID is the same as given on the CloudGuard portal.

    Note - The External ID must not be empty.

  8. If the External ID is empty or needs to be modified, click Edit trust relationship and correct it as required.

  9. Copy the Role ARN and External ID and paste them to the CloudGuard portal.

  10. Click Finish.

"Account is already protected by CloudGuard" Error

This error indicates that the AWS environment is already protected by CloudGuard.

It can be on the CloudGuard account you are currently trying to add this environment to or on another CloudGuard account.

First, make sure that you can find this environment on the Environments page.

If you cannot, contact your system administrator to verify if there is another CloudGuard account for the company.

"You are not subscribed to this service" Error

This error indicates that the AWS environment you are trying to connect is not in a valid state.

In most cases, it means that the registration process to AWS was not finished or that there is no verified defined payment method in the AWS environment.

When the AWS environment is not in a valid state, its functionality is limited.

First, make sure the AWS environment registration is completed.

Then, if the registration is correct, make sure that the payment method is valid.

Onboard the Account Again

If an exception persists, delete all the created policies and start onboarding from the beginning. See Onboarding AWS Environments.

Contact Check Point Support

If all these steps do not resolve the issue, contact Check Point Support Center.