Onboard an AWS Account


This topic explains how to add an AWS cloud account to CloudGuard Dome9. This onboarding process will add all regions and Security Groups in the AWS account to the Dome9 console, and enable you to manage the AWS Security Groups from Dome9.

This is an essential and prerequisite step to managing Dome9 regions, security groups and instances.

Dome9 Operational Modes for AWS accounts

Dome9 has two operation modes for managing AWS accounts. The process of onboarding your cloud account to Dome9 varies according to the operational mode you want to use.

  • Read-Only - in this mode you can monitor and visualize your accounts in Dome9, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage those entities from Dome9.

  • Full-Protection - in this mode you have all the capabilities of Read-Only mode and, in addition, you can use Dome9 to actively enforce access and tamper protection on your assets, manage your Security Groups, and control direct access to your cloud assets.

See AWS Security Group Management Considerations for more details on operation mode considerations.

You can change the operational mode for an account once it has been onboarded to Dome9.

Notes before starting

Before beginning this procedure, decide which operation mode you wish to use for the account. See AWS Security Group Management Considerations.

  • You can choose an operation mode for each account separately, so some can be Read-Only, while others are Full-Protection.
  • If you use the Read-Only mode for an account, all Security Groups in the account will be Read-Only in Dome9 (you will actively manage them in the AWS console or some other application). However, if you use the Full-Protection mode for the account, you can choose to manage each Security Group separately as either Read-Only or Full-Protection.
  • At the end of the onboarding process all Security Groups will initially be in Read-Only mode in Dome9, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection mode); see Full Protection mode - Tamper Protection in Dome9 for details.
  • The Dome9 operation mode can be changed after your account has been onboarded.

For details about policies, see Dome9 AWS Policies & Permissions.

For onboarding an AWS GovCloud or AWS China account, see Onboard an AWS GovCloud or AWS China account.

Onboard procedure

The onboarding procedure is done from the Dome9 UI, with step-by-step instructions presented on-screen for both Read-Only and Full-Protection modes. In the course of this procedure, you will be instructed to perform some actions on the AWS Console, and some on the Dome9 UI. You will also enter some information. When you have done all this, you click FINISH, and the onboarding process starts. This can take a few minutes, depending on the number of resources in the account.

Dome9 does not make changes to the permissions or roles definitions in your AWS account; these are done by you, following the on-screen instructions.
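Because the role and permissions are created by you in the AWS console, it is worth checking, before you click FINISH, that what you created matches the operation mode you chose: a role for a Read-Only account should not be able to change Security Group rules, and a role assumed by any third-party account should be restricted with an external ID. The following is an added example, not Dome9's published policy documents and not part of the original page; the account ID, external ID and the exact action lists are constructed placeholders, and the real values come from the Dome9 console and from Dome9 AWS Policies & Permissions. It builds a cross-account trust policy, shows an illustrative Read-Only permission set beside a Full-Protection one, and checks both against the mode you intend.

```python
import fnmatch
import json

# Placeholders, not real identifiers: the trusted account ID and the external ID
# are shown to you in the Dome9 console during onboarding.
TRUSTED_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "EXTERNAL-ID-SHOWN-IN-DOME9-CONSOLE"

# Illustrative set of EC2 actions that change Security Group rules or the
# groups attached to an instance. A role for an account onboarded in
# Read-Only mode should not be able to perform any of these.
MUTATING_SG_ACTIONS = frozenset({
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup",
    "ec2:ModifyInstanceAttribute",
})


def cross_account_trust_policy(account_id, external_id):
    """Trust policy letting another account assume this role only when it
    presents the agreed external ID (standard confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# Constructed identity policies for the two modes (illustrative, not Dome9's).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
}

FULL_PROTECTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
        ], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and similar fields."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_sg_mutations(policy):
    """Sorted list of mutating Security Group actions the policy's Allow
    statements cover (explicit Deny statements are not modelled here)."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in MUTATING_SG_ACTIONS if _action_matches(pattern, a))
    return sorted(allowed)


def trust_requires_external_id(trust_policy):
    """True only if every Allow sts:AssumeRole statement is conditioned on an
    external ID, and at least one such statement exists."""
    found = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:assumerole" not in [a.lower() for a in _as_list(stmt.get("Action", []))]:
            continue
        found = True
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return found


def role_matches_mode(policy, mode):
    """Read-Only roles must grant no SG mutations; Full-Protection roles must grant some."""
    mutations = allowed_sg_mutations(policy)
    return not mutations if mode == "Read-Only" else bool(mutations)


if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print("Read-Only role allows SG mutations:", allowed_sg_mutations(READ_ONLY_POLICY))
    print("Full-Protection role allows SG mutations:", allowed_sg_mutations(FULL_PROTECTION_POLICY))
    print("Read-Only policy fits Read-Only mode:", role_matches_mode(READ_ONLY_POLICY, "Read-Only"))
```

Run it before finishing onboarding and compare the output with the mode you selected; a broad grant such as `ec2:*` on a role intended for a Read-Only account is reported as allowing every mutating action, which is the case a reviewer most often misses.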

See also

Dome9 AWS Policies & Permissions

AWS Security Group Management Considerations