CloudGuard Dome9 Help

Onboard an AWS Account


This topic explains how to add an AWS cloud account to CloudGuard Dome9. This onboarding process will add all regions and Security Groups in the AWS account to the Dome9 console, and enable you to manage the AWS Security Groups from Dome9.

This is an essential and prerequisite step to managing Dome9 regions, security groups and instances.

Dome9 Operational Modes for AWS accounts

Dome9 has two operation modes for managing AWS accounts. The process of onboarding your cloud account to Dome9 varies according to the operational mode you want to use.

  • Read-Only - in this mode you can monitor and visualize your accounts in Dome9, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from Dome9

  • Full-Protection - in this mode you have all the capabilities of Read-Only mode but, in addition, you can use Dome9 to actively enforce access and tamper protection on your assets, manage your Security Groups, and control direct access to your cloud assets

See AWS Security Group Management Considerations for more details on operation mode considerations.

You can change the operational mode for an account once it has been onboarded to Dome9.

Notes before starting

Before beginning this procedure, decide which operation mode you wish to use for the account. See AWS Security Group Management Considerations.

  • You can choose an operation mode for each account separately, so some can be Read-Only, while others are Full-Protection.
  • If you use the Read-Only mode for an account, all Security Groups in the account will be Read-Only in Dome9 (you will actively manage them in the AWS console or some other application). However, if you use the Full-Protection mode for the account, you can choose to manage each Security Group separately as either Read-Only or Full-Protection.
  • At the end of the onboarding process all Security Groups will initially be in Read-Only mode in Dome9, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection); see Full Protection mode - Tamper Protection in Dome9 for details.
  • The Dome9 operation mode can be changed after your account has been onboarded.

For details about policies, see Dome9 AWS Policies & Permissions.

For onboarding an AWS GovCloud account, see Onboard an AWS GovCloud or AWS China account.

Onboard an AWS account

Follow these steps to onboard your AWS account to Dome9. Onboarding an AWS account involves adding an IAM Policy and an IAM Role for Dome9 to use. Dome9 does not make these changes directly to your account, so the steps will instruct you how to make the required changes yourself (and provide you with the JSON files that you will need). The steps below are for both Dome9 operational modes (some steps are applicable only for Full-Protection; these will be indicated).
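Before attaching the IAM policy for the mode you chose, it is worth confirming that the policy document actually matches that mode: a Read-Only policy must not grant any Security Group write action, while a Full-Protection policy does. The following is an added example, not one of the Dome9 JSON files; the two policy documents and the action list are constructed for illustration, and the check only looks at Allow statements (Deny statements, Conditions and Resource scoping are ignored), so it is a pre-attach sanity check rather than a full IAM evaluation.

```python
import fnmatch
import json

# Constructed sample policy documents (illustrative only, not Dome9's policy files).
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudtrail:LookupEvents"], "Resource": "*"}
    ],
})
FULL_PROTECTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress"],
         "Resource": "*"},
    ],
})

# EC2 actions that change Security Group rules, existence or instance membership.
SG_WRITE_ACTIONS = (
    "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:ModifyInstanceAttribute",
)

def allowed_actions(policy_json):
    """Collect Action patterns from Allow statements; a NotAction statement is treated as '*'."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:          # grants everything except the listed actions
            patterns.add("*")
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def sg_write_grants(policy_json):
    """Security Group write actions matched by any Allow pattern (IAM actions are case-insensitive)."""
    patterns = [p.lower() for p in allowed_actions(policy_json)]
    return sorted(a for a in SG_WRITE_ACTIONS
                  if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))

def classify_mode(policy_json):
    """'Read-Only' when no Security Group write action is granted, otherwise 'Full-Protection'."""
    return "Full-Protection" if sg_write_grants(policy_json) else "Read-Only"
```

A policy that classifies as Full-Protection while you intended Read-Only should be trimmed before the role is created, since the mode you pick in the Dome9 console does not narrow what the IAM role itself can do.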

See also

Dome9 AWS Policies & Permissions

AWS Security Group Management Considerations