This error indicates a permissions problem. Either the AWS IAM Role is missing a mandatory policy, or the "External ID" on the Role's trust relationship differs from the "External ID" shown in the CloudGuard console.
How to resolve this error
- Log in to your AWS console (aws.amazon.com).
- Click 'Services' and select the IAM service.
- Click 'Roles' and search for the Role created for CloudGuard (usually 'CloudGuard Dome9-Connect').
- On the Role's 'Permissions' tab, verify that all the required policies are attached:
  - SecurityAudit (AWS managed policy) - mandatory policy
  - AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
  - CloudGuard Dome9-readonly-policy (created for CloudGuard) - mandatory policy
  - CloudGuard Dome9-write-policy (created for CloudGuard) - required for Full Protection mode
- If any of the required policies is not attached, use the 'Attach Policy' button to attach the missing policies.
- Verify the External ID on the Role: click the 'Trust relationships' tab.
- Verify that the 'External ID' is the same as the one given in the CloudGuard console. (Note: the 'External ID' must not be empty.)
- If the External ID is empty or needs to be modified, click 'Edit trust relationship' and correct it as required.
- Copy the Role ARN and the External ID again into the CloudGuard console.
- Click 'Finish'.
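The same two checks (required policies attached, non-empty and matching External ID in the trust policy) can be run offline against the JSON that the AWS CLI commands `aws iam list-attached-role-policies --role-name <role>` and `aws iam get-role --role-name <role>` return. The following Python is an added example, not part of this article or of the CloudGuard product; it takes the policy and role names exactly as the article lists them (the IAM names in a given account may differ, so adjust the sets if they do), and all sample data in it is constructed, with placeholder account IDs and an intentionally empty External ID so that the second check fires.

```python
"""Offline check of a CloudGuard cross-account IAM role (added example).

Validates the JSON returned by `aws iam list-attached-role-policies` and
`aws iam get-role` against the policy names and the External ID rule the
article lists. All sample data below is constructed; nothing calls AWS.
"""
import json

# Policy names as the article lists them (assumption: the role in a given
# account uses these names; adjust the sets if it does not).
MANDATORY_POLICIES = {
    "SecurityAudit",
    "AmazonInspectorReadOnlyAccess",
    "CloudGuard Dome9-readonly-policy",
}
FULL_PROTECTION_POLICIES = {"CloudGuard Dome9-write-policy"}


def attached_policy_names(list_attached_output):
    """Extract PolicyName values from `aws iam list-attached-role-policies` output."""
    return [p["PolicyName"] for p in list_attached_output.get("AttachedPolicies", [])]


def missing_policies(names, full_protection=False):
    """Return the sorted list of required policies that are not attached."""
    required = set(MANDATORY_POLICIES)
    if full_protection:
        required |= FULL_PROTECTION_POLICIES
    return sorted(required - set(names))


def external_id_problems(trust_policy, expected_external_id):
    """Check every Allow / sts:AssumeRole statement of a trust policy document.

    Returns human-readable findings; an empty list means each AssumeRole
    statement requires exactly the expected, non-empty External ID.
    """
    findings = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM also accepts a single statement object
        statements = [statements]
    assume_role_seen = False
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        assume_role_seen = True
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {idx}: sts:ExternalId condition is missing or empty")
        elif external_id != expected_external_id:
            findings.append(f"statement {idx}: sts:ExternalId does not match the value "
                            "shown in the CloudGuard console")
    if not assume_role_seen:
        findings.append("no Allow statement for sts:AssumeRole found in the trust policy")
    return findings


def audit_role(list_attached_output, get_role_output, expected_external_id,
               full_protection=False):
    """Run both checks; returns an empty dict when the role passes."""
    report = {}
    missing = missing_policies(attached_policy_names(list_attached_output), full_protection)
    if missing:
        report["missing_policies"] = missing
    trust = get_role_output["Role"]["AssumeRolePolicyDocument"]
    problems = external_id_problems(trust, expected_external_id)
    if problems:
        report["external_id"] = problems
    return report


# Constructed sample of: aws iam list-attached-role-policies --role-name "CloudGuard Dome9-Connect"
SAMPLE_ATTACHED = json.loads("""
{"AttachedPolicies": [
  {"PolicyName": "SecurityAudit",
   "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
  {"PolicyName": "CloudGuard Dome9-readonly-policy",
   "PolicyArn": "arn:aws:iam::123456789012:policy/CloudGuard Dome9-readonly-policy"}
]}""")

# Constructed sample of: aws iam get-role --role-name "CloudGuard Dome9-Connect"
# (account IDs are placeholders; the External ID is deliberately empty)
SAMPLE_ROLE = json.loads("""
{"Role": {"RoleName": "CloudGuard Dome9-Connect",
  "Arn": "arn:aws:iam::123456789012:role/CloudGuard Dome9-Connect",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": ""}}}]}}}""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ATTACHED, SAMPLE_ROLE, "EXTERNAL-ID-FROM-CONSOLE",
                                full_protection=True), indent=2))
```

Against the constructed sample the report lists AmazonInspectorReadOnlyAccess and CloudGuard Dome9-write-policy as missing and flags the empty sts:ExternalId; the same code applied to real CLI output, with the External ID copied from the CloudGuard console, tells you which of the steps above still needs doing.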
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.