This error indicates a likely permissions problem.
It can mean that the AWS IAM Role is missing a mandatory policy, or that the "External ID" on the Role differs from the "External ID" given to CloudGuard Dome9.
How to resolve this error
- Log in to your AWS console (aws.amazon.com)
- Click Services and select the IAM service
- Click Roles and search for the Role created for CloudGuard Dome9 (usually 'CloudGuard Dome9-Connect').
- On the Role's 'Permissions' tab, verify that all the required policies are attached:
  - SecurityAudit (AWS managed policy) - mandatory policy
  - AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
  - CloudGuard Dome9-readonly-policy (created for CloudGuard Dome9) - mandatory policy
  - CloudGuard Dome9-write-policy (created for CloudGuard Dome9) - required for Full Protection mode
- If any of the required policies is not attached, use the Attach Policy button to attach the missing policies.
- Next, verify the External ID on the Role: click the 'Trust relationships' tab.
- Verify that the 'External ID' is the same as the one given in the CloudGuard Dome9 console. (Note: the 'External ID' must not be empty.)
- If the External ID is empty or needs to be modified, click Edit trust relationship and correct it as required.
- Copy the Role ARN and the External ID again into the CloudGuard Dome9 console.
- Click Finish
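The two checks above (required policies attached, and a non-empty External ID on the trust policy that matches the one given to CloudGuard) can also be run offline against a copy of the Role's trust policy document and its list of attached policy names. The script below is an added example, not part of this article or of CloudGuard Dome9; the sample trust policy, the account ID and the External ID value in it are constructed placeholders.

```python
import json

# Policy names as listed in the troubleshooting steps above.
MANDATORY_POLICIES = {"SecurityAudit", "AmazonInspectorReadOnlyAccess",
                      "CloudGuard Dome9-readonly-policy"}
FULL_PROTECTION_POLICIES = {"CloudGuard Dome9-write-policy"}

# Constructed sample trust policy (account ID and External ID are placeholders).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})


def missing_policies(attached, full_protection=False):
    """Names of required policies that are not attached to the Role."""
    required = set(MANDATORY_POLICIES)
    if full_protection:
        required |= FULL_PROTECTION_POLICIES
    return sorted(required - set(attached))


def check_external_id(trust_policy_json, expected_external_id):
    """List problems with the Role's External ID condition (empty list = OK).

    Every Allow statement granting sts:AssumeRole must carry a StringEquals
    sts:ExternalId condition that is non-empty and equals the expected value.
    """
    problems = []
    if not expected_external_id:
        problems.append("expected External ID is empty")
    statements = json.loads(trust_policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single bare statement
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        role_ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not role_ext_id:
            problems.append(f"statement {i}: missing or empty sts:ExternalId condition")
        elif role_ext_id != expected_external_id:
            problems.append(f"statement {i}: External ID does not match the one given to CloudGuard")
    return problems
```

A missing `sts:ExternalId` condition is reported as a problem even when the ID would otherwise match, since it is the condition that stops the Role from being assumed without the ID.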
This solution has been verified for the specific scenario described by the combination of Product, Version and Symptoms. It may not work in other scenarios.