Support Center > Search Results > SecureKnowledge Details
CloudGuard Native AWS Onboarding Troubleshooting Technical Level

AWS Onboarding Troubleshooting

 This article provides information regarding AWS Onboarding troubleshooting.

Unable to add cloud account error:

This error indicates a possible permissions problem.

It can indicate that the AWS IAM Role is missing a mandatory policy, or that the External ID is different from the External ID given to the AWS IAM Role.

How to resolve this error

  1. Login to your AWS console (

  2. Click Services and select the IAM service.

  3. Click Roles and search for the Role created for CloudGuard Native (Usually, CloudGuard-Connect or Dome9-Connect).

  4. On the Role Permissions tab verify you have all the required polices:

    1. AmazonInspectorReadOnlyAccess (AWS-managed policy) - mandatory policy, required for AWS Inspector information
    2. CloudGuard-readonly-policy (Created for CloudGuard Native) - mandatory policy

    3. CloudGuard-write-policy (Created for CloudGuard Native) - optional, required only for Full Protection mode

  5. If any of the required polices is not attached, click Attach Policy to attach the missing policies.

  6. Verify the External ID on the Role and click the Trust relationships tab.

  7. Verify that the External ID is the same as given on CloudGuard Native console.
    Note: The External ID must not be empty.

  8. If the External ID is empty or needs to be modified, click Edit trust relationship and correct it as required.

  9. Copy the Role ARN and External ID and paste to CloudGuard Native console.

  10. Click Finish.


Account is already protected by CloudGuard Native error


This error indicates that the AWS cloud account is already protected by Dome9.

It can be on the CloudGuard Native account you are currently trying to add this cloud account on ,  or on another CloudGuard Native account.

How to resolve this error

First verify on Assets page that you can find this environment.

If you cannot, contact your system administrator to verify if there is another CloudGuard Native account for the company.

You are not subscribed to this service error


This error indicates that the AWS cloud account you are trying to connect is not in a valid state.

In most cases, it means that the registration process to AWS was not finished or that there is no verified defined payment method on the AWS cloud account.

When the AWS cloud account is not in a valid state its functionality is limited.

How to resolve this error

First, verify the AWS cloud account registration is completed.

Then, if the registration is correct, verify that the payment method is valid.

Try to onboard the account again from the beginning

If an exception persists, try to delete all the created policies and to start onboarding from the beginning. See Onboard an AWS Account.

Contact CloudGuard Native Support

If these steps do not resolve the issue, open a support ticket.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document