Support Center > Search Results > SecureKnowledge Details
CloudGuard Dome9 AWS Onboarding Troubleshooting Technical Level

AWS Onboarding Troubleshooting

AWS Onboarding Troubleshooting


This article provides information regarding AWS Onboarding troubleshooting.

Unable to add cloud account error:

This error indicates that there may be a permissions problem,

It can indicate that the AWS IAM Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.

How to resolve this error

  1. Login to your AWS console (

  2. Click ‘Services’ and select the IAM service

  3. Click ‘Roles’ and search for the Role created for Dome9 ( Usually 'Dome9-Connect' ).

  4. On the Role 'permissions' tab verify you have all the required polices

    1. SecurityAudit (AWS Managed policy) - mandatory policy

    2. ’AmazonInspectorReadOnlyAccess’ (AWS managed policy). - mandatory policy (Required for AWS Inspector information).

    3. dome9-readonly-policy ( Created for Dome9 ) - mandatory policy

    4. dome9-write-policy( Created for Dome9 ) - (Required for Full protection mode)

  5. If any of the required polices is not attached, click Attach Policy to attach the missing policies.

  6. Verify the External ID on the Role - click on 'Trust relationships' tab.

  7. Verify the 'External ID' is the same as given on Dome9 console. ( Note - the 'External ID' must not be empty ).

  8. If the External ID is empty or needs to be modified, click Edit trust relationship and correct it as required.

  9. Copy the Role ARN again to Dome9 Console and the External ID.

  10. Click Finish.


Account already protected by Dome9 error


This error indicates that the AWS cloud account is already protected by Dome9.

It can be on the Dome9 account you are currently trying to add this cloud account on ,or on another Dome9 account.

How to resolve this error

First verify on Cloud Account page that you can find this cloud account,

If not contact your system administrator to verify if there is another Dome9 account for the company.

You are not subscribed to this service error


This error indicates that the AWS cloud account you are trying to connect is not in valid state,

In most cases it means that the registration process to AWS was not finished or that there is no verified defined payment method on the AWS cloud account.

When the AWS cloud account is not in a valid state it's functionality is limited.

How to resolve this error

First, verify the AWS cloud account registration is completed.

Then, if the registration is ok, verify the payment method is valid.

Try to onboard the account again from scratch

If there is still an exception,  try to delete all the created policies and to start the onboarding from scratch. See Onboard an AWS Account.

Contact Dome9 Support

If these steps do not resolve the issue, open a support ticket.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document