Convert Dome9 AWS Account Connection from IAM User to Cross Account Role
Solution


Dome9 now supports connections to AWS accounts using AWS Cross Account Roles.

Users who connected using IAM Users can now modify their Dome9 account to connect to their AWS accounts with Cross Account Roles. This is considered more secure than an IAM User connection, because no long-lived access keys have to be created and shared with Dome9.

The procedure below explains how to modify an account from IAM User to Cross Account Roles connections. The change cannot be reversed.

The procedure has two stages:

Stage 1: Change the account connection type in Dome9 (Stage 1, steps 1-4, and then Stage 2, steps 16-18, which return to the Dome9 console)

Stage 2: Define the Cross Account Role in the AWS Console (Stage 2, steps 1-15)

Stage 1: Change the account connection type in Dome9

  1. In the CloudGuard Dome9 console, navigate to Cloud Inventory, and select Cloud Accounts.

  2. Select the AWS account to be converted, and then click EDIT CREDENTIALS in the upper right.

  3. Click Generate. This will generate a new external ID. Copy and save this, as it will be needed later.

  4. Keep this box open until the steps in the next stage are completed (during which the Role ARN value will be obtained).

Stage 2: Define the Cross Account Role in the AWS Console

  1. Log in to the AWS console (aws.amazon.com).
  2. Click Services and select the IAM service.

  3. Select Policies (on the left), and then click Create Policy.

  4. Select the JSON tab, and paste this policy statement:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "Dome9ReadOnly",
                 "Action": [
                     "cloudtrail:LookupEvents",
                     "dynamodb:DescribeTable",
                     "elasticfilesystem:Describe*",
                     "elasticache:ListTagsForResource",
                     "firehose:Describe*",
                     "firehose:List*",
                     "guardduty:Get*",
                     "guardduty:List*",
                     "kinesis:List*",
                     "kinesis:Describe*",
                     "kinesisvideo:Describe*",
                     "kinesisvideo:List*",
                     "logs:Describe*",
                     "logs:Get*",
                     "logs:FilterLogEvents",
                     "lambda:List*",
                     "s3:List*",
                     "sns:ListSubscriptions",
                     "sns:ListSubscriptionsByTopic",
                     "waf-regional:ListResourcesForWebACL"
                 ],
                 "Effect": "Allow",
                 "Resource": "*"
             }
         ]
     }

  5. Click Review Policy.
  6. Name the policy (we suggest Dome9-Read-Only-Policy) and then click Create Policy.
  7. Repeat the preceding steps to create another policy, using this policy statement, and name the policy Dome9-read-write-policy.

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "Dome9Write",
                 "Action": [
                     "ec2:AuthorizeSecurityGroupEgress",
                     "ec2:AuthorizeSecurityGroupIngress",
                     "ec2:CreateSecurityGroup",
                     "ec2:DeleteSecurityGroup",
                     "ec2:RevokeSecurityGroupEgress",
                     "ec2:RevokeSecurityGroupIngress",
                     "ec2:ModifyNetworkInterfaceAttribute",
                     "ec2:CreateTags",
                     "ec2:DeleteTags"
                 ],
                 "Effect": "Allow",
                 "Resource": "*"
             }
         ]
     }

  8. In the AWS IAM console, select Roles, and then click Create New Role.

  9. Select Another AWS account for the type of trusted entity.

  10. Enter the following details:
    • Account Id: 634729597623
    • External ID: enter the External ID generated for you in the Dome9 account conversion screen (from Stage 1, step 3, above)
    • Require MFA: NOT checked
  11. Click Next: Permissions.
  12. Select the Dome9-Read-Only-Policy created above, the AWS managed SecurityAudit and AmazonInspectorReadOnlyAccess policies, and (optionally, if the account is in Full Protection) the Dome9-read-write-policy.
  13. Click Next: Tags, and then Next: Review.
  14. Enter a name for the role, and then click Create Role.
  15. In the Summary page, select the new role, and copy the Role ARN.

  16. In the Dome9 console, enter the Role ARN value in the Edit Role Credentials box for the AWS account (step 4 in the previous stage).
  17. Click SAVE CHANGES.
  18. This step is optional. If the old AWS IAM user that was previously used to connect to Dome9 is not used for anything else, removing it is a security best practice. Once the new Cross Account Role integration has been fully tested, consider deleting the unused IAM user.
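The console wizard in steps 8-10 writes a role trust policy behind the scenes; the following added example (not Check Point's or Dome9's code) builds the equivalent trust policy from the account ID on this page and a Dome9-generated External ID, and checks an existing trust policy for the two settings that matter for security: that only the Dome9 account is trusted, and that the sts:ExternalId condition is present and correct. The External ID values are constructed placeholders.

```python
import json

# Account ID that step 10 of the procedure names as the trusted entity.
DOME9_ACCOUNT_ID = "634729597623"


def build_trust_policy(external_id, trusted_account=DOME9_ACCOUNT_ID):
    """Trust policy equivalent to the console choices in steps 9-10: trusted entity
    'Another AWS account', the Dome9 account ID, the Dome9-generated External ID,
    and 'Require MFA' left unchecked (so no MFA condition is added)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _account_of(principal):
    # Accepts a bare account ID or an ARN such as arn:aws:iam::123456789012:root
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def trust_policy_issues(policy, expected_external_id, trusted_account=DOME9_ACCOUNT_ID):
    """Check a role's trust policy against what the procedure requires.
    Returns a list of problems; an empty list means the policy is as expected."""
    issues = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # only statements that grant AssumeRole are relevant here
        principals = stmt.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p == "*":
                issues.append("wildcard principal: any AWS account could assume the role")
            elif _account_of(p) != trusted_account:
                issues.append("unexpected trusted account: " + p)
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            issues.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            issues.append("sts:ExternalId differs from the value generated in Dome9")
    return issues


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("EXT-ID-FROM-DOME9"), indent=4))  # constructed External ID
```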
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
