To better align with AWS best practices and improve AWS account security, we have made two changes to the process of adding a new AWS account to Deep Security using cross-account roles:
- The same AWS role ARN / external ID combination can no longer be used in more than one Deep Security as a Service account at the same time.
- Previously, when using a cross-account role for authentication, Deep Security required two pieces of information: a role ARN and an external ID trusted by that role. Under the new process Deep Security generates the external ID itself and requires that the trust policy of the role you provide include that external ID as a condition on sts:AssumeRole. This gives stronger isolation between tenants in shared Deep Security environments and ensures that a strong, hard-to-guess external ID is always used rather than one chosen by the customer.
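Before submitting a role ARN, it is worth confirming that the role's trust policy actually binds the sts:AssumeRole grant to the external ID you were given, and that no statement grants sts:AssumeRole without that condition. The following check is an added example, not Trend Micro's or Deep Security's code; the account ID, external ID and policy documents in it are constructed placeholders, and the function name trust_policy_requires_external_id is an assumption of this example.

```python
"""Check that an IAM role's trust policy requires a given external ID.

Added example, not Trend Micro's or Deep Security's code. Before handing a
role ARN to Deep Security, confirm that every statement granting
sts:AssumeRole is conditioned on the external ID Deep Security supplied.
The policy documents and IDs below are constructed placeholders.
"""
import json

# Constructed placeholder values: the account ID and external ID are not real.
TRUSTED_ACCOUNT_ARN = "arn:aws:iam::111122223333:root"
EXTERNAL_ID = "example-external-id-supplied-by-deep-security"

# A trust policy that binds the grant to the external ID (what we want).
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": TRUSTED_ACCOUNT_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# The same grant with no external ID condition: the trusted account can use
# this role on behalf of any of its tenants (the confused deputy problem).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": TRUSTED_ACCOUNT_ARN},
        "Action": ["sts:AssumeRole"],
    },
}


def _as_list(value):
    """IAM accepts a string or a list of strings in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement):
    """True for an Allow statement whose Action covers sts:AssumeRole."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return statement.get("Effect") == "Allow" and bool(
        actions & {"sts:assumerole", "sts:*", "*"})


def _external_ids_required(statement):
    """External IDs the statement insists on via StringEquals sts:ExternalId.

    IAM condition keys are case-insensitive, so the key is compared lowercased.
    """
    required = set()
    for operator, block in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            continue
        for key, value in block.items():
            if key.lower() == "sts:externalid":
                required.update(_as_list(value))
    return required


def trust_policy_requires_external_id(policy_doc, external_id):
    """Return (ok, problems) for a trust policy given as a dict or JSON text.

    ok is True only when some statement grants sts:AssumeRole with the
    expected external ID and no statement grants it without one. A role
    dedicated to Deep Security should have no unconditioned grant at all.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    problems = []
    matched = False
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _grants_assume_role(stmt):
            continue
        required = _external_ids_required(stmt)
        if not required:
            problems.append(f"statement {idx}: sts:AssumeRole allowed "
                            "without an sts:ExternalId condition")
        elif external_id in required:
            matched = True
        else:
            problems.append(f"statement {idx}: sts:ExternalId condition "
                            "does not include the expected value")
    if not matched:
        problems.append("no statement grants sts:AssumeRole with the expected external ID")
    return (not problems, problems)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        ok, problems = trust_policy_requires_external_id(json.dumps(doc), EXTERNAL_ID)
        print(name, "OK" if ok else "REJECT", problems)
```

To run this against a real role, fetch the document with `aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument` and pass the returned JSON to trust_policy_requires_external_id together with the external ID Deep Security gave you. The check deliberately treats any unconditioned sts:AssumeRole grant as a failure, since a role created for Deep Security should not be assumable without the external ID.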
We have introduced /api/awsconnectors, which supports the new process for adding AWS cloud accounts to Deep Security. Please see the online help center article for details.
With the introduction of /api/awsconnectors, responses to calls to /rest/cloudaccounts/aws now include a Deprecation header. This does not change the behaviour of that endpoint yet.
As of June 1, 2020, in Deep Security as a Service any call to the deprecated /rest/cloudaccounts/aws that attempts to add an AWS cloud account using a cross-account role with a customer-provided external ID will be rejected as an invalid request. To continue adding cloud accounts with a cross-account role, update your automation scripts to use the new /api/awsconnectors API before that date.
For on-premises customers, this change takes effect in Deep Security 20.
If you have any questions or concerns, please contact Technical Support directly or your assigned Customer Service Manager.