Configuring AWS for cross-account support
- Last Updated Mar 14, 2025
In AWS, the database (RDS) and the Imperva Gateway (EC2 instance) live in separate accounts, so each account must be configured separately. The Gateway (EC2) account gets a role that is allowed to assume a role in the RDS account; the RDS account gets that role, which trusts the Gateway role and is permitted to list the database instances and download their log files. The Gateway instance then uses the role chain to read the logs across the account boundary.
To configure your AWS EC2 account (DAM Gateway and MX) for cross-account support:
- Configure a policy:
- In your AWS EC2 account, under IAM > Policies, select an existing policy or create a new one.
- Under the Permissions tab, verify that the policy document below appears. If it does not, edit the document so that it reads exactly as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<<rdsAccount>>:role/<<rdsAccount-Role>>"
}
]
}
Where <<rdsAccount>> is the 12-digit account ID of your RDS account and <<rdsAccount-Role>> is the name of the role you will create in that account in the second procedure below (decide on the role name now, because this policy must name it before the role exists).
- Save the changes in the normal way.
- Create a new role:
- Under IAM > Roles, click Create role.
- Click AWS Service.
- Under Use case, click EC2.
- Click Next.
- In the Add permissions window, check the box next to the policy you configured in step 1.
- Click Next.
- Type a Role name of your choice.
- Click Create role.
Selecting the EC2 use case gives the role the following trust policy, which lets the EC2 service assume the role on behalf of the Gateway instance, and also creates an instance profile of the same name (the instance profile is what you attach to the instance in the last procedure):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
To configure your AWS RDS account (database) for cross-account support:
- Configure a policy:
- In your AWS RDS account, under IAM > Policies, select an existing policy or create a new one.
- Under the Permissions tab, verify that the policy document below appears. If it does not, edit the document so that it reads exactly as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBLogFiles",
"rds:DescribeDBInstances",
"rds:DownloadCompleteDBLogFile"
],
"Resource": "*"
}
]
}
These three actions are all the Gateway needs: list the DB instances, list each instance's log files, and download them. With "Resource": "*" the role can read the logs of every RDS instance in the account; if only specific instances are monitored, restrict Resource to their ARNs (arn:aws:rds:<region>:<<rdsAccount>>:db:<db-instance-identifier>) instead.
- Save the changes in the normal way.
- Create a new role:
- Under IAM > Roles, click Create role.
- Click Custom trust policy.
- Under Custom trust policy, edit the Principal so that it names the Gateway role: replace <<gwAccount>> with the account ID of the Gateway (EC2) account and <<gwAccount-Role>> with the name of the role you created in the Gateway account procedure above (its Create a new role step).
- Click Next.
- In the Add permissions window, check the box next to the policy you configured in step 1.
- Click Next.
- Type a Role name of your choice.
- Click Create role.
The resulting trust policy must read as follows. Name the Gateway role's full ARN as the principal rather than the account root (arn:aws:iam::<<gwAccount>>:root): trusting the root would let any principal in the Gateway account that holds sts:AssumeRole permission assume this role and read the database logs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<<gwAccount>>:role/<<gwAccount-Role>>"
},
"Action": "sts:AssumeRole"
}
]
}
To configure your EC2 instances for the DAM Gateway and MX:
- After creating the EC2 instances in the normal way (for more information, see Deploying SecureSphere Servers on AWS), attach the Gateway instance to the role you created for the EC2 account in the first procedure above.
- Under EC2 > Instances, select your Gateway instance.
- From the Actions menu, choose Security > Modify IAM role.
- From the IAM role drop down list, select your Gateway role.
- Click Update IAM role.
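The two account procedures above produce four IAM documents that must agree with each other: the Gateway policy's Resource must be the RDS role's ARN, the RDS role's trust policy must name the Gateway role's ARN, and the RDS policy must grant the three rds: actions. The following script is an added example (not Imperva's code) that builds those documents for given account IDs and role names and cross-checks a set of documents for exactly those conditions, flagging an account-root principal and an unscoped Resource "*" as least-privilege findings. The account IDs and role names in it are placeholders (assumptions), not values from this page.

```python
"""Build and cross-check the IAM documents for the Imperva DAM Gateway / RDS
cross-account setup.  Added example, not Imperva's code: the account IDs and
role names used below are placeholders (assumptions), not values from the page."""
import fnmatch
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# The three RDS actions the page's RDS-account policy grants.
RDS_LOG_ACTIONS = frozenset({"rds:DescribeDBLogFiles", "rds:DescribeDBInstances",
                             "rds:DownloadCompleteDBLogFile"})


def role_arn(account_id, role_name):
    """Build a role ARN, rejecting malformed account IDs early."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_documents(gw_account, gw_role, rds_account, rds_role, db_resource="*"):
    """Return the four documents the procedure creates, keyed by purpose.
    db_resource lets you scope the RDS policy to a DB instance ARN instead of '*'."""
    return {
        "gw_permissions": {"Version": "2012-10-17", "Statement": [{
            "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
            "Resource": role_arn(rds_account, rds_role)}]},
        "gw_trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"}]},
        "rds_permissions": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": sorted(RDS_LOG_ACTIONS),
            "Resource": db_resource}]},
        "rds_trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": role_arn(gw_account, gw_role)},
            "Action": "sts:AssumeRole"}]},
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]


def _principals(st, key):
    p = st.get("Principal")
    return _as_list(p.get(key, [])) if isinstance(p, dict) else []


def check_chain(docs, gw_account, gw_role, rds_account, rds_role):
    """Return a list of findings; an empty list means the chain is consistent.
    'WARN:' entries are least-privilege advice rather than a broken chain."""
    findings = []
    gw_arn, rds_arn = role_arn(gw_account, gw_role), role_arn(rds_account, rds_role)

    # 1. Gateway-account policy: may assume exactly the RDS-account role.
    if not any("sts:AssumeRole" in _as_list(s.get("Action"))
               and rds_arn in _as_list(s.get("Resource"))
               for s in _allow_statements(docs["gw_permissions"])):
        findings.append(f"gateway policy does not allow sts:AssumeRole on {rds_arn}")

    # 2. Gateway role trust: EC2 must be able to assume it via the instance profile.
    if not any("ec2.amazonaws.com" in _principals(s, "Service")
               for s in _allow_statements(docs["gw_trust"])):
        findings.append("gateway role trust policy does not trust ec2.amazonaws.com")

    # 3. RDS role trust: the principal must be the Gateway *role*, not the account.
    aws_principals = [p for s in _allow_statements(docs["rds_trust"])
                      for p in _principals(s, "AWS")]
    if gw_arn not in aws_principals:
        findings.append(f"RDS role trust policy does not name {gw_arn}")
    for p in aws_principals:
        if p == "*" or p.endswith(":root"):
            findings.append(f"RDS role trust policy trusts {p}: every principal in that "
                            "scope could read the database logs, not just the Gateway")

    # 4. RDS permissions: the three log actions must be granted (wildcards honoured).
    granted = [a for s in _allow_statements(docs["rds_permissions"])
               for a in _as_list(s.get("Action", []))]
    for action in sorted(RDS_LOG_ACTIONS):
        if not any(fnmatch.fnmatch(action, g) for g in granted):
            findings.append(f"RDS permissions policy does not grant {action}")
    if any("*" in _as_list(s.get("Resource"))
           for s in _allow_statements(docs["rds_permissions"])):
        findings.append("WARN: RDS permissions policy uses Resource \"*\"; "
                        "scope it to the DB instance ARN(s) the Gateway must read")
    return findings


if __name__ == "__main__":
    # Placeholder account IDs and role names (assumptions for this example).
    args = ("111111111111", "DAM-Gateway-Role", "222222222222", "DAM-RDS-LogReader")
    docs = build_documents(*args)
    for name, doc in docs.items():
        print(f"--- {name}\n{json.dumps(doc, indent=2)}")
    print("findings:", check_chain(docs, *args) or "none")
```

To check the documents actually deployed rather than generated ones, pull them with the AWS CLI and feed them to check_chain: `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` returns a role's trust policy, and `aws iam get-policy-version --policy-arn <arn> --version-id <id> --query PolicyVersion.Document` returns a managed policy's permissions document. For an end-to-end test after the instance profile is attached, run `aws sts assume-role --role-arn arn:aws:iam::<<rdsAccount>>:role/<<rdsAccount-Role>> --role-session-name dam-check` on the Gateway instance and use the returned temporary credentials for `aws rds describe-db-instances`; a success there proves the chain works exactly as the Gateway will use it.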