Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
This branch is up to date with amit-schnitzer/dome9-serverless-onboarding:master.

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Dome9 Serverless onboarding Automation of AWS Accounts

This solution automatically enables "serverless" feature across multiple onboarded Dome9 accounts

The script probes all AWS accounts that have already been onboarded into Dome9 and checks whether "serverless" feature is enabled or not.
Accounts that aren't enabled, are being proceccesed and enabled one by one. The script is using AWS credentials of the root account of "AWS organization" and onboards each sub account in the organization by assuming the default role "OrganizationAccountAccessRole" in each such subaccount and by running a CFT stack that creates the necassery roles and access policies for Dome9 to monitor "serverless" inside the account. The script was built to prompt for AWS credentials (i.e. Access Key and Secret) if it fails to do so with the pre-loaded ones. This is also adequate for situations where you are oboarding multiple accounts with different Root acount credentials.


Dome9 V2 API Credentials
Cross-Account role in each sub account with proper permissions (onboarding-policy.json file includes minimum permissions policy)
git 2.17 or later
aws cli version 2 or later Python v3.8 or later with the following

  • pip
  • boto3
  • botocore
  • requests
  • argparse


The following assumptions are made about the environment to be successful running the script.
AWS accounts have been already onboarded into Dome9 - either manually or using Onboarding-Scripts
Any sub account in AWS Organizations has a cross-account access role in the child account with a consistent name (e.g. the default "OrganizationAccountAccessRole"). The parent account will assume the role in the child account. Not having a consistent role name will require running the script multiple times.


Step 1: Clone the repo

Clone this repo into your local environment:
git clone
Navigate to the script subdirectory:
cd dome9-serverless-onboarding

Step 2: Create and export Dome9 API Credentials

Generate a Dome9 API token here
Add your token to environment variable
export d9id=12345678-1234-1234-1234-123456789012 export d9secret=abcdefghijklmnopqrstuvwx

Step 3: AWS Credentials

export AWS_ACCESS_KEY_ID=AK00012300012300TEST
export AWS_SECRET_ACCESS_KEY=Nnnnn12345nnNnn67890nnNnn12345nnNnn67890
Attach the following IAM Policy to the service-linked role or IAM user that you created.


"Version": "2012-10-17",
"Statement": [
        "Sid": "onboarding1",
        "Effect": "Allow",
        "Action": [
        "Resource": "*"
        "Sid": "onboarding2",
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:*:*:*"

} '''


In order to run the script simply type "python3" in the working directory

Please log any issues here!


No description, website, or topics provided.






No releases published


No packages published


  • Python 100.0%