How to update the AWS Role or IAM User Permissions for CPM 2.x

Background:
This document details the steps needed to update the CPM IAM Role or IAM User Permissions. This is often needed when upgrading to a newer version of
CPM as added functionality requires additional AWS Permissions. For details on changes to CPM please visit the link for latest


Important Note: Beginning with CPM 2.4 you cannot use an IAM user and must instead use an IAM role and attach it to the CPM instance,
or you may receive the error described in this KB article

1. Please visit this link to obtain the JSON permissions files needed to update the CPM User/Role permissions; you will need them later.
 Download the attachment at the bottom of the screen, which contains all the JSON files.

Note: We will be using the JSON file named "2.4.0_permissions_all.json" from the zip file. This grants all the necessary permissions for CPM to be able to
access all AWS objects.

2. Please log in to the AWS Console and, under Services at the top of the screen, go to Security, Identity, & Compliance, then select IAM.

3. Please select the "Policies" option in the left-hand pane.

4. Please search for and locate the Policy you are using for CPM (in this example, "CPM2") and double-click on it.

5. Please click on the Edit Policy button and select the JSON tab.

6. In the JSON tab, please select all of the text in the JSON window (Ctrl+A on your keyboard), including the brackets, and then press the Delete key on your keyboard.

7. The JSON tab should be empty. Please locate the JSON file entitled "2.3.0_permissions_all.json" you downloaded in Step 1 of this procedure. 

Note: It is very important to use Notepad to open the JSON file, so that when you copy and paste its contents into the JSON tab in the next step you do not add any formatting characters. Failure to do this can cause syntax errors when saving the policy and other issues.

8. Copy the entire contents of the "2.3.0_permissions_all.json" into the JSON window and then please press the Review Policy button in the lower right-hand corner of the screen.

9. Click on the Save Changes button.

10. You will see a Summary screen after saving the changes.

11. The final step is to attach the edited "CPM2" Policy to either the CPM Instance Role or the IAM User/Role that the CPM ADMIN/Root account is using. In this example, the Role is named "CPMadminuser". Please search for the Role and then click on it.

12. Please click on the Attach Policy button.

13. Search for the policy named "CPM2" which was created in earlier steps.

14. Select the Policy and press the Attach Policy button at the bottom of the screen.

15. You will get a summary page confirming that the policy was successfully added to the Role.

16. You can verify the newly applied Role/User permissions by performing a Check AWS Permissions job.
This can be done in the CPM Manager screen under Accounts; please click on the Accounts button at the top of the screen.

17. Please hit the "Check AWS Permissions" button next to the Account that the Role is applied to.

18. This will open the Permissions Check for Account screen. This will detail the Role's permissions and will assist you in determining what
is missing in the permissions. You may need to scroll down in the Permissions Check field to see what permissions may be missing.

Note: You also have the option of downloading the file. 
 
Note: The above directions can be applied to adding additional permissions to an IAM User.
When you get to the section for attaching the new policy, select the IAM User instead of the
Role as detailed above.
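
A check that can be run before steps 6 to 8, given here as an added example that is not part of the original article or of CPM itself: it flags the formatting characters the Notepad note warns about, confirms the text parses as a policy document, and lists the actions the replacement policy allows that the current one does not. The two policies are constructed samples, not the contents of the CPM permission files, and the function names are hypothetical.

```python
import json

# Characters that rich-text editors inject or substitute for plain ASCII.
SUSPECT = {"\ufeff": "byte-order mark", "\u00a0": "non-breaking space",
           "\u200b": "zero-width space", "\u201c": "curly quote",
           "\u201d": "curly quote", "\u2018": "curly quote", "\u2019": "curly quote"}

def preflight(text):
    """List problems that would break the policy when pasted into the JSON tab."""
    problems = [f"line {n}: {SUSPECT[ch]}"
                for n, line in enumerate(text.splitlines(), 1)
                for ch in line if ch in SUSPECT]
    try:
        doc = json.loads(text.lstrip("\ufeff"))
    except json.JSONDecodeError as err:
        return problems + [f"line {err.lineno}: invalid JSON ({err.msg})"]
    if not isinstance(doc, dict) or "Statement" not in doc:
        problems.append("policy document has no Statement element")
    return problems

def allowed_actions(text):
    """Collect every Action named in an Allow statement."""
    statements = json.loads(text)["Statement"]
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            value = stmt.get("Action", [])
            actions.update([value] if isinstance(value, str) else value)
    return actions

def added_actions(current, replacement):
    """Actions the replacement policy allows that the current policy does not."""
    return sorted(allowed_actions(replacement) - allowed_actions(current))

# Constructed sample policies, not the contents of the CPM permission files.
CURRENT = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:DescribeInstances", "ec2:CreateSnapshot"], "Resource": "*"}]}"""
REPLACEMENT = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:DescribeInstances", "ec2:CreateSnapshot",
             "ec2:CopySnapshot", "ec2:DeleteSnapshot"], "Resource": "*"}]}"""
# The same text after a round trip through a word processor (constructed).
MANGLED = "\ufeff" + REPLACEMENT.replace('"Version"', "\u201cVersion\u201d")

if __name__ == "__main__":
    for label, text in (("replacement", REPLACEMENT), ("mangled", MANGLED)):
        print(label, preflight(text) or "clean")
    print("newly allowed:", added_actions(CURRENT, REPLACEMENT))
```

Wildcard actions such as `ec2:*` are compared as literal strings and are not expanded, so a wildcard in either policy needs a manual review.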