Background:
Permission issues are one of the most common errors seen by users of N2WS Backup. This article explains how to use the IAM Policy Simulator to narrow down whether a permission is allowed for an IAM User or a Role.
This article also discusses how to determine whether a Role/user has permissions assigned through a Policy but is being denied by an AWS Organizations Service Control Policy (SCP) rule.
Prerequisites in AWS:
To help you get started with the IAM Policy Simulator please see this AWS Article on its use and which permissions a user/role needs to run it.
This is a helpful AWS video on this topic.
Using the IAM Policy Simulator to Troubleshoot N2WS Backup Issues
1. Log in to AWS, then open a browser and go to the IAM Policy Simulator home page.
2. In the left-hand pane select Role
3. Select the CPM instance Role or the Role that was denied access.
4. If the AWS Organizations SCPs checkbox is listed on the screen, make sure to select it. This shows whether an SCP rule is preventing the role from using the permission even when the permission is defined in the policy files associated with the role.
For more details on SCP rules see this link
5. In this example we will use the error message below, where the Role received access denied when calling the ListObjectsV2 operation. Access to this operation comes from the s3:ListBucket permission.
2022-04-28 19:59:58,244:[140698990913280][----------] ERROR: s3sync_thread(agent.py:1869) fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
6. In the IAM Policy Simulator screen, select the Service S3.
7. Under Action, select the ListBucket permission.
8. Then click the Run Simulation button. The result should be allowed.
Troubleshooting:
If you get a denied message, this is usually easily corrected by updating the CPM instance role or the user that received the denied message. You can obtain the latest N2WS CPM JSON policy files from this link:
If you receive the message Denied by AWS Organizations after running the simulation, you need to check in AWS Organizations and verify whether a deny permission is defined in a Service Control Policy, which overrides the allow statement in the CPM JSON Policy files.
For more information on troubleshooting SCP policies please see this AWS article.
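The same check can be scripted. The following Python is an added example, not N2WS or AWS code: it maps the AccessDenied log line from step 5 to the IAM action to simulate and classifies a simulator result into the three outcomes described under Troubleshooting. The bucket name and sample results are constructed placeholders; the live call assumes boto3 is installed and the caller is permitted to run iam:SimulatePrincipalPolicy.

```python
import re

# The error line quoted in step 5 of this article.
LOG_LINE = ("2022-04-28 19:59:58,244:[140698990913280][----------] ERROR: "
            "s3sync_thread(agent.py:1869) fatal error: An error occurred (AccessDenied) "
            "when calling the ListObjectsV2 operation: Access Denied")

# API operation in the log -> IAM action to simulate (only this article's case).
OPERATION_TO_ACTION = {"ListObjectsV2": "s3:ListBucket"}
DENIED_RE = re.compile(r"\(AccessDenied\) when calling the (\w+) operation")

def action_from_log(line):
    """Return the IAM action to simulate for an AccessDenied line, else None."""
    match = DENIED_RE.search(line)
    return OPERATION_TO_ACTION.get(match.group(1)) if match else None

def simulate(role_arn, action, resource_arn):
    """Live equivalent of steps 2-8; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample runs without it
    response = boto3.client("iam").simulate_principal_policy(
        PolicySourceArn=role_arn, ActionNames=[action], ResourceArns=[resource_arn])
    return response["EvaluationResults"]

def classify(result):
    """Map one evaluation result to the outcomes in the Troubleshooting section."""
    org = result.get("OrganizationsDecisionDetail") or {}
    if org.get("AllowedByOrganizations") is False:
        return "denied by AWS Organizations: check the SCPs"
    if result["EvalDecision"] == "allowed":
        return "allowed"
    return "denied: update the role or user policy"

# Constructed sample results (placeholder bucket), shaped like the API response.
def sample(decision, org_allows):
    return {"EvalActionName": "s3:ListBucket",
            "EvalResourceName": "arn:aws:s3:::example-bucket",
            "EvalDecision": decision,
            "OrganizationsDecisionDetail": {"AllowedByOrganizations": org_allows}}

SAMPLES = [sample("allowed", True), sample("implicitDeny", True),
           sample("explicitDeny", False)]

if __name__ == "__main__":
    print("simulate:", action_from_log(LOG_LINE))
    for item in SAMPLES:
        print(item["EvalDecision"], "->", classify(item))
```

For a live run, pass the CPM instance role ARN and the bucket ARN to simulate() and feed each returned entry to classify().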