What are the required minimal AWS permissions/roles for CPM operation?

You can apply all the required roles by using the JSON files inside the archive attached to this article (including the new permissions required for v4.0 and up).

Note that for some editions there is more then 1 json file.

If you are using FLR or Copy to S3 in the same account as N2WS server, then due to AWS changes you will add self-trust to the role, please see this KB for more info: FLR or Copy to S3 with Exception: could not assume role

How to Add permissions: 

1. Go to the IAM Console https://console.aws.amazon.com/iam/home

2. Go to 'Roles' and select user which requires the permission to assume the role.

3. Open 'Permissions' tab and click 'Add permissions'.

4. Select 'Attach existing policies directly' and click 'Create policy', you will need to create 2 policies in order to include all needed permissions needed.

5. In the opened window open 'JSON' tab, select all data and replace it with data from one of the JSON files you've downloaded previously, and click Review policy'.

6. Specify the name for the policy, enter the description if needed and click 'Create policy'. Follow the same steps to create the second policy that is needed.

7. Go back to the user settings and to the 'Permissions' tab and click 'Add permissions', select 'Attach existing policies directly' and search for the 2 policies you've created and add them both by checking he box next to them, then click Next:Review'.

8. Click 'Add permissions'.

9. If the permissions for your edition of CPM include 2 files, repeat the steps 3-8 for the second file

For assuming a role accounts:

You will also need to add trust relation to the target role, to allow the source role to assume it.

Please check this document for the procedure on establishing trust: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-role-prepare

KMS:

Different set of KMS related permissions is required for admin and non-admin users.

If you are an admin user, ListAliases & ListKeys are enough

Other users need these minimum KMS permissions:
- For backup and DR:
  "kms:CreateGrant",
  "kms:DescribeKey",
  "kms:GenerateDataKeyWithoutPlaintext",

  "kms:GenerateDataKeyPairWithoutPlaintext",
  "kms:ListAliases",
  "kms:ListKeys"
- For recovery:
   "kms:DescribeKey",
   "kms:ListAliases",
   "kms:ListKeys",
   "kms:ReEncryptFrom",
   "kms:ReEncryptTo"

---

Click below to see Azure minimal permissions KB Article

minimal Azure permissions/roles for n2WS operations

• Related Articles

• Minimal Azure permissions/roles for N2WS operations

  The required minimal IAM permissions json is attached to this KB article. You can find detailed steps in our User guide, Chapter 26: https://n2ws.com/support/documentation Or in the following KB Article: How to setup CPM on AWS to backup Azure ...

• How to use AWS IAM Policy Simulator to troubleshoot N2WS Backup permission issues.

  Background: Permission issues are one of the most common errors seen by users of N2WS Backup and this article explains how you can use the IAM Policy Simulator to help you narrow down whether permissions are allowed by an IAM User or a Role. This ...

• Cannot complete server configuration "please attach an IAM role to continue" - converting an IAM user to an IAM role

  On a new install or after upgrading CPM, you may be met with an error on step 3 of initial configuration which does not allow you to proceed. "It seems this instance does not have an IAM role associated with it. Please attach an IAM role to continue" ...

• How to Check for AWS Permissions

  Each account in N2WS is mapped to a specific Roles or IAM user in AWS, You can see the list of account and authentication types in the Account Tab: For each account, you can select it and then click on 'Check AWS Permissions' This will test the ...

• Permission check may fail with an error "Could not assume role"

  Issue: Permission check may fail with this error message: ERROR:  get_assume_role_credentials(aws_utils.py:1337)  Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM ...