CloudGuard Dome9 Troubleshooting AWS Permissions problems
The key missing troubleshooting (diagnostic) step/s
Are my account permission errors being caused by AWS cloud resource-level issues (e.g., resource-level IAM policies)?
- On the Cloud Accounts page (https://secure.dome9.com/v2/cloud-account/index), click on the relevant account ID (left margin).
- On the Cloud Account (Regional) Details page, click the "show more" link (top-left).
- On the "Missing Permissions" page, click the "(show entities)" link (right margin).
- Review the list of affected cloud resources and their associated "Fail Messages":
  - Compare the list of affected resources to the total population of resources of that type in the affected cloud account (e.g., using https://secure.dome9.com/v2/protected-asset/index).
  - If the list of affected cloud resources covers the entire population of resources of that type in the affected cloud account, then a cloud account-level problem (e.g., a missing permission on Dome9-Connect) is the most likely cause.
  - If the list of affected cloud resources is smaller than the entire population of resources of that type in the affected cloud account, then the source of the problem is specific to the individual affected cloud resources (e.g., resource-level IAM "deny" policies, "ghost" resources that were deleted incorrectly/incompletely and so continue to trigger permission errors, "cross-account" resource deployment or resource sharing/reference issues, etc.).
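To make the comparison in the last two steps concrete, here is an added Python example (not Check Point's or Dome9's own code): it takes the "(show entities)" list and the Protected Assets inventory as constructed sample data, applies the account-level versus resource-level rule per resource type, and additionally flags affected IDs that no longer appear in the inventory as possible "ghost" resources.

```python
from collections import defaultdict

# Constructed sample: entities listed under "Missing Permissions" (show entities),
# each with the fail message Dome9 reported for it.
AFFECTED = [
    {"type": "s3", "id": "bucket-a", "fail": "AccessDenied"},
    {"type": "s3", "id": "bucket-b", "fail": "AccessDenied"},
    {"type": "s3", "id": "bucket-gone", "fail": "NoSuchBucket"},
    {"type": "lambda", "id": "fn-1", "fail": "AccessDeniedException"},
    {"type": "lambda", "id": "fn-2", "fail": "AccessDeniedException"},
]

# Constructed sample: the account's full inventory per resource type,
# as listed on the Protected Assets page.
INVENTORY = {
    "s3": {"bucket-a", "bucket-b", "bucket-c", "bucket-d"},
    "lambda": {"fn-1", "fn-2"},
}


def classify(affected, inventory):
    """Apply the KB's decision rule per resource type.

    All inventoried resources of a type affected -> "account-level" (e.g. a
    permission missing on Dome9-Connect); only a subset -> "resource-level"
    (resource policies, cross-account references, ...). Affected IDs absent
    from the inventory are reported as possible "ghost" resources.
    """
    by_type = defaultdict(set)
    for entity in affected:
        by_type[entity["type"]].add(entity["id"])

    verdicts = {}
    for rtype, ids in by_type.items():
        known = inventory.get(rtype, set())
        live = ids & known            # affected resources that still exist
        account_wide = bool(known) and live == known
        verdicts[rtype] = {
            "verdict": "account-level" if account_wide else "resource-level",
            "affected": len(live),
            "total": len(known),
            "ghosts": sorted(ids - known),
        }
    return verdicts


if __name__ == "__main__":
    for rtype, v in classify(AFFECTED, INVENTORY).items():
        print(f"{rtype}: {v['verdict']} "
              f"({v['affected']}/{v['total']} affected, ghosts={v['ghosts']})")
```

In the sample, every Lambda function is affected (account-level), while only two of four S3 buckets are (resource-level), and "bucket-gone" is reported as a ghost because it is no longer in the inventory.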
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.