The key missing troubleshooting (diagnostic) step(s)
Are my account permission errors being caused by AWS cloud resource-level issues (e.g., resource-level IAM policies)?
- On the Assets > Environments page (https://secure.dome9.com/v2/cloud-account/index), click the relevant account ID.
- On the environment details page, click the Missing permission for ... Show more link.
- In the Missing Permissions table, click the ellipses next to the Resource name and select Show Entities.
- Review the list of affected cloud resources and their associated "Fail Messages":
  - Compare the list of affected resources to the total population of resources of that type in the affected cloud account (e.g., using https://secure.dome9.com/v2/protected-asset/index).
  - If the list of affected cloud resources represents the entire population of resources of that type in the affected cloud account, then a cloud account-level problem (e.g., a missing permission on Dome9-Connect) is the most likely cause.
  - If the list of affected cloud resources is smaller than the entire population of resources of that type in the affected cloud account, then the source of the problem is necessarily specific to the individual affected cloud resources (e.g., resource-level IAM "deny" policies, "ghost" resources that were deleted incorrectly/incompletely and so continue to trigger permission errors, "cross-account" resource deployment or resource sharing/reference issues, etc.).
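As an added example that is not part of the original article, the population comparison from the step above in Python: it applies the account-level versus resource-level rule to constructed rows modelled on the Show Entities table and the protected-asset inventory. The ARNs, account IDs and fail messages are made up, and the per-resource "ghost" and "cross-account" hints are heuristics assumed here, not CloudGuard output.

```python
from collections import Counter

# Constructed sample data, modelled on the Missing Permissions > Show Entities
# rows (resource ARN, fail message) and the protected-asset inventory for one
# resource type in the scanned account. Not a real CloudGuard export.
SCANNED_ACCOUNT = "111111111111"  # assumed: the account whose environment shows the error

AFFECTED = [
    ("arn:aws:lambda:us-east-1:111111111111:function:api", "AccessDeniedException: lambda:GetFunction"),
    ("arn:aws:lambda:us-east-1:111111111111:function:retired", "ResourceNotFoundException"),
    ("arn:aws:lambda:us-east-1:222222222222:function:shared", "AccessDeniedException: lambda:GetPolicy"),
]
INVENTORY = [
    "arn:aws:lambda:us-east-1:111111111111:function:api",
    "arn:aws:lambda:us-east-1:111111111111:function:worker",
    "arn:aws:lambda:us-east-1:222222222222:function:shared",
]

def account_from_arn(arn):
    """Return the account field of an ARN ('' for ARNs such as S3 that omit it)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""

def triage(scanned_account, affected, inventory):
    """Apply the article's decision rule and classify each affected resource.

    Returns 'scope' ('account-level' or 'resource-level'), a count per
    fail message, and a per-ARN hint for the resource-level case.
    """
    affected_arns = {arn for arn, _ in affected}
    population = set(inventory)
    result = {"fail_messages": dict(Counter(msg for _, msg in affected)), "resources": {}}
    # Every resource of this type fails: the cause is most likely account-level
    # (e.g., the Dome9-Connect role policy), not the individual resources.
    if population and population <= affected_arns:
        result["scope"] = "account-level"
        return result
    # Only a subset fails: look for the resource-specific causes the article names.
    result["scope"] = "resource-level"
    for arn, _ in affected:
        owner = account_from_arn(arn)
        if arn not in population:
            hint = "possible ghost resource: not in current inventory"
        elif owner and owner != scanned_account:
            hint = f"cross-account resource owned by {owner}"
        else:
            hint = "check resource-level policy for an explicit deny"
        result["resources"][arn] = hint
    return result

if __name__ == "__main__":
    for arn, hint in triage(SCANNED_ACCOUNT, AFFECTED, INVENTORY)["resources"].items():
        print(f"{arn}: {hint}")
```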
Note: The CloudGuard Administration Guide has further information on permissions.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.