Troubleshooting AWS Storage Scan Instance Setup Error
While setting up or re-granting an AWS instance, the instance setup may fail with the following error message (the same message repeats for every AWS region):
You can check the relevant error message on the AWS Management Console too. Log in to the AWS Management Console using the credentials of the AWS account you set up with Netskope for IaaS and navigate to Services > CloudFormation. Then, click Stacks. Navigate to your stack and look under the Events tab. You will see the following error message against the CloudWatchEventTopicNskp Logical ID:
Status reason error message in plain text:
...User: arn:aws:sts::<account_id>:assumed-role/Netskope_Role/NetskopeSession1 is not authorized to perform: SNS:TagResource on resource: arn:aws:sns:us-west-2:<account_id>:CloudWatchEventNskp because no identity-based policy allows the SNS:TagResource action...
This error message is due to a recent change in AWS: CloudFormation now automatically assigns stack-level tags to resources created from a CloudFormation Template (CFT). For more information, read this AWS article. However, the existing Netskope_Role does not have the permission this requires, namely sns:TagResource, which is needed to add tags to a resource. To resolve this, you need to add the sns:TagResource permission to the CFT.
Follow the steps below to add the sns:TagResource permission to the existing cross-account role:
Log in to the AWS Management Console using the credentials of the AWS account you set up with Netskope for IaaS and navigate to Services > CloudFormation. Then, click Stacks.
Select the Netskope stack and click Update.
On the next page, select Edit template in designer and click View in Designer.
The AWS CloudFormation Designer opens.
Ensure that the template language is set to YAML.
Under the YAML template definition, go to the section Resources > CloudFormationPolicy > Properties > PolicyDocument > Statement and add an item to the SNS Action list: sns:TagResource.
On the top-left corner of the page, click Create stack to upload the modified CFT.
Back on the Update stack page, keep the default configuration and continue clicking Next until you reach the Review page. Review your stack details and click Submit.
Once you update the stack successfully, log in to your Netskope tenant and re-grant the AWS instance. To do so, edit the AWS instance and click Save.
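The following is an added example, not part of the Netskope documentation or the Netskope CFT, that checks a parsed template for the missing permission before you upload it and applies the same fix as the template edit above. The template body and its sibling SNS actions are constructed for illustration (shown as JSON so it loads without extra libraries; a YAML template loaded with a CloudFormation-aware YAML loader yields the same dictionary).

```python
import copy
import json

# Constructed sample of the relevant part of a CFT (not the real Netskope template).
# The path matches the one the steps above name:
# Resources > CloudFormationPolicy > Properties > PolicyDocument > Statement
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "CloudFormationPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Action": ["sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "events:PutRule", "Resource": "*"}
          ]
        }
      }
    }
  }
}
""")


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def sns_statements(template):
    """Yield the Allow statements of CloudFormationPolicy that grant any sns:* action."""
    doc = template["Resources"]["CloudFormationPolicy"]["Properties"]["PolicyDocument"]
    for stmt in _as_list(doc["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a.lower().startswith("sns:") for a in actions):
            yield stmt


def missing_sns_actions(template, required=("sns:TagResource",)):
    """Return the required SNS actions that no Allow statement in the policy grants."""
    granted = {a.lower() for s in sns_statements(template) for a in _as_list(s["Action"])}
    if "sns:*" in granted:
        return []
    return [a for a in required if a.lower() not in granted]


def add_sns_tag_resource(template):
    """Return a copy of the template with sns:TagResource appended to the SNS Action list."""
    fixed = copy.deepcopy(template)
    for stmt in sns_statements(fixed):
        actions = _as_list(stmt["Action"])
        if "sns:TagResource" not in actions:
            actions.append("sns:TagResource")
        stmt["Action"] = actions
        break  # one SNS statement is enough to carry the permission
    return fixed
```

Run missing_sns_actions on the template you are about to upload; an empty list means the stack update should no longer fail on SNS:TagResource.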