
SAP CAL Template - AWS Organisation SCP issue "SimulatePrincipalPolicy"

RingoSommer
Explorer
0 Likes
598

Hello Community

We are trying to deploy an SAP system into our own AWS account, but are facing several unknown issues.

The whole configuration regarding user management ("user", standard policy and customer inline policy) is implemented as described in the AWS FAQ from https://caldocs.hana.ondemand.com/caldocs/help/AWS_FAQs.pdf. The user has a valid AK/SK and is configured only for AWS CLI / API use.

During a few more validations, we get the following issue from the SimulatePrincipalPolicy point of view.

RingoSommer_0-1738169900069.png

After a deep dive and executing the command via the console, the result for each KMS part is "implicitDeny"; it feels like the workflow is crashing and there is no possibility to deploy an SAP system from the SAP CAL point of view.

RingoSommer_1-1738170112512.png

RingoSommer_2-1738170129808.png

Any ideas how to fix this issue in general? Each new deployment hits the mentioned issue with AWS KMS and always fails.

Who is taking care of the overall deployment workflow/implementation SAP or AWS?

If something missing for validation or further deep dive please let me know.

Thanks in advance for your support.

Regards

Ringo

Accepted Solutions (0)

Answers (3)


tsvetinka_gaydazhieva
Product and Topic Expert
0 Likes

Hi RingoSommer ,

Please try again to create a new appliance.

In case the problem is still reproducible, please check your global account policies for any that prohibit the activation of the policies required by us.

Best regards,

Tsvetinka 

 

tsvetinka_gaydazhieva
Product and Topic Expert
0 Likes

According to the first post, you have a policy that prohibits kms:Decrypt.

RingoSommer
Explorer
0 Likes
The AWS account in use is part of a group of AWS accounts handled by AWS Organizations, including a Service Control Policy configuration. When I check the AWS CloudTrail / CloudWatch logs, I'm not able to catch a useful log entry, because the workflow does not cross into the AWS account to do anything there. From my understanding it is already failing during the checks with SimulatePrincipalPolicy. The user is fully configured as described.

Now we just expect that the validation is failing and stopping the whole workflow from proceeding due to the mismatch of "deny". I'm not sure how to configure the AWS account to allow each and everything; each company should protect itself as much as possible. I'm not sure what the workflow to deploy an appliance is doing in the background, maybe we need to have a look there, but I'm still wondering why it is not working. Thanks for your support.
tsvetinka_gaydazhieva
Product and Topic Expert
0 Likes

Hi RingoSommer,

There is no workaround in your case.

You must meet all the requirements listed here to be able to create an appliance. According to the provided screenshots you have not done that yet.

Best regards,

Tsvetinka

RingoSommer
Explorer
0 Likes
Hello Tsvetinka
The following inline policy is configured, but it is not working as expected. The issue is highlighted every time after starting the deployment of the appliance.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
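As an added example that is not part of this thread: the situation above (an identity policy allowing kms:* yet SimulatePrincipalPolicy reporting implicitDeny) is typical of an AWS Organizations SCP that does not allow the action, and the simulator response makes this visible through the OrganizationsDecisionDetail.AllowedByOrganizations field. The helper below reads that response and separates an SCP gate from an IAM deny; the sample response is constructed, and the live call assumes boto3 and valid credentials.

```python
"""Classify SimulatePrincipalPolicy results by where the deny comes from.

IAM evaluates SCPs before identity policies, so an identity policy granting
kms:* still yields "implicitDeny" when the account's SCPs do not allow the
action. SAMPLE_RESPONSE is a constructed sample modelled on the API output.
"""


def classify_results(evaluation_results):
    """Return {action: verdict} for each EvaluationResult entry."""
    verdicts = {}
    for result in evaluation_results:
        action = result["EvalActionName"]
        decision = result["EvalDecision"]
        org = result.get("OrganizationsDecisionDetail", {})
        if decision == "allowed":
            verdicts[action] = "allowed"
        elif org.get("AllowedByOrganizations") is False:
            # The SCP boundary gates the action; no identity policy can override it.
            verdicts[action] = "denied by organization SCP"
        elif decision == "explicitDeny":
            verdicts[action] = "denied by an explicit Deny statement"
        else:
            verdicts[action] = "denied: no identity policy allows it"
    return verdicts


def scp_blocked_actions(evaluation_results):
    """Actions that an account-level SCP blocks regardless of user policies."""
    verdicts = classify_results(evaluation_results)
    return sorted(a for a, v in verdicts.items() if v == "denied by organization SCP")


# Constructed sample: the user's inline policy allows kms:*, but the account's
# SCPs only allow EC2 and S3, so every KMS action comes back as implicitDeny.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "ec2:DescribeInstances", "EvalDecision": "allowed",
         "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
        {"EvalActionName": "kms:Decrypt", "EvalDecision": "implicitDeny",
         "OrganizationsDecisionDetail": {"AllowedByOrganizations": False}},
        {"EvalActionName": "kms:GenerateDataKey", "EvalDecision": "implicitDeny",
         "OrganizationsDecisionDetail": {"AllowedByOrganizations": False}},
        {"EvalActionName": "s3:GetObject", "EvalDecision": "implicitDeny",
         "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    ]
}


def live_check(user_arn, actions):
    """Same classification against a real account (assumes boto3 and credentials)."""
    import boto3
    iam = boto3.client("iam")
    resp = iam.simulate_principal_policy(PolicySourceArn=user_arn, ActionNames=actions)
    return classify_results(resp["EvaluationResults"])
```

When an action lands in the "denied by organization SCP" bucket, the fix belongs in the organization's SCPs (or the account's placement in the OU hierarchy), not in the user's IAM policies.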