2 Answers
Hi There

In the policy, it mentions the AccessAnalyzerMonitorServiceRole* ARN as a condition:

```json
"StringLike": {
  "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
}
```

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (see Step 1)?
Indeed, the role was created for the process and is called: AccessAnalyzerMonitorServiceRole_W99N7OHOS6
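As an added illustration (not part of the original thread or of any AWS code), here is a small Python model of how IAM evaluates the StringLike condition quoted in the answer above: the `${aws:PrincipalAccount}` policy variable is resolved from the request context first, and only then is the pattern matched, case-sensitively, with `*` and `?` as wildcards. The condition block is copied from the fragment; the account ID and the role ARNs are constructed for the example, with the role name confirmed in the comment above used as one input.

```python
import re

# Condition block as quoted in the answer above (the rest of the policy is not shown on the page).
CONDITION = {
    "StringLike": {
        "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
    }
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_policy_variables(value: str, context: dict) -> str:
    """Replace ${key} policy variables with the request-context value of key.

    IAM treats ${*}, ${?} and ${$} as escapes for a literal *, ? and $; they are
    tagged with a \x00 marker here so string_like() does not read them as wildcards.
    """
    def sub(m):
        name = m.group(1)
        if name in ("*", "?", "$"):
            return "\x00" + name
        if name not in context:
            raise KeyError(f"policy variable {name} is not present in the request context")
        return context[name]
    return _VAR.sub(sub, value)


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character, no [] classes."""
    regex = ""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\x00":                      # escaped literal produced above
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        if ch == "*":
            regex += ".*"
        elif ch == "?":
            regex += "."
        else:
            regex += re.escape(ch)
        i += 1
    return re.fullmatch(regex, value) is not None


def condition_allows(condition: dict, context: dict) -> bool:
    """Evaluate one StringLike block: every key must match (AND); multiple values for a key are OR."""
    for key, want in condition["StringLike"].items():
        if key not in context:
            return False                      # a missing context key never satisfies StringLike
        patterns = want if isinstance(want, list) else [want]
        if not any(string_like(resolve_policy_variables(p, context), context[key]) for p in patterns):
            return False
    return True


def evaluate(principal_arn: str) -> bool:
    """Build the request context IAM would see for a role principal and evaluate the condition.

    aws:PrincipalArn for a role session is the role ARN; aws:PrincipalAccount is
    the account ID in that ARN (field 5).
    """
    account = principal_arn.split(":")[4]
    return condition_allows(CONDITION, {"aws:PrincipalArn": principal_arn,
                                        "aws:PrincipalAccount": account})


if __name__ == "__main__":
    # Constructed sample ARNs; 111122223333 is a placeholder account ID.
    samples = [
        "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",
        "arn:aws:iam::111122223333:role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",   # path missing
        "arn:aws:iam::111122223333:role/service-role/accessanalyzermonitorservicerole_W99N7OHOS6",  # case
        "arn:aws:iam::111122223333:role/service-role/SomeOtherRole",
    ]
    for arn in samples:
        print(f"{evaluate(arn)!s:5}  {arn}")
```

Two checks this makes visible that the prose does not: the `role/service-role/` path is part of the pattern, so a role created outside that path does not match even with the right name, and `${aws:PrincipalAccount}` resolves to the caller's own account, so this key alone only ties the role to whichever account it lives in; the organization-membership restriction the answer describes has to come from another condition in the full policy, which the quoted fragment does not show.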
btw, we just appended the policy mentioned in the blog to the existing one created by Control Tower