2 réponses
- Le plus récent
- Le plus de votes
- La plupart des commentaires
0
Hi There
In the policy, it mentions AccessAnalyzerMonitorServiceRole* arn as a condition.
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.
Can you verify the name of the role that you are using (See Step 1) ?
indeed the role was created for the proccess and call: AccessAnalyzerMonitorServiceRole_W99N7OHOS6
Contenus pertinents
- demandé il y a un an
- demandé il y a 6 mois
- demandé il y a un an
AWS OFFICIELA mis à jour il y a 2 ans- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
btw, we just append the policy mentioned on blog to the existing one created by Control Tower