I tried to generate a policy using Access Analyzer. The generated policy is always empty and I cannot figure out why. Moreover, the events I can see in the CloudTrail event logs do not include data events even though I've configured data events.
I have executed the following actions:
- DynamoDB CreateTable
    aws dynamodb create-table --table-name ....
- DynamoDB PutItem
    aws dynamodb put-item --table-name xxx --item file://contents.json
- S3 list
    aws s3 ls s3://mygreatbucket
- S3 download
    aws s3 cp s3://mygreatbucket/theevengreater/file .
The only relevant event that is being logged in CloudTrail is the create-table event. The data events are missing. I can't figure out what I'm doing wrong. The CloudTrail config says in the "data events" section "Log All Events" for both S3 and DynamoDB.
I followed the instructions in https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html. I opened my Administrator user and on the policy page I clicked "Generate Policy" at the bottom.
Just to clarify: in the CloudTrail configuration, I did enable data events. If these are not logged, then what is this setting good for? Is there a distinction between "action-level data events" and "other data events"? And I solely operate in zone eu-central-1, and that is what I configured Access Analyzer to look after.