Generated policy failing during proccess

0

Hi, Actually we try to generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all cloudtrails to all our accounts. We follow this blog: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account

but still give the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again."

We already update the bucket policy, bucket ownership and we dont use KMS on it.

Any advise or glue about what we miss ?

Thanks in advance,

  • btw, we just append the policy mentioned on blog to the existing one created by Control Tower

2回答
0
承認された回答

Hi There

In the policy, it mentions AccessAnalyzerMonitorServiceRole* arn as a condition.

"StringLike": {
  "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (See Step 1) ?

profile pictureAWS
エキスパート
Matt-B
回答済み 1年前
  • indeed the role was created for the proccess and call: AccessAnalyzerMonitorServiceRole_W99N7OHOS6

0

Indeed, we actually use this service-role:

Enter image description here

Karlos
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ