Generated policy failing during proccess

0

Hi, Actually we try to generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all cloudtrails to all our accounts. We follow this blog: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account

but still give the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again."

We already update the bucket policy, bucket ownership and we dont use KMS on it.

Any advise or glue about what we miss ?

Thanks in advance,

  • btw, we just append the policy mentioned on blog to the existing one created by Control Tower

2개 답변
0
수락된 답변

Hi There

In the policy, it mentions AccessAnalyzerMonitorServiceRole* arn as a condition.

"StringLike": {
  "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (See Step 1) ?

profile pictureAWS
전문가
Matt-B
답변함 일 년 전
  • indeed the role was created for the proccess and call: AccessAnalyzerMonitorServiceRole_W99N7OHOS6

0

Indeed, we actually use this service-role:

Enter image description here

Karlos
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠