Hi There

In the policy, it mentions the AccessAnalyzerMonitorServiceRole* ARN as a condition:

```json
{
  "StringLike": {
    "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
  }
}
```

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (see Step 1)?
Indeed, the role was created for the process and is called AccessAnalyzerMonitorServiceRole_W99N7OHOS6.
BTW, we just appended the policy mentioned in the blog to the existing one created by Control Tower.
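To see why the role name matters, here is an added example (not from the thread or from AWS) that evaluates the quoted StringLike condition the way IAM would: the `${aws:PrincipalAccount}` variable is resolved to the caller's own account ID, and the pattern is then matched case-sensitively against `aws:PrincipalArn`. The account ID `111122223333` is a constructed sample value.

```python
import re

# Condition block copied from the bucket policy quoted in the answer above.
CONDITION = {
    "StringLike": {
        "aws:PrincipalArn": (
            "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/"
            "AccessAnalyzerMonitorServiceRole*"
        )
    }
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters (including none) and '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def principal_account(principal_arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = principal_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {principal_arn}")
    return parts[4]


def condition_matches(condition: dict, principal_arn: str) -> bool:
    """Evaluate the StringLike block for a caller whose aws:PrincipalArn is
    principal_arn. Only ${aws:PrincipalAccount} is resolved, because it is the
    only policy variable the quoted condition uses; all keys must match (AND)."""
    variables = {"${aws:PrincipalAccount}": principal_account(principal_arn)}
    request_keys = {"aws:PrincipalArn": principal_arn}
    for key, pattern in condition["StringLike"].items():
        for var, val in variables.items():
            pattern = pattern.replace(var, val)
        if not string_like(pattern, request_keys[key]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample ARN using the role name reported in the thread.
    role = "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6"
    print(condition_matches(CONDITION, role))  # True
```

A role with the right name but a different path (no `service-role/`), a different prefix, or a differently cased name does not match, which is what makes checking the exact role name in Step 1 the right first diagnostic.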