Generated policy failing during proccess

Question

Hi,
Actually we try to  generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all cloudtrails to all our accounts.
We follow this blog: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account

but still give the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again."

We already  update the bucket policy, bucket ownership and we dont use KMS on it.

Any advise or glue about what we miss ?

Thanks in advance,

Accepted Answer

Hi There

In the policy, it mentions ` AccessAnalyzerMonitorServiceRole* ` arn as a condition.

```
"StringLike": {
  "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
```

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (See Step 1) ?

Answer

Indeed, we actually use this service-role:

![Enter image description here](/media/postImages/original/IMVOYJo9cMTgWJJQFTX4A5Sw)

Generated policy failing during proccess

Relevant content