Allowing permission to Generate a policy based on CloudTrail events where the selected Trail logs events in an S3 bucket in another account

Question

I have an AWS account (Account A) with CloudTrail enabled and logging management events to an S3 'logs' bucket in another, dedicated logs account (Account B, which I also own).

The logging part works fine, but I'm now trying (and failing) to use the 'Generate policy based on CloudTrail events' tool in the IAM console (under the Users > Permissions tab) in Account A.

This is supposed to read the CloudTrail logs for a given user/region/no. of days, identify all of the actions the user performed, then generate a sample IAM security policy to allow only those actions, which is great for setting up least privilege policies etc.

When I first ran the generator, it created a new service role to assume in the same account (Account A): AccessAnalyzerMonitorServiceRole_ABCDEFGHI

When I selected the CloudTrail trail to analyse, it (correctly) identified that the trail logs are stored in an S3 bucket in another account, and displayed this warning messsage:
> Important: Verify cross-account access is configured for the selected trail The selected trail logs events in an S3 bucket in another account. The role you choose or create must have read access to the bucket in that account to generate a policy. Learn more.

Attempting to run the generator at this stage fails after a short amount of time, and if you hover over the 'Failed' status in the console you see the message:
> Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again.

Makes sense, but actually giving read access to the S3 bucket to the automatically generated AccessAnalyzerMonitorServiceRole_ABCDEFGHI is where I'm now stuck!

I'm relatively new to AWS so I might have done something dumb or be missing something obvious, but I'm trying to give the automatically generated role in Account A permission to the S3 bucket by adding to the 'Bucket Policy' attached to the S3 logs bucket in our Account B. I've added the below extract to the existing bucket policy (which is just the standard policy for a CloudTrail logs bucket, extended to allow CloudTrail in Account A to write logs to it as well), but my attempts to run the policy generator still fail with the same error message.

```
{
    "Sid": "IAMPolicyGeneratorRead",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::1234567890:role/service-role/AccessAnalyzerMonitorServiceRole_ABCDEFGHI"
    },
    "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI",
        "arn:aws:s3:::aws-cloudtrail-logs-ABCDEFGHI/*"
    ]
}
```

Any suggestions how I can get this working?

Accepted Answer

Hello,

Based on the message being returned, it would indicate that the S3 bucket policy attached to S3 log bucket in Account B, is not allowing the IAM Access Analyzer Service-linked role in Account A, access to read the log files stored in the S3 log bucket. In case of using AWS KMS Key to encrypt Cloudtrail log files[1], the attached Key policy does not allow the Service-linked Role in Account A, access to decrypt the encrypted log files.

As indicated in the AWS link here[2], you would need to ensure that the S3 log bucket in Account B, has the following bucket policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyGenerationBucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::",
        "arn:aws:s3:::/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "organization-id"
        },
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}

In case of using AWS KMS to encrypt Cloudtrail log files before storing them in the S3 log bucket, the attached KMS Key policy also needs to be updated, to allow the Service-linked role, to decrypt the encrypted log files:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
          "aws:PrincipalOrgID": "organization-id"
        },
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com",
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}

Additionally, if using ACLs to control access to the S3 log bucket in Account B, you may need to change the Object Ownership setting for your bucket. Set Object Ownership to one of the following options:

- Bucket owner enforced (recommended)
- Bucket owner preferred

[1] Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS) - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

[2] IAM Access Analyzer policy generation - Generate a policy using AWS CloudTrail data in another account - https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account

I sincerely hope this helps!

Allowing permission to Generate a policy based on CloudTrail events where the selected Trail logs events in an S3 bucket in another account

Relevant content