Hello,
Based on the message being returned, it would indicate that the S3 bucket policy attached to the S3 log bucket in Account B is not allowing the IAM Access Analyzer service-linked role in Account A access to read the log files stored in the S3 log bucket. In the case of using an AWS KMS key to encrypt CloudTrail log files[1], the attached key policy does not allow the service-linked role in Account A access to decrypt the encrypted log files.
As indicated in the AWS link here[2], you would need to ensure that the S3 log bucket in Account B has the following bucket policy attached:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyGenerationBucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<Log_Bucket_name>",
        "arn:aws:s3:::<Log_Bucket_name>/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "organization-id"
        },
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}
```
In the case of using AWS KMS to encrypt CloudTrail log files before storing them in the S3 log bucket, the attached KMS key policy also needs to be updated to allow the service-linked role to decrypt the encrypted log files:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
          "aws:PrincipalOrgID": "organization-id"
        },
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com",
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}
```
Additionally, if using ACLs to control access to the S3 log bucket in Account B, you may need to change the Object Ownership setting for your bucket. Set Object Ownership to one of the following options:
- Bucket owner enforced (recommended)
- Bucket owner preferred
[1] Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS) - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
[2] IAM Access Analyzer policy generation - Generate a policy using AWS CloudTrail data in another account - https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account
I sincerely hope this helps!
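As an added illustration of what the bucket policy above actually restricts (this is example code written for this page, not part of the answer and not AWS's own tooling), the following offline evaluator loads that bucket policy with constructed placeholder values (bucket name, organization ID and account IDs are all made up) and decides whether a given request context is allowed. It implements only the IAM semantics the policy relies on: an `Allow` statement with a wildcard principal, `StringEquals`, `StringLike` and `${aws:PrincipalAccount}` substitution. It shows why `"Principal": {"AWS": "*"}` is acceptable here: the `aws:PrincipalOrgID` condition limits callers to the organization, the `aws:PrincipalArn` pattern limits them to the Access Analyzer service-linked role, and the policy variable in the `Resource` ARN confines each account's role to its own `AWSLogs/<org>/<account>/` prefix.

```python
"""Offline evaluator for the cross-account Access Analyzer bucket policy.

Added example, not from the re:Post answer or from AWS. Models only Allow
statements, a wildcard principal, StringEquals, StringLike and policy-variable
substitution; explicit Deny is not modelled.
"""
import fnmatch

# Constructed placeholder values; not taken from the page.
LOG_BUCKET = "example-org-cloudtrail-logs"
ORG_ID = "o-exampleorg1"

# The bucket policy from the answer, with placeholders filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyGenerationBucketPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            f"arn:aws:s3:::{LOG_BUCKET}",
            f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{ORG_ID}/${{aws:PrincipalAccount}}/*",
        ],
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
            "StringLike": {
                "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}"
                                    ":role/service-role/AccessAnalyzerMonitorServiceRole*"
            },
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(value, ctx):
    """Substitute IAM policy variables such as ${aws:PrincipalAccount}."""
    for key, val in ctx.items():
        if key.startswith("aws:"):
            value = value.replace("${" + key + "}", val)
    return value


def _like(value, pattern):
    """IAM StringLike: '*' matches any sequence (including '/'), '?' one character."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _conditions_met(conditions, ctx):
    for operator, pairs in conditions.items():
        for ctx_key, expected in pairs.items():
            actual = ctx.get(ctx_key)
            if actual is None:  # an absent context key never satisfies these operators
                return False
            patterns = [_expand(p, ctx) for p in _as_list(expected)]
            if operator == "StringEquals" and actual not in patterns:
                return False
            if operator == "StringLike" and not any(_like(actual, p) for p in patterns):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def is_allowed(policy, ctx):
    """True if some Allow statement matches the action, resource and conditions in ctx."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            raise ValueError("only the wildcard principal used in the answer is modelled")
        if ctx["action"] not in _as_list(stmt["Action"]):
            continue
        resources = [_expand(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(_like(ctx["resource"], r) for r in resources):
            continue
        if _conditions_met(stmt.get("Condition", {}), ctx):
            return True
    return False


def request(account, role_path, key=None, org_id=ORG_ID, action="s3:GetObject"):
    """Request context for IAM role `role_path` in `account` acting on object `key`."""
    ctx = {
        "action": action,
        "resource": f"arn:aws:s3:::{LOG_BUCKET}" + (f"/{key}" if key else ""),
        "aws:PrincipalArn": f"arn:aws:iam::{account}:role/{role_path}",
        "aws:PrincipalAccount": account,
    }
    if org_id:  # a principal outside any organization carries no aws:PrincipalOrgID
        ctx["aws:PrincipalOrgID"] = org_id
    return ctx


if __name__ == "__main__":
    slr = "service-role/AccessAnalyzerMonitorServiceRole_EXAMPLE"
    own = f"AWSLogs/{ORG_ID}/111111111111/CloudTrail/us-east-1/trail.json.gz"
    other = f"AWSLogs/{ORG_ID}/222222222222/CloudTrail/us-east-1/trail.json.gz"
    checks = {
        "service-linked role reads its own account's logs": request("111111111111", slr, own),
        "same role reads another account's logs": request("111111111111", slr, other),
        "right role name, account outside the org": request("333333333333", slr, own, org_id=None),
        "ordinary role in the org": request("111111111111", "Admin", own),
        "service-linked role lists the bucket": request("111111111111", slr, action="s3:ListBucket"),
    }
    for label, ctx in checks.items():
        print("ALLOW" if is_allowed(BUCKET_POLICY, ctx) else "DENY ", label)
```

The same evaluator applies unchanged to the KMS key policy in the answer, since `kms:ViaService` and the `kms:EncryptionContext:aws:cloudtrail:arn` key are just further `StringLike` and `StringEquals` conditions; only the request context builder would need `kms:Decrypt`, the key ARN and those two context keys.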
Thanks Bradley - following the guidance in your 2nd link, I finally managed to get this working! I initially tried just updating the policy attached to the bucket, but it needed the suggested change to Object Ownership as well before I was successfully able to generate policies for my IAM users and roles. Many thanks for your help!