2 Answers
0
Hi There
In the policy, it mentions the AccessAnalyzerMonitorServiceRole* ARN as a condition:

```json
"Condition": {
  "StringLike": {
    "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
  }
}
```
It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.
Can you verify the name of the role that you are using (see Step 1)?
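To make the check the answer asks for concrete, here is an added example (not from the original thread or from AWS) that evaluates the quoted `StringLike` condition the way IAM would: `${aws:PrincipalAccount}` is resolved to the caller's own account ID, `*` matches any run of characters, `?` one character, and the comparison is case-sensitive. The account ID is constructed; the role name is the one reported in the thread.

```python
import re

# Condition value copied from the bucket policy quoted in the answer above.
PRINCIPAL_ARN_PATTERN = (
    "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/"
    "AccessAnalyzerMonitorServiceRole*"
)


def principal_account(principal_arn: str) -> str:
    """Return the account ID field of an IAM principal ARN."""
    parts = principal_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {principal_arn}")
    return parts[4]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_allows(principal_arn: str, pattern: str = PRINCIPAL_ARN_PATTERN) -> bool:
    """Evaluate the aws:PrincipalArn condition for one caller.

    For an assumed-role session aws:PrincipalArn is the role's own ARN, so the
    role ARN (not the sts assumed-role ARN) is what gets compared here.
    """
    resolved = pattern.replace("${aws:PrincipalAccount}", principal_account(principal_arn))
    return string_like(resolved, principal_arn)


if __name__ == "__main__":
    # 111111111111 is a constructed account ID.
    candidates = [
        "arn:aws:iam::111111111111:role/service-role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",
        "arn:aws:iam::111111111111:role/service-role/MyCustomMonitorRole",          # wrong name
        "arn:aws:iam::111111111111:role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",  # wrong path
        "arn:aws:iam::111111111111:role/service-role/accessanalyzermonitorservicerole_X",  # wrong case
    ]
    for arn in candidates:
        print(f"{str(condition_allows(arn)):5} {arn}")
```

Only the first candidate is allowed; a role created by hand under a different name, outside the `service-role/` path, or with different casing fails the condition even though it sits in the same account.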
Indeed, the role was created for the process and called: AccessAnalyzerMonitorServiceRole_W99N7OHOS6
BTW, we just append the policy mentioned in the blog to the existing one created by Control Tower.