Unable to generate policy with access analyzer

Question

I tried to generate a policy using access analyzer. The generated policy is always empty and I cannot figure out why. Moreover, the events I can see in the cloudtrail event logs do not include data events even though I've configured data events.

I have executed the following action

* DynamoDB CreateTable `aws dynamodb create-table --tablename  .... `
*  DynamoDB PutItem `aws dynamodb put-item --table-name xxx --item file://contents.json`
* S3 list `aws s3 ls s3://mygreatbucket`
* S3 download `aws s3 cp s3://mygreatbucket/theevengreater/file .`

The only relevant event that is being logged in the cloudtrail is the `create-table` event. The data events are missing. I can't figure out what I'm doing wrong. The cloud trail config says in the "data events" section "Log All Events" for both S3 and DynamoDbB.

I followed the instructions in https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html. I opened my Administrator user and on the policy page I clicked "Generate Policy" in the bottom.

Answer

Please see the Things to know about generating policies in the below doc :

https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

`Data events not available – IAM Access Analyzer does not identify action-level activity for data events, such as Amazon S3 data events, in generated policies.`

While generating the policy, Please check the duration and region on which the IAM Access Analyzer should look into the cloudtrail.

![Enter image description here](/media/postImages/original/IMIUokXcQ3Twe-mugMSVqBDg)

Unable to generate policy with access analyzer

相關內容