1 Answer
To resolve the "Access denied" error when copying CloudTrail events to a CloudTrail Lake, ensure the following:
- The CloudTrailCopyRole role should have s3:ListBucket, s3:GetBucketAcl, s3:GetObject, kms:Decrypt, and kms:GenerateDataKey permissions.
- Update the KMS key policy used for encrypting the S3 bucket to allow the CloudTrailCopyRole role to use kms:Decrypt and kms:GenerateDataKey.
- Change the object ownership in the S3 bucket settings from "Object writer" to "Bucket owner preferred" to ensure your management account can access the objects.
After applying these changes, try the copy operation again.
Hi Sedat, thank you for your answer. The problem seems to lie with the object ownership. However, changing the bucket's ownership settings won't change the ownership of the existing objects. Does that mean I now need to update the ownership of each of the millions of objects?
Could you double-check that the resource names and Amazon Resource Names (ARNs) specified in your IAM policies are correct and match the actual resources? Ensure that the IAM role (CloudTrailCopyRole) has the necessary permissions to interact with AWS CloudTrail to read and copy the CloudTrail events. This might involve permissions like cloudtrail:LookupEvents, cloudtrail:DescribeTrails, and cloudtrail:GetEventSelectors.
KMS Key Policy: Since your S3 bucket is encrypted with SSE-S3, there might be a KMS key policy attached to the KMS key used for encryption. Ensure that the CloudTrailCopyRole has the necessary permissions to decrypt objects using this KMS key. You may need to update the KMS key policy to grant decryption permissions to the CloudTrailCopyRole.
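Both answers above come down to whether CloudTrailCopyRole actually holds the listed permissions on the right ARNs. As an added example that is not part of either answer, the Python below checks an IAM identity policy document against the S3 and KMS actions the first answer names and reports which pairs are not allowed; the policy, bucket name, account ID and key ID are constructed placeholders, and the matcher only evaluates Action/Resource wildcards, so it is a quick pre-check rather than a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Permissions the first answer lists for CloudTrailCopyRole, keyed by the resource
# they are needed on. Bucket name, account ID and key ID are constructed placeholders.
REQUIRED = {
    "arn:aws:s3:::example-trail-bucket": ["s3:ListBucket", "s3:GetBucketAcl"],
    "arn:aws:s3:::example-trail-bucket/*": ["s3:GetObject"],
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID": ["kms:Decrypt", "kms:GenerateDataKey"],
}

# Constructed sample identity policy: grants the S3 actions and kms:Decrypt but
# omits kms:GenerateDataKey, the kind of gap that surfaces as "Access denied".
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketAcl"],
         "Resource": "arn:aws:s3:::example-trail-bucket"},
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-trail-bucket/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards handled.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def missing_permissions(policy_json, required=REQUIRED):
    """Return (resource, action) pairs the identity policy does not allow.

    Simplified evaluation: an explicit Deny wins, otherwise a matching Allow is
    required. Condition blocks, NotAction/NotResource, the bucket policy, the KMS
    key policy and SCPs are not evaluated, so an empty result is necessary but
    not sufficient for the copy to succeed."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    missing = []
    for resource, actions in required.items():
        for action in actions:
            hits = [s for s in statements if _matches(s, action, resource)]
            if any(s.get("Effect") == "Deny" for s in hits) \
                    or not any(s.get("Effect") == "Allow" for s in hits):
                missing.append((resource, action))
    return missing
```

Run `missing_permissions` on the role's actual inline or attached policy JSON (for example the output of `aws iam get-role-policy`) with `REQUIRED` edited to your bucket and key ARNs; the second answer's cloudtrail:* actions can be added to `REQUIRED` the same way.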