Unable to generate policy with access analyzer

0

I tried to generate a policy using access analyzer. The generated policy is always empty and I cannot figure out why. Moreover, the events I can see in the cloudtrail event logs do not include data events even though I've configured data events.

I have executed the following action

  • DynamoDB CreateTable aws dynamodb create-table --tablename ....
  • DynamoDB PutItem aws dynamodb put-item --table-name xxx --item file://contents.json
  • S3 list aws s3 ls s3://mygreatbucket
  • S3 download aws s3 cp s3://mygreatbucket/theevengreater/file .

The only relevant event that is being logged in the cloudtrail is the create-table event. The data events are missing. I can't figure out what I'm doing wrong. The cloud trail config says in the "data events" section "Log All Events" for both S3 and DynamoDbB.

I followed the instructions in https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html. I opened my Administrator user and on the policy page I clicked "Generate Policy" in the bottom.

1 Antwort
0

Please see the Things to know about generating policies in the below doc :

https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

Data events not available – IAM Access Analyzer does not identify action-level activity for data events, such as Amazon S3 data events, in generated policies.

While generating the policy, Please check the duration and region on which the IAM Access Analyzer should look into the cloudtrail.

Enter image description here

profile pictureAWS
beantwortet vor 2 Jahren
profile pictureAWS
EXPERTE
überprüft vor 2 Jahren
  • Just to clarify: In the Cloud trail configuration, I did enable data events. If these are not logged, then what is this setting good for? Is there a distinction between "action-level data events" and "other data events"? And I solely operate in zone eu-central-1 and that is what I configured access analyzer to look after.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen