I tried to use AWS Identity and Access Management Access Analyzer to generate a policy based on AWS CloudTrail events but I received errors.
Short description
I followed the instructions to use IAM Access Analyzer to generate a policy based on CloudTrail activity but I received errors similar to the following:
"An error occurred Invalid accessRole: Incorrect permissions assigned to access CloudTrail S3 bucket"
"The role is not authorized to perform: kms:Decrypt on the resource"
Resolution
Check the policies that are associated with the IAM Access Analyzer service role
Confirm that the service role for IAM Access Analyzer has the required permissions to generate a policy. You must create or edit a service role to allow IAM Access Analyzer access to CloudTrail. You must also allow IAM Access Analyzer permission to the AWS service last accessed information in your AWS account. Make sure that the AWS service works with IAM.
Note: It's a best practice to have an administrator create the service role for the initial setup. For more information, see Create a role to delegate permissions to an AWS service.
Check the Amazon S3 bucket policy where the CloudTrail logs are stored
Review the bucket policy where the CloudTrail logs are stored. Make sure that the policy statements don't deny access to the IAM Access Analyzer service role. If the CloudTrail logs are stored in another account, then make sure that the policy grants explicit access to the Access Analyzer service role.
For example, suppose you have an Amazon Simple Storage Service (Amazon S3) bucket stored in another account for your AWS Organizations. The bucket policy for the Amazon S3 bucket must allow access to the GetObject and ListBuckets API actions to the IAM Access Analyzer service role.
Check the AWS KMS key policy that you use to encrypt the CloudTrail logs
If you use AWS Key Management Service (AWS KMS) to encrypt your CloudTrail logs, then update your AWS KMS key policy. Check the AWS KMS key policy in the account where you store the CloudTrail logs. Make sure that the AWS KMS key policy grants access to IAM Access Analyzer. Make sure that the AWS KMS key policy doesn't contain an explicit deny for the IAM Access Analyzer service role.
Related information
IAM Access Analyzer policy generation
Using AWS Identity and Access Management Access Analyzer
How can I use AWS IAM Access Analyzer to monitor my AWS resources in my AWS Organization accounts?