Unable to generate policy with access analyzer

0

I tried to generate a policy using access analyzer. The generated policy is always empty and I cannot figure out why. Moreover, the events I can see in the cloudtrail event logs do not include data events even though I've configured data events.

I have executed the following action

  • DynamoDB CreateTable aws dynamodb create-table --tablename ....
  • DynamoDB PutItem aws dynamodb put-item --table-name xxx --item file://contents.json
  • S3 list aws s3 ls s3://mygreatbucket
  • S3 download aws s3 cp s3://mygreatbucket/theevengreater/file .

The only relevant event that is being logged in the cloudtrail is the create-table event. The data events are missing. I can't figure out what I'm doing wrong. The cloud trail config says in the "data events" section "Log All Events" for both S3 and DynamoDbB.

I followed the instructions in https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html. I opened my Administrator user and on the policy page I clicked "Generate Policy" in the bottom.

Kai
asked 2 years ago781 views
1 Answer
0

Please see the Things to know about generating policies in the below doc :

https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

Data events not available – IAM Access Analyzer does not identify action-level activity for data events, such as Amazon S3 data events, in generated policies.

While generating the policy, Please check the duration and region on which the IAM Access Analyzer should look into the cloudtrail.

Enter image description here

profile pictureAWS
answered 2 years ago
profile pictureAWS
EXPERT
kentrad
reviewed 2 years ago
  • Just to clarify: In the Cloud trail configuration, I did enable data events. If these are not logged, then what is this setting good for? Is there a distinction between "action-level data events" and "other data events"? And I solely operate in zone eu-central-1 and that is what I configured access analyzer to look after.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions