Hi there,

In the policy, it mentions the AccessAnalyzerMonitorServiceRole* ARN as a condition:

    "StringLike": {
        "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
    }

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (see Step 1)?
Indeed, the role was created for the process and is called AccessAnalyzerMonitorServiceRole_W99N7OHOS6.
BTW, we just appended the policy mentioned in the blog to the existing one created by Control Tower.
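To see concretely what the StringLike condition quoted in the answer above accepts and rejects, here is a small offline evaluator of that one condition block. This is an added example, not code from the original thread or from AWS; it reimplements only the pieces of IAM evaluation the condition relies on (policy-variable substitution of ${aws:PrincipalAccount} and the StringLike wildcard match) and feeds it constructed principal ARNs. The account number 111122223333 and the role names other than AccessAnalyzerMonitorServiceRole_W99N7OHOS6 are placeholders.

```python
import re

# The bucket-policy condition quoted in the answer above, reproduced verbatim.
CONDITION = {
    "StringLike": {
        "aws:PrincipalArn": (
            "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/"
            "AccessAnalyzerMonitorServiceRole*"
        )
    }
}

# arn:partition:service::account-id:resource  (IAM/STS ARNs have an empty region)
_ARN_RE = re.compile(r"^arn:[^:]+:(?:iam|sts)::(\d{12}):(.+)$")
# ${aws:SomeKey} policy variables
_POLICY_VAR_RE = re.compile(r"\$\{([A-Za-z0-9:/_\-]+)\}")


def request_context(principal_arn):
    """Build the two condition keys this policy needs from the caller's ARN.

    aws:PrincipalAccount is the account of the calling principal, which is the
    account segment of aws:PrincipalArn. For an assumed-role session AWS puts
    the IAM role ARN (arn:aws:iam::...:role/...) in aws:PrincipalArn, so that
    is what should be passed here, not the sts assumed-role session ARN.
    """
    m = _ARN_RE.match(principal_arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {principal_arn}")
    return {"aws:PrincipalArn": principal_arn, "aws:PrincipalAccount": m.group(1)}


def substitute_policy_variables(pattern, ctx):
    """Replace each ${key} in a policy string with that key's request-context value."""
    def repl(m):
        key = m.group(1)
        if key not in ctx:
            raise KeyError(f"policy variable {key} not in request context")
        return ctx[key]
    return _POLICY_VAR_RE.sub(repl, pattern)


def string_like(value, pattern):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def condition_matches(condition, principal_arn):
    """Evaluate a Condition block (StringLike only) against a principal ARN.

    A condition key missing from the request context fails the clause, as in
    IAM; several patterns listed for one key are OR'd together.
    """
    ctx = request_context(principal_arn)
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            if key not in ctx:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(
                string_like(ctx[key], substitute_policy_variables(p, ctx)) for p in patterns
            ):
                return False
    return True


if __name__ == "__main__":
    # Constructed ARNs; only the first one satisfies the quoted condition.
    for arn in (
        "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",
        "arn:aws:iam::111122223333:role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6",
        "arn:aws:iam::111122223333:role/service-role/SomeOtherRole",
        "arn:aws:iam::111122223333:user/alice",
    ):
        print(f"{condition_matches(CONDITION, arn)!s:5} {arn}")
```

Two things the run makes visible. The path is part of the ARN, so a role named AccessAnalyzerMonitorServiceRole_W99N7OHOS6 only matches if it was created under the /service-role/ path; the same role at the root path (arn:aws:iam::111122223333:role/AccessAnalyzerMonitorServiceRole_W99N7OHOS6) does not. And because ${aws:PrincipalAccount} resolves to the caller's own account, the substituted pattern always carries that account: this clause pins the role path and name prefix, and any restriction to particular accounts or to the organization has to come from the other conditions in the blog's policy, which are not quoted in this thread.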