Generated policy failing during proccess

0

Hi, Actually we try to generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all cloudtrails to all our accounts. We follow this blog: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account

but still give the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again."

We already update the bucket policy, bucket ownership and we dont use KMS on it.

Any advise or glue about what we miss ?

Thanks in advance,

  • btw, we just append the policy mentioned on blog to the existing one created by Control Tower

2 Answers
0
Accepted Answer

Hi There

In the policy, it mentions AccessAnalyzerMonitorServiceRole* arn as a condition.

"StringLike": {
  "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"

It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with AccessAnalyzerMonitorServiceRole. Using aws:PrincipalArn as a Condition in the Resource element ensures that the role can only access activity for the account if it belongs to account A.

Can you verify the name of the role that you are using (See Step 1) ?

profile pictureAWS
EXPERT
answered 2 years ago
profile picture
EXPERT
reviewed 4 months ago
  • indeed the role was created for the proccess and call: AccessAnalyzerMonitorServiceRole_W99N7OHOS6

0

Indeed, we actually use this service-role:

Enter image description here

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions