Since the migration from the ABI templates to the SRA templates, various changes in how the CloudTrail bucket is implemented cause issues with the policy on the role created for cross-account assumption, including the following:
- Versioning is enabled: `s3:GetObjectVersion` is needed
- KMS-encrypted bucket objects: `kms:Decrypt` is needed on the IAM policy, and a key policy similar to the one below is required on the KMS key used for encryption

```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::0123456789:role/deepwatch-mdr-role"
  ]},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "$KMS-ARN"
}
```

Additional reports of permissions potentially being needed: `sqs:ChangeMessageVisibility` & `s3:ListBucket`
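As an added example (not part of the original issue or the project's templates), this Python check reports which of the actions named above a role policy does not grant, and whether a key policy lets the role decrypt. The sample policies are constructed, `ROLE_ARN` and `$KMS-ARN` are the placeholders from the issue, and the helper names are hypothetical.

```python
import fnmatch

# Actions the issue says the role needs once versioning and KMS are in use.
REQUIRED = ["s3:GetObjectVersion", "kms:Decrypt"]
# Actions the issue lists as "potentially" needed.
REPORTED = ["sqs:ChangeMessageVisibility", "s3:ListBucket"]
ROLE_ARN = "arn:aws:iam::0123456789:role/deepwatch-mdr-role"  # placeholder from the issue

def as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allows(stmt, action):
    """True if an Allow statement's Action patterns (* and ? wildcards) cover `action`."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in as_list(stmt.get("Action")))

def missing_actions(policy, wanted):
    """Return the actions in `wanted` that no Allow statement grants."""
    # Deny statements, NotAction, Resource scoping and Condition keys are not evaluated.
    stmts = as_list(policy.get("Statement"))
    return [a for a in wanted if not any(allows(s, a) for s in stmts)]

def key_policy_grants(key_policy, role_arn, action):
    """True if some key-policy statement names `role_arn` (or "*") and allows `action`."""
    for stmt in as_list(key_policy.get("Statement")):
        principal = stmt.get("Principal")
        names = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if (role_arn in names or "*" in names) and allows(stmt, action):
            return True
    return False

# Constructed sample: a role policy written before versioning and KMS were enabled.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": "*"},
]}
# Constructed sample: a key policy carrying the statement quoted in the issue.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "$KMS-ARN"},
]}
```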