~~NOCACHE~~
~~DISCUSSION~~

## 80.AccessAnalyzerポリシーの生成
CloudTrailログを分析して、ポリシーを生成してくれる機能
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/access-analyzer-policy-generation.html

<color #ed1c24>権限不足だとCloudTrailに、[eventName:Decrypt][errorCode:AccessDenied]が沢山でるので注意！！！</color>

### IAMロール作成
#### 信頼関係
--> ポリシーサンプル#
<sxh bash; highlight: []; gutter:True>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "access-analyzer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
</sxh>
<--

#### インラインポリシー(AccessAnalyzerMonitorServiceRolePolicy)
--> IAMロールポリシーサンプル#
<sxh bash; highlight: []; gutter:True>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudtrail:GetTrail",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:GenerateServiceLastAccessedDetails",
                "iam:GetServiceLastAccessedDetails"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[CloudTrailバケット名]",
                "arn:aws:s3:::[CloudTrailバケット名]/*"
            ],
            "Effect": "Allow"
        }
    ]
}
</sxh>
<--


### CloudTrailのS3バケット側に追加する設定
--> S3バケットポリシーサンプル#
<sxh bash; highlight: []; gutter:True>
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyGenerationBucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[CloudTrailバケット名]",
        "arn:aws:s3:::[CloudTrailバケット名]/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::[アカウントID]:role/AccessAnalyzerMonitorServiceRole"
        }
      }
    }
  ]
}
</sxh>
<--

### CloudTrailのS3バケットがCMK暗号化されていた場合
--> キーポリシーサンプル#
<sxh bash; highlight: []; gutter:True>
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[アカウントID]:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:[リージョン名]:[アカウントID]:key/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:[リージョン名]:[アカウントID]:trail/[証跡名]"
        }
      }
    },
    {
      "Sid": "Allow use of the key for AccessAnalyzer",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::[アカウントID]:role/AccessAnalyzerMonitorServiceRole*",
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    }
  ]
}
</sxh>
<--

### ポリシーの生成
{{:Aws:IAM:pasted:20220516-093724.png?direct 600x0}}

上記のようにCloudTrailの証跡を指定してポリシーを生成できます。
ステータスが[成功]となれば完了です。
{{:Aws:IAM:pasted:20220516-091357.png?direct 900x0}}


{{tag>AWS IAM Trail AccessAnalyzer なるほど}}