Step 2: Add permissions to read Amazon CloudTrail logs to the workflow role
- Attach the following inline policy to the role LakeFormationWorkflowRole. The policy grants permission to read your Amazon CloudTrail logs. Name the policy DatalakeGetCloudTrail.

  To create the LakeFormationWorkflowRole role, see (Optional) Create an IAM role for workflows.

  Important
  Replace <your-s3-cloudtrail-bucket> with the Amazon S3 location of your CloudTrail data.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": ["arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"]
              }
          ]
      }

- Verify that there are three policies attached to the role.
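The two steps above carried out with boto3, as an added example that is not part of the AWS documentation: the script fills the bucket name into the DatalakeGetCloudTrail policy document (refusing the unreplaced placeholder, which would otherwise produce a malformed resource ARN), attaches it to LakeFormationWorkflowRole as an inline policy, and then counts inline plus managed policies to confirm the expected total of three. The bucket name and the credentials (which need iam:PutRolePolicy, iam:ListRolePolicies and iam:ListAttachedRolePolicies) are assumptions.

```python
import json
import re

ROLE_NAME = "LakeFormationWorkflowRole"
POLICY_NAME = "DatalakeGetCloudTrail"
PLACEHOLDER = "<your-s3-cloudtrail-bucket>"
# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_cloudtrail_read_policy(bucket: str) -> dict:
    """Return the policy document from the step above with the bucket filled in.
    An unreplaced placeholder or an invalid name is rejected here, before IAM
    sees a malformed ARN."""
    if bucket == PLACEHOLDER or not BUCKET_RE.match(bucket):
        raise ValueError(f"replace {PLACEHOLDER} with a real bucket name, got {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",  # object reads only, exactly as the page states
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def count_role_policies(inline_names: list, attached: list) -> int:
    """Total policies on a role: inline policy names plus attached managed
    policies. This is the number the step asks you to verify is three."""
    return len(inline_names) + len(attached)


def attach_and_verify(bucket: str, expected: int = 3) -> int:
    """Attach the inline policy, then return the role's total policy count."""
    import boto3  # imported here so the pure helpers above run without AWS access
    iam = boto3.client("iam")
    doc = build_cloudtrail_read_policy(bucket)
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(doc))
    inline = iam.list_role_policies(RoleName=ROLE_NAME)["PolicyNames"]
    attached = iam.list_attached_role_policies(RoleName=ROLE_NAME)["AttachedPolicies"]
    total = count_role_policies(inline, attached)
    if total != expected:
        raise RuntimeError(f"{ROLE_NAME} has {total} policies, expected {expected}")
    return total


if __name__ == "__main__":
    # Constructed sample bucket name; substitute your own CloudTrail bucket.
    print(attach_and_verify("my-cloudtrail-logs-bucket"))
```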