Removing and filtering the permission errors

    {
      "Sid": "Deny unintended access to KMS key",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:List*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<ACCOUNT_ID>:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
            "arn:aws:iam::*:role/<YOUR-ADMIN-ROLE>"
          ]
        }
      }
    }

Add the service-linked role to the exception condition of the Deny statement.
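To check which callers the Deny statement above actually blocks, here is an added example (not from the original slide) that evaluates the statement's Action list and its ArnNotLikeIfExists condition for a given principal ARN. It assumes constructed values for the <ACCOUNT_ID> and <YOUR-ADMIN-ROLE> placeholders and simplified ArnLike matching (wildcards within each colon-delimited ARN component).

```python
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed sample values standing in for the <ACCOUNT_ID> and
# <YOUR-ADMIN-ROLE> placeholders of the policy above.
ACCOUNT_ID = "123456789012"
ADMIN_ROLE = "OrgAdmin"

DENY_STATEMENT = {
    "Sid": "Deny unintended access to KMS key",
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:List*"],
    "Resource": "*",
    "Condition": {
        "ArnNotLikeIfExists": {
            "aws:PrincipalArn": [
                f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
                "access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
                f"arn:aws:iam::*:role/{ADMIN_ROLE}",
            ]
        }
    },
}


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: '*' and '?' wildcards, matched inside each of the
    six colon-delimited ARN components (a wildcard never spans a colon)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def action_matches(action: str, patterns: List[str]) -> bool:
    # IAM action names are matched case-insensitively
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def deny_applies(action: str, principal_arn: Optional[str]) -> bool:
    """True if the statement denies this action for this caller.
    The ...IfExists suffix makes the condition hold when aws:PrincipalArn
    is absent from the request, so a caller without one is still denied."""
    if not action_matches(action, DENY_STATEMENT["Action"]):
        return False
    exceptions = DENY_STATEMENT["Condition"]["ArnNotLikeIfExists"]["aws:PrincipalArn"]
    if principal_arn is None:
        return True
    # ArnNotLike holds only when the ARN matches none of the exception patterns
    return not any(arn_like(p, principal_arn) for p in exceptions)
```

Note that the Access Analyzer exception is pinned to one account, so the same service-linked role in another account is still denied; only the admin role pattern uses a wildcard account.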