
[FEATURE] Add ability for IAM Access Analyzer Policy generation as a part of the Access Analyzer solution

Open ashmeetp opened this issue 1 year ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Is your feature request related to a problem? Please describe

IAM Access Analyzer is a really good tool to allow policy generation based on CloudTrail activity. SRA configures the org Access Analyzer but does not do the required configuration for Access Analyzer to be utilized to its full potential (policy generation).

Describe the solution you'd like

To allow IAM Access Analyzer to read CloudTrail logs and generate policies, we need:

  1. Access Analyzer service-linked role with permissions to the CloudTrail log bucket.
  2. Bucket policy to allow the Access Analyzer role to read logs.
  3. Bucket owner enforced on the CloudTrail bucket so that Access Analyzer can read the logs, as logs owned by member accounts cannot be shared by the log bucket account with any other principal unless bucket owner is enforced or preferred.

Describe alternatives you've considered

I have been manually setting up policy generation by performing the steps listed above.

ashmeetp avatar May 30 '23 16:05 ashmeetp
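The bucket-side prerequisites listed in the issue (a read grant for the analyzer role in the log bucket policy, and Object Ownership set so the log-archive account can actually share member-account log objects), as an added example that is not part of the original issue or of the SRA project's code. It is a pure-Python checker and statement builder over policy and ownership documents shaped like the S3 API responses; no AWS call is made. The bucket name, the role ARN, and the choice of `s3:ListBucket` plus `s3:GetObject` as the minimal read set are assumptions, and the sample bucket policy and ownership documents are constructed.

```python
"""Express and verify the bucket-side prerequisites for IAM Access Analyzer policy
generation against an org CloudTrail log bucket. Pure Python over policy and
Object Ownership documents; inputs below are constructed samples, no AWS calls."""
import json

# Assumed minimal S3 read set the analyzer role needs on the log bucket.
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject")
# Object Ownership settings under which the bucket owner owns member-account log
# objects and can therefore grant them to another principal (issue point 3).
CROSS_ACCOUNT_SHAREABLE = {"BucketOwnerEnforced", "BucketOwnerPreferred"}

# Placeholders, not values from the issue: log bucket and the role Access Analyzer uses.
LOG_BUCKET = "example-org-cloudtrail-logs"
ANALYZER_ROLE_ARN = "arn:aws:iam::111111111111:role/AccessAnalyzerPolicyGenRole"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_read_statement(bucket, role_arn, sid="AllowAccessAnalyzerReadCloudTrailLogs"):
    """Bucket-policy statement granting only the analyzer role read access (issue point 2)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(READ_ACTIONS),
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }


def add_statement(policy_doc, statement):
    """Return a copy of the policy with the statement appended (replacing one with the same Sid)."""
    doc = json.loads(json.dumps(policy_doc))  # deep copy so the caller's document is untouched
    statements = [s for s in _as_list(doc.get("Statement")) if s.get("Sid") != statement.get("Sid")]
    statements.append(statement)
    doc["Statement"] = statements
    return doc


def policy_grants_read(policy_doc, role_arn, bucket):
    """True if Allow statements naming exactly role_arn cover ListBucket on the bucket
    and GetObject on its objects. Wildcard principals are deliberately not counted:
    a '*' grant would be a far wider exposure than this feature needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    covered = set()
    for st in _as_list(policy_doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or role_arn not in _as_list(principal.get("AWS")):
            continue
        actions = set(_as_list(st.get("Action")))
        resources = set(_as_list(st.get("Resource")))
        if "s3:ListBucket" in actions and bucket_arn in resources:
            covered.add("s3:ListBucket")
        if "s3:GetObject" in actions and f"{bucket_arn}/*" in resources:
            covered.add("s3:GetObject")
    return covered == set(READ_ACTIONS)


def ownership_allows_sharing(ownership_controls):
    """True if the bucket's Object Ownership rule is BucketOwnerEnforced or
    BucketOwnerPreferred (issue point 3). Under ObjectWriter the member accounts
    still own the delivered log objects and the bucket policy cannot share them."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return any(r.get("ObjectOwnership") in CROSS_ACCOUNT_SHAREABLE for r in rules)


def readiness(policy_doc, ownership_controls, role_arn, bucket):
    """Combine both bucket-side checks into one verdict."""
    grants = policy_grants_read(policy_doc, role_arn, bucket)
    shareable = ownership_allows_sharing(ownership_controls)
    return {"policy_grants_read": grants, "ownership_ok": shareable, "ready": grants and shareable}


# Constructed sample: a typical CloudTrail delivery bucket policy (write-only grant to
# the CloudTrail service) and a bucket still on the ObjectWriter ownership setting.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{LOG_BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
SAMPLE_OWNERSHIP_BEFORE = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}
SAMPLE_OWNERSHIP_AFTER = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}

if __name__ == "__main__":
    print("before:", readiness(SAMPLE_POLICY, SAMPLE_OWNERSHIP_BEFORE, ANALYZER_ROLE_ARN, LOG_BUCKET))
    fixed = add_statement(SAMPLE_POLICY, build_read_statement(LOG_BUCKET, ANALYZER_ROLE_ARN))
    print("after: ", readiness(fixed, SAMPLE_OWNERSHIP_AFTER, ANALYZER_ROLE_ARN, LOG_BUCKET))
```

Both checks have to pass: adding the read statement alone still reports `ready: False` while ownership stays on `ObjectWriter`, which is exactly the failure the issue's third point describes. The checker matches only the exact role ARN so that a broad `*` principal grant is never mistaken for the narrow grant this feature needs.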