S3 Troubleshooting

This section helps with different approaches to troubleshooting S3 access for the CHAOSSEARCH Platform.

This section will help you troubleshoot the appropriate level of access needed for CHAOSSEARCH to index the logs and events stored in your S3 bucket.

Read Access for S3 Objects

If you're unable to Preview or Index objects in the CHAOSSEARCH UI, you may not have the appropriate level of access needed to view the object. A common reason for this is that the object is owned by another AWS account.

In this example, the S3 bucket owner has read / read object / write object permissions (full permissions), so you can read the object. This object is in a bucket owned by e397, but the object is owned by a34607. The bucket owner does not have the appropriate level of permissions on the object.

This is different from a file owned by the S3 bucket owner.

Troubleshooting - Who owns the S3 Object

The overview tab has information on the "account" that owns the object. Note the "Access denied" for server-side encryption: only the object owner can read some metadata about the object.

If you'd like to give the bucket owner access to an object owned by another account, you can change the ACL on the object uploaded to the S3 bucket, giving the bucket owner full permissions.

aws --profile kevinexample s3api put-object-acl --bucket name-of-s3-bucket --key mb.json --grant-full-control id="canonical-id"
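The ownership check described above can also be done from the output of `aws s3api get-object-acl`, run by a principal allowed to read the object's ACL. The following is an added example, not code from the CHAOSSEARCH documentation: the function names are hypothetical and the canonical IDs in the sample ACL are constructed placeholders.

```python
import json

# Constructed sample of `aws s3api get-object-acl` output (placeholder IDs,
# not values from the page): the uploader owns the object and is the only grantee.
SAMPLE_ACL = """
{
  "Owner": {"DisplayName": "uploader", "ID": "UPLOADER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "UPLOADER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"}
  ]
}
"""

READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def diagnose_object_acl(acl_json, bucket_owner_id):
    """Classify an object ACL from the bucket owner's point of view (hypothetical helper)."""
    acl = json.loads(acl_json)
    object_owner = acl.get("Owner", {}).get("ID")
    # Permissions granted directly to the bucket owner's canonical user ID.
    granted = sorted({
        g.get("Permission", "")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == bucket_owner_id
    })
    if object_owner == bucket_owner_id:
        status = "owned-by-bucket-owner"
    elif READ_PERMISSIONS & set(granted):
        status = "cross-account-readable"
    else:
        status = "cross-account-no-read-grant"
    return {"object_owner": object_owner, "bucket_owner_grants": granted, "status": status}


def suggested_fix(bucket, key, bucket_owner_id):
    """Build the put-object-acl command shown on the page; the object owner runs it."""
    return ["aws", "s3api", "put-object-acl", "--bucket", bucket, "--key", key,
            "--grant-full-control", f"id={bucket_owner_id}"]


if __name__ == "__main__":
    result = diagnose_object_acl(SAMPLE_ACL, "BUCKET-OWNER-CANONICAL-ID")
    print(result)
    if result["status"] == "cross-account-no-read-grant":
        print(" ".join(suggested_fix("name-of-s3-bucket", "mb.json", "BUCKET-OWNER-CANONICAL-ID")))
```

Note that `put-object-acl` replaces the object's existing ACL, so any other grants that must be kept have to be passed in the same call.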

S3 Policy - No Upload Authority

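This S3 bucket policy example doesn't allow the upload of files that are not owned by the bucket owner: the Deny statement rejects any s3:PutObject request that does not grant full control to the given canonical ID.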

{
  "Version": "2012-10-17",
  "Id": "Policy1557350455933",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/user.name"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::your-s3-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/user.name"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-s3-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-grant-full-control": "id=canonical-id"
        }
      }
    }
  ]
}
