S3 Troubleshooting

A summary of different approaches for troubleshooting S3 access via the ChaosSearch platform

This topic provides troubleshooting assistance for the level of access that ChaosSearch needs to index the logs and events stored in your AWS S3 bucket.

Read Access for S3 Objects

If you are unable to Preview or Index objects in the ChaosSearch UI, you might not have the appropriate level of access needed to view this object. A common reason is that the object is owned by another AWS Account.


In this example, the S3 bucket owner has read / read object / write object permissions (full permissions), so you can read the object. This object is in a bucket owned by e397, but the object is owned by a34607. The bucket owner does not have the appropriate level of permissions on the object.


This is different for a file owned by the S3 bucket owner.


Troubleshooting – Who owns the S3 Object

The Overview tab has information on the account that owns the object. Note the Access denied for server-side encryption. As a result, only the object owner can read some metadata about the object.


If you would like to change the object owner, you can change the ACL on the object uploaded to the S3 bucket to give the bucket owner full permissions.

aws --profile userexample s3api put-object-acl --bucket name-of-s3-bucket --key mb.json --grant-full-control id="canonical-id"
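The ownership check described in this section can be scripted. The following is an added example, not ChaosSearch code: it reads ACL JSON in the shape returned by `aws s3api get-object-acl` and reports whether the bucket owner can read the object. It assumes the ACL was fetched with the object owner's credentials; the function name `diagnose_object_acl` and both canonical IDs are hypothetical placeholders.

```python
import json

# Constructed samples shaped like `aws s3api get-object-acl` output.
# Both canonical IDs are placeholders, not values from the page.
BUCKET_OWNER = "BUCKET-OWNER-CANONICAL-ID"
OBJECT_OWNER = "OBJECT-OWNER-CANONICAL-ID"

ACL_BEFORE = json.loads("""{
  "Owner": {"DisplayName": "uploader", "ID": "OBJECT-OWNER-CANONICAL-ID"},
  "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OBJECT-OWNER-CANONICAL-ID"},
              "Permission": "FULL_CONTROL"}]
}""")

# The same object after the uploader grants the bucket owner full control.
ACL_AFTER = json.loads("""{
  "Owner": {"DisplayName": "uploader", "ID": "OBJECT-OWNER-CANONICAL-ID"},
  "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "BUCKET-OWNER-CANONICAL-ID"},
              "Permission": "FULL_CONTROL"}]
}""")

READ_PERMS = {"READ", "FULL_CONTROL"}


def diagnose_object_acl(acl, bucket_owner_id):
    """Return (can_read, reason) for the bucket owner against one object ACL."""
    owner_id = acl.get("Owner", {}).get("ID")
    if owner_id == bucket_owner_id:
        return True, "object is owned by the bucket owner"
    # Only grants to the bucket owner's canonical user count; group grants
    # (Type "Group") are ignored here.
    granted = {
        g.get("Permission")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "CanonicalUser"
        and g.get("Grantee", {}).get("ID") == bucket_owner_id
    }
    if granted & READ_PERMS:
        return True, "foreign-owned object; bucket owner holds " + ", ".join(sorted(granted))
    return False, f"object owned by {owner_id}; bucket owner has no READ or FULL_CONTROL grant"


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, diagnose_object_acl(acl, BUCKET_OWNER))
```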

S3 Policy – No Upload Authority

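This IAM Policy example does not allow the upload of files that are not owned by the bucket owner. Its Deny statement rejects any s3:PutObject request whose s3:x-amz-grant-full-control value does not match the canonical ID given in the condition.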

{
  "Version": "2012-10-17",
  "Id": "Policy1557350455933",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/user.name"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::your-s3-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/user.name"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-s3-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-grant-full-control": "id=canonical-id"
        }
      }
    }
  ]
}
