Panther Log Source error: "Bucket notifications are not properly configured"
Issue
When viewing an S3 Bucket Log Source, the following error occurs:
Source has turned unhealthy. Bucket Notifications are not properly configured - Notifications are not properly configured for these prefixes: [""]
This often occurs after editing the log source configuration.
Resolution
To resolve this issue:
- Edit the log source.
- From the Log Source overview page, click the gear-icon button in the top-right, then select Edit Log Source from the drop-down menu options.
- In the left-side panel, click Edit IAM Role.
- In the IAM Role view, click I want to set up everything on my own.
- Without making any other changes, click Save in the top-right.
After completing these steps, the Log Source should return to a healthy state.
Cause
This issue occurs when an S3 Bucket was originally set up to use the Panther-provided SNS topic, panther-notifications-topic, but was later changed to use a custom one instead. Panther routinely scans the S3 Buckets properties to make sure everything is in working order. If it expects to see panther-notifications-topic attached to the buckets EventNotification, but instead finds another SNS topic, Panther will raise an error as a sign of possible misconfiguration.
By editing the bucket and choosing I want to set up everything myself, you tell Panther that you'll be making your own SNS topic, and as a result, Panther no longer expects to find panther-notifications-topic.