Updating the S3 bucket name and IAM role in my Panther log source
QUESTION
I updated the AWS S3 bucket I use to send logs to Panther, along with the AWS IAM role associated with it. Is there a way to update the S3 bucket name and the IAM role ARN in the affected log sources from the Panther Console?
ANSWER
It's not possible to update the S3 bucket name for your log source. When you click on Configuration, which appears on the right of your log source view, and then on Edit, the Bucket Name appears as read-only, as shown in the following screenshot:
.png?revision=1&size=bestfit&width=643&height=326)
You can, however, update the IAM role, if you click on Edit IAM Role. You will then see the views that appear in the following screenshot:
If you click on I want to setup everything on my own, you will be encountered with the below screen:
.png?revision=1&size=bestfit&width=640&height=421)
Creating a new log source would be the best option in this case. You won't lose the existing logs that have already been ingested from the old source, as they will remain in our Data Lake, as part of the corresponding table and will still be queryable using Data Explorer and Search. This is also mentioned in our article If I delete a log source in Panther, is its data deleted?.