Why am I not receiving data after my AWS S3 bucket log source has been successfully connected to my Panther Console?

Issue

Why am I not receiving data after my AWS S3 bucket log source has been successfully connected to my Panther Console?

Resolution

To resolve this issue:

1. Verify S3 Bucket Encryption:

   • Before establishing a connection between Panther and your S3 bucket, ensure that the S3 bucket is not encrypted.
   • If encryption is enabled, proceed to add the appropriate Key Management Service (KMS) key to the Panther log source to enable decryption.

2. Edit the IAM Role Policy for Panther:

   • Access the AWS IAM console and locate the IAM role created for Panther.
   • Modify the IAM role policy to incorporate the necessary permissions and access rights, referencing the second policy template from our documentation.

3. Configure the IAM Role in Panther:

   • In the Panther dashboard, navigate to the "Edit IAM Role" tab.
   • Choose the option "I want to set up everything on my own" to manually configure the IAM role.
   • Paste the IAM role ARN.

If you have verified that your bucket is not encrypted, check to see if you have added KMS encryption to your SNS topic.  If that is the case you'll need to allow your bucket to write to this topic. If you need help verifying this, please contact the support team.

Cause

The issue may be due to either the S3 bucket or the SNS topic being encrypted. If neither of these scenarios applies to your situation, please reach out to the Panther support team for further assistance.