How can I send S3 notification messages to Panther directly via AWS EventBridge?

Last updated: November 26, 2025

QUESTION

I encountered the error: `"msg":"failed to parse notification"` in the panther-log-router. How can I use AWS EventBridge to filter and route S3 notifications to Panther via SNS and SQS without forwarding?

ANSWER

While Panther supports EventBridge as a data transport, S3 notifications sent through EventBridge require a transformation to match Panther's expected format. You can accomplish this using EventBridge's input transformer feature.

Here's how to configure the input transformer in your AWS EventBridge target:

1. Define the input paths to extract the required fields:

{
    "bucket": "$.detail.bucket.name",
    "key": "$.detail.object.key"
}

2. Set up the input template to transform the data into Panther's expected format. Each `<name>` placeholder must match a key defined in the input paths:

{
    "s3Bucket": "<bucket>",
    "s3ObjectKey": ["<key>"]
}

If you manage your EventBridge resources with Terraform, you can implement this transformation using the following configuration:

resource "aws_cloudwatch_event_target" "panther_sns_target" {
    target_id = "panther-siem-notifier-sns-topic"
    rule      = aws_cloudwatch_event_rule.panther_s3_object_create_event_capture.name
    arn       = module.panther_siem_notifier_sns_topic.topic_arn

    input_transformer {
        # Extract the bucket name and object key from the S3 event
        input_paths = {
            "bucket" = "$.detail.bucket.name"
            "key"    = "$.detail.object.key"
        }
        # Placeholders refer to the input_paths keys above
        input_template = <<EOF
{
    "s3Bucket": "<bucket>",
    "s3ObjectKey": ["<key>"]
}
EOF
    }
}
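
To check the transformation before deploying it, the following added example (not part of the original article and not Panther or AWS code) applies the input paths and template above to a constructed S3 "Object Created" event and verifies the resulting message shape. It is a local approximation of the input transformer; the function names and the sample event values are assumptions made for illustration.

```python
import json
import re

# Input paths from the page; template placeholders reuse the input-path names.
INPUT_PATHS = {"bucket": "$.detail.bucket.name", "key": "$.detail.object.key"}
INPUT_TEMPLATE = '{"s3Bucket": "<bucket>", "s3ObjectKey": ["<key>"]}'

# Constructed S3 "Object Created" event (trimmed; all values are made up).
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "Object Created",
    "detail": {
        "bucket": {"name": "example-log-bucket"},
        "object": {"key": 'logs/2025/11/26/app "v2".json.gz', "size": 1024},
    },
}


def resolve(event, path):
    """Resolve a plain dotted path such as $.detail.bucket.name."""
    node = event
    for part in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"{path} not present in event")
        node = node[part]
    if not isinstance(node, str):
        raise TypeError(f"{path} did not resolve to a string")
    return node


def transform(event, paths=INPUT_PATHS, template=INPUT_TEMPLATE):
    """Local approximation of the input transformer, not AWS's implementation."""
    values = {name: resolve(event, path) for name, path in paths.items()}

    def fill(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"placeholder <{name}> has no matching input path")
        # Escape for JSON, then drop the outer quotes the template already has.
        return json.dumps(values[name])[1:-1]
    message = json.loads(re.sub(r"<([\w.-]+)>", fill, template))
    keys = message.get("s3ObjectKey")
    if not isinstance(message.get("s3Bucket"), str) or not isinstance(keys, list) or not keys:
        raise ValueError("message does not match the s3Bucket/s3ObjectKey shape")
    return message


if __name__ == "__main__":
    print(json.dumps(transform(SAMPLE_EVENT)))
```

A template placeholder that does not match an input-path name, or an event missing `detail.object.key`, raises an error here instead of producing a message the log router cannot parse.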