Issue

When viewing an S3 Bucket Log Source, the following error occurs: 

Source has turned unhealthy. Bucket Notifications are not properly configured - Notifications are not properly configured for these prefixes: [""]

This error can also read:

We couldn't determine if S3 Event Notifications are configured for your given S3 Prefixes and bucket: <bucket name>

This often occurs after editing the log source configuration.


Resolution

To resolve this issue:

  1. Edit the log source.

    • From the Log Source overview page, click on the "Configuration" button in the top-right, then select Edit Log Source from the drop-down menu options.

  2. In the top-right panel, click Edit IAM Role.

  3. In the IAM Role view, click I want to set up everything on my own.

  4. Without making any other changes, click Save in the top-right.

After completing these steps, the Log Source should return to a healthy state.

Cause

This issue occurs when an S3 bucket was originally set up to use the Panther-provided SNS topic, panther-notifications-topic, but was later changed to use a custom one instead. Panther routinely scans the S3 bucket's properties to make sure everything is in working order. If it expects to see panther-notifications-topic attached to the bucket's EventNotification but instead finds another SNS topic, Panther raises an error as a sign of possible misconfiguration.

By editing the bucket and choosing I want to set up everything myself, you tell Panther that you'll be making your own SNS topic, and as a result, Panther no longer expects to find panther-notifications-topic.
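
To see which SNS topic a bucket's event notifications actually point to before changing the log source, the following added example (not Panther's own health check, and not code from the original page) classifies each log source prefix from the JSON returned by `aws s3api get-bucket-notification-configuration`. The sample configuration, account ID, custom topic name, and the prefix-matching rule are assumptions made for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws s3api get-bucket-notification-configuration --bucket <bucket name>`.
# The account ID, region and custom topic name are made up.
SAMPLE = json.loads("""
{
  "TopicConfigurations": [
    {
      "Id": "custom-logs",
      "TopicArn": "arn:aws:sns:us-east-1:111122223333:my-custom-topic",
      "Events": ["s3:ObjectCreated:*"],
      "Filter": {"Key": {"FilterRules": [{"Name": "Prefix", "Value": "cloudtrail/"}]}}
    }
  ]
}
""")

def filter_prefix(cfg):
    """Return the key prefix a notification is limited to ("" = whole bucket)."""
    rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    return next((r["Value"] for r in rules if r["Name"].lower() == "prefix"), "")

def topics_for_prefixes(config, prefixes):
    """Map each log source prefix to the SNS topic names that receive
    ObjectCreated events for every object under that prefix."""
    result = {p: [] for p in prefixes}
    for cfg in config.get("TopicConfigurations", []):
        if not any(e.startswith("s3:ObjectCreated:") for e in cfg["Events"]):
            continue
        covered = filter_prefix(cfg)
        name = cfg["TopicArn"].rsplit(":", 1)[-1]
        for p in prefixes:
            # Assumed rule: a notification scoped to "cloudtrail/" covers
            # "cloudtrail/x/" but not "" (the whole bucket).
            if p.startswith(covered):
                result[p].append(name)
    return result

def report(config, prefixes, expected="panther-notifications-topic"):
    """Classify each prefix as 'expected', 'custom' or 'missing'."""
    out = {}
    for p, names in topics_for_prefixes(config, prefixes).items():
        out[p] = "expected" if expected in names else ("custom" if names else "missing")
    return out

if __name__ == "__main__":
    print(report(SAMPLE, ["", "cloudtrail/"]))
```

A prefix reported as `custom` matches the situation described under Cause; `missing` means no SNS topic receives object-created events for that prefix at all.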