How to use EventBridge instead of S3 Bucket Notifications for an S3 Panther Log Source

Last updated: May 27, 2026

By default, Panther's S3 log source setup uses native S3 Bucket Notifications to send object create events to the panther-notifications-topic SNS topic. If you are unable to use S3 Bucket Notifications — for example, due to conflicting notification configurations on the bucket — you can use Amazon EventBridge as an alternative to forward the same events to the same SNS topic.

When to Use This Guide

Use this approach if:

  • Your S3 bucket already has event notifications configured and you cannot add additional ones (S3 only allows one notification configuration per bucket)

  • Your organization prefers centralized event routing through EventBridge

  • You encounter errors when attempting to configure S3 Bucket Notifications directly


Prerequisites

Before you begin:

  • You have completed Steps 1 and 2 of the standard Panther S3 source setup (creating the log source in Panther, and setting up the IAM role manually)

  • The panther-notifications-topic SNS topic exists in your AWS account and is already subscribed to Panther's SQS queue

  • You have permissions to modify S3 bucket properties and create EventBridge rules in your AWS account


Step 1: Enable Amazon EventBridge on Your S3 Bucket

By default, S3 does not send events to EventBridge. You need to turn this on for your bucket.

  1. Log in to the AWS S3 console and navigate to your bucket.

  2. Click the Properties tab.

  3. Scroll to the Event Notifications section and find the Amazon EventBridge subsection.

  4. Click Edit and toggle Send notifications to Amazon EventBridge for all events in this bucket to On.

  5. Click Save changes.

Note: It can take up to five minutes for this change to take effect.

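Alternatively, enable it via the AWS CLI. This call replaces the bucket's entire notification configuration, so if the bucket already has notifications, include its existing TopicConfigurations, QueueConfigurations and LambdaFunctionConfigurations in the JSON alongside EventBridgeConfiguration: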

aws s3api put-bucket-notification-configuration \
  --bucket YOUR-BUCKET-NAME \
  --notification-configuration='{"EventBridgeConfiguration": {}}'

Step 2: Update the SNS Topic Access Policy

EventBridge needs permission to publish to your panther-notifications-topic SNS topic. Grant it by adding a statement to the topic's access policy:

  1. Navigate to the SNS console and select panther-notifications-topic.

  2. Click Edit and expand the Access Policy section.

  3. Add the following statement to the existing policy:

{
  "Sid": "AllowEventBridgePublish",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "<SNS-TOPIC-ARN>"
}

Replace <SNS-TOPIC-ARN> with the full ARN of your panther-notifications-topic.


Step 3: Create an EventBridge Rule to Forward Object Create Events

  1. Navigate to the Amazon EventBridge console and select Rules.

  2. Click Create rule and configure the following:

    • Name: e.g. panther-s3-object-created

    • Event bus: Select default

    • Rule type: Select Rule with an event pattern

  3. Under Event pattern, select:

    • Event source: AWS services

    • AWS service: Simple Storage Service (S3)

    • Event type: Amazon S3 Event Notification

    • Specific event(s): Object Created

  4. If you want to limit the rule to a specific bucket, expand Additional options and add a filter on detail.bucket.name matching your bucket name.

  5. Under Target, select SNS topic and choose panther-notifications-topic.

  6. Click Create rule.


Step 4: Verify Log Ingestion

Once the rule is active, new objects written to your S3 bucket will trigger an EventBridge event, which will be forwarded to panther-notifications-topic and on to Panther for processing.

To confirm everything is working:

  1. In the Panther Console, navigate to Configure → Log Sources and confirm the source status shows Healthy.

  2. Write a test object to the S3 bucket and check that it appears in Search or Data Explorer within a few minutes.


Troubleshooting

No events reaching Panther after setup: Confirm that EventBridge is enabled on the bucket (Step 1) and that the EventBridge rule is in an Enabled state. Also verify the SNS topic access policy was saved correctly.

SNS publish errors in EventBridge: Check that the SNS topic access policy includes the events.amazonaws.com service principal with sns:Publish permission (Step 2). If the topic is KMS-encrypted, ensure the KMS key policy also grants EventBridge permission to use the key.

Events arriving but logs not processing: Verify the SNS topic has an active subscription to Panther's SQS queue (panther-input-data-notifications-queue). If the subscription is in a Pending state, confirm the S3 log source exists in your Panther Console for the correct AWS account.

Duplicate events: If you previously had S3 Bucket Notifications configured on the same bucket pointing to the same SNS topic, remove those to avoid Panther receiving duplicate notifications.
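The configuration checks from Steps 1 to 3 and the Troubleshooting items can be run offline against saved output, shown here as an added example that is not part of Panther's documentation or tooling. It assumes the parsed JSON from `aws s3api get-bucket-notification-configuration`, the topic's Policy attribute from `aws sns get-topic-attributes`, and `aws events describe-rule`; the function names, account ID, region and bucket name are constructed placeholders.

```python
import json

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_pipeline(bucket_cfg, topic_policy, rule, topic_arn, bucket):
    """Return findings for Steps 1-3; an empty list means the configs are consistent."""
    findings = []
    # Step 1: delivery to EventBridge is on when this key is present (its value is {}).
    if "EventBridgeConfiguration" not in bucket_cfg:
        findings.append("step1: EventBridge is not enabled on the bucket")
    # Duplicate events: a native S3 notification still publishes to the same topic.
    for tc in bucket_cfg.get("TopicConfigurations", []):
        if tc.get("TopicArn") == topic_arn:
            findings.append("duplicates: S3 Bucket Notification still targets the topic")
    # Step 2: an Allow for events.amazonaws.com to sns:Publish on this topic.
    def allows_publish(st):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        return (st.get("Effect") == "Allow" and "events.amazonaws.com" in services
                and "sns:publish" in actions and topic_arn in as_list(st.get("Resource", [])))
    if not any(allows_publish(s) for s in as_list(topic_policy.get("Statement", []))):
        findings.append("step2: topic policy lacks the EventBridge sns:Publish statement")
    # Step 3: rule enabled, matches S3 "Object Created"; exact-match bucket filters only.
    pattern = json.loads(rule.get("EventPattern") or "{}")
    if rule.get("State") != "ENABLED":
        findings.append("step3: rule is not enabled")
    if "aws.s3" not in pattern.get("source", []) or "Object Created" not in pattern.get("detail-type", []):
        findings.append("step3: pattern does not match S3 Object Created events")
    names = pattern.get("detail", {}).get("bucket", {}).get("name")
    if names is not None and bucket not in names:
        findings.append("step3: bucket filter excludes " + bucket)
    return findings

# Constructed sample inputs (placeholder account ID, region and bucket name).
TOPIC = "arn:aws:sns:us-east-1:111122223333:panther-notifications-topic"
BUCKET_CFG = {"EventBridgeConfiguration": {}}
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEventBridgePublish", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sns:Publish", "Resource": TOPIC}]}
RULE = {"State": "ENABLED", "EventPattern": json.dumps({
    "source": ["aws.s3"], "detail-type": ["Object Created"],
    "detail": {"bucket": {"name": ["example-log-bucket"]}}})}

if __name__ == "__main__":
    print(check_pipeline(BUCKET_CFG, POLICY, RULE, TOPIC, "example-log-bucket") or "no findings")
```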