EDR Forwarder: 403 Error When Connecting to S3 Bucket
Article ID: 284942
Updated On:
Products
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Despite having working AWS credentials, a 403 error is found in /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log:
time="2021-09-13T09:38:18Z" level=info msg="Could not open bucket <aws_bucket> : Forbidden: Forbidden\n\tstatus code: 403, request id: <request_id>, host id: <host_id>"
Environment
EDR Event Forwarder: 3.7
Cause
There is a misconfiguration in the AWS bucket policy, in the IAM credentials, or in the cb-event-forwarder.conf file.
Resolution
Ensure the following items are correct first (reference the link in Related Content below for guidance on setup):
AWS Access Key
AWS Secret Key
Bucket Policy
Confirm that /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf is being updated appropriately from the UI changes.
Confirm that cb-event-forwarder.conf is also set to the appropriate credential_profile, as denoted in the first line of the aws.creds file. The example profile below is named 'default':
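The credential_profile comparison in the last step can be scripted. The following is an added example, not part of the original article or of Carbon Black tooling; it assumes cb-event-forwarder.conf holds a credential_profile=<name> line and that aws.creds follows the standard AWS shared-credentials layout, and the function names are hypothetical.

```shell
# Added example, not vendor code. Assumes cb-event-forwarder.conf holds a
# "credential_profile=<name>" line and aws.creds uses the standard AWS
# shared-credentials layout ([profile] header, then key = value lines).

# Print the last uncommented credential_profile value in the config file.
conf_profile() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*credential_profile[ \t]*=/ {
             v = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t\r]+$/, "", v); found = v
         }
         END { if (found != "") print found }' "$1"
}

# Report what the [profile] section contains. Emits marker words only,
# so secret values never reach the terminal or a log.
profile_keys() {
    awk -v want="$2" '
        /^[ \t]*\[[^]]*\]/ {
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_sec = (name == want); if (in_sec) print "SECTION"; next
        }
        in_sec && /^[ \t]*aws_access_key_id[ \t]*=[ \t]*[^ \t]/     { print "KEY_ID" }
        in_sec && /^[ \t]*aws_secret_access_key[ \t]*=[ \t]*[^ \t]/ { print "KEY_SECRET" }
    ' "$1"
}

# Usage: check_profile <cb-event-forwarder.conf> <aws.creds>
# Returns 0 = consistent, 1 = credential_profile unset,
#         2 = profile missing from creds file, 3 = profile lacks a key.
check_profile() {
    profile=$(conf_profile "$1")
    [ -n "$profile" ] || { echo "credential_profile not set in $1" >&2; return 1; }
    keys=$(profile_keys "$2" "$profile")
    case "$keys" in
        *SECTION*) ;;
        *) echo "[$profile] not found in $2" >&2; return 2 ;;
    esac
    for k in KEY_ID KEY_SECRET; do
        case "$keys" in
            *"$k"*) ;;
            *) echo "[$profile] is missing $k" >&2; return 3 ;;
        esac
    done
    echo "[$profile] found with both keys"
}
```

A non-zero return points at the configuration files rather than at the bucket policy or IAM permissions, which still have to be reviewed separately when the check passes.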