EDR Forwarder: 403 Error When Connecting to S3 Bucket
search cancel

EDR Forwarder: 403 Error When Connecting to S3 Bucket


Article ID: 284942


Updated On:


Carbon Black Hosted EDR (formerly Cb Response Cloud)


Despite having working AWS credentials a 403 error found in the /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log:
time="2021-09-13T09:38:18Z" level=info msg="Could not open bucket <aws_bucket> : Forbidden: Forbidden\n\tstatus code: 403, request id: <request_id>, host id: <host_id>"



  • EDR Event Forwarder : 3.7


  • There is a mis-configuration, either in the AWS bucket policy, IAM/credentials, or in the cb-event-forwarder.conf file.


  • Ensure the following items are correct first (reference the link in Related Content below for guidance on setup):
    • AWS Access Key
    • AWS Secret Key
    • Bucket Policy
  • Confirm the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf is appropriately updating from the UI changes.
  • Confirm cb-event-forwarder.conf also set to the appropriate credential_profile as denoted in the first line of the aws.creds file.  The example profile below is named 'default':
credential_profile = /etc/cb/integrations/event-forwarder/aws.creds:default