IBM Support

QRadar: How to test credential permissions with the AWS command line interface

How To


Summary

An Amazon® administrator must create a user and then grant that user the s3:ListBucket and s3:GetObject permissions in the AWS Management Console. If these permissions are not set, QRadar® cannot pull events from a remote AWS S3 bucket. The AWS command line tool can be used to validate the permissions by listing the bucket contents and verifying that a file can be downloaded.
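The technote names the two required permissions but does not show a policy. The following IAM policy is an added example, not from the technote or from IBM; it assumes the bucket-name and DirectoryPrefix placeholders used in the steps below. s3:ListBucket must be granted on the bucket ARN and s3:GetObject on the object ARN under the prefix; granting ListBucket on the object ARN is a common mistake that produces the AccessDenied error on ListObjectsV2 shown in step 4.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QRadarListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["DirectoryPrefix/*"]
        }
      }
    },
    {
      "Sid": "QRadarGetObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/DirectoryPrefix/*"
    }
  ]
}
```

The s3:prefix condition is an added least-privilege restriction (an assumption, not a QRadar requirement): it limits listing to the configured prefix, so the prefixed listing in step 4 succeeds while listing the bucket root returns AccessDenied. If the objects are encrypted with SSE-KMS, the user also needs kms:Decrypt on the key, which this policy does not cover.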

Objective

Test AWS Access and Secret Key permissions to access and download events from a remote AWS S3 Bucket.

Environment

For information about operating systems and requirements for the AWS Command Line Interface tool, see: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html.

Steps

Administrators who experience collection issues from Amazon S3 buckets can use the Log Source Management app to test protocol configurations to Amazon S3 buckets. The steps provided in this technical note can help administrators test credential issues from a Windows® host.

Procedure
  1. Download and install the AWS CLI.
  2. Open the Windows® command prompt (CMD) with administrative rights.
  3. Run the following command:
    aws configure
    1. Enter your AWS Access Key ID.
    2. Enter your AWS Secret Access Key.
    3. Enter the Default region name.
    4. Enter the Default output format.
      Note: You can keep the default value by pressing ENTER.
  4. After the credentials are configured, type the following command to display the files in the bucket:
    aws s3 ls s3://bucket-name/DirectoryPrefix/
    • To display the files, always end the path with a forward slash ( / ).
    • If the credentials do not have access to the bucket, you might see a message similar to:
      An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
  5. To confirm that QRadar can download files with the provided credentials, create a folder on your workstation. For example: \test\AWSFiles\
  6. Open the command prompt (CMD) with administrative rights.
  7. Type the following command using the absolute path for the folder location:
    aws s3 cp s3://bucket-name/DirectoryPrefix/file.json.gz \WindowsAbsolutePathtoFolder\
    For more information on absolute paths in Windows®, see: https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats.

Results

If the file is successfully downloaded to the Windows host, QRadar should be able to pull files from the remote S3 bucket. The command downloads the file file.json.gz into the Windows folder you created, for example \test\AWSFiles. If you continue to experience issues, use the Log Source Management app in QRadar to fully test protocol configurations to Amazon S3 buckets.

Document Location

Worldwide


Document Information

Modified date:
27 October 2020

UID

ibm16335125