An Amazon® administrator must create a user and then grant that user the s3:ListBucket and s3:GetObject permissions in the AWS Management Console. If these permissions are not set, QRadar® cannot pull events from a remote AWS S3 bucket. You can use the AWS command line tool to list the bucket contents or to download a file, which validates that the permissions are in place.
- Download and install the AWS CLI.
- Open the Windows® command prompt (CMD) with administrative rights.
- Run the following command:
- Enter your AWS Access Key ID.
- Enter your AWS Secret Access Key.
- Enter the Default region name.
- Enter the Default output format.
Note: You can keep the default value by pressing ENTER.
- After you configure a user, type the following command to display the files in the bucket:
aws s3 ls s3://bucket-name/DirectoryPrefix/
- To display the files, always end the path with a forward slash ( / ).
- If the credentials do not have access to the bucket, you might see a message similar to:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
- To confirm that QRadar can download files with the provided credentials, create a folder on your workstation, for example \test\AWSFiles\.
- Open the command prompt (CMD) with administrative rights.
- Type the following command, using the absolute path of the folder that you created:
aws s3 cp s3://bucket-name/DirectoryPrefix/file.json.gz \WindowsAbsolutePathToFolder\
If the file downloads successfully to the Windows host, QRadar should be able to pull files from the remote S3 bucket. This command downloads file.json.gz into the Windows folder that you created, \test\AWSFiles. If you continue to experience issues, use the Log Source Management app in QRadar to fully test the protocol configuration for Amazon S3 buckets.
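The two checks above (list the prefix, then download one object) can be scripted so the result is unambiguous about which permission is missing. The following is an added example written for this page; it is not IBM's or AWS's own code. It runs from a POSIX shell (Linux, macOS or WSL) rather than the Windows command prompt the steps use, and assumes the AWS CLI is installed and already configured. The bucket name example-bucket, the prefix DirectoryPrefix/ and the object file.json.gz are placeholders. It also prints the least-privilege policy that grants exactly what the checks exercise: s3:ListBucket on the bucket, limited to the prefix with the s3:prefix condition key, and s3:GetObject on objects under that prefix.

```shell
#!/bin/sh
# Added example (not from the IBM page, and not IBM's or AWS's code): verify that
# the configured credentials have s3:ListBucket and s3:GetObject on a bucket
# prefix, the two permissions QRadar needs, and print the policy that grants
# them. Bucket, prefix and object names passed in are placeholders.

# Normalise a prefix to "" or "prefix/" so "aws s3 ls" lists the prefix
# contents instead of trying to match it as an object key.
norm_prefix() {
    p="${1%/}"
    if [ -n "$p" ]; then
        p="$p/"
    fi
    printf '%s' "$p"
}

# Run the listing check (s3:ListBucket) and then the download check
# (s3:GetObject). Returns 0 when both pass, 1 when listing fails and 2 when
# the download fails. AccessDenied is reported separately from other errors
# so the operator knows the fix is the IAM policy, not the path or network.
check_s3_access() {
    bucket="$1"; p=$(norm_prefix "$2"); object="$3"; dest="${4%/}/"
    uri="s3://$bucket/$p"

    if ! out=$(aws s3 ls "$uri" 2>&1); then
        case "$out" in
            *AccessDenied*) echo "LIST: AccessDenied; grant s3:ListBucket on arn:aws:s3:::$bucket" ;;
            *) echo "LIST: failed: $out" ;;
        esac
        return 1
    fi
    echo "LIST: ok ($uri)"

    if ! out=$(aws s3 cp "${uri}${object}" "$dest" 2>&1); then
        case "$out" in
            *AccessDenied*) echo "GET: AccessDenied; grant s3:GetObject on arn:aws:s3:::$bucket/${p}*" ;;
            *) echo "GET: failed: $out" ;;
        esac
        return 2
    fi
    echo "GET: ok (${uri}${object} -> $dest)"
    return 0
}

# Least-privilege policy for the two checks: listing is restricted to the
# prefix via the s3:prefix condition key, reads to objects under the prefix.
minimal_policy() {
    bucket="$1"; p=$(norm_prefix "$2")
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": { "StringLike": { "s3:prefix": "${p}*" } }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/${p}*"
    }
  ]
}
EOF
}

# Usage: sh check_s3.sh BUCKET PREFIX OBJECT LOCAL_DIR
# Example: sh check_s3.sh example-bucket DirectoryPrefix/ file.json.gz /tmp/AWSFiles
if [ "$#" -eq 4 ]; then
    rc=0
    check_s3_access "$@" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "Suggested policy for this bucket and prefix:"
        minimal_policy "$1" "$2"
    fi
    exit "$rc"
fi
```

The exit code distinguishes the two failures, so a missing s3:ListBucket (exit 1) and a missing s3:GetObject (exit 2) can be told apart in a ticket or a cron job; on any failure the script prints the scoped policy so the administrator can compare it with what is attached to the user.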
27 October 2020