Cloudwatch Canaries VPC

0

Hi,

I would like to have a simple homepage check that checks Grafana, which we use for alerting. Grafana is only accessible from inside the VPC or from specific external IP addresses. IAM policy used by the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary/*",
                "arn:aws:s3:::thanos-syn-canary"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:eu-central-1:******:log-group:/aws/lambda/cwsyn-grafana-thanos*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "xray:PutTraceSegments"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "CloudWatchSynthetics"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

But in the logs it says it can't find the bucket.

Failed to get the S3 bucket name.: Os { code: 2, kind: NotFound, message: "No such file or directory" } 

Can't find anything on Google about this; I tried to have a VPC endpoint to CloudWatch, but according to the documentation it should not be needed. The bucket is in the same region as the CloudWatch canary.

  • Could you clarify if the Grafana URL is Amazon Managed Grafana? If it is, there is an option when you deploy whether it is publicly accessible or only via VPC. Based on the option you choose, the Grafana URL may not be reachable from the CloudWatch RUM.

  • It is an EC2 server on which we run open source Grafana. It is on public DNS; if your external IP is whitelisted it is open, and it is also open from inside the VPC.

1 Answer
0

I apologize for the delayed response. If you're still encountering this issue, I'd be happy to offer some solutions.

I think this issue could be related to the networking configuration, permissions, or the bucket itself.

  • Since your Grafana instance is accessible only from within the VPC or from specific external IP addresses, you need to ensure that the CloudWatch canary is configured to run within the same VPC. - Running a canary on a VPC

  • Also verify that the S3 bucket policy allows access from the IAM role assigned to the CloudWatch Canary. You can add a bucket policy statement similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/<CANARY_IAM_ROLE_NAME>"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary/*",
                "arn:aws:s3:::thanos-syn-canary"
            ]
        }
    ]
}

For more examples on managing buckets with canned ACLs, you can refer to this section of the AWS documentation: Managing Buckets Using Canned ACLs.

EXPERT
answered 5 months ago
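To check the two policies on this page (the role policy in the question and the bucket policy in the answer) against the calls a canary run actually makes, the following script evaluates them offline. It is an added example, not code from the question, the answer or AWS, and it models only the slice of IAM evaluation these policies exercise: wildcard Action/Resource matching, explicit Deny over Allow, StringEquals conditions and the bucket policy's AWS principal. The account ID 123456789012, the role name and the artifact object key are constructed placeholders (the page masks the real account ID). Note that the logged failure is an OS file lookup error, not an AccessDenied, so a check like this mainly rules permissions out; it also surfaces the `s3:*` grant that makes the narrower `s3:PutObject`/`s3:GetObject` entries redundant and over-grants on the artifact bucket.

```python
"""Offline evaluator for the canary role policy and the artifact bucket policy
discussed above (added example, not part of the original page). Models only:
wildcard Action/Resource matching, Allow/Deny with explicit Deny winning,
StringEquals conditions and an AWS principal match for bucket policies.
Anything else (NotAction, other operators, cross-account rules) is treated as
not matching. Account ID, role name and object key are constructed placeholders."""
import re

ACCOUNT = "123456789012"  # placeholder; the page masks the real account ID
BUCKET = "thanos-syn-canary"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudWatchSyntheticsRole-grafana-thanos"  # assumed name

def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run (including ':' and '/'), '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, context, principal):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    if "Principal" in stmt:  # bucket policies name the caller; identity policies do not
        allowed = stmt["Principal"]
        allowed = ["*"] if allowed == "*" else _as_list(allowed.get("AWS", []))
        if not any(p == "*" or p == principal for p in allowed):
            return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringEquals":  # only StringEquals is modelled here
            return False
        if any(context.get(k) not in _as_list(v) for k, v in clauses.items()):
            return False
    return True

def evaluate(policy, action, resource, context=None, principal=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context, decision = context or {}, "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# The role policy from the question, with the masked account ID replaced by the placeholder.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": [f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup"],
     "Resource": [f"arn:aws:logs:eu-central-1:{ACCOUNT}:log-group:/aws/lambda/cwsyn-grafana-thanos*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "xray:PutTraceSegments"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "CloudWatchSynthetics"}}},
    {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                                   "ec2:DeleteNetworkInterface"], "Resource": ["*"]},
]}
# The bucket policy from the answer, with the placeholders filled in.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetBucketLocation"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}

# One canary run as (action, resource, request context); the resource ARNs are constructed.
CANARY_REQUESTS = [
    ("s3:GetBucketLocation", f"arn:aws:s3:::{BUCKET}", {}),
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/cwsyn-grafana-thanos/2024/01/01/00/00-00-000/results.json", {}),
    ("logs:PutLogEvents", f"arn:aws:logs:eu-central-1:{ACCOUNT}:log-group:/aws/lambda/cwsyn-grafana-thanos-0a1b2c3d:log-stream:2024/01/01/[$LATEST]abc", {}),
    ("cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "CloudWatchSynthetics"}),
    ("ec2:CreateNetworkInterface", "*", {}),
]

def check_role(policy=ROLE_POLICY, requests=CANARY_REQUESTS):
    """Decision of the identity policy for each request the canary makes."""
    return {f"{a} {r}": evaluate(policy, a, r, ctx) for a, r, ctx in requests}

def broad_actions(policy):
    """Allowed actions ending in '*'. For the role policy above this is 's3:*', which
    makes the s3:PutObject/s3:GetObject entries beside it redundant and over-grants."""
    return sorted({a for s in policy["Statement"] if s["Effect"] == "Allow"
                   for a in _as_list(s["Action"]) if a.endswith("*")})

if __name__ == "__main__":
    for request, decision in check_role().items():
        print(f"{decision:13} {request}")
    print("over-broad actions:", broad_actions(ROLE_POLICY))
    print("bucket policy lets the role write:",
          evaluate(BUCKET_POLICY, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/x", principal=ROLE_ARN))
```

Run as-is it reports Allow for every request in the run, so the role policy is not what is missing; it also shows that `s3:*` lets the role do anything to the bucket (for instance `s3:DeleteBucket`), and that `cloudwatch:PutMetricData` is refused for any namespace other than `CloudWatchSynthetics`, which is the intended effect of the condition. The bucket policy only helps if its `Principal` is the exact role ARN the canary runs under, so compare it against the role shown on the canary's configuration page rather than a guessed name.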
