By using AWS re:Post, you agree to the AWS re:Post Terms of Use

I am following documentation and I'm still getting 'findings export options' to an S3 bucket` when trying to export GD logs to S3

0

Hello,

I am trying to export GuardDuty logs to S3 and I am getting errors with the policy. I am receiving message above 'findings export options' to an S3 bucket`.

I am following the documentation listed here - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html

The resource is a contradiction to this answer here, which indicates the resource should be *. So now I came somewhat confused.

I'm starting to wonder if this is incorrect documentation or if I'm doing something wrong. Hoping that I'm doing something wrong so it can be easy fix. But I am reaching out for assistance.

In the Permissions required to configure findings export I did not see these permissions noted to configure during the KMS set up and S3 bucket set up; so I was under the assumption that these are referring to GuardDuty policies that should be attached to GuardDuty; otherwise, I'm not sure why they were not mentioned during set up of KMS and S3. I see s3:* on some so I believe I have these permissions already.

Can someone tell me what I may be missing?

NOTE: I Am also using an EXISTING bucket that was created separately and not from GuardDuty

  • Can you post the bucket policy of the existing bucket that you want your guardduty findings to export into? Please post the KMS key policy as well.

  • I think I found the problem.

1 Answer
0

Instead of manually creating the policies, you can use the Amazon GuardDuty console to generate sample polices for you.

  1. Navigate to the Amazon GuardDuty console. Choose settings in the navigation pane.
  2. Under Findings export options, choose the frequency for updating findings.
  3. Under S3 bucket, choose Existing bucket
  4. Select your bucket and choose View Policy. Copy that policy and apply it to your S3 bucket.
  5. You can leave Log file prefix as default (blank)
  6. For KMS, select your key alias and choose View Policy. Copy that policy and apply it to your KMS key. You want to add this to your key, rather than replace the one that is there. For example:
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/Admin"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:guardduty:us-west-2:<account_ID>:detector/<detectorID>",
                    "aws:SourceAccount": "<account_ID>"
                }
            }
        }
    ]
}
  1. Then choose save.
profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions