Environment

• EDR Event Forwarder : 3.7

Symptoms

time="2021-09-13T09:38:18Z" level=info msg="Could not open bucket <aws_bucket> : Forbidden: Forbidden\n\tstatus code: 403, request id: <request_id>, host id: <host_id>"

Cause

• There is a mis-configuration, either in the AWS bucket policy, IAM/credentials, or in the cb-event-forwarder.conf file.

Resolution

• Ensure the following items are correct first (reference the link in Related Content below for guidance on setup):
  • AWS Access Key
  • AWS Secret Key
  • Bucket Policy
• Confirm the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf is appropriately updating from the UI changes.
• Confirm cb-event-forwarder.conf also set to the appropriate credential_profile as denoted in the first line of the aws.creds file.  The example profile below is named 'default':

credential_profile = /etc/cb/integrations/event-forwarder/aws.creds:default

Related Content

• https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Setup-the-Event-Forwarder-to-Export-to-an-External-S3/ta-p/95826