Add s3:HeadObject permission to reduce early analyzer errors

airbnb · Dec 15, 2017 · eb35518 · eb35518
1 parent 7c63026
commit eb35518
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/docs/source/troubleshooting-faq.rst b/docs/source/troubleshooting-faq.rst
@@ -33,6 +33,8 @@ Why did my live test fail?
 --------------------------
 Check the :ref:`Lambda execution logs <cloudwatch_logs>` and the :ref:`BinaryAlert dashboard <cloudwatch_dashboard>` for abnormalities. A common problem is that the BinaryAlert analyzers don't understand the compiled YARA rules file. Make sure your `virtual environment <getting-started.html>`_ is set up correctly and that your YARA rules only use the :ref:`supported modules <supported_yara_modules>`. It is also possible that one or more AWS components might be down.
 
+It may take 1-3 minutes after a deploy before the Lambda functions are ready to go. If a live test fails immediately after a deploy, wait a few minutes and try again.
+
 
 How do I setup YARA match / metric alarm alerts?
 ------------------------------------------------

diff --git a/terraform/lambda_iam.tf b/terraform/lambda_iam.tf
@@ -117,9 +117,14 @@ data "aws_iam_policy_document" "binaryalert_analyzer_policy" {
   }
 
   statement {
-    sid       = "GetFromBinaryAlertBucket"
-    effect    = "Allow"
-    actions   = ["s3:GetObject"]
+    sid    = "GetFromBinaryAlertBucket"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+      "s3:HeadObject",
+    ]
+
     resources = ["${aws_s3_bucket.binaryalert_binaries.arn}/*"]
   }