From 150b443de70bf24ae201a089129a7866a555e8ef Mon Sep 17 00:00:00 2001 From: Arthur Lutz Date: Wed, 20 Aug 2025 10:43:03 +0200 Subject: [PATCH 1/4] docs(s3.md): add example Policy to allow access to S3 & SQS --- .../docs/log_processor/data_sources/s3.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/crowdsec-docs/docs/log_processor/data_sources/s3.md b/crowdsec-docs/docs/log_processor/data_sources/s3.md index 99a58a50..57ce63c5 100644 --- a/crowdsec-docs/docs/log_processor/data_sources/s3.md +++ b/crowdsec-docs/docs/log_processor/data_sources/s3.md @@ -134,3 +134,34 @@ crowdsec -type syslog -dsn s3://my_bucket/my_prefix/foo.log?log_level=debug ``` AWS SDK behaviour can be configured with the standard AWS environment variables. + + +## IAM Permissions + +Because the component needs to interact with AWS resources, it need the proper permissions. + +Here is the set of required permissions: +```json +{ + "Statement": [ + { + "Action": [ + "sqs:*" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:::test-sqs-s3-acquis" + }, + { + "Effect": "Allow", + "Action": [ + "s3:*", + "s3-object-lambda:*" + ], + "Resource": "arn:aws:s3:::my_bucket:*" + } + ], + "Version": "2012-10-17" +} +``` + +For the permissions, we recommend to restrict the S3 permissions to read only operations, to avoid the ability to destroy logs from the CrowdSec agent. If you are using S3 polling, the SQS part of the permissions can be omitted. From 79ae10f15f018c2e824e3a60d04f2300ef377bcf Mon Sep 17 00:00:00 2001 From: Arthur Lutz Date: Mon, 1 Sep 2025 10:43:47 +0200 Subject: [PATCH 2/4] Update crowdsec-docs/docs/log_processor/data_sources/s3.md: only need s3 --- crowdsec-docs/docs/log_processor/data_sources/s3.md | 1 - 1 file changed, 1 deletion(-) diff --git a/crowdsec-docs/docs/log_processor/data_sources/s3.md b/crowdsec-docs/docs/log_processor/data_sources/s3.md index 57ce63c5..3773cd6e 100644 --- a/crowdsec-docs/docs/log_processor/data_sources/s3.md 
+++ b/crowdsec-docs/docs/log_processor/data_sources/s3.md @@ -155,7 +155,6 @@ Here is the set of required permissions: "Effect": "Allow", "Action": [ "s3:*", - "s3-object-lambda:*" ], "Resource": "arn:aws:s3:::my_bucket:*" } From 76653d2d5b093706d8633d5129f605c9e1685ba1 Mon Sep 17 00:00:00 2001 From: Arthur Lutz Date: Mon, 1 Sep 2025 10:45:13 +0200 Subject: [PATCH 3/4] Update crowdsec-docs/docs/log_processor/data_sources/s3.md: more precise permissions --- crowdsec-docs/docs/log_processor/data_sources/s3.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crowdsec-docs/docs/log_processor/data_sources/s3.md b/crowdsec-docs/docs/log_processor/data_sources/s3.md index 3773cd6e..36f4a6b7 100644 --- a/crowdsec-docs/docs/log_processor/data_sources/s3.md +++ b/crowdsec-docs/docs/log_processor/data_sources/s3.md @@ -154,7 +154,9 @@ Here is the set of required permissions: { "Effect": "Allow", "Action": [ - "s3:*", + "s3:DescribeJob", + "s3:Get*", + "s3:List*" ], "Resource": "arn:aws:s3:::my_bucket:*" } From 1d1cd98e2ef9b1e4d94d29dd4728e1681d02aa2f Mon Sep 17 00:00:00 2001 From: Arthur Lutz Date: Mon, 1 Sep 2025 10:46:01 +0200 Subject: [PATCH 4/4] Update crowdsec-docs/docs/log_processor/data_sources/s3.md: SQS precise premissions --- crowdsec-docs/docs/log_processor/data_sources/s3.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crowdsec-docs/docs/log_processor/data_sources/s3.md b/crowdsec-docs/docs/log_processor/data_sources/s3.md index 36f4a6b7..8b0772ae 100644 --- a/crowdsec-docs/docs/log_processor/data_sources/s3.md +++ b/crowdsec-docs/docs/log_processor/data_sources/s3.md @@ -146,7 +146,12 @@ Here is the set of required permissions: "Statement": [ { "Action": [ - "sqs:*" + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListDeadLetterSourceQueues", + "sqs:ListQueues" ], "Effect": "Allow", "Resource": "arn:aws:sqs:::test-sqs-s3-acquis"
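Review bot: In the first hunk (PATCH 1/4), both `Resource` values are malformed and will not match what the agent actually touches. `arn:aws:sqs:::test-sqs-s3-acquis` is missing the region and account id fields of an SQS queue ARN (`arn:aws:sqs:<region>:<account-id>:<queue-name>`), and `arn:aws:s3:::my_bucket:*` uses a colon where S3 object ARNs use a slash; object-level actions need `arn:aws:s3:::my_bucket/*` and bucket-level actions such as listing need the bare `arn:aws:s3:::my_bucket`, so the S3 statement should carry both resources. The example as added also grants `sqs:*` and `s3:*`, which directly contradicts the recommendation in the same hunk to keep the S3 side read-only so the agent cannot delete logs; the example should show the restricted policy rather than leave it to the reader. Minor wording in the added prose: "it need the proper permissions" should read "it needs", and "we recommend to restrict" should read "we recommend restricting".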
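Review bot: In the second hunk (PATCH 2/4), deleting `"s3-object-lambda:*"` leaves `"s3:*",` as the last element of the `Action` array with a trailing comma, so the document at this commit contains invalid JSON that IAM would reject if pasted. The comma is only cleaned up by the following commit; since these are separate commits, the removal of the comma belongs in this one.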
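Review bot: In the third hunk (PATCH 3/4), `s3:DescribeJob` is an S3 Batch Operations permission and has nothing to do with reading log objects from a bucket, so it should be dropped. `s3:Get*` and `s3:List*` are still wider than the read-only intent stated in the prose (they cover bucket configuration reads such as bucket policies and ACLs); reading logs needs `s3:GetObject` on the object ARN and, for polling, `s3:ListBucket` on the bucket ARN, and with the resource still written as `arn:aws:s3:::my_bucket:*` neither action will match. Suggest replacing the three lines with `"s3:GetObject"` and `"s3:ListBucket"` and fixing the resource in the same change.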
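Review bot: In the fourth hunk (PATCH 4/4), `sqs:ListQueues` and `sqs:ListDeadLetterSourceQueues` are account-wide listing actions that are not needed to consume S3 event notifications from a queue whose name or URL is already configured, and `sqs:ListQueues` is not a resource-level permission, so attaching it to the specific queue ARN has no effect. Keeping the statement to `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:GetQueueAttributes` and `sqs:GetQueueUrl` matches the minimal consumer role, and the queue ARN on the unchanged `Resource` line still lacks its region and account id.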