Troubleshooting AWS Errors

A guide to understanding and resolving AWS configuration and permission errors that appear in the Scanner UI.

When Scanner validates your AWS infrastructure, it checks both the configuration of your S3 buckets and your IAM permissions. This page helps you understand and resolve the errors displayed in Scanner's error UI.

Error Types

Errors are organized into two main categories:

Configuration Errors

Configuration errors occur when Scanner's resources are not properly set up in AWS. These typically indicate missing or incorrectly configured S3 buckets and their settings.

bucket_presence - Error calling head-bucket: NoSuchBucket

  • Cause: The S3 bucket does not exist

  • Solution:

    1. Verify the bucket name you provided in Scanner is correct (no typos, exact spelling)

    2. Ensure the bucket exists in your AWS account

    3. Check that the bucket is in the same AWS account linked to Scanner

region - Error calling head-bucket: "Bucket is in the region X instead of the expected Y"

  • Cause: The bucket exists but is in a different AWS region than expected

  • Solution:

    1. Check the actual region of your S3 bucket in the AWS Console

    2. Update Scanner's configuration to point to the correct region, or

    3. Create a new bucket in the expected region

event_notification_presence - Bucket does not have any SNS or SQS Event Notification set up

  • Cause: The S3 log files bucket is not configured with event notifications for S3 object creation

  • Solution:

    1. Configure your S3 log files bucket to send s3:ObjectCreated notifications to an SNS topic

    2. The SNS topic must be in the same region as your S3 bucket

    3. Verify the SNS topic is properly configured and active

    4. See the CloudFormation or Terraform templates for how to configure this

Permission Errors

Permission errors occur when the Scanner IAM role lacks the necessary permissions to access or manipulate AWS resources. These indicate either missing IAM policy statements or incorrect policy configuration.

head_bucket - Error calling head-bucket: NoSuchBucket or AccessDenied

  • Cause (NoSuchBucket): The bucket does not exist or is not in the expected region

  • Cause (AccessDenied): The Scanner IAM role lacks permission to access the bucket

  • Solution:

    1. If NoSuchBucket: Verify the bucket exists and is in the correct region (see Configuration Errors above)

    2. If AccessDenied: Ensure your Scanner IAM role policy includes s3:ListBucket permission for this bucket

get_bucket_location - Not checked or Error calling get-bucket-location: AccessDenied

  • Cause (Not checked): Skipped because bucket presence wasn't confirmed

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetBucketLocation permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetBucketLocation for the bucket resources

list_objects_v2 - Not checked or Error calling list-objects-v2: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:ListBucket permission

  • Solution: Ensure your Scanner IAM role policy includes s3:ListBucket for the bucket ARN (e.g., arn:aws:s3:::your-bucket-name)

head_object - Not checked or Error calling head-object: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetObject permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetObject for the bucket objects ARN (e.g., arn:aws:s3:::your-bucket-name/*)

get_object - Not checked or Error calling get-object: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetObject permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetObject for the bucket objects ARN (e.g., arn:aws:s3:::your-bucket-name/*)

put_object - Not checked or Error calling put-object: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:PutObject permission (needed for writing index files)

  • Solution: Ensure your Scanner IAM role policy includes s3:PutObject for the index bucket objects ARN

delete_object - Not checked or Error calling delete-object: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:DeleteObject permission

  • Solution: Ensure your Scanner IAM role policy includes s3:DeleteObject for the relevant bucket objects ARN

get_object_tagging - Not checked or Error calling get-object-tagging: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetObjectTagging permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetObjectTagging for the bucket objects ARN

put_object_tagging - Not checked or Error calling put-object-tagging: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:PutObjectTagging permission

  • Solution: Ensure your Scanner IAM role policy includes s3:PutObjectTagging for the bucket objects ARN

delete_object_tagging - Not checked or Error calling delete-object-tagging: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:DeleteObjectTagging permission

  • Solution: Ensure your Scanner IAM role policy includes s3:DeleteObjectTagging for the bucket objects ARN

get_bucket_notification_configuration - Not checked or Error calling get-bucket-notification-configuration: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetBucketNotification permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetBucketNotification for the bucket ARN

get_bucket_lifecycle_configuration - Not checked or Error calling get-bucket-lifecycle-configuration: AccessDenied

  • Cause (Not checked): Permission check hasn't run yet or encountered a service error

  • Cause (AccessDenied): The Scanner IAM role lacks s3:GetLifecycleConfiguration permission

  • Solution: Ensure your Scanner IAM role policy includes s3:GetLifecycleConfiguration for the bucket ARN

Understanding the Scanner IAM Policy

The Scanner IAM role requires different permissions depending on the type of bucket:

  • Log buckets (buckets you want Scanner to index): Read-only permissions (s3:GetBucketLocation, s3:ListBucket, s3:GetObject, s3:GetObjectTagging, s3:GetBucketNotification)

  • Index bucket (Scanner's dedicated bucket): Full read/write permissions for managing index files

  • Collect destination buckets (where Scanner Collect writes logs): Read/write permissions

See the Terraform template for the complete policy structure. If you used CloudFormation or manual setup, ensure your policy includes all the necessary actions for your use case.

Troubleshooting Steps

1. Re-run Validation

After making changes to your IAM policy or S3 configuration:

  1. Go to Settings > AWS Accounts in Scanner

  2. Click the account with errors

  3. Click Refresh to trigger a new check

2. Check IAM Role Permissions

Verify your Scanner IAM role has the correct inline or managed policies:

  1. Navigate to IAM > Roles in your AWS Console

  2. Search for your Scanner role (e.g., scnr-ScannerRole)

  3. Review the attached policies under the "Permissions" tab

  4. Ensure all required S3 permissions are included for:

    • The log buckets you want to index

    • The Scanner index bucket

    • Any Collect destination buckets (if using Scanner Collect)

See the Terraform template for the complete IAM policy structure as reference.

3. Verify KMS Encryption

If your S3 buckets use custom KMS encryption:

  1. Ensure your Scanner IAM role has kms:Decrypt and kms:DescribeKey permissions for the relevant KMS keys

  2. See the Terraform template for the complete KMS policy structure

4. Check SNS/SQS Configuration

For event-driven indexing:

  1. Verify your S3 log bucket has an event notification configured for s3:ObjectCreated events

  2. The notification should send to the SNS topic created during setup

  3. The SNS topic must be in the same region as your S3 bucket

Common Issues

"NoSuchBucket" Error

This error typically appears in both configuration and permission checks. To resolve:

  • Verify the bucket name is spelled correctly in Scanner

  • Confirm the bucket exists in your AWS account

  • Ensure the bucket is in the same account linked to Scanner (not a cross-account setup)

  • Check that you have the correct Scanner role ARN in Scanner's settings

Multiple Buckets with Different Permissions

If you have multiple S3 buckets (log files + index files) with different error patterns:

  • Review which bucket each error is associated with (shown in Scanner's UI)

  • Ensure your IAM policy grants permissions to all relevant buckets

  • Remember: Index Files Bucket needs write permissions, Log Buckets need read permissions

Regional Mismatch Issues

  • SNS topics must be in the same region as S3 buckets for event notifications

  • If you have buckets in multiple regions, create one SNS topic per region

  • Verify all resources are in regions where Scanner's infrastructure is deployed

IAM User Instead of Role

Scanner cannot assume IAM Users. Ensure you create an IAM Role, not an IAM User.

Missing KMS Permissions

If your S3 buckets use custom KMS encryption, ensure your Scanner IAM role has kms:Decrypt and kms:DescribeKey permissions for those specific KMS keys. See the Terraform template for the complete KMS policy structure.

Incomplete IAM Policy

When granting S3 permissions in your IAM policy:

  • Grant permissions to both the bucket ARN (arn:aws:s3:::bucket-name) and object ARNs (arn:aws:s3:::bucket-name/*)

  • Bucket-level permissions (bucket ARN) are needed for actions like ListBucket, GetBucketLocation, and GetBucketNotification

  • Object-level permissions (object ARN) are needed for actions like GetObject, PutObject, and DeleteObject
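The bucket-ARN vs object-ARN split above, and the per-bucket-type permission sets from "Understanding the Scanner IAM Policy", can be checked offline before re-running validation. The following is an added example, not Scanner's own code: it walks a policy document (the same JSON shape you paste into IAM) and lists every required action that no Allow statement grants; the required sets mirror the actions listed on this page, and the bucket names and sample policy are constructed.

```python
import fnmatch

# Required S3 actions by ARN level, as the page describes. Log buckets need
# the two read sets only; the index bucket also needs the write set.
BUCKET_LEVEL_READ = ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetBucketNotification"]
OBJECT_LEVEL_READ = ["s3:GetObject", "s3:GetObjectTagging"]
OBJECT_LEVEL_WRITE = ["s3:PutObject", "s3:DeleteObject",
                      "s3:PutObjectTagging", "s3:DeleteObjectTagging"]

def _as_list(v):  # IAM accepts a string or a list for Action/Resource
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """True if some Allow statement matches action and resource (IAM * and ?
    wildcards via fnmatch). Deny and Condition are ignored: we only look for missing grants."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        acts = _as_list(stmt.get("Action", []))
        ress = _as_list(stmt.get("Resource", []))
        if (any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            return True
    return False

def missing_grants(policy, log_buckets, index_bucket):
    """Sorted (bucket, action, resource) triples the policy fails to grant."""
    required = []
    for b in log_buckets:
        required += [(b, a, f"arn:aws:s3:::{b}") for a in BUCKET_LEVEL_READ]
        required += [(b, a, f"arn:aws:s3:::{b}/*") for a in OBJECT_LEVEL_READ]
    b = index_bucket
    required += [(b, a, f"arn:aws:s3:::{b}") for a in BUCKET_LEVEL_READ]
    required += [(b, a, f"arn:aws:s3:::{b}/*")
                 for a in OBJECT_LEVEL_READ + OBJECT_LEVEL_WRITE]
    return sorted(t for t in required if not policy_allows(policy, t[1], t[2]))

# Constructed sample policy: the log bucket is covered correctly, but the index
# bucket has only an object-ARN statement, so its bucket-level actions are missing.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:s3:::acme-cloudtrail-logs",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketNotification"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::acme-cloudtrail-logs/*",
         "Action": ["s3:GetObject", "s3:GetObjectTagging"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::acme-scanner-index/*",
         "Action": "s3:*Object*"},
    ],
}
```

Running missing_grants(SAMPLE_POLICY, ["acme-cloudtrail-logs"], "acme-scanner-index") reports the three bucket-level actions on arn:aws:s3:::acme-scanner-index, which is exactly the pattern that produces head_bucket, get_bucket_location and list_objects_v2 AccessDenied errors for the index bucket while object-level checks pass.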

Malformed ARNs

Double-check all resource identifiers:

  • Role ARN format should be: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME (not a user ARN)

  • Bucket ARN format should be: arn:aws:s3:::bucket-name

  • Object ARN format should be: arn:aws:s3:::bucket-name/*

Index Files Bucket vs. Log Files Buckets Confusion

  • Scanner Index Files Bucket = NEW bucket created just for Scanner's index files (Scanner needs write access)

  • Log Files Buckets = Your EXISTING buckets with raw logs (Scanner needs read-only access)

Make sure you're configuring the correct IAM permissions for each bucket type.

SNS Topic Not in Same Region as Logs

The SNS topic must be in the same region as your S3 log buckets. Multi-region setups require one SNS topic per region. See the Terraform template for guidance on multi-region configurations.
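The two rules behind the event_notification_presence error and this section (an s3:ObjectCreated notification must exist, and its SNS or SQS target must be in the bucket's own region) can be checked against the configuration your bucket returns from get-bucket-notification-configuration. This is an added example, not Scanner's code; the topic ARNs, account id and sample configurations are constructed.

```python
# Offline check of a bucket's notification configuration (the dict shape
# returned by get-bucket-notification-configuration) against two rules:
# an s3:ObjectCreated event must be selected, and the SNS/SQS target must
# live in the same region as the bucket.

def arn_region(arn):
    """Region field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn}")
    return parts[3]

def notification_problems(config, bucket_region):
    """Human-readable problems with the configuration; empty list means it passes."""
    topics = config.get("TopicConfigurations", [])
    queues = config.get("QueueConfigurations", [])
    if not topics and not queues:
        return ["bucket has no SNS or SQS event notification configured"]
    problems = []
    for nc in topics + queues:
        target = nc.get("TopicArn") or nc.get("QueueArn")
        events = nc.get("Events", [])
        if not any(e.startswith("s3:ObjectCreated:") for e in events):
            problems.append(f"{target}: no s3:ObjectCreated event selected ({events})")
        region = arn_region(target)
        if region != bucket_region:
            problems.append(f"{target}: target is in {region}, bucket is in {bucket_region}")
    return problems

# Constructed sample configurations for a log bucket that lives in us-east-1.
GOOD_CONFIG = {"TopicConfigurations": [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:scanner-log-events",
     "Events": ["s3:ObjectCreated:*"]}]}
BAD_CONFIG = {"TopicConfigurations": [
    # topic is in a different region from the bucket
    {"TopicArn": "arn:aws:sns:us-west-2:123456789012:scanner-log-events",
     "Events": ["s3:ObjectCreated:*"]},
    # right region, but only deletions are reported, so new log files are never indexed
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:scanner-log-events",
     "Events": ["s3:ObjectRemoved:*"]}]}
```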

Multiple Errors From Same Root Cause

You may see multiple errors stemming from the same root cause. For example, if a bucket has been deleted, the bucket presence check will fail, and many other checks on that bucket will also fail or show as "Not checked" because they couldn't proceed. When troubleshooting, focus on resolving the primary issue first (like recreating the bucket or fixing the primary permission), then re-run the validation to clear cascading errors.

Still Having Issues?

If errors persist after following these steps:

  1. Double-check all resource ARNs and bucket names for typos

  2. Review AWS CloudTrail logs for access denied errors from Scanner's actions

  3. Ensure your AWS credentials/role have not been revoked or rotated

  4. Contact Scanner support with the specific error message and affected bucket/resource
