Troubleshooting AWS Errors
A guide to understanding and resolving AWS configuration and permission errors that appear in the Scanner UI.
When Scanner validates your AWS infrastructure, it checks both the configuration of your S3 buckets and your IAM permissions. This page helps you understand and resolve the errors displayed in Scanner's error UI.
Error Types
Errors are organized into two main categories:
Configuration Errors
Configuration errors occur when Scanner's resources are not properly set up in AWS. These typically indicate missing or incorrectly configured S3 buckets and their settings.
bucket_presence - Error calling head-bucket: NoSuchBucket
Cause: The S3 bucket does not exist
Solution:
Verify the bucket name you provided in Scanner is correct (no typos, exact spelling)
Ensure the bucket exists in your AWS account
Check that the bucket is in the same AWS account linked to Scanner
region - Error calling head-bucket: "Bucket is in the region X instead of the expected Y"
Cause: The bucket exists but is in a different AWS region than expected
Solution:
Check the actual region of your S3 bucket in the AWS Console
Update Scanner's configuration to point to the correct region, or
Create a new bucket in the expected region
event_notification_presence - Bucket does not have EventBridge notifications enabled
Cause: The S3 log files bucket is not configured to send object-created events to AWS EventBridge
Solution:
Enable EventBridge notifications on your S3 log files bucket
Ensure an EventBridge rule exists in the same region that forwards S3 object-created events to Scanner's event bus
See the CloudFormation, Terraform, or manual setup guides for how to configure this
Permission Errors
Permission errors occur when the Scanner IAM role lacks the necessary permissions to access or manipulate AWS resources. These indicate either missing IAM policy statements or incorrect policy configuration.
head_bucket - Error calling head-bucket: NoSuchBucket or AccessDenied
Cause (NoSuchBucket): The bucket does not exist or is not in the expected region
Cause (AccessDenied): The Scanner IAM role lacks permission to access the bucket
Solution:
If NoSuchBucket: Verify the bucket exists and is in the correct region (see Configuration Errors above)
If AccessDenied: Ensure your Scanner IAM role policy includes s3:ListBucket permission for this bucket
get_bucket_location - Not checked or Error calling get-bucket-location: AccessDenied
Cause (Not checked): Skipped because bucket presence wasn't confirmed
Cause (AccessDenied): The Scanner IAM role lacks s3:GetBucketLocation permission
Solution: Ensure your Scanner IAM role policy includes s3:GetBucketLocation for the bucket resources
list_objects_v2 - Not checked or Error calling list-objects-v2: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:ListBucket permission
Solution: Ensure your Scanner IAM role policy includes s3:ListBucket for the bucket ARN (e.g., arn:aws:s3:::your-bucket-name)
head_object - Not checked or Error calling head-object: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:GetObject permission
Solution: Ensure your Scanner IAM role policy includes s3:GetObject for the bucket objects ARN (e.g., arn:aws:s3:::your-bucket-name/*)
get_object - Not checked or Error calling get-object: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:GetObject permission
Solution: Ensure your Scanner IAM role policy includes s3:GetObject for the bucket objects ARN (e.g., arn:aws:s3:::your-bucket-name/*)
put_object - Not checked or Error calling put-object: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:PutObject permission (needed for writing index files)
Solution: Ensure your Scanner IAM role policy includes s3:PutObject for the index bucket objects ARN
delete_object - Not checked or Error calling delete-object: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:DeleteObject permission
Solution: Ensure your Scanner IAM role policy includes s3:DeleteObject for the relevant bucket objects ARN
get_object_tagging - Not checked or Error calling get-object-tagging: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:GetObjectTagging permission
Solution: Ensure your Scanner IAM role policy includes s3:GetObjectTagging for the bucket objects ARN
put_object_tagging - Not checked or Error calling put-object-tagging: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:PutObjectTagging permission
Solution: Ensure your Scanner IAM role policy includes s3:PutObjectTagging for the bucket objects ARN
delete_object_tagging - Not checked or Error calling delete-object-tagging: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:DeleteObjectTagging permission
Solution: Ensure your Scanner IAM role policy includes s3:DeleteObjectTagging for the bucket objects ARN
get_bucket_notification_configuration - Not checked or Error calling get-bucket-notification-configuration: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:GetBucketNotification permission
Solution: Ensure your Scanner IAM role policy includes s3:GetBucketNotification for the bucket ARN
get_bucket_lifecycle_configuration - Not checked or Error calling get-bucket-lifecycle-configuration: AccessDenied
Cause (Not checked): Permission check hasn't run yet or encountered a service error
Cause (AccessDenied): The Scanner IAM role lacks s3:GetLifecycleConfiguration permission
Solution: Ensure your Scanner IAM role policy includes s3:GetLifecycleConfiguration for the bucket ARN
Understanding the Scanner IAM Policy
The Scanner IAM role requires different permissions depending on the type of bucket:
Log buckets (buckets you want Scanner to index): Read-only permissions (s3:GetBucketLocation, s3:ListBucket, s3:GetObject, s3:GetObjectTagging, s3:GetBucketNotification)
Index bucket (Scanner's dedicated bucket): Full read/write permissions for managing index files
Collect destination buckets (where Scanner Collect writes logs): Read/write permissions
See the Terraform template for the complete policy structure. If you used CloudFormation or manual setup, ensure your policy includes all the necessary actions for your use case.
Troubleshooting Steps
1. Re-run Validation
After making changes to your IAM policy or S3 configuration:
Go to Settings > AWS Accounts in Scanner
Click the account with errors
Click Refresh to trigger a new check
2. Check IAM Role Permissions
Verify your Scanner IAM role has the correct inline or managed policies:
Navigate to IAM > Roles in your AWS Console
Search for your Scanner role (e.g., scnr-IntegrationRole)
Review the attached policies under the "Permissions" tab
Ensure all required S3 permissions are included for:
The log buckets you want to index
The Scanner index bucket
Any Collect destination buckets (if using Scanner Collect)
See the Terraform template for the complete IAM policy structure as reference.
3. Verify KMS Encryption
If your S3 buckets use custom KMS encryption:
Ensure your Scanner IAM role has kms:Decrypt and kms:DescribeKey permissions for the relevant KMS keys
See the Terraform template for the complete KMS policy structure
4. Check EventBridge Configuration
For event-driven indexing:
Verify your S3 log bucket has EventBridge notifications enabled (S3 Properties > Event notifications > Amazon EventBridge > On)
Ensure an EventBridge rule exists in the same region that matches S3 object-created events and forwards them to Scanner's event bus
The EventBridge rule (and its IAM role) must be in the same region as your S3 bucket
Common Issues
"NoSuchBucket" Error
This error typically appears in both configuration and permission checks. To resolve:
Verify the bucket name is spelled correctly in Scanner
Confirm the bucket exists in your AWS account
Ensure the bucket is in the same account linked to Scanner (not a cross-account setup)
Check that you have the correct Scanner role ARN in Scanner's settings
Multiple Buckets with Different Permissions
If you have multiple S3 buckets (log files + index files) with different error patterns:
Review which bucket each error is associated with (shown in Scanner's UI)
Ensure your IAM policy grants permissions to all relevant buckets
Remember: Index Files Bucket needs write permissions, Log Buckets need read permissions
Regional Mismatch Issues
EventBridge rules only receive S3 events from buckets in the same region as the rule
If you have buckets in multiple regions, create the EventBridge rule (and its IAM role) in each region, or deploy the CloudFormation/Terraform stack in each region
Verify all resources are in regions where Scanner's infrastructure is deployed
IAM User Instead of Role
Scanner cannot assume IAM Users. Ensure you create an IAM Role, not an IAM User.
Missing KMS Permissions
If your S3 buckets use custom KMS encryption, ensure your Scanner IAM role has kms:Decrypt and kms:DescribeKey permissions for those specific KMS keys. See the Terraform template for the complete KMS policy structure.
Incomplete IAM Policy
When granting S3 permissions in your IAM policy:
Grant permissions to both the bucket ARN (arn:aws:s3:::bucket-name) and object ARNs (arn:aws:s3:::bucket-name/*)
Bucket-level permissions (bucket ARN) are needed for actions like ListBucket, GetBucketLocation, and GetBucketNotification
Object-level permissions (object ARN) are needed for actions like GetObject, PutObject, and DeleteObject
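The following is an added example, not Scanner's own code: a small lint that reads an IAM policy document and reports which of the S3 actions Scanner checks (the read-only set listed under "Understanding the Scanner IAM Policy", plus the write actions an index bucket needs) are not granted on the ARN level the action requires, which is the bucket-level vs. object-level distinction described above. The sample policy, the bucket name my-logs and the index-bucket action set are constructed assumptions.

```python
import json

# Actions that are authorized on the bucket ARN (arn:aws:s3:::bucket); every other
# S3 action used by Scanner's checks is authorized on the object ARN (bucket/*).
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration"}

# Read-only set for log buckets; the index bucket additionally needs write actions
# (assumed set, derived from the put/delete checks listed on this page).
LOG_BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject",
                      "s3:GetObjectTagging", "s3:GetBucketNotification"}
INDEX_BUCKET_ACTIONS = LOG_BUCKET_ACTIONS | {"s3:PutObject", "s3:DeleteObject",
                                             "s3:PutObjectTagging", "s3:DeleteObjectTagging"}


def allowed_pairs(policy: dict) -> set:
    """Return every (action, resource) pair granted by an Allow statement."""
    pairs = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def missing_permissions(policy: dict, bucket: str, required: set) -> list:
    """List required actions the policy does not grant on the correct ARN for bucket."""
    pairs = allowed_pairs(policy)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    missing = []
    for action in sorted(required):
        arn = bucket_arn if action in BUCKET_LEVEL else bucket_arn + "/*"
        if (action, arn) not in pairs and (action, "*") not in pairs:
            missing.append(f"{action} on {arn}")
    return missing


# Constructed policy showing a typical mistake: GetObject granted on the bucket ARN
# instead of the object ARN, and the bucket-level read actions left out entirely.
BROKEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": "arn:aws:s3:::my-logs"}]}""")

if __name__ == "__main__":
    for line in missing_permissions(BROKEN_POLICY, "my-logs", LOG_BUCKET_ACTIONS):
        print("missing:", line)
```

Run it against the policy attached to the Scanner role (e.g., exported with the AWS Console or CLI) for each log bucket and for the index bucket; every reported line maps to one AccessDenied check in the Scanner UI.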
Malformed ARNs
Double-check all resource identifiers:
Role ARN format should be: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME (not a user ARN)
Bucket ARN format should be: arn:aws:s3:::bucket-name
Object ARN format should be: arn:aws:s3:::bucket-name/*
Index Files Bucket vs. Log Files Buckets Confusion
Scanner Index Files Bucket = NEW bucket created just for Scanner's index files (Scanner needs write access)
Log Files Buckets = Your EXISTING buckets with raw logs (Scanner needs read-only access)
Make sure you're configuring the correct IAM permissions for each bucket type.
EventBridge Rule Not in Same Region as Logs
The EventBridge rule (and its IAM role) must be in the same region as your S3 log buckets. Multi-region setups require the rule to be created in each region where you have buckets. See the Terraform template or manual setup for guidance on multi-region configurations.
Multiple Errors From Same Root Cause
You may see multiple errors stemming from the same root cause. For example, if a bucket has been deleted, the bucket presence check will fail, and many other checks on that bucket will also fail or show as "Not checked" because they couldn't proceed. When troubleshooting, focus on resolving the primary issue first (like recreating the bucket or fixing the primary permission), then re-run the validation to clear cascading errors.
Still Having Issues?
If errors persist after following these steps:
Double-check all resource ARNs and bucket names for typos
Review AWS CloudTrail logs for access denied errors from Scanner's actions
Ensure your AWS credentials/role have not been revoked or rotated
Contact Scanner support with the specific error message and affected bucket/resource