Cloudwatch Canaries VPC

Question

Hi,

I would like to have a simple homepage check that checks Grafana that we use for alerting.
Grafana is only accessible from inside the VPC or specif external ip adresses.
IAM Policy used by the Role:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary/*",
                "arn:aws:s3:::thanos-syn-canary"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:eu-central-1:******:log-group:/aws/lambda/cwsyn-grafana-thanos*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "xray:PutTraceSegments"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "CloudWatchSynthetics"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

But in the logs it says it can't find the bucket.

```
Failed to get the S3 bucket name.: Os { code: 2, kind: NotFound, message: "No such file or directory" } 
```

Can't find anything on google about this, tried to have vpc endpoint to cloudwatch but according to the documentation it should not be needed.
The bucket is in the same region as the cloudwatch canarie.

Answer

> I apologize for the delayed response. If you're still encountering this issue, I'd be happy to offer some solutions.

I think this issue could be related to the networking configuration, permissions, or the bucket itself.

- Since your Grafana instance is accessible only from within the VPC or specific external IP addresses, you need to ensure that the CloudWatch Canary is configured to run within the same VPC. - [Running a canary on a VPC](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_VPC.html)

- Also verify that the S3 bucket policy allows access from the IAM role assigned to the CloudWatch Canary. You can add a bucket policy statement similar to the following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::role/"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::thanos-syn-canary/*",
                "arn:aws:s3:::thanos-syn-canary"
            ]
        }
    ]
}
```

> For more examples on managing buckets with canned ACLs, you can refer to this section of the AWS documentation: [Managing Buckets Using Canned ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-public-access).

Cloudwatch Canaries VPC

Relevant content