Issues with S3 Logging for Rejected Writes in AWS Timestream for LiveAnalytics

Greetings!

Please allow me to address your questions below.

1. Permissions for Timestream User: What exact permissions must the user writing to Timestream for LiveAnalytics have to ensure they can write new records and that errors are logged to S3?

Answer) To write to the magnetic store, callers of WriteRecords must have "S3:PutObject" permissions to the S3 bucket specified in MagneticStoreRejectedDataLocationduring table creation.[1]

[1] Writes - Writing data (inserts and upserts) - https://docs.aws.amazon.com/timestream/latest/developerguide/writes.html#writes.writing-data-inserts-upserts

Apart from the above, Your user will also need "s3:ListAllMyBuckets" which is also included in few of the existing policies like AmazonTimestreamFullAccess[2].

[2] AWS managed policies for Amazon Timestream Live Analytics - Timestream Live Analytics updates to AWS managed policies - https://docs.aws.amazon.com/timestream/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates

2. S3 Bucket-Level Permissions: Is it necessary to set specific permissions at the S3 bucket level to enable logging of rejected writes from Timestream for LiveAnalytics?

Answer) Kindly note that no additional permission is needed at the s3 bucket for writing Rejected Writes.

I hope the above helps. Kindly feel free to reach back to us at AWS support[3] if you need any specific help regarding the same.

[3] https://aws.amazon.com/contact-us/