I am following documentation and I'm still getting 'findings export options' to an S3 bucket when trying to export GD logs to S3

0

Hello,

I am trying to export GuardDuty logs to S3 and I am getting errors with the policy. I am receiving the message above: 'findings export options' to an S3 bucket.

I am following the documentation listed here - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html

The resource is a contradiction to this answer here, which indicates the resource should be *. So now I became somewhat confused.

I'm starting to wonder if this is incorrect documentation or if I'm doing something wrong. Hoping that I'm doing something wrong so it can be an easy fix. But I am reaching out for assistance.

In the Permissions required to configure findings export I did not see these permissions noted to configure during the KMS set up and S3 bucket set up; so I was under the assumption that these are referring to GuardDuty policies that should be attached to GuardDuty; otherwise, I'm not sure why they were not mentioned during set up of KMS and S3. I see s3:* on some so I believe I have these permissions already.

Can someone tell me what I may be missing?

NOTE: I am also using an EXISTING bucket that was created separately and not from GuardDuty

  • Can you post the bucket policy of the existing bucket that you want your GuardDuty findings to export into? Please post the KMS key policy as well.

  • I think I found the problem.

1 Answer
0

Instead of manually creating the policies, you can use the Amazon GuardDuty console to generate sample policies for you.

  1. Navigate to the Amazon GuardDuty console. Choose settings in the navigation pane.
  2. Under Findings export options, choose the frequency for updating findings.
  3. Under S3 bucket, choose Existing bucket
  4. Select your bucket and choose View Policy. Copy that policy and apply it to your S3 bucket.
  5. You can leave Log file prefix as default (blank)
  6. For KMS, select your key alias and choose View Policy. Copy that policy and apply it to your KMS key. You want to add this to your key, rather than replace the one that is there. For example:
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/Admin"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:guardduty:us-west-2:<account_ID>:detector/<detectorID>",
                    "aws:SourceAccount": "<account_ID>"
                }
            }
        }
    ]
}
  7. Then choose save.
AWS
answered a year ago
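
The "add this to your key, rather than replace the one that is there" step from the answer above, as an added example that is not part of the original answer or AWS's own code: it appends the GuardDuty statement to an existing key policy document only when no equivalent statement is present, and leaves the other statements untouched. The account ID, detector ID and the function names are constructed for illustration.

```python
import copy

# Constructed sample values (not from the post); substitute your own.
ACCOUNT_ID = "111122223333"
DETECTOR_ARN = f"arn:aws:guardduty:us-west-2:{ACCOUNT_ID}:detector/EXAMPLE_DETECTOR_ID"

def guardduty_statement(account_id, detector_arn):
    """The GuardDuty statement from the answer, with its placeholders filled in."""
    return {
        "Sid": "Allow GuardDuty to encrypt findings",
        "Effect": "Allow",
        "Principal": {"Service": "guardduty.amazonaws.com"},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:SourceArn": detector_arn,
            "aws:SourceAccount": account_id}},
    }

def as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def grants_guardduty(policy, account_id, detector_arn):
    """True if a statement scoped to this detector allows kms:GenerateDataKey."""
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        cond = st.get("Condition", {}).get("StringEquals", {})
        if (st.get("Effect") == "Allow"
                and "guardduty.amazonaws.com" in services
                and "kms:GenerateDataKey" in as_list(st.get("Action", []))
                and cond.get("aws:SourceArn") == detector_arn
                and cond.get("aws:SourceAccount") == account_id):
            return True
    return False

def merge_guardduty(policy, account_id, detector_arn):
    """Return a copy of the key policy with the statement appended if it is missing."""
    merged = copy.deepcopy(policy)
    merged["Statement"] = as_list(merged.get("Statement", []))
    if not grants_guardduty(merged, account_id, detector_arn):
        merged["Statement"].append(guardduty_statement(account_id, detector_arn))
    return merged

# Constructed existing key policy holding only the account-root statement.
EXISTING = {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "kms:*", "Resource": "*"}]}
```

Running `merge_guardduty` a second time on its own output adds nothing, so the check can be repeated safely before pasting the result into the key policy editor.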
