x-pack/filebeat/inputs/awss3 - Handle SQS notification without region (…

…#40628) When a region is not specified in the SQS notification then reuse the existing S3 client instead of creating a new one based on an empty (unspecified) AWS region name. This problem affected custom SQS notification formats that did not specify a region name (like Crowdstrike FDR notifications). This addresses errors like: S3 download failure: s3 GetObject failed: operation error S3: GetObject, resolve auth scheme: resolve endpoint: endpoint rule error, Invalid region: region was not a valid DNS name. Fixes: elastic/integrations/#10647 Relates: #40309
elastic · Aug 27, 2024 · 6d25d46 · 6d25d46
1 parent cc561ff
commit 6d25d46
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -160,6 +160,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Ensure Entra ID request bodies are not truncated and trace logs are rotated before 100MB. {pull}40494[40494]
 - The Elasticsearch output now correctly logs the event fields to the event log file {issue}40509[40509] {pull}40512[40512]
 - Fix the "No such input type exist: 'azure-eventhub'" error on the Windows platform {issue}40608[40608] {pull}40609[40609]
+- awss3 input: Fix handling of SQS notifications that don't contain a region. {pull}40628[40628]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/input/awss3/interfaces.go b/x-pack/filebeat/input/awss3/interfaces.go
@@ -305,7 +305,7 @@ func (a *awsS3API) clientFor(region string) *s3.Client {
 	// Conditionally replace the client if the region of
 	// the request does not match the pre-prepared client.
 	opts := a.client.Options()
-	if opts.Region == region {
+	if region == "" || opts.Region == region {
 		return a.client
 	}
 	// Use a cached client if we have already seen this region.

diff --git a/x-pack/filebeat/input/awss3/interfaces_test.go b/x-pack/filebeat/input/awss3/interfaces_test.go
@@ -0,0 +1,25 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package awss3
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+)
+
+func TestAWSS3API_clientFor(t *testing.T) {
+	// When SQS notifications do not contain a region (like Crowdstrike FDR's
+	// custom notifications), then the default pre-made S3 client should be used.
+	t.Run("empty_region_uses_pre_made_client", func(t *testing.T) {
+		want := s3.New(s3.Options{Region: "us-east-1"})
+		api := newAWSs3API(want)
+		got := api.clientFor("")
+
+		if want != got {
+			t.Errorf("Empty region should return the default premade client: want %p, got %p", want, got)
+		}
+	})
+}