# S3 Sources (Beta)

## Overview

{% hint style="info" %}
The S3 Sources API endpoints are in open beta starting with Panther version 1.122, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Use these API operations to interact with [S3 Sources](https://docs.panther.com/data-onboarding/data-transports/aws/s3) in Panther.

## Required permissions

* For `GET` operations, your API token must have the `View Log Sources` permission.
* For `POST`, `PUT`, and `DELETE` operations, your API token must have the `Manage Log Sources` permission.

## POST /log-sources/s3

> create S3 source

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"S3 source","description":"The S3 source API handles all operations for AWS S3 log sources"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"S3SourceAPI.CreateS3Source":{"type":"object","properties":{"awsAccountId":{"type":"string","description":"The 12-digit AWS account ID where the S3 bucket resides"},"integrationLabel":{"type":"string","description":"The integration label (name)"},"kmsKey":{"type":"string","description":"KMS key ARN for server-side encryption. Omit if the bucket is not KMS-encrypted."},"logProcessingRole":{"type":"string","description":"The IAM role ARN that Panther assumes to read from the S3 bucket"},"logStreamType":{"type":"string","description":"The log stream type. Supported: Auto, JSON, JsonArray, Lines, XML, CloudWatchLogs","enum":["Auto","JSON","JsonArray","Lines","XML","CloudWatchLogs"]},"logStreamTypeOptions":{"$ref":"#/components/schemas/S3SourceAPI.S3LogStreamTypeOptions"},"managedBucketNotifications":{"type":"boolean","description":"Whether Panther should configure the S3 bucket notifications automatically"},"s3Bucket":{"type":"string","description":"The S3 bucket name"},"s3PrefixLogTypes":{"type":"array","items":{"$ref":"#/components/schemas/S3SourceAPI.PrefixLogTypesMapping"},"description":"Prefix-based log type mappings for parsing ingested data"}},"required":["awsAccountId","s3Bucket","integrationLabel","s3PrefixLogTypes","managedBucketNotifications","logProcessingRole","logStreamType"]},"S3SourceAPI.S3LogStreamTypeOptions":{"type":"object","properties":{"jsonArrayEnvelopeField":{"type":"string","description":"Path to the JSON array field to extract records from. Only applicable when logStreamType is JsonArray. Omit if the input is already a top-level array."},"retainEnvelopeFields":{"type":"boolean","description":"Preserve CloudWatch Logs envelope metadata (accountId, logGroup, subscriptionFilters) in a p_header column. Only applicable when logStreamType is CloudWatchLogs."},"xmlRootElement":{"type":"string","description":"Root element wrapping XML events. Only applicable when logStreamType is XML. Omit if events are not enclosed in a root element."}}},"S3SourceAPI.PrefixLogTypesMapping":{"type":"object","properties":{"excludedPrefixes":{"type":"array","items":{"type":"string"},"description":"Prefixes to exclude from matching. Use '*' as a wildcard for dynamic path segments."},"logTypes":{"type":"array","items":{"type":"string"},"description":"The log types (schemas) to apply for this prefix"},"prefix":{"type":"string","description":"S3 prefix to match. Leave empty to match all objects in the bucket."}}},"S3SourceAPI.S3Source":{"type":"object","properties":{"awsAccountId":{"type":"string","description":"The AWS account ID where the S3 bucket resides"},"integrationId":{"type":"string","description":"The unique ID of the S3 log source"},"integrationLabel":{"type":"string","description":"The integration label (name)"},"kmsKey":{"type":"string","description":"KMS key ARN for server-side encryption. Omit if the bucket is not KMS-encrypted."},"logProcessingRole":{"type":"string","description":"The IAM role ARN that Panther assumes to read from the S3 bucket"},"logStreamType":{"type":"string","description":"The log stream type. Supported: Auto, JSON, JsonArray, Lines, XML, CloudWatchLogs","enum":["Auto","JSON","JsonArray","Lines","XML","CloudWatchLogs"]},"logStreamTypeOptions":{"$ref":"#/components/schemas/S3SourceAPI.S3LogStreamTypeOptions"},"managedBucketNotifications":{"type":"boolean","description":"Whether Panther should configure the S3 bucket notifications automatically"},"s3Bucket":{"type":"string","description":"The S3 bucket name"},"s3PrefixLogTypes":{"type":"array","items":{"$ref":"#/components/schemas/S3SourceAPI.PrefixLogTypesMapping"},"description":"Prefix-based log type mappings for parsing ingested data"}}},"S3SourceAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ExistsError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/log-sources/s3":{"post":{"tags":["S3 source"],"summary":"create S3 source","operationId":"S3 source#create","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.CreateS3Source"}}}},"responses":{"201":{"description":"Created response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.S3Source"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.BadRequestError"}}}},"409":{"description":"exists: Conflict response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ExistsError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ServiceError"}}}}}}}}}
```

## GET /log-sources/s3/{id}

> get S3 source

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"S3 source","description":"The S3 source API handles all operations for AWS S3 log sources"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"S3SourceAPI.S3Source":{"type":"object","properties":{"awsAccountId":{"type":"string","description":"The AWS account ID where the S3 bucket resides"},"integrationId":{"type":"string","description":"The unique ID of the S3 log source"},"integrationLabel":{"type":"string","description":"The integration label (name)"},"kmsKey":{"type":"string","description":"KMS key ARN for server-side encryption. Omit if the bucket is not KMS-encrypted."},"logProcessingRole":{"type":"string","description":"The IAM role ARN that Panther assumes to read from the S3 bucket"},"logStreamType":{"type":"string","description":"The log stream type. Supported: Auto, JSON, JsonArray, Lines, XML, CloudWatchLogs","enum":["Auto","JSON","JsonArray","Lines","XML","CloudWatchLogs"]},"logStreamTypeOptions":{"$ref":"#/components/schemas/S3SourceAPI.S3LogStreamTypeOptions"},"managedBucketNotifications":{"type":"boolean","description":"Whether Panther should configure the S3 bucket notifications automatically"},"s3Bucket":{"type":"string","description":"The S3 bucket name"},"s3PrefixLogTypes":{"type":"array","items":{"$ref":"#/components/schemas/S3SourceAPI.PrefixLogTypesMapping"},"description":"Prefix-based log type mappings for parsing ingested data"}}},"S3SourceAPI.S3LogStreamTypeOptions":{"type":"object","properties":{"jsonArrayEnvelopeField":{"type":"string","description":"Path to the JSON array field to extract records from. Only applicable when logStreamType is JsonArray. Omit if the input is already a top-level array."},"retainEnvelopeFields":{"type":"boolean","description":"Preserve CloudWatch Logs envelope metadata (accountId, logGroup, subscriptionFilters) in a p_header column. Only applicable when logStreamType is CloudWatchLogs."},"xmlRootElement":{"type":"string","description":"Root element wrapping XML events. Only applicable when logStreamType is XML. Omit if events are not enclosed in a root element."}}},"S3SourceAPI.PrefixLogTypesMapping":{"type":"object","properties":{"excludedPrefixes":{"type":"array","items":{"type":"string"},"description":"Prefixes to exclude from matching. Use '*' as a wildcard for dynamic path segments."},"logTypes":{"type":"array","items":{"type":"string"},"description":"The log types (schemas) to apply for this prefix"},"prefix":{"type":"string","description":"S3 prefix to match. Leave empty to match all objects in the bucket."}}},"S3SourceAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/log-sources/s3/{id}":{"get":{"tags":["S3 source"],"summary":"get S3 source","operationId":"S3 source#get","parameters":[{"name":"id","in":"path","description":"ID of the S3 source to fetch","required":true,"schema":{"type":"string","description":"ID of the S3 source to fetch"}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.S3Source"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.NotFoundError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ServiceError"}}}}}}}}}
```

## PUT /log-sources/s3/{id}

> put S3 source

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"S3 source","description":"The S3 source API handles all operations for AWS S3 log sources"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"S3SourceAPI.ModifyS3Source":{"type":"object","properties":{"integrationLabel":{"type":"string","description":"The integration label (name)"},"kmsKey":{"type":"string","description":"KMS key ARN for server-side encryption. Omit if the bucket is not KMS-encrypted."},"logProcessingRole":{"type":"string","description":"The IAM role ARN that Panther assumes to read from the S3 bucket"},"logStreamType":{"type":"string","description":"The log stream type. Supported: Auto, JSON, JsonArray, Lines, XML, CloudWatchLogs","enum":["Auto","JSON","JsonArray","Lines","XML","CloudWatchLogs"]},"logStreamTypeOptions":{"$ref":"#/components/schemas/S3SourceAPI.S3LogStreamTypeOptions"},"managedBucketNotifications":{"type":"boolean","description":"Whether Panther should configure the S3 bucket notifications automatically"},"s3PrefixLogTypes":{"type":"array","items":{"$ref":"#/components/schemas/S3SourceAPI.PrefixLogTypesMapping"},"description":"Prefix-based log type mappings for parsing ingested data"}},"required":["integrationLabel","s3PrefixLogTypes","managedBucketNotifications","logProcessingRole","logStreamType"]},"S3SourceAPI.S3LogStreamTypeOptions":{"type":"object","properties":{"jsonArrayEnvelopeField":{"type":"string","description":"Path to the JSON array field to extract records from. Only applicable when logStreamType is JsonArray. Omit if the input is already a top-level array."},"retainEnvelopeFields":{"type":"boolean","description":"Preserve CloudWatch Logs envelope metadata (accountId, logGroup, subscriptionFilters) in a p_header column. Only applicable when logStreamType is CloudWatchLogs."},"xmlRootElement":{"type":"string","description":"Root element wrapping XML events. Only applicable when logStreamType is XML. Omit if events are not enclosed in a root element."}}},"S3SourceAPI.PrefixLogTypesMapping":{"type":"object","properties":{"excludedPrefixes":{"type":"array","items":{"type":"string"},"description":"Prefixes to exclude from matching. Use '*' as a wildcard for dynamic path segments."},"logTypes":{"type":"array","items":{"type":"string"},"description":"The log types (schemas) to apply for this prefix"},"prefix":{"type":"string","description":"S3 prefix to match. Leave empty to match all objects in the bucket."}}},"S3SourceAPI.S3Source":{"type":"object","properties":{"awsAccountId":{"type":"string","description":"The AWS account ID where the S3 bucket resides"},"integrationId":{"type":"string","description":"The unique ID of the S3 log source"},"integrationLabel":{"type":"string","description":"The integration label (name)"},"kmsKey":{"type":"string","description":"KMS key ARN for server-side encryption. Omit if the bucket is not KMS-encrypted."},"logProcessingRole":{"type":"string","description":"The IAM role ARN that Panther assumes to read from the S3 bucket"},"logStreamType":{"type":"string","description":"The log stream type. Supported: Auto, JSON, JsonArray, Lines, XML, CloudWatchLogs","enum":["Auto","JSON","JsonArray","Lines","XML","CloudWatchLogs"]},"logStreamTypeOptions":{"$ref":"#/components/schemas/S3SourceAPI.S3LogStreamTypeOptions"},"managedBucketNotifications":{"type":"boolean","description":"Whether Panther should configure the S3 bucket notifications automatically"},"s3Bucket":{"type":"string","description":"The S3 bucket name"},"s3PrefixLogTypes":{"type":"array","items":{"$ref":"#/components/schemas/S3SourceAPI.PrefixLogTypesMapping"},"description":"Prefix-based log type mappings for parsing ingested data"}}},"S3SourceAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ExistsError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/log-sources/s3/{id}":{"put":{"tags":["S3 source"],"summary":"put S3 source","operationId":"S3 source#put","parameters":[{"name":"id","in":"path","description":"ID of the S3 source to update","required":true,"schema":{"type":"string","description":"ID of the S3 source to update"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ModifyS3Source"}}}},"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.S3Source"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.NotFoundError"}}}},"409":{"description":"exists: Conflict response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ExistsError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ServiceError"}}}}}}}}}
```

## DELETE /log-sources/s3/{id}

> delete S3 source

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"S3 source","description":"The S3 source API handles all operations for AWS S3 log sources"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"S3SourceAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"S3SourceAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/log-sources/s3/{id}":{"delete":{"tags":["S3 source"],"summary":"delete S3 source","operationId":"S3 source#delete","parameters":[{"name":"id","in":"path","description":"ID of the S3 source to delete","required":true,"schema":{"type":"string","description":"ID of the S3 source to delete"}}],"responses":{"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.BadRequestError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/S3SourceAPI.ServiceError"}}}}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/panther-developer-workflows/api/rest/log-sources/s3-sources.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.