Configuration Auditing Troubleshooting

I updated my password policy but it was not reflected in my scan.

Several IAM rules are built from the AWS IAM Credential Report. AWS caches this report and will only generate a new one once the existing report is more than 4 hours old. This applies to the following rules:

  • MFA is Enabled for All Users
  • No Unused Password
  • No Unused Access Key #1
  • No Unused Access Key #2
  • Password is Rotated Regularly
  • Access Key #1 is Rotated Regularly
  • Access Key #2 is Rotated Regularly

If you don't see values updating after a scan, it's probably because Amazon hasn't generated a new Credential Report. You will need to wait a few hours to see this update.
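The dependency on the cached report is easiest to see in code. The following is an added example, not AIP's own code: it evaluates the seven rules listed above over a constructed credential-report CSV (a subset of the real report's columns) and checks whether a report's GeneratedTime is old enough for AWS to regenerate it. The 90-day threshold and the fixed "now" are assumptions, not values taken from AIP.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
# Constructed sample in the AWS credential report CSV layout (subset of the real columns).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-01T10:00:00+00:00,2024-01-15T09:00:00+00:00,true,true,2024-04-20T08:00:00+00:00,2024-05-02T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-11-01T10:00:00+00:00,2023-10-01T09:00:00+00:00,false,true,2023-09-01T08:00:00+00:00,N/A,true,2024-04-01T08:00:00+00:00,2024-05-01T11:00:00+00:00
"""

NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible
MAX_AGE = timedelta(days=90)  # assumed threshold; AIP's actual rotation/unused window is not stated on the page
REPORT_CACHE = timedelta(hours=4)  # AWS only regenerates the report once the cached copy is this old

def parse_ts(value):
    """Return a datetime for an ISO timestamp, or None for N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def report_is_stale(generated_time, now=NOW):
    """True when AWS will accept a regenerate request: the cached report is at least 4 hours old."""
    return now - parse_ts(generated_time) >= REPORT_CACHE

def evaluate(report_csv, now=NOW, max_age=MAX_AGE):
    """Evaluate the credential-report-based rules; returns {user: [names of failed rules]}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        failed = []
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                failed.append("MFA is Enabled for All Users")
            last_used = parse_ts(row["password_last_used"])
            if last_used is None or now - last_used > max_age:
                failed.append("No Unused Password")
            changed = parse_ts(row["password_last_changed"])
            if changed is None or now - changed > max_age:
                failed.append("Password is Rotated Regularly")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys are not evaluated
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > max_age:
                failed.append(f"No Unused Access Key #{n}")
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_age:
                failed.append(f"Access Key #{n} is Rotated Regularly")
        if failed:
            findings[row["user"]] = failed
    return findings
```

To run it against a real account, feed the decoded output of `aws iam get-credential-report` into `evaluate()` and its GeneratedTime into `report_is_stale()`; if the report is not yet stale, a policy change cannot appear in the findings.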

Permissions error for entire service

If you are presented with an error message, in pink, at the top of the page with the text "Whoops, we have a permissions problem:", the most likely cause is that the second profile for config audit has not been attached to the IAM role. Ensure that the cross-account IAM role integrated with App Infrastructure Protection (AIP) has the correct permissions attached. See AWS Integrations Overview for the permissions required by each installation option.

Error at the Service level indicates an error evaluating child rules

If you see an error icon (exclamation point in a gray triangle) next to the Service name, expand the section for that resource and look for the same icon in the "Resource Status" column for a rule. That is where the error occurred.

API error for an individual resource

If you are reviewing a rule and are presented with an error message in pink, AIP has encountered one of a few possible errors when querying the AWS API.

  1. Check the cross-account IAM role as described under "Permissions error for entire service" above.
  2. If you have ruled out permission problems, click the "Show error code" link and include the error message shown in a message to our support team.

All CloudTrail Trails did not get scanned

A CloudTrail trail can be configured to cover multiple regions (Apply trail to all regions = Yes). When this is done, a main trail is created in the default region, and shadow trails are created in every other region. Because these shadow trails have exactly the same configuration as the main trail, AIP does not evaluate shadow trails.

Shadow trails are typically not displayed in the AWS Console, but we have seen cases where they are. To generate the list of trails you can expect to see in AIP, run the following command in the AWS CLI:

aws cloudtrail describe-trails --no-include-shadow-trails

For more information, see Receiving CloudTrail log files from multiple regions.


‘Resource Could Not Be Evaluated’ Errors

If AIP could not evaluate an individual AWS resource against a particular rule, you will see a result that says "n [resource type] could not be evaluated."

There are many reasons why AIP may not be able to get a result on an individual AWS resource. Here are some troubleshooting steps:

  1. Ensure that the cross-account IAM role integrated with AIP has the correct permissions attached. The permissions required for each install option are listed in AWS Integrations Overview.
  2. Check resource-level permissions. Within an individual rule, if some resources are evaluated and others are not, it is possible that a policy set on the individual resource is overriding the permissions granted to the role. This is especially common with S3 buckets.