
# Troubleshooting AWS for Cloud Insights

For detailed error information (including messages returned by AWS), go to **Cloud Insights > Settings > Integration Logs**. For help reading these logs, see [Cloud Insights settings: Integration Logs](https://docs.thousandeyes.com/product-documentation/cloud-insights/settings#integration-logs).

## Integration Statuses

| Status                  | What it means                                                                                                |
| ----------------------- | ------------------------------------------------------------------------------------------------------------ |
| **Pending**             | Initial state after save. ThousandEyes is validating the connection and permissions.                         |
| **Connected**           | Monitoring is working.                                                                                       |
| **Partially connected** | Monitoring is active, but some subscriptions or flow log files failed. See **Integration Logs** for details. |
| **Failed**              | Monitoring can’t start due to errors (for example, missing permissions or connectivity issues).              |

## Partially Connected Inventory Monitoring Integrations

Some **Inventory Monitoring** integrations can show **Connected** with a red warning symbol:

![Partially connected state](/files/ZSuChr2Sk9b0m7KqeD3X)

**Meaning**

One or more read-only permissions requested by the ThousandEyes permission policy are not granted in your AWS account. The integration works, but some data won’t appear in **Cloud Insights > Views** or **Network & App Synthetics > Views**.

**Find what’s missing**

Open the integration. Error banners at the top list the specific API resources that are denied. You can also check **Integration Logs** for details.

If the warnings are expected (for example, certain AWS resources are intentionally out of scope), you can remove the warning badge:

1. Go to **Cloud Insights > Settings**.
2. Open **Integration Policies**.
3. Uncheck resource groups or regions that ThousandEyes shouldn’t access.
   * **Note:** You can’t disable **EC2 (including load balancing)**—it’s required.
4. Select **Save changes**.

## Partially Connected Flow Logs Monitoring Integrations

**Meaning**

The integration is connected, but some flow logs can’t be ingested or processed.

![Flow Logs Monitoring partially connected state](/files/LIh0n5rIGQkwRbu2crMz)

### Failure to Subscribe to AWS SNS Topics

**Symptoms**

* If subscriptions to **all** topics fail → status changes to **Failed** and no logs are ingested.
* If **some** topics subscribe and others fail → status is **Partially connected**.

**What you’ll see**

* “**Failed to subscribe to the following topics:** …” in the integration sidebar.
* **Integration Logs** entries with category such as *Subscribe Failed*.

**Common causes**

* The topic ARN is wrong or the topic does not exist.
* The topic **access policy** does not allow ThousandEyes to **Subscribe** (`SNS:Subscribe`).

**How to fix**

1. Verify each topic exists and ARNs are correct in the integration.
2. Update the SNS topic access policy to allow ThousandEyes to subscribe. See **Update the SNS topic access policy** in the setup guide.
3. Select **Save** in the integration to retry subscriptions.

### Failure to Process Incoming Flow Logs

**Symptoms**

* “**Some AWS flow logs could not be processed in the last 30 minutes**” banner.
* **Integration Logs** entries for *Flow Log Download Failed* or *Flow Log Parse Failed*.

**Common causes**

* ThousandEyes can’t download the object from S3 (role lacks `s3:GetObject`/bucket access).
* The log record format is missing required fields.

**How to fix**

* For download failures: confirm the IAM **permission policy** used by the Flow Logs role includes the target bucket ARNs (both bucket and `/*` object ARNs).
* For parse failures: ensure your **VPC/TGW flow log record format** includes all required fields. See **Configure VPCs to publish flow logs in AWS** in the setup guide.

## Inventory Monitoring Errors

### IAM Role: Cannot Assume Role

**Error**

`User: arn:aws:iam::...:user/thousandeyes-integrations-user is not authorized to perform: sts:AssumeRole on resource ...`

**Why it happens**

* The role ARN is wrong or doesn’t exist.
* The **trust policy** doesn’t allow ThousandEyes to assume the role.

**How to fix**

* Verify the role ARN you entered in the integration.
* Reapply the ThousandEyes **trust policy** to the role (see **Create the trust policy in AWS** in the setup guide).
* If the trust policy is disabled after the integration connects, the integration leaves the **Connected** state and won’t recover until the trust is restored.

### Duplicate Integration (Inventory)

**Error**

`AWS Integration with Role ARN ... and Service Type [INVENTORY_MONITORING] already exists`

**Why it happens**

Each Inventory Monitoring integration must use a **unique role ARN** within an account group.

**How to fix**

* Use a different role ARN, or edit the existing integration instead of creating a duplicate.

### Permission Policy: Missing Actions

**Error**

`We are not authorized to perform ... Additional permissions are missing`

**Why it happens**

Your IAM **permission policy** does not grant some requested read-only actions.

**What to expect**

* The integration may remain **Connected** with a warning badge.
* The edit sidebar lists denied APIs (limited to a subset for space). Check **Integration Logs** for full details.

**How to fix**

* Update the permission policy to include the missing actions **or**
* Exclude the corresponding resource groups/regions in **Integration Policies** if intentional (removes the warning badge).

### Region Disabled

**Error**

`STS is not activated in this region for account ...`

**Why it happens**

ThousandEyes can’t assume the role in that region because STS is not activated there for the account.

**How to fix**

* Enable STS in the region **or** exclude the region in **Integration Policies** if intentional.

## Flow Logs Monitoring Errors

For AWS-side configuration issues (VPC, S3, SNS, EventBridge), refer to the relevant AWS documentation at [docs.aws.amazon.com](https://docs.aws.amazon.com/).

When an integration shows **Connected**, ThousandEyes can assume the IAM role and has subscribed to at least one topic. Errors below relate to downloading or parsing the notified objects.

### Integration Creation Errors

**Duplicate integration (Flow Logs)**

`AWS Integration with Role ARN ... and Service Type [FLOW_LOGS_MONITORING] already exists`

* **Fix:** Use a unique role ARN per Flow Logs integration within the account group (the same ARN may be used by the matching Inventory integration).

**Mismatched accounts**

`SNS Topic ARNs must have the same account as the Role ARN`

* **Fix:** Ensure all SNS topics added to the integration belong to the **same AWS account** as the role ARN.

**Duplicate topic ARNs**

`Testing Failed: SNS Topic ARNs must be unique across all flow logs monitoring integrations ...`

* **Fix:** Remove any SNS topic ARN already used by another Flow Logs integration in the org.

### S3 Bucket Permissions: Assume Role Failed

**Error**

`Testing Failed: User ... is not authorized to perform: sts:AssumeRole on resource: ...`

**Why it happens**

ThousandEyes cannot assume the IAM role specified in the integration.

**How to fix**

* Reapply the ThousandEyes **trust policy** to the role.
* Confirm the role ARN is correct.
* Ensure the role’s permission policy includes your bucket ARNs (`arn:aws:s3:::<BUCKET>` and `arn:aws:s3:::<BUCKET>/*`).

### SNS Topic Subscription Errors

**Failed to subscribe to the following topics**

* **Meaning:** ThousandEyes couldn’t subscribe to one or more SNS topics.
* **Fix:** Verify topic ARNs and update the **SNS topic access policy** to allow `SNS:Subscribe` for ThousandEyes, and `SNS:Publish` from S3 (with `aws:SourceAccount` and `aws:SourceArn` conditions). Then **Save** the integration to retry.

**Failed to subscribe to SNS topic** (in **Integration Logs**)

* **Meaning:** Log-level details for each failed topic.
* **Fix:** Use the error text to adjust the topic policy or ARN, then retry.
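
An offline check for the two grants named in the fix above (`SNS:Subscribe` for ThousandEyes, `SNS:Publish` from S3 with both source conditions), written as an added example and not ThousandEyes or AWS code. It also handles wildcard actions and principals, which the text does not mention; `TE_PRINCIPAL` is a placeholder for the principal ARN given in the setup guide, and the topic ARN and account ID in the sample are constructed.

```python
from fnmatch import fnmatchcase

TE_PRINCIPAL = "<THOUSANDEYES_PRINCIPAL_ARN>"  # placeholder: copy the real value from the setup guide

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(stmt, action):
    # IAM action names are case-insensitive and may contain wildcards ("sns:*").
    return stmt.get("Effect") == "Allow" and any(
        fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))

def _principals(stmt, kind):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get(kind, []))

def _condition_keys(stmt):
    # Condition is {operator: {key: value}}; condition key names are case-insensitive.
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}

def check_topic_policy(policy, te_principal=TE_PRINCIPAL):
    """Return findings for one SNS topic access policy; an empty list means both grants exist."""
    stmts, findings = _as_list(policy.get("Statement", [])), []
    if not any(_allows(s, "SNS:Subscribe")
               and {te_principal, "*"} & set(_principals(s, "AWS")) for s in stmts):
        findings.append("no Allow for SNS:Subscribe covering the ThousandEyes principal")
    publish = [s for s in stmts if _allows(s, "SNS:Publish")
               and {"s3.amazonaws.com", "*"} & set(_principals(s, "Service"))]
    if not publish:
        findings.append("no Allow for SNS:Publish from s3.amazonaws.com")
    for s in publish:
        missing = {"aws:sourceaccount", "aws:sourcearn"} - _condition_keys(s)
        if missing:
            findings.append("SNS:Publish lacks condition key(s): " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: Subscribe is granted, but Publish from S3 has no aws:SourceArn condition.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TE_PRINCIPAL}, "Action": "SNS:Subscribe",
     "Resource": "arn:aws:sns:us-east-1:111122223333:flow-logs"},
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:111122223333:flow-logs",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}

if __name__ == "__main__":
    for finding in check_topic_policy(SAMPLE):
        print("FINDING:", finding)
```

Feed it the policy JSON shown in the SNS console for each topic listed under "Failed to subscribe to the following topics".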

### Flow Log Processing Errors

**Some AWS flow logs could not be processed in the last 30 minutes**

* **Meaning:** Recent download or parse failures triggered a **Partially connected** state.
* **Fix:** Open **Integration Logs** to identify whether failures are *download* or *parse* issues and follow the steps below.

**Received flow log for an unmonitored account or region**

* **Meaning:** ThousandEyes filters logs from accounts/regions not covered by an **Inventory Monitoring** integration.
* **Fix:** Add Inventory Monitoring for that account/region, or send only logs from monitored locations. Integration Logs show *Unmonitored Account* entries with S3 bucket and object key details.

**Failed to download flow log from S3 bucket**

* **Common cause:** The role lacks permission to read the bucket/object.
* **Fix:** Update the role’s **permission policy** to include both the bucket and object ARNs for all flow log buckets. Integration Logs show *Flow Log Download Failed* with the bucket/key and error text.
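
The bucket-plus-object ARN requirement, checked offline against a role's permission policy for the bucket and key reported in a *Flow Log Download Failed* entry. This is an added example, not ThousandEyes or AWS code; the bucket names, account ID and object key are constructed, and explicit `Deny` statements are not evaluated.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" exactly one; nothing else is special.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, (re.I | re.S) if ignore_case else re.S) is not None

def covers(policy, arn, action=None):
    """True if an Allow statement lists `arn` (and `action`, when given). Deny is not evaluated."""
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        if action and not any(_iam_match(a, action, True) for a in _as_list(s.get("Action", []))):
            continue
        if any(_iam_match(r, arn) for r in _as_list(s.get("Resource", []))):
            return True
    return False

def check_flow_log_buckets(policy, failed_objects):
    """failed_objects: (bucket, key) pairs copied from Flow Log Download Failed log entries."""
    findings = []
    for bucket, key in failed_objects:
        bucket_arn = f"arn:aws:s3:::{bucket}"
        if not covers(policy, bucket_arn):
            findings.append(f"{bucket_arn} is not listed in any Allow statement")
        if not covers(policy, f"{bucket_arn}/{key}", "s3:GetObject"):
            findings.append(f"s3:GetObject is not allowed on {bucket_arn}/{key}")
    return findings

# Constructed sample: bucket names, account ID and object key are made up for illustration.
KEY = "AWSLogs/111122223333/vpcflowlogs/us-east-1/2024/01/01/sample.log.gz"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::te-flow-logs-a",        # bucket ARN only: objects not covered
                 "arn:aws:s3:::te-flow-logs-b",
                 "arn:aws:s3:::te-flow-logs-b/*"]}]}    # bucket and /* object ARN

if __name__ == "__main__":
    for f in check_flow_log_buckets(POLICY, [("te-flow-logs-a", KEY), ("te-flow-logs-b", KEY)]):
        print("FINDING:", f)
```

A policy that lists only the bucket ARN passes the first check and fails the second, which is the case that produces download failures while the integration still shows **Connected**.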

**Failed to parse flow log**

* **Common cause:** Required flow log fields are missing.
* **Fix:**
  1. Configure **Custom** record format with all required fields (see **Configure VPCs to publish flow logs in AWS** in the setup guide).
  2. Verify the current format in the VPC/TGW flow log settings.

**Note:** You can’t change fields on an existing VPC/TGW flow log. Create a **new** flow log configuration with the required fields, then remove the old one.

### Helpful Tips

* Use **Integration Logs** to pivot quickly from a banner message to exact failures (subscribe/download/parse) and the affected topic or object key.
* When in doubt, re-copy policies from the ThousandEyes UI (policies can change).
* Prefer **one SNS topic per region** and **regional buckets** to reduce cross-region complexity.

