Troubleshooting AWS for Cloud Insights
For detailed error information (including messages returned by AWS), go to Cloud Insights > Settings > Integration Logs. For help reading these logs, see Cloud Insights settings: Integration Logs.
Integration Statuses
Pending
Initial state after save. ThousandEyes is validating the connection and permissions.
Connected
Monitoring is working.
Partially connected
Monitoring is active, but some subscriptions or flow log files failed. See Integration Logs for details.
Failed
Monitoring can’t start due to errors (for example, missing permissions or connectivity issues).
Partially Connected Inventory Monitoring Integrations
Some Inventory Monitoring integrations can show Connected with a red warning symbol:
Meaning
One or more read-only permissions requested by the ThousandEyes permission policy are not granted in your AWS account. The integration works, but some data won’t appear in Cloud Insights > Views or Network & App Synthetics > Views.
Find what’s missing
Open the integration. Error banners at the top list the specific API resources that are denied. You can also check Integration Logs for details.
If the warnings are expected (for example, certain AWS resources are intentionally out of scope), you can remove the warning badge:
Go to Cloud Insights > Settings.
Open Integration Policies.
Uncheck resource groups or regions that ThousandEyes shouldn’t access.
Note: You can’t disable EC2 (including load balancing)—it’s required.
Select Save changes.
Partially Connected Flow Logs Monitoring Integrations
Meaning
The integration is connected, but some flow logs can’t be ingested or processed.
Failure to Subscribe to AWS SNS Topics
Symptoms
If subscriptions to all topics fail → status changes to Failed and no logs are ingested.
If some topics subscribe and others fail → status is Partially connected.
What you’ll see
“Failed to subscribe to the following topics: …” in the integration sidebar.
Integration Logs entries with category such as Subscribe Failed.
Common causes
The topic ARN is wrong or the topic does not exist.
The topic access policy does not allow ThousandEyes to Subscribe (
SNS:Subscribe).
How to fix
Verify each topic exists and ARNs are correct in the integration.
Update the SNS topic access policy to allow ThousandEyes to subscribe. See Update the SNS topic access policy in the setup guide.
Select Save in the integration to retry subscriptions.
Failure to Process Incoming Flow Logs
Symptoms
“Some AWS flow logs could not be processed in the last 30 minutes” banner.
Integration Logs entries for Flow Log Download Failed or Flow Log Parse Failed.
Common causes
ThousandEyes can’t download the object from S3 (role lacks
s3:GetObject/bucket access).The log record format is missing required fields.
How to fix
For download failures: confirm the IAM permission policy used by the Flow Logs role includes the target bucket ARNs (both bucket and
/*object ARNs).For parse failures: ensure your VPC/TGW flow log record format includes all required fields. See Configure VPCs to publish flow logs in AWS in the setup guide.
Inventory Monitoring Errors
IAM Role: Cannot Assume Role
Error
User: arn:aws:iam::...:user/thousandeyes-integrations-user is not authorized to perform: sts:AssumeRole on resource ...
Why it happens
The role ARN is wrong or doesn’t exist.
The trust policy doesn’t allow ThousandEyes to assume the role.
How to fix
Verify the role ARN you entered in the integration.
Reapply the ThousandEyes trust policy to the role (see Create the trust policy in AWS in the setup guide).
If you disabled the trust policy after connecting, the integration will leave Connected and won’t recover until the trust is restored.
Duplicate Integration (Inventory)
Error
AWS Integration with Role ARN ... and Service Type [INVENTORY_MONITORING] already exists
Why it happens
Each Inventory Monitoring integration must use a unique role ARN within an account group.
How to fix
Use a different role ARN, or edit the existing integration instead of creating a duplicate.
Permission Policy: Missing Actions
Error
We are not authorized to perform ... Additional permissions are missing
Why it happens
Your IAM permission policy does not grant some requested read-only actions.
What to expect
The integration may remain Connected with a warning badge.
The edit sidebar lists denied APIs (limited to a subset for space). Check Integration Logs for full details.
How to fix
Update the permission policy to include the missing actions or
Exclude the corresponding resource groups/regions in Integration Policies if intentional (removes the warning badge).
Region Disabled
Error
STS is not activated in this region for account ...
Why it happens
The integration is restricted from assuming the role in a specific region.
How to fix
Enable STS in the region or exclude the region in Integration Policies if intentional.
Flow Logs Monitoring Errors
For AWS-side configuration issues (VPC, S3, SNS, EventBridge), refer to the relevant AWS documentation at aws.amazon.com/documentation.
When an integration shows Connected, ThousandEyes can assume the IAM role and has subscribed to at least one topic. Errors below relate to downloading or parsing the notified objects.
Integration Creation Errors
Duplicate integration (Flow Logs)
AWS Integration with Role ARN ... and Service Type [FLOW_LOGS_MONITORING] already exists
Fix: Use a unique role ARN per Flow Logs integration within the account group (the same ARN may be used by the matching Inventory integration).
Mismatched accounts
SNS Topic ARNs must have the same account as the Role ARN
Fix: Ensure all SNS topics added to the integration belong to the same AWS account as the role ARN.
Duplicate topic ARNs
Testing Failed: SNS Topic ARNs must be unique across all flow logs monitoring integrations ...
Fix: Remove any SNS topic ARN already used by another Flow Logs integration in the org.
S3 Bucket Permissions: Assume Role Failed
Error
Testing Failed: User ... is not authorized to perform: sts:AssumeRole on resource: ...
Why it happens
ThousandEyes cannot assume the IAM role specified in the integration.
How to fix
Reapply the ThousandEyes trust policy to the role.
Confirm the role ARN is correct.
Ensure the role’s permission policy includes your bucket ARNs (
arn:aws:s3:::<BUCKET>andarn:aws:s3:::<BUCKET>/*).
SNS Topic Subscription Errors
Failed to subscribe to the following topics
Meaning: ThousandEyes couldn’t subscribe to one or more SNS topics.
Fix: Verify topic ARNs and update the SNS topic access policy to allow
SNS:Subscribefor ThousandEyes, andSNS:Publishfrom S3 (withaws:SourceAccountandaws:SourceArnconditions). Then Save the integration to retry.
Failed to subscribe to SNS topic (in Integration Logs)
Meaning: Log-level details for each failed topic.
Fix: Use the error text to adjust the topic policy or ARN, then retry.
Flow Log Processing Errors
Some AWS flow logs could not be processed in the last 30 minutes
Meaning: Recent download or parse failures triggered a Partially connected state.
Fix: Open Integration Logs to identify whether failures are download or parse issues and follow the steps below.
Received flow log for an unmonitored account or region
Meaning: ThousandEyes filters logs from accounts/regions not covered by an Inventory Monitoring integration.
Fix: Add Inventory Monitoring for that account/region, or send only logs from monitored locations. Integration Logs show Unmonitored Account entries with S3 bucket and object key details.
Failed to download flow log from S3 bucket
Common cause: The role lacks permission to read the bucket/object.
Fix: Update the role’s permission policy to include both the bucket and object ARNs for all flow log buckets. Integration Logs show Flow Log Download Failed with the bucket/key and error text.
Failed to parse flow log
Common cause: Required flow log fields are missing.
Fix:
Configure Custom record format with all required fields (see Configure VPCs to publish flow logs in AWS in the setup guide).
Verify the current format in the VPC/TGW flow log settings.
Helpful Tips
Use Integration Logs to pivot quickly from a banner message to exact failures (subscribe/download/parse) and the affected topic or object key.
When in doubt, re-copy policies from the ThousandEyes UI (policies can change).
Prefer one SNS topic per region and regional buckets to reduce cross-region complexity.
Last updated