CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.Analysis complete. Submit additional findings to receive updated suggestions Source account status shows "Pending link to monitoring account"

Troubleshooting

Topics

CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured
Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.
Analysis complete. Submit additional findings to receive updated suggestions
Source account status shows "Pending link to monitoring account"

CloudWatch investigations cannot assume the necessary IAM roles or permissions. Please verify required roles and permissions are correctly configured

CloudWatch investigations use an IAM role to be able to access information in your topology. This IAM role must be configured with adequate permissions. For more information about the necessary permissions, see How to control what data CloudWatch investigations has access to during investigations.

Unable to identify event source. Verify that the resource exists in your application topology and the resource type is supported.

There are several AWS services and features that we recommend you to enable to provide additional valuable information to CloudWatch investigations. These services and features can help CloudWatch investigations identify event sources. For more information, see (Recommended) Best practices to enhance investigations.

Analysis complete. Submit additional findings to receive updated suggestions

When you see this message, CloudWatch investigations has finished analyzing your topology and telemetry based on the findings that it has found so far. If you think that the root cause hasn't been found, you can manually add more telemetry to the investigation, and this might cause CloudWatch investigations to scan your system again based on the new information.

To add new telemetry, navigate to that service's console and add the telemetry to the investigation. For example, to add a Lambda metric to the investigation, you can do the following:

Open the Lambda console.
In the Monitor section, find the metric.
Open the vertical ellipsis context menu for the metric, choose Investigate, Add to investigation Then, in the Investigate pane, select the name of the investigation.

Source account status shows "Pending link to monitoring account"

Check that both your monitoring account and source account are set up correctly.

Check that the source account ID and the source account role name are correct.
The monitoring account role needs to have sts:AssumeRole permission to assume the source account role.
The source account role needs to have a trust policy for the monitoring account role to assume.

The trust policy in the source account role must be properly scoped to have the Investigation Group arn in the sts:ExternalId context key:



            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "investigation-group-arn"
                }
            }

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security in CloudWatch investigations

Integrations with other systems