How can I troubleshoot AWS Config console error messages?
My AWS Config console returns an error or isn't working as expected.
Short description
If you perform an action in the AWS Config console and receive one of the following error messages, then see the related section for troubleshooting:
- "An error has occurred with AWS Config. Contact AWS Support."
- "We are unable to complete the request at this time. Try again later or contact AWS Support."
- "AWS Config is currently experiencing unusually high traffic. Try your request again or contact AWS Support."
- "An unexpected internal error occurred with AWS Config. Try again or contact AWS Support if the error persists."
Resolution
An error has occurred with AWS Config. Contact AWS Support.
This error can occur if the AWS Identity and Access Management (IAM) entity performing an action on the AWS Config console doesn't have the necessary permissions, for example the config:PutConfigRule, iam:PassRole, or ssm:ListDocuments permissions. This error can also occur if your AWS Config aggregator contains duplicate accounts or if AWS Systems Manager parameters aren't valid.
AWS API Error Code | CloudTrail Error Message | Related AWS Config API | Description | Resolution |
InsufficientDeliveryPolicyException | Insufficient delivery policy to s3 bucket:<Bucket Name>, unable to write to bucket, provided s3 key prefix is 'null'. | PutDeliveryChannel | Amazon Simple Storage Service (Amazon S3) bucket policy lacks permission to write into the target bucket. | Check the Amazon S3 bucket policy, and then verify that it allows the config.amazonaws.com service to write into the target bucket. Then, review the IAM entity permission, and then use the AWS Config Full access policy. Finally, verify that the IAM entity has the s3:GetBucketAcl and s3:PutObject* permissions for the target bucket. |
InvalidParameterValueException | Your configuration aggregator contains duplicate accounts. Delete the duplicate accounts and try again. | PutConfigurationAggregator | Your configuration aggregator contains duplicate accounts. | If you added a new aggregator or edited an existing one using the same account ID, delete the duplicate account, and then try again. For more information, see Setting up an aggregator using the console. |
AccessDenied | The user:arn:aws:sts::Example_Account_ID:assumed-role/Example_IAM_Role_Name is not authorized to perform: config:PutConfigurationRecorder with an explicit deny. | PutConfigurationRecorder | An AWS Control Tower preventive guardrail is enforced with AWS Organizations using Service Control Policies (SCPs) that disallow configuration changes to AWS Config. | Verify AWS resource access with your primary account administrators. |
InvalidParameterValueException | RemediationConfiguration(s) for AWS Config Rule(s) <Config_Rule_Name> are missing required document parameters. Specify all required document parameters and try again. | PutRemediationConfigurations | The required Systems Manager parameter is empty, or one or more of the specified parameters aren't valid. | Add the required Systems Manager parameters. For more information, see Systems Manager Automation runbook reference. |
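A first-pass check for the InsufficientDeliveryPolicyException row above, as an added example that is not AWS's own code: it reads a bucket policy document and reports which of the two S3 actions named on this page are not granted to config.amazonaws.com. The function names, bucket name, and sample policy are constructed for illustration, and Resource and Condition elements are not evaluated.

```python
import fnmatch

CONFIG_PRINCIPAL = "config.amazonaws.com"
REQUIRED_ACTIONS = ("s3:GetBucketAcl", "s3:PutObject")  # actions named on this page

# Constructed sample: grants the ACL check but not object writes.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::example-config-bucket",
    }],
}


def as_list(value):
    """Policy elements may be one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def applies_to_config(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and CONFIG_PRINCIPAL in as_list(principal.get("Service"))


def matches(statement, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in as_list(statement.get("Action")))


def missing_config_actions(policy):
    """Return required actions that are not allowed, or are explicitly denied."""
    statements = [s for s in as_list(policy.get("Statement")) if applies_to_config(s)]
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and matches(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and matches(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    print(missing_config_actions(SAMPLE_POLICY))
```

An empty result means both actions are granted to the service principal; it does not confirm that the Resource ARNs or any Condition keys match the delivery channel's bucket and prefix.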
We are unable to complete the request at this time. Try again later or contact AWS Support.
This error can occur if you exceed the AWS Config aggregator limit, or if you're calling the StartConfigRulesEvaluation API more than one time every minute.
AWS API Error Code | CloudTrail Error Message | Related AWS Config API | Description | Resolution |
LimitExceededException | The configuration aggregator '<aggregator_name>' could not be created because the account already contains '50' configuration aggregators. Consider deleting configuration aggregators or contact AWS Config to increase the limit. | PutConfigurationAggregator | This error indicates that the number of the aggregators exceeds the limit. | The default limit for configuration aggregators is 50. You can either delete an aggregator or request a limit increase. For more information, see Service limits. |
LimitExceededException | You have exceeded the maximum request rate. Try again at a later time. | StartConfigRulesEvaluation | This error indicates that you're calling the StartConfigRulesEvaluation API more than one time every minute, or that another evaluation is in progress. | The StartConfigRulesEvaluation API call is limited to one time every minute. Wait for the current evaluation to complete, or wait one minute, and then try again. |
AWS Config is currently experiencing unusually high traffic. Try your request again or contact AWS Support.
This error can occur if you are using the API call GetResourceConfigHistory or ListDiscoveredResources with automation.
AWS API Error Code | CloudTrail Error Message | Related AWS Config API | Description | Resolution |
ThrottlingException | Rate exceeded | GetResourceConfigHistory | Using the API call GetResourceConfigHistory with automation can cause an issue if the allowed limit is exceeded. | If your automation retrieves the old state of your resources, then use the earlierTime parameter to limit the history period. Limit the history period using a timestamp with the GetResourceConfigHistory API. Or, if your automation determines the current configuration of your resources, consider using the BatchGetResourceConfig API call instead of GetResourceConfigHistory. |
ThrottlingException | Rate exceeded | ListDiscoveredResources | Using the API call ListDiscoveredResources with an automation can cause an issue if there is a high rate within a short interval that exceeds the throttle rate in the account per Region. | Reduce the frequency of API calls by implementing a sleep time. For more information, see Managing AWS Lambda function concurrency. |
Note: In addition to these best practices, you can also implement exponential backoff, and then retry your request.
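The exponential backoff mentioned in the note, applied to paging through ListDiscoveredResources, as an added example that is not AWS's own code. It assumes a boto3 AWS Config client (or any object with the same list_discovered_resources method) and botocore's ClientError shape, where the error code is at response["Error"]["Code"]; the helper names and default delays are illustrative.

```python
import random
import time

# Error code this page lists for throttled AWS Config calls.
RETRYABLE_CODES = {"ThrottlingException"}


def error_code(exc):
    """Read the AWS error code from a botocore ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def call_with_backoff(call, max_attempts=6, base=0.5, cap=30.0,
                      sleep=time.sleep, rng=random.random):
    """Run call(); on throttling wait up to base * 2**attempt seconds
    (capped, with full jitter) and retry. Other errors, and the last
    throttling error once attempts run out, are re-raised."""
    for attempt in range(max_attempts):
        try:
            return call()
        except Exception as exc:
            if error_code(exc) not in RETRYABLE_CODES or attempt == max_attempts - 1:
                raise
            sleep(rng() * min(cap, base * 2 ** attempt))


def list_all_resources(client, resource_type, **retry_opts):
    """Page through ListDiscoveredResources, retrying each page on throttling."""
    identifiers, token = [], None
    while True:
        kwargs = {"resourceType": resource_type}
        if token:
            kwargs["nextToken"] = token
        page = call_with_backoff(
            lambda: client.list_discovered_resources(**kwargs), **retry_opts)
        identifiers.extend(page.get("resourceIdentifiers", []))
        token = page.get("nextToken")
        if not token:
            return identifiers
```

With boto3, the client would be created with boto3.client("config") and passed in along with a resource type such as "AWS::EC2::Instance".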
An unexpected internal error occurred with AWS Config. Try again or contact AWS Support if the error persists.
This error can occur if you switched to a different AWS Region, or attempted to delete a remediation while there is a remediation in progress.
AWS API Error Code | CloudTrail Error Message | Related AWS Config API | Description | Resolution |
NoSuchConfigRuleException | The ConfigRule '<Config rule name>' provided in the request isn't valid. Please check the configRule name. | GetComplianceDetailsByConfigRule | You might receive this error in AWS Config rules if you switched to a different AWS Region, because the rule doesn't exist in that Region. | Switch back to the AWS Region that contains the AWS Config rule. For more information, see Choosing a Region. |
RemediationInProgressException | Remediation action is in progress. | DeleteRemediationConfiguration | You deleted a remediation while there is a remediation in progress. | If you deleted a remediation action when a remediation was in progress, you can cancel the execution with the stop-automation-execution command. Or, you can wait, and then try again later. |
NoSuchRemediationConfigurationException | No RemediationConfiguration for rule EXAMPLE_Config_Rule_Name exists. | DeleteRemediationConfiguration | The PutRemediationConfigurations API call ResourceType parameter was specified in creation but not in deletion. | If you use the ResourceType parameter in the PutRemediationConfigurations API, you must also use the ResourceType parameter in the DeleteRemediationConfiguration API. |