How can I troubleshoot AWS Config console error messages?

7 minute read
0

My AWS Config console returns an error or isn't working as expected. 

Short description

If you perform an action in the AWS Config console and receive one of the following error messages, then see the related section for troubleshooting:

  • "An error has occurred with AWS Config. Contact AWS Support."
  • "We are unable to complete the request at this time. Try again later or contact AWS Support."
  • "AWS Config is currently experiencing unusually high traffic. Try your request again or contact AWS Support."
  • "An unexpected internal error occurred with AWS Config. Try again or contact AWS Support if the error persists."

Resolution

An error has occurred with AWS Config. Contact AWS Support.

This can occur if the AWS Identity and Access Management (IAM) entity performing an action on the AWS Config console doesn't have the necessary permissions. For example, config:PutConfigRule, iam:PassRole, or ssm:ListDocuments permissions. This error also can occur if your AWS Config aggregator contains duplicate accounts or if AWS Systems Manager parameters aren't valid.

AWS API Error CodeCloudTrail Error MessageRelated AWS Config APIDescriptionResolution
InsufficientDeliveryPolicyExceptionInsufficient delivery policy to s3 bucket:<Bucket Name>, unable to write to bucket, provided s3 key prefix is 'null'.PutDeliveryChannelAmazon Simple Storage Service (Amazon S3) bucket policy lacks permission to write into the target bucket.Check the Amazon S3 bucket policy, and then verify that it allows the config.amazonaws.com service to write into the target bucket. Then, review the IAM entity permission, and then use the AWS Config Full access policy. Finally, verify that the IAM entity has permissions to write to the s3:GetBucketAcl and s3:PutObject* buckets.
InvalidParameterValueExceptionYour configuration aggregator contains duplicate accounts. Delete the duplicate accounts and try again.PutConfigurationAggregatorYour configuration aggregator contains duplicate accounts.If you added a new aggregator or edited an existing one using the same account ID, delete the duplicate account, and then try again. For more information, see Setting up an aggregator using the console.
AccessDeniedThe user:arn:aws:sts::Example_Account_ID:assumed-role/Example_IAM_Role_Name is not authorized to perform: config:PutConfigurationRecorder with an explicit deny.PutConfigurationRecorderAn AWS Control Tower preventive guardrail is enforced with AWS Organizations using Service Control Policies (SCPs) that disallow configuration changes to AWS Config.Verify AWS resource access with your primary account administrators.
InvalidParameterValueExceptionRemediationConfiguration(s) for AWS Config Rule(s) <Config_Rule_Name> are missing required document parameters. Specify all required document parameters and try again.PutRemediationConfigurationsThe required Systems Manager parameter is empty, or one or more of the specified parameters aren't valid.Add the required Systems Manager parameters. For more information, see Systems Manager Automation runbook reference.

We are unable to complete the request at this time. Try again later or contact AWS Support.

This error can occur if you exceed the AWS Config aggregator limit, or if you're calling the StartConfigRulesEvaluation API more than one time every minute.

AWS API Error CodeCloudTrail Error MessageRelated AWS Config APIDescriptionResolution
LimitExceededExceptionThe configuration aggregator '<aggregator_name>' could not be created because the account already contains '50' configuration aggregators. Consider deleting configuration aggregators or contact AWS Config to increase the limit."PutConfigurationAggregatorThis error indicates that the number of the aggregators exceeds the limit.The default limit for configuration aggregators is 50. You can either delete an aggregator or request a limit increase. For more information, see Service limits.
LimitExceededExceptionYou have exceeded the maximum request rate. Try again at a later time.StartConfigRulesEvaluationThis error indicates you're calling the StartConfigRulesEvaluation API more than one time every minute, or when another evaluation is in progress.The StartConfigRulesEvaluation API call is limited to one time every minute. Wait for the current evaluation to complete, or wait one minute, and then try again.

AWS Config is currently experiencing unusually high traffic. Try your request again or contact AWS Support.

This error can occur if you are using the API call GetResourceConfigHistory or ListDiscoveredResources with automation.

AWS API Error CodeCloudTrail Error MessageRelated AWS Config APIDescriptionResolution
ThrottlingExceptionRate exceededGetResourceConfigHistoryUsing the API call GetResourceConfigHistory with automation can cause an issue if the allowed limit is exceeded.If your automation retrieves the old state of your resources, then use the earlierTime parameter to limit the history period. Limit the history period using a timestamp with the GetResourceConfigHistory API. Or, if your automation determines the current configuration of your resources, consider using the BatchGetResourceConfig API call instead of GetResourceConfigHistory.
ThrottlingExceptionRate exceededListDiscoveredResourcesUsing the API call ListDiscoveredResources with an automation can cause an issue if there is a high rate within a short interval that exceeds the throttle rate in the account per Region.Reduce the frequency of API calls by implementing a sleep time. For more information, see Managing AWS Lambda function concurrency.

Note: In addition to these best practices, you can also implement exponential backoff, and then retry your request.

An unexpected internal error occurred with AWS Config. Try again or contact AWS Support if the error persists

This error can occur if you switched to a different AWS Region, or attempted to delete a remediation while there is a remediation in progress.

AWS API Error CodeCloudTrail Error MessageRelated AWS Config APIDescriptionResolution
NoSuchConfigRuleExceptionThe ConfigRule '<Config rule name>' provided in the request isn't valid. Please check the configRule name.GetComplianceDetailsByConfigRuleYou might receive this error in AWS Config rules if you switched to a different AWS Region, because the rule doesn't exist in that Region.Switch back to the AWS Region that contains the AWS Config rule. For more information, see Choosing a Region.
RemediationInProgressExceptionRemediation action is in progress.DeleteRemediationConfigurationYou deleted a remediation while there is a remediation in progress.If you deleted a remediation action when a remediation was in progress, you can cancel the execution with the stop-automation-execution command. Or, you can wait, and then try again later.
NoSuchRemediationConfigurationExceptionNo RemediationConfiguration for rule EXAMPLE_Config_Rule_Name exists.DeleteRemediationConfigurationThe PutRemediationConfigurations API call ResourceType parameter was specified in creation but not in deletion.If you use the ResourceType parameter in the PutRemediationConfigurations API, you must also use the ResourceType parameter in the DeleteRemediationConfiguration API.

Related information

AWS Config common errors

AWS CloudTrail common errors

AWS Lambda errors

Working with CloudTrail log files

Troubleshooting Systems Manager Automation

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago