AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2025-05-19 · Security-related medium

File: AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md

Summary

Added two new troubleshooting sections: 'Troubleshooting a canary on a VPC' and 'Troubleshooting an auto retry canary'. Expanded documentation about VPC-related permissions requirements, subnet configurations, and error analysis workflows.

Security assessment

The VPC troubleshooting section explicitly addresses security-related configurations including required EC2 network interface permissions (ec2:CreateNetworkInterface etc.) and emphasizes using private subnets without internet gateways. These changes help prevent security misconfigurations that could expose resources or cause access denials. The documentation of required IAM permissions directly relates to security controls.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md
index bb3f32c04..844cb6dbd 100644
--- a//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md
+++ b//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md
@@ -5 +5 @@
-Canary fails after Lambda environment updateMy canary is blocked by AWS WAFWaiting for an element to appearNode is either not visible or not an HTMLElement for page.click() Unable to upload artifacts to S3, Exception: Unable to fetch S3 bucket location: Access Denied Error: Protocol error (Runtime.callFunctionOn): Target closed. Canary Failed. Error: No datapoint - Canary Shows timeout error Trying to access an internal endpointCanary runtime version upgrade and downgrade issuesCross-origin request sharing (CORS) issueCanary race condition issues
+Canary fails after Lambda environment updateMy canary is blocked by AWS WAFWaiting for an element to appearNode is either not visible or not an HTMLElement for page.click() Unable to upload artifacts to S3, Exception: Unable to fetch S3 bucket location: Access Denied Error: Protocol error (Runtime.callFunctionOn): Target closed. Canary Failed. Error: No datapoint - Canary Shows timeout error Trying to access an internal endpointCanary runtime version upgrade and downgrade issuesCross-origin request sharing (CORS) issueCanary race condition issuesTroubleshooting a canary on a VPCTroubleshooting an auto retry canary
@@ -54 +54,3 @@ By default, CloudWatch Synthetics captures screenshots for each step in a UI can
-  * [Troubleshooting a canary on a VPC](./CloudWatch_Synthetics_Canaries_VPC_troubleshoot.html)
+  * Troubleshooting a canary on a VPC
+
+  * Troubleshooting an auto retry canary
@@ -239,0 +242,67 @@ For the best experience when using CloudWatch Synthetics, ensure that the code w
+## Troubleshooting a canary on a VPC
+
+If you have issues after creating or updating a canary on a VPC, one of the following sections might help you troubleshoot the problem.
+
+### New canary in error state or canary can't be updated
+
+If you create a canary to run on a VPC and it immediately goes into an error state, or you can't update a canary to run on a VPC, the canary's role might not have the right permissions. To run on a VPC, a canary must have the permissions `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces`, and `ec2:DeleteNetworkInterface`. These permissions are all contained in the `AWSLambdaVPCAccessExecutionRole` managed policy. For more information, see [Execution Role and User Permissions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions).
+
+If this issue happened when you created a canary, you must delete the canary, and create a new one. If you use the CloudWatch console to create the new canary, under **Access Permissions** , select **Create a new role**. A new role that includes all permissions required to run the canary is created.
+
+If this issue happens when you update a canary, you can update the canary again and provide a new role that has the required permissions.
+
+### "No test result returned" error
+
+If a canary displays a "no test result returned" error, one of the following issues might be the cause: 
+
+  * If your VPC does not have internet access, you must use VPC endpoints to give the canary access to CloudWatch and Amazon S3. You must enable the **DNS resolution** and **DNS hostname** options in the VPC for these endpoint addresses to resolve correctly. For more information, see [Using DNS with Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html) and [Using CloudWatch and CloudWatch Synthetics with interface VPC endpoints ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html).
+
+  * Canaries must run in private subnets within a VPC. To check this, open the **Subnets** page in the VPC console. Check the subnets that you selected when configuring the canary. If they have a path to an internet gateway (**igw-**), they are not private subnets.
+
+
+
+
+To help you troubleshoot these issues, see the logs for the canary.
+
+###### To see the log events from a canary
+
+  1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
+
+  2. In the navigation pane, choose **Log groups**.
+
+  3. Choose the name of the canary's log group. The log group name starts with `/aws/lambda/cwsyn-`canary-name``.
+
+
+
+
+## Troubleshooting an auto retry canary
+
+To understand why your canary is failing or to analyze specific failed attempts, follow these troubleshooting steps.
+
+  1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
+
+  2. In the navigation pane, choose **Application Signals** , **Synthetics Canaries**.
+
+  3. Choose the **Canary**.
+
+  4. Under the **Availability** tab, you can examine the run details by either:
+
+     * Selecting a specific point on the Canary Runs graph
+
+     * Under **Issues** , selecting a record. Note that retry attempts are tagged and share timestamps with their scheduled runs
+
+You can view additional information under **Steps** , **Screenshot** , **Logs** , **HAR file** , or **Traces (if active tracing is enabled)**.
+
+  5. Under **Canary artifacts and Amazon S3 location** , you can access the artifact and navigate to the Amazon S3 folders or buckets through the available links.
+
+  6. The **Canary runs** graph uses different colored points to indicate various status:
+
+     * Blue Points – Indicates successful scheduled runs with a consistent value of 100%
+
+     * Red Points – Displays failure of both scheduled runs and all retries, marked at 0%
+
+     * Orange Points – Displays either 0% or 100%. 0% indicates ongoing retry following previous attempt failures and 100% means success was achieved after retrying
+
+
+
+
@@ -248 +317 @@ Test a canary locally
-Troubleshooting a canary on a VPC
+Sample code for canary scripts