# Appendix 3 – Troubleshooting Issues While Onboarding

During onboarding, a number of issues may arise. These may occur during the CloudFormation setup step, or they may occur after finishing the connection setup.

## CloudFormation Link is Malformed

In some cases, when CloudFormation links are sent via Teams chat, the URL becomes malformed and the fields do not copy over correctly from Vectra Detect. In these cases, you can enter the field values manually by copying them from the manual entry section.

Some customers also use URL rewriting, which can be applied to links sent via email and other channels. In rare cases, URL rewriting and the subsequent decoding can damage the URL. If you have issues with the URL, compare the original URL as copied with the URL after decoding in an editor that shows all formatting, so that any malformation becomes visible.
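The comparison described above, as an added example that is not part of the original guide: it unwraps a rewritten link and reports, field by field, where the decoded URL differs from the one copied from Vectra Detect. The wrapper format (`?u=<percent-encoded link>`), the console link layout and all parameter values are constructed placeholders, not real Vectra values.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a console link as copied (placeholder values) ...
ORIGINAL_URL = (
    "https://console.aws.amazon.com/cloudformation/home?region=us-east-1"
    "#/stacks/create/review?stackName=ExampleStack"
    "&param_ExternalId=EXAMPLE-EXTERNAL-ID&param_VectraAccountId=123456789012"
)
# ... and the same link after an assumed rewriting service wrapped it. The
# rewriter double-encoded '#' as %2523, so one round of decoding loses the '#'.
REWRITTEN_URL = (
    "https://rewriter.example/redirect?u="
    "https%3A%2F%2Fconsole.aws.amazon.com%2Fcloudformation%2Fhome%3Fregion%3Dus-east-1"
    "%2523%2Fstacks%2Fcreate%2Freview%3FstackName%3DExampleStack"
    "%26param_ExternalId%3DEXAMPLE-EXTERNAL-ID%26param_VectraAccountId%3D123456789012"
)


def split_fields(url):
    """Break a console link into comparable pieces. The stack parameters live
    in the fragment (after '#'), which is the part rewriting damages most often."""
    parts = urlsplit(url)
    frag_path, _, frag_query = parts.fragment.partition("?")
    return {
        "host": parts.netloc,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "fragment_path": frag_path,
        "fragment_params": parse_qs(frag_query, keep_blank_values=True),
    }


def unwrap(rewritten_url, param="u"):
    """Pull the wrapped link out of a rewritten URL (assumed wrapper format).
    parse_qs percent-decodes exactly once, like a typical decoder would."""
    return parse_qs(urlsplit(rewritten_url).query).get(param, [""])[0]


def diff_fields(original_url, decoded_url):
    """Return {field: (original, decoded)} for every field that differs;
    an empty dict means the decoded link is intact."""
    a, b = split_fields(original_url), split_fields(decoded_url)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for field, (orig, dec) in diff_fields(ORIGINAL_URL, unwrap(REWRITTEN_URL)).items():
        print(f"{field}:\n  copied : {orig}\n  decoded: {dec}")
```

In the constructed case the lost `#` folds every stack parameter into the `region` query string, so the report shows empty fragment parameters and an unexpected `region` value.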

## CloudTrail S3 Bucket has Pre-existing Event Notifications Enabled

If your CloudTrail S3 bucket already has an event notification configured, a small amount of additional setup is needed to support this.

If the pre-existing event notification is an SNS topic, Vectra can subscribe to that same SNS topic: specify the SNS topic ARN in the CloudFormation setup step, or reference it in the credential submission step if following the manual flow.

If the pre-existing event notification is an SQS queue, then you should:

* Create a new SNS topic.
* Subscribe your existing SQS queue to your new SNS topic.
* Unsubscribe your SQS queue from your S3 bucket.
* Subscribe your new SNS topic to the S3 bucket.
* Reference this new SNS topic in the CDR for AWS Setup.

This may result in a short gap in event notifications reaching your SQS queue. If that is unacceptable, bucket replication may be a feasible alternative.

## Connection Error Messages

You may see **Logs not flowing** or other error messages from an AWS CloudTrail connection. Hover over the message to see the full reason. Some are self-explanatory, while others have additional guidance below:

**We could not subscribe the SNS topic to your CloudTrail S3 bucket, please confirm the Vectra role has the required permissions.**

**We were not able to fetch logs from the CloudTrail S3 bucket, please confirm the Vectra role has the required permissions to access or decrypt this data.**

**Invalid IAM Role. Please check that the External ID and Vectra's AWS Account ID were correctly entered in AWS.**

* If the details are correct, please try the following:
  * The IAM role may not be configured correctly.

    Review [The Permissions Vectra Requires in your AWS Account](https://docs.vectra.ai/deployment/cdr-for-aws/appendix-1-aws-configuration-notes#the-permissions-vectra-requires-in-your-aws-account), correct any misconfigurations in the IAM role, and then resubmit the details in the AWS data source connector.

    To resubmit the details, edit the connector, re-add the details, and click **Save**.

**The SNS topic is not in the same region as the S3 bucket. Please ensure the CloudFormation script runs on the same region that the S3 bucket was created on, or if it was created manually, make sure to create the SNS topic on the same region.**

**Unable to add SNS topic subscription to this S3 bucket due to a pre-existing subscription. Please specify this in the CloudFormation setup, otherwise, follow instructions in the CDR for AWS Deployment Guide.**

* See the pre-existing notifications section above.

**We weren't able to subscribe to the SNS topic specified, please confirm the Vectra role has the required permissions.**

**Something went wrong with the connection to AWS. Contact Vectra support to fix this issue.**

**Logs Flowing, but Filtering Detected**

* If you see this status message, the connection is successful and Vectra is processing CloudTrail logs.
* However, a filter is applied to this SNS topic, which means Vectra may not be notified of every new CloudTrail log added to your S3 bucket.
* Frequently, this is caused by a filter on the SNS topic that only raises notifications for files in the CloudTrail format of `json.gz`, but we recommend confirming this.
* If the filter limits which CloudTrail log data Vectra is notified of, your security coverage will be reduced.
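An added example, not part of the original guide or Vectra's tooling, covering two items on this page: the "unsubscribe the SQS queue, subscribe the new SNS topic" steps of the pre-existing notifications procedure, and the filter confirmation asked for here. It works on the JSON shape that `s3:GetBucketNotificationConfiguration` returns; the bucket, queue and topic ARNs are constructed placeholders.

```python
import copy
import json

# Constructed sample of a bucket notification configuration for a CloudTrail
# bucket that already notifies an SQS queue directly (placeholder ARNs).
SAMPLE_CONFIG = {
    "QueueConfigurations": [{
        "Id": "existing-sqs",
        "QueueArn": "arn:aws:sqs:us-east-1:111122223333:existing-queue",
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [
            {"Name": "prefix", "Value": "AWSLogs/111122223333/CloudTrail/"},
            {"Name": "suffix", "Value": ".json.gz"},
        ]}},
    }]
}


def move_queue_to_topic(config, queue_arn, topic_arn):
    """Return a new configuration in which the SQS destination is replaced by
    an SNS topic carrying the same events and filter rules. Because S3 replaces
    the whole configuration on PutBucketNotificationConfiguration, writing this
    result performs the 'unsubscribe SQS' and 'subscribe SNS' steps in one call;
    the queue keeps receiving events through its subscription to the topic."""
    new = copy.deepcopy(config)
    queues = new.get("QueueConfigurations", [])
    moved = [q for q in queues if q["QueueArn"] == queue_arn]
    if not moved:
        raise ValueError(f"no queue configuration for {queue_arn}")
    remaining = [q for q in queues if q["QueueArn"] != queue_arn]
    if remaining:
        new["QueueConfigurations"] = remaining
    else:
        del new["QueueConfigurations"]
    topics = new.setdefault("TopicConfigurations", [])
    for q in moved:
        topic = {"Id": q.get("Id", "sqs") + "-via-sns", "TopicArn": topic_arn,
                 "Events": q["Events"]}
        if "Filter" in q:  # keep prefix/suffix rules so coverage is unchanged
            topic["Filter"] = q["Filter"]
        topics.append(topic)
    return new


def filter_rules(config):
    """List (destination ARN, rule name, value) for every key filter that limits
    which objects trigger a notification; an empty list means no filtering."""
    kinds = (("TopicConfigurations", "TopicArn"), ("QueueConfigurations", "QueueArn"),
             ("LambdaFunctionConfigurations", "LambdaFunctionArn"))
    return [(d[arn], r["Name"], r["Value"]) for kind, arn in kinds
            for d in config.get(kind, [])
            for r in d.get("Filter", {}).get("Key", {}).get("FilterRules", [])]
```

Feed the output of `move_queue_to_topic` to `put-bucket-notification-configuration`, and use `filter_rules` on either configuration to confirm exactly which prefix or suffix rules restrict the notifications Vectra receives.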

## Enabling STS in AWS Regions Created After 2019

Session tokens from the global AWS Security Token Service (STS) endpoint are not valid in AWS Regions created after 2019 by default. The resolution is to change the region compatibility of session tokens for global endpoints to **Valid in all AWS Regions** if you will deploy in any of the following Regions (AWS could add additional Regions to this list in the future).

* Africa (Cape Town)
* Asia Pacific (Hong Kong)
* Europe (Milan)
* Middle East (Bahrain)

To enable or check the status of STS for your Region:

* In the IAM Console, navigate to **Account Settings** under **Access Management**.
* Navigate to **Security Token Service (STS)**.
* Find the **Global endpoint** option.
* Check if this is **Valid in all AWS Regions** or **Only valid in AWS Regions enabled by default**.
* Select **Valid in all AWS Regions** if needed and **Save Changes**.
