Skip to main content

Illumio Segmentation for the Cloud User Guide

AWS Onboarding Troubleshooting Tips

Having onboarding issues? Use these troubleshooting tips to resolve your onboarding errors.

Onboarding Status

The Onboarding page summarizes onboarding statuses as one of the following:

Status

Description

Action

Complete

Accounts have both resource access and flow log access fully enabled. These accounts are fully onboarded and ready for monitoring and insights.

No action required

Partially Complete

Accounts have resource access enabled, but flow logs are missing, disabled, or only partially enabled.

Click the Issues column for details and how to troubleshoot.

Incomplete

Accounts are missing either resource access, flow log access, or both.

Click the Issues column for details and how to troubleshoot.

To filter the Onboarding Status table, click a status cards at the top of the page.

Onboarding Setup Errors
Onboarding Wizard Did Not Complete

Onboarding Wizard Did Not Complete: Continue your onboarding tasks.

CloudFormation Task Errors
CloudFormation Stack Deployment in Progress

  1. Wait for the AWS CloudFormation stack creation to complete.

    This can take about 10 minutes.

  2. In AWS CloudFormation, monitor the Events tab for errors.

  3. If stack creation completes and Illumio Onboarding does not update, the Illumio Lambda function might have produced an error.

  4. Check CloudWatch Logs for the Illumio callback Lambda function for errors:

    1. Navigate to CloudWatch.

    2. Click Log management.

    3. Search Log groups for IllumioCloudAPICallFunct.

    4. Click the Log group for the Lambda function for IllumioCloudAPICallFunct.

    5. Click the Log stream.

    6. Search for "Status":"FAILED".

      create_stack_search_log_failure.png

  5. If the callback Lambda function failed, return to the Illumio Onboarding wizard.

  6. In the Illumio Onboarding wizard's Set up Access step, click Create IAM Roles on AWS.

  7. In the AWS CloudFormation Quick create stack page, enter a new stack name, acknowledge the capabilities, and click Create Stack.

  8. Complete the onboarding.

StackSet Deployment in Progress

  1. In AWS CloudFormation StackSets, wait for all stack instances to reach CURRENT status.

  2. For failed instances, check the Operations tab for error details.

  3. Fix common errors:

    1. Verify that CloudFormation is enabled for the target storage accounts in CloudFormation Console > StackSets.

    2. Verify the IAM permissions for the member accounts.

  4. In AWS CloudFormation > StackSets, select the StackSet that contains failed instances.

  5. From the Actions menu, select EditStackSet details to rerun the operation.

  6. On the Specify template page, choose Use current template.

  7. Follow the wizard and accepting existing parameters on the Specify stack details page.

  8. On the Set deployment options page, confirm the settings.

  9. On the Review page, acknowledge the required IAM capabilities and submit.

  10. After all instances complete, verify that Illumio received the callback.

CloudFormation Stack Deployment Failed

  1. Identify the root cause from the CloudFormation Events tab.

  2. For IAM conflicts:

    1. In AWS Console, navigate to Roles.

    2. Search for and click the IllumioCloudIntegrationRole.

    3. In the resulting page for that role, click Delete and enter the role name to confirm deletion.

  3. Rerun the onboarding process from the Illumio Console.

  4. For 401 issues on cloudwatch logs when calling Illumio's API, check the tenantId, serviceAccountKeyId and serviceAccountKeyToken pairs. Make sure these match the contents of the Illumio Service Account credentials you downloaded.

  5. Rerun the onboarding process from the Illumio Console.

Inventory Onboarding Errors
Credential Error (Status Code 401)

  1. If the required IAM role is missing, run the Illumio‑provided CloudFormation template. This recreates the required IAM role with the correct permissions and trust policy.

  2. If there is an External ID mismatch, open the AWS Console and go to :IAM → Roles → [Your Illumio Role]

  3. Select the role and open the Trust relationships tab.

  4. Click Edit trust policy.

  5. Locate the sts:ExternalId entry and update its value to match the correctserviceAccountKeyId provided by Illumio for download from the onboarding wizard.

  6. Save your changes.

Permission Error (Status Code 403)

  1. Browse to the Permissions for Onboarding AWS topic in the Illumio documentation. 

  2. Download the permissions file from the Updating AWS permissions on the Assume Role section.

  3. In AWS, navigate to IAM > Roles.

  4. Search for and click the IllumioCloudIntegrationRole.

  5. Click IllumioCloudAWSIntegrationPolicy.

  6. Copy any missing permissions from the downloaded permissions file and paste them into the policy.

  7. Click Next.

  8. Click Save changes.

Flow Errors

Insufficient S3 Permissions

Watch video

Flow Log Configuration Missing Required Fields

Watch video

Incorrect Flow Log File Format

Watch video

Flows Partially Enabled

Watch video

Flows Not Reachable

Watch video

Flows Not Enabled

Watch video

Insufficient S3 Permissions

  1. In the IAM console, go to Roles, and then select the Illumio role.

  2. Open the Permissions tab.

  3. Modify the IllumioCloudBucketListPolicy policy:

    1. Add your flow log S3 bucket ARNs to the Resource list:

      • arn:aws:s3:::your-flow-log-bucket-name

      • arn:aws:s3:::your-flow-log-bucket-name/*

    2. Update the IllumioCloudBucketGetLocationPolicy and IllumioCloudBucketReadPolicy policies with the same ARNs.

  4. (Optional) Rerun the Illumio CloudFormation template to automatically update all required permissions.

  5. Confirm that the S3 bucket policy does not contain any explicit deny statements that apply to the Illumio role.

Flow Log Configuration Missing Required Fields

  1. In AWS Console, navigate to VPC > Flow Logs

  2. Note the current flow log configuration (destination, filter, and so on). 

  3. Delete the incompatible flow log: 

  4. Create a new flow log with the required format: 

    1. Click Create flow log

    2. Select the same VPC. 

    3. Choose Custom format and include all required fields. 

    4. Use the same S3 destination bucket. 

Incorrect Flow Log File Format

  1. In the AWS Management Console, open VPC, select your VPC and then select Flow logs.

  2.  Review and record the existing flow log configuration details.

  3. Delete the flow log that uses the Parquet log file format.

  4. Create a new flow log:

    1. Select Create flow log.

    2. Configure the log with the same VPC, subnet, or ENI, and use the same S3 destination.

    3. In Log record format, select Custom and Select all.

    4. In Log file format, select Text.

    5. Verify that all required fields are included in the configuration.

Flows Partially Enabled

  1. Navigate to Illumio Console > Cloud > Onboarding > Flow Log Access.

  2. Identify the S3 buckets with pending access.

  3. Click Grant Access for each pending bucket.

  4. Click the link provided in the Illumio dialog box and run the CFT.

Flows Not Reachable

  1. In the AWS Management Console, go to AWS Organizations.

  2. Select Policies.

  3. Select Service control policies.

  4. Locate the Service Control Policy (SCP) that is preventing Illumio from accessing Amazon S3.

  5. Update the SCP to allow the Illumio IAM role to access the required S3 resources in one of the following ways:

    • Add a condition that exempts the Illumio IAM role ARN.

    • Update the existing deny statement to exclude the S3 actions required by Illumio.

  6. Save and apply the updated SCP.

  7. Allow a few minutes for the policy changes to propagate across the organization.

  8. In the Illumio Console, verify that flow ingestion resumed.

Flows Not Enabled

  1. In the AWS Management Console, open VPC, select your VPC and then select Flow logs.

  2. Create a new flow log:

    1. Select Create flow log.

    2. Configure the log with the same VPC and use the same S3 destination ARN.

    3. In Log record format, select Custom and Select all.

    4. In Log file format, select Text.

    5. Verify that all required fields are included in the configuration.