Domain 1 of 6 · Chapter 3 of 3

Troubleshooting Detection

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • The telemetry chain: producer, delivery, consumer
  • Missing logs: execution roles and account settings
  • Denied delivery: CloudTrail, KMS, and the CloudWatch agent
  • Findings that never fire: coverage and routing gaps
  • Exam-pattern recognition

Missing-telemetry symptom to first root cause to check

SymptomMost likely root causeWhere to lookTypical fix
Lambda emits no logsExecution role lacks logs:* permissionsFunction execution role policyAttach AWSLambdaBasicExecutionRole or the three logs: actions
API Gateway access logs emptyAccount CloudWatch Logs role ARN not setAPI Gateway account settings + stage loggingSet the account role ARN, enable stage logging, set log format
CloudTrail not delivering to S3Bucket policy or KMS key policy denies CloudTrailDestination bucket policy + key policyAllow cloudtrail.amazonaws.com PutObject and kms:GenerateDataKey
CloudWatch agent metrics missingBad agent config or instance roleAgent config / SSM parameter + instance roleFix the config JSON, grant PutMetricData, restart the agent
GuardDuty finding never firedData source off or account not enrolledProtection plans + Organizations membersEnable the data source, auto-enroll the member account
Alarm did not triggerMetric filter pattern or threshold wrongMetric filter + alarm definitionCorrect the filter pattern and the alarm threshold/missing-data rule

Decision tree

Managed-service finding?GuardDuty / Security Hub / ConfigNo (log/metric)YesRaw record at destination?read log group / S3 objectEnabled, Region, data source?SLR intact + member enrolledNoYesProducer / delivery faultgrant logs:* on the role, or fixbucket / KMS key / account role ARNConsumer faultfix metric filter patternor alarm thresholdNoYesCoverage gapenable service / Region / data source(e.g. GuardDuty S3 Protection)Finding in console?but no action ranNoYesSuppression ruleauto-archived the findingFix EventBridge patternrule did not match the event

Cheat sheet

  • A Lambda that emits no logs is missing logs: permissions on its role
  • API Gateway logging needs a one-per-Region account role ARN
  • CloudTrail delivery to S3 depends on the destination bucket policy
  • An encrypted CloudTrail also needs a KMS key grant to deliver
  • The CloudWatch agent is the only source of EC2 memory and disk metrics
  • The CloudWatch agent can load its config from SSM Parameter Store
  • Detection services go quiet when their service-linked role is broken
  • Detection services are Regional, so enable them in every Region you use
  • GuardDuty's foundational data sources do not include S3 data events
  • A new member account contributes no findings unless auto-enable is on
  • A finding that fires but triggers nothing is an EventBridge pattern miss
  • An expected finding that vanished is often an over-broad suppression rule
  • If the raw log exists but no alarm fired, fix the consumer not the pipeline
  • Isolate the broken link before changing any configuration
  • A missing log is a permission problem far more often than a feature problem
  • A Lambda in a private subnet cannot reach CloudWatch Logs without an egress path
  • A flow log Access Error to CloudWatch Logs is the IAM role's trust policy, not its permissions
  • A flow log to an SSE-KMS bucket needs the full KMS key ARN, not the key ID
  • Flow logs to an SSE-KMS bucket need the KMS key policy to allow the log delivery account
  • CloudTrail SSE-KMS needs the key in the bucket's Region, kms:Decrypt for readers, and an enabled key
  • Metric filters are case-sensitive, never retroactive, need a default value, and require the Standard log class
  • AWS Config reporting no results usually means delivery channel, invoke permission, or PutEvaluations
  • EventBridge finding patterns must use array values and mirror the event's JSON path

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Analyzing log data with CloudWatch Logs metric filters
  2. Lambda execution role
  3. Set up CloudWatch logging for a REST API in API Gateway
  4. Configure and use standard logs (access logs) in CloudFront
  5. Amazon S3 bucket policy for CloudTrail
  6. Troubleshooting the CloudWatch agent
  7. Foundational data sources in GuardDuty
  8. Amazon EventBridge event patterns