Skip to content

Troubleshooting

If your events aren’t reaching their destination, follow the troubleshooting steps that correspond to the deployment method for your environment:

The sections below outline the troubleshooting steps for each method.

AQtive Guard CloudFormation template

If you used the AQtive Guard CloudFormation template, the following specific naming conventions and configurations are required for the integration to succeed.

Verify EventBridge rule

Verify that the EventBridge rule is set up correctly:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate the rule named AQtiveGuardFilteredEventsRule.
  4. Ensure that the Status column shows Enabled (with CloudTrail read-only Management events).

Verify rule target

Verify that the rule target is set up correctly in AWS:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate the rule named AQtiveGuardFilteredEventsRule and select it.
  4. On the Rule details page, select the Targets tab.
  5. Look for the API destination named AQGAWSDestinationApiRoute and select it.
  6. Under the API destination details, ensure that the status is Active.

Check connection authorization

Verify that your connection is authorized:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Connections in the menu on the left.
  3. Locate the connection named AQGAWSConnectionKey and select it.
  4. Under the Connection details, ensure that the status is Authorized.

If the status is Deauthorized, you’ll need to re-authenticate the connection.

Note

Connections can become deauthorized for several reasons, such as credential expiration or manual revocation. For a full list of scenarios, refer to the AWS documentation.

If your rule is enabled, your destination is active, and your connection is authorized but events are still not flowing, please contact us through our support portal.

AWS StackSets troubleshooting

Because StackSet outcomes vary based on your specific deployment preferences (such as failure tolerance and region order), progress should be monitored directly through the AWS Console. You can track the real-time status of each region and account under the Operations and Stack instances tabs.

  • Primary region check: Ensure the region you designated as PrimaryRegion in the parameters was selected in the Regions deployment step. If the primary region stack fails, regional forwarders will have no destination.
  • Stack instances: Check the Stack instances tab in your StackSet. If an individual region shows OUTDATED or FAILED, drill down into that specific stack’s events to see the error.
  • Permissions check: Verify that your Administration role has an inline policy allowing it to sts:AssumeRole for the Execution role.

Custom setup

If you manually configured your EventBridge resources, verify the status and configuration of your custom components. Refer to the AWS reference for the full list of required API permissions.

Verify rule state

Verify that your custom rule is enabled:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate your custom rule.
  4. Ensure that your rule is Enabled. A disabled rule will not process any incoming event patterns.

Verify rule target

Verify that your custom API destination exists and is active:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate your custom rule and select it.
  4. On the Rule details page, select the Targets tab.
  5. Look for your custom API destination and select it.
  6. Under the API destination details, ensure that the status is Active.

Check connection authorization

Verify that your connection is authorized:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Connections in the menu on the left.
  3. Locate your manually created connection attached to your custom rule and select it.
  4. Under the Connection details, ensure that the status is Authorized.

If the status is Deauthorized, you’ll need to re-authenticate the connection.

Note

Connections can become deauthorized for several reasons, such as credential expiration or manual revocation. For a full list of scenarios, refer to the AWS documentation.

Re-authenticate the connection

If your connection status is Deauthorized, follow these steps to restore the integration.

  1. From Connection Details, select Edit.
  2. In the Configure authorization section, select API key.
  3. In the API key name field, enter X-API-Key.
  4. In the Value field, enter your AQG API token. This is the same API key used during initial stack setup. For details on retrieving or generating an AQG token, refer to Create an API token.
  5. Select Update and confirm that the Connection details page now shows a status of Authorized.

If your rule is enabled, your destination is active, and your connection is authorized but events are still not flowing, please contact us through our support portal.