Cloud Storage Security Help Docs

CloudFormation Stack failures

The two most common CloudFormation stack failures customers see are a result of either bad parameters specified within the CloudFormation template or deploying in a non-supported region.

Last updated 2 months ago

Bad Parameters

As the How to Deploy section describes, there are 5 parameters you need to make sure you get right.

  • Virtual Private Cloud (VPC) ID

  • Subnet A ID

  • Subnet B ID

  • Console Security Group CIDR Block

  • Email

Ensure that the subnets you select for Subnet A and Subnet B are unique (to each other) and both are a part of the VPC you selected.

Rules have been added to ensure you select these values correctly.

Ensure the CIDR range is a value that you can access the console from. Specify a network range that represents the specific network you will be accessing from (for example, your work network), or open it up to everyone with a value of 0.0.0.0/0.

Using 0.0.0.0/0 makes the console reachable from the outside world. SSL-based authentication is in place, but you may still want to consider whether "wide open" is the strategy you want to take.

Non-supported Regions for Console Deployment

Antivirus for Amazon S3 uses many native AWS services, and not all AWS services are supported in all AWS regions. Cognito is leveraged for authentication and user management, but it is not supported in all regions. AWS Marketplace is likewise not supported in every region for use with ECS Fargate.

Below, you will find a list of supported regions. Please deploy the console to one of these regions.

Supported regions for Console deployment
  • us-east-1 (N. Virginia)

  • us-east-2 (Ohio)

  • us-west-1 (California)

  • us-west-2 (Oregon)

  • ap-south-1 (Mumbai)

  • ap-northeast-1 (Tokyo)

  • ap-northeast-2 (Seoul)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney)

  • ap-southeast-4 (Melbourne)

  • ca-central-1 (Canada)

  • eu-central-1 (Frankfurt)

  • eu-south-1 (Milan)

  • eu-west-1 (Ireland)

  • eu-west-2 (London)

  • eu-west-3 (Paris)

  • eu-north-1 (Stockholm)

  • me-south-1 (Bahrain)

  • sa-east-1 (Sao Paulo)

  • GovCloud (West) AWS regions

Missing regions in this list are due to Amazon Cognito not being supported in those regions.

The scanning agent and console will run in any region that supports Amazon ECS Fargate.
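A pre-flight check for the Bad Parameters and supported-region requirements above, as an added example (not Cloud Storage Security's own tooling). It assumes you pass in the "Subnets" list from `aws ec2 describe-subnets`; the function name, the sample IDs and the use of `us-gov-west-1` for the GovCloud (West) entry are choices made for this example, and the Email parameter is not checked.

```python
import ipaddress

# Regions this page lists as supported for console deployment.
SUPPORTED_CONSOLE_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ap-south-1",
    "ap-northeast-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "ap-southeast-4", "ca-central-1", "eu-central-1", "eu-south-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1", "me-south-1",
    "sa-east-1", "us-gov-west-1",  # last entry: GovCloud (West)
}

# Constructed sample in the shape of `aws ec2 describe-subnets` output.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "VpcId": "vpc-0example1"},
    {"SubnetId": "subnet-bbbb2222", "VpcId": "vpc-0example1"},
    {"SubnetId": "subnet-cccc3333", "VpcId": "vpc-0example2"},
]

def preflight(region, vpc_id, subnet_a, subnet_b, console_cidr, subnets):
    """Return (errors, warnings) for the console stack parameters."""
    errors, warnings = [], []
    if region not in SUPPORTED_CONSOLE_REGIONS:
        errors.append(f"region {region} is not supported for console deployment")
    if subnet_a == subnet_b:
        errors.append("Subnet A and Subnet B must be different subnets")
    # Both subnets must exist and belong to the selected VPC.
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets}
    for label, sid in (("Subnet A", subnet_a), ("Subnet B", subnet_b)):
        if sid not in vpc_of:
            errors.append(f"{label} {sid} was not found")
        elif vpc_of[sid] != vpc_id:
            errors.append(f"{label} {sid} belongs to {vpc_of[sid]}, not {vpc_id}")
    try:
        net = ipaddress.ip_network(console_cidr, strict=False)
    except ValueError as exc:
        errors.append(f"Console Security Group CIDR Block is invalid: {exc}")
    else:
        # A /0 prefix is the "wide open" case the page asks you to reconsider.
        if net.prefixlen == 0:
            warnings.append(f"{console_cidr} opens the console to every address")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = preflight("eu-west-1", "vpc-0example1", "subnet-aaaa1111",
                            "subnet-cccc3333", "0.0.0.0/0", SAMPLE_SUBNETS)
    print("errors:", errs)
    print("warnings:", warns)
```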

v7 Upgrade Failure

We've noticed instances of upgrading from v6 to v7 through the console where the upgrade will fail. This is usually because the console doesn't have the proper permissions. The error should look similar to the below failure:

This will cause the outbound rules of your console/load balancer security group to be removed. You'll need to add back outbound rules to the security group and then run the upgrade manually through CloudFormation using the latest v7 CloudFormation template.

UserPoolUserAdminGroupAttachment Failure

In some instances, we have seen CloudFormation lose the order of the events that need to execute in order to stand the console up successfully. One instance where this happens is with the UserPoolUserAdminGroupAttachment creation.

If you encounter an error similar to the one below, retry your deployment through a new Stack.

Update Rollback Failed

In some cases an update fails and the rollback fails as well. This happens, for example, when updating from versions lower than v6.06: you are bypassing major versions and skipping required resources and permissions that were added in the major versions in between. What we have usually seen is:

  • Versions lower than 6.06: the previous security group inbound/outbound rules were deleted. Check the security group for the ConsoleService under ECS -> Css Cluster, ConsoleService, Configuration and networking, Security group:

    • Inbound rules should be 443 and 80 for 0.0.0.0/0 if it's public, and restricted to your VPN/Proxy/IP range if it's private.

    • Outbound rules should be all traffic for 0.0.0.0/0.

Once this is checked, you can go back to CloudFormation > Stack Actions > Continue Update Rollback.

Advanced troubleshooting:

  • If it fails, click on View Root Cause. If that shows you UserPool failed, click on Continue update rollback again in Stack Actions and check only the UserPool checkbox.
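The security group rules listed above, and the removed outbound rules described under v7 Upgrade Failure, can be checked before retrying the rollback. This is an added example, not Cloud Storage Security's own code; it assumes one "SecurityGroups" entry from `aws ec2 describe-security-groups`, and the function names and sample group are constructed for illustration.

```python
# Constructed sample: a console security group whose outbound rules were
# removed and whose port 80 inbound rule is missing.
BROKEN_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [],
}

def _open_to_world(perm):
    """True if the rule lists 0.0.0.0/0 among its IPv4 ranges."""
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))

def _covers(perm, port):
    """True if the rule allows TCP traffic on `port`."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", -1))

def check_console_sg(group, public=True):
    """Return a list of problems with the ConsoleService security group."""
    problems = []
    ingress = group.get("IpPermissions", [])
    egress = group.get("IpPermissionsEgress", [])
    for port in (443, 80):
        rules = [p for p in ingress if _covers(p, port)]
        if not rules:
            problems.append(f"no inbound rule for port {port}")
        elif public and not any(_open_to_world(p) for p in rules):
            problems.append(f"inbound {port} is not open to 0.0.0.0/0 (public console)")
        elif not public and any(_open_to_world(p) for p in rules):
            problems.append(f"inbound {port} is open to 0.0.0.0/0 (private console)")
    # The outbound side must allow all traffic to 0.0.0.0/0.
    if not any(p.get("IpProtocol") == "-1" and _open_to_world(p) for p in egress):
        problems.append("no outbound all-traffic rule to 0.0.0.0/0")
    return problems

if __name__ == "__main__":
    for problem in check_console_sg(BROKEN_SG):
        print(problem)
```

Pass `public=False` for a private console so that an inbound rule left open to 0.0.0.0/0 is reported instead of required.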

If you are still having issues after ensuring these two criteria are met, please Contact Us.

If you are upgrading from v6 to v7, make sure you are on the latest version of v6 before going to v7.

If the rollback completes: Good, you can try updating the stack again with the v6.06.000 template.

This should be the last step, and everything should go back to normal. You can then update to v7.11 the same way and then go to the latest v8 through the CloudStorageSecurity Console or through CloudFormation once again.