CloudFormation Stack failures
The two most common CloudFormation stack failures customers see are a result of either bad parameters specified within the CloudFormation template or deploying in a non-supported region.
- Virtual Private Cloud (VPC) ID
- Subnet A ID
- Subnet B ID
- Console Security Group CIDR Block
Ensure that the subnets you select for Subnet A and Subnet B are unique (to each other) and both are a part of the VPC you selected.
Rules have been added to ensure you select these values correctly.
Ensure the CIDR range is a value that you can access from. Specify a network range that represents the specific network you will be accessing from (e.g. your work network), or open it up to everyone with a value of 0.0.0.0/0, which will make it accessible to the outside world. SSL-based authentication is in place, but you may still want to consider whether "wide open" is the strategy you want to take.
Antivirus for Amazon S3 uses many native AWS services. Not all AWS services are supported in all AWS regions. Cognito is a service leveraged for authentication and user management, but it is not supported in all regions.
Below you will find a list of supported regions. Please deploy the console to one of these regions.
- us-east-1 (N. Virginia)
- us-east-2 (Ohio)
- us-west-1 (California)
- us-west-2 (Oregon)
- ap-south-1 (Mumbai)
- ap-northeast-1 (Tokyo)
- ap-northeast-2 (Seoul)
- ap-southeast-1 (Singapore)
- ap-southeast-2 (Sydney)
- ca-central-1 (Canada)
- eu-central-1 (Frankfurt)
- eu-south-1 (Milan)
- eu-west-1 (Ireland)
- eu-west-2 (London)
- eu-west-3 (Paris)
- eu-north-1 (Stockholm)
- me-south-1 (Bahrain)
- sa-east-1 (Sao Paulo)
- GovCloud (West) AWS regions
Missing regions in this list are due to Amazon Cognito not being supported in those regions.
The scanning agent will run in any region that supports Amazon ECS Fargate.
We've noticed instances of upgrading from v6 to v7 through the console where the upgrade will fail. This is usually because the console doesn't have the proper permissions. The error should look similar to the below failure:
This will cause the outbound rules of your console/load balancer security group to be removed. You'll need to add back outbound rules to the security group and then run the upgrade manually through CloudFormation using the latest v7 CloudFormation template.
In some instances we have seen CloudFormation lose the order of the events that need to execute in order to stand the console up successfully. One instance where this happens is with the UserPoolUserAdminGroupAttachment creation.
If you encounter an error similar to the one below, retry your deployment with a new stack.