CloudFormation Stack failures

The two most common CloudFormation stack failures customers see are a result of either bad parameters specified within the CloudFormation template or deploying in a non-supported region.

Bad Parameters

As the How to Deploy section describes, there are 5 parameters you need to make sure you get right.

  • Virtual Private Cloud (VPC) ID

  • Subnet A ID

  • Subnet B ID

  • Console Security Group CIDR Block

  • Email

Ensure that the subnets you select for Subnet A and Subnet B are unique (to each other) and both are a part of the VPC you selected.

Rules have been added to ensure you select these values correctly.

Ensure the CIDR range is a value that you can access. Specify a network range that represents the specific network you will be accessing from (e.g. your work network) or open it up to everyone with a value of 0.0.0.0/0.

Using 0.0.0.0/0 will make the console accessible to the outside world. SSL-based authentication is in place, but you may still want to consider whether "wide open" is the strategy you want to take.

Non-supported Regions for Console Deployment

Antivirus for Amazon S3 uses many native AWS services, and not all AWS services are supported in all AWS regions. Cognito, which is leveraged for authentication and user management, is not supported in all regions. Marketplace is also not supported in all regions for use with ECS Fargate.

Below you will find a list of supported regions. Please deploy the console to one of these regions.

Supported regions for Console deployment
  • us-east-1 (N. Virginia)

  • us-east-2 (Ohio)

  • us-west-1 (California)

  • us-west-2 (Oregon)

  • ap-south-1 (Mumbai)

  • ap-northeast-1 (Tokyo)

  • ap-northeast-2 (Seoul)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney)

  • ap-southeast-4 (Melbourne)

  • ca-central-1 (Canada)

  • eu-central-1 (Frankfurt)

  • eu-south-1 (Milan)

  • eu-west-1 (Ireland)

  • eu-west-2 (London)

  • eu-west-3 (Paris)

  • eu-north-1 (Stockholm)

  • me-south-1 (Bahrain)

  • sa-east-1 (Sao Paulo)

  • GovCloud (West) AWS regions

Missing regions in this list are due to Amazon Cognito not being supported in those regions.

The scanning agent and console will run in any region that supports Amazon ECS Fargate.
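A pre-deployment check covering both failure causes above (bad parameters and an unsupported console region), as an added example that is not part of the product or its template. The function name `preflight`, the sample IDs, and the mapping of "GovCloud (West)" to `us-gov-west-1` are assumptions; `subnets` is expected in the shape of the EC2 DescribeSubnets "Subnets" list.

```python
import ipaddress

# Console regions as listed on this page. "us-gov-west-1" is an assumed
# mapping for the page's "GovCloud (West)" entry.
SUPPORTED_CONSOLE_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ap-south-1",
    "ap-northeast-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "ap-southeast-4", "ca-central-1", "eu-central-1", "eu-south-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1", "me-south-1",
    "sa-east-1", "us-gov-west-1",
}

def preflight(region, vpc_id, subnet_a, subnet_b, console_cidr, subnets):
    """Return a list of (severity, message) findings; empty means clean.

    `subnets` is the "Subnets" list from EC2 DescribeSubnets for the region.
    """
    findings = []
    if region not in SUPPORTED_CONSOLE_REGIONS:
        findings.append(("error", f"{region} is not a supported console region"))
    if subnet_a == subnet_b:
        findings.append(("error", "Subnet A and Subnet B must be different"))
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets}
    for label, sid in (("Subnet A", subnet_a), ("Subnet B", subnet_b)):
        if sid not in vpc_of:
            findings.append(("error", f"{label} {sid} not found in {region}"))
        elif vpc_of[sid] != vpc_id:
            findings.append(("error", f"{label} {sid} is in {vpc_of[sid]}, not {vpc_id}"))
    try:
        net = ipaddress.ip_network(console_cidr, strict=False)
    except ValueError as exc:
        findings.append(("error", f"Console CIDR is invalid: {exc}"))
    else:
        if net.prefixlen == 0:  # 0.0.0.0/0: reachable from any address
            findings.append(("warning", f"Console CIDR {net} is open to every address"))
    return findings

# Constructed sample data shaped like DescribeSubnets output.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111"},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0111"},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0222"},
]

if __name__ == "__main__":
    for sev, msg in preflight("eu-west-1", "vpc-0111", "subnet-0aaa",
                              "subnet-0ccc", "0.0.0.0/0", SAMPLE_SUBNETS):
        print(f"[{sev}] {msg}")
```
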

If you are still having issues after ensuring these two criteria are met, please Contact Us.

v7 Upgrade Failure

We've noticed instances of upgrading from v6 to v7 through the console where the upgrade will fail. This is usually because the console doesn't have the proper permissions. The error should look similar to the below failure:

This will cause the outbound rules of your console/load balancer security group to be removed. You'll need to add back outbound rules to the security group and then run the upgrade manually through CloudFormation using the latest v7 CloudFormation template.

If you are upgrading from v6 to v7, make sure you are on the latest version of v6 before going to v7.

UserPoolUserAdminGroupAttachment Failure

In some instances we have seen CloudFormation lose the order of the events that need to execute in order to stand the console up successfully. One instance where this happens is with the UserPoolUserAdminGroupAttachment creation.

If you encounter an error similar to the one below, retry your deployment through a new stack.
