API (self-hosted on AWS): Troubleshooting
The following problems are well-known:
EC2 Instance launch failure: Client.InternalError: Client error on launch
If no EC2 instances are started and the Auto Scaling Group shows the error “Client.InternalError: Client error on launch”, the likely cause is the KMS key you use for EBS default encryption: the EC2 Auto Scaling service-linked role is not allowed to use it. Modify the key policy of that KMS key and add these two statements to allow EC2 Auto Scaling to use the key. Note that a key policy is a resource-based policy: permissions granted to the account root or to your own IAM user do not carry over to the service-linked role, so the role must be named in the key policy itself. The EC2 instances will start a couple of minutes after the key policy is updated.
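The following script checks whether a KMS key policy actually grants the EC2 Auto Scaling service-linked role what it needs, which is the quickest way to confirm this diagnosis before editing the policy. It is an added example, not code from the attachmentAV documentation: the required actions and the two statements in FIXED_POLICY follow the pattern AWS documents for Auto Scaling with a customer managed key used for EBS encryption, and the account ID and both sample policies are constructed assumptions rather than the product's real key policy.

```python
"""Check whether a KMS key policy lets the EC2 Auto Scaling service-linked role
use the key for EBS encryption.

Added example, not code from the attachmentAV documentation. The required
actions and the two statements in FIXED_POLICY follow the pattern AWS documents
for Auto Scaling with a customer managed key; the account ID and both policies
are constructed sample data (assumptions, not the product's real key policy)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed sample account
# The role Auto Scaling launches instances with; the key policy must name it explicitly.
ASG_ROLE_ARN = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
                "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
# Actions the role needs to encrypt/decrypt EBS volumes and to attach them via grants.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _allows(stmt, action):
    """True if the statement's Action (IAM wildcards, case-insensitive) covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))


def missing_autoscaling_permissions(key_policy):
    """Return the required KMS actions that no Allow statement grants to the
    Auto Scaling service-linked role (or to everyone via Principal "*").

    Only Allow statements are evaluated; an explicit Deny elsewhere in the
    policy would still block the role and is not detected here."""
    relevant = [
        stmt for stmt in key_policy["Statement"]
        if stmt.get("Effect") == "Allow"
        and any(p in ("*", ASG_ROLE_ARN) for p in _principals(stmt))
    ]
    return sorted(action for action in REQUIRED_ACTIONS
                  if not any(_allows(stmt, action) for stmt in relevant))


# Constructed "before" policy: only the account root may administer the key.
# Auto Scaling's role is not covered, so launches fail with Client.InternalError.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}

# Constructed "after" policy: the two statements AWS documents for Auto Scaling.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": BROKEN_POLICY["Statement"] + [
        {"Sid": "Allow service-linked role use of the customer managed key",
         "Effect": "Allow", "Principal": {"AWS": ASG_ROLE_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources",
         "Effect": "Allow", "Principal": {"AWS": ASG_ROLE_ARN},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def load_key_policy(text):
    """Parse the JSON printed by: aws kms get-key-policy --key-id <id> --policy-name default --output text"""
    return json.loads(text)


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: missing {missing_autoscaling_permissions(policy)}")
```

To run it against your own key, find the key with aws ec2 get-ebs-default-kms-key-id, fetch its policy with aws kms get-key-policy --key-id <id> --policy-name default --output text, and pass the result to load_key_policy. The check is deliberately narrow: it only tells you whether the service-linked role is granted the documented actions, not whether a Deny statement or a grant condition elsewhere still blocks it.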
CloudFormation Template error: Fn::Select cannot select nonexistent value at index
CloudFormation’s Fn::GetAZs function returns only the availability zones that have a default subnet in your default VPC; only when no availability zone has a default subnet does it return all availability zones of the region. The template selects entries from that list with Fn::Select, so the error appears when fewer availability zones have a default subnet than the template expects.
To fix the error, double-check that your default VPC has default subnets in at least two availability zones. If you deleted them earlier, you can recreate default subnets for your default VPC (aws ec2 create-default-subnet --availability-zone <zone>).
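The script below makes the Fn::GetAZs rule above concrete: it emulates what the function returns for a given describe-subnets result, reproduces the Fn::Select failure, and prints the create-default-subnet commands needed to get back to two zones. It is an added example, not code from the attachmentAV documentation or from AWS; the region's zones and the subnet list are constructed sample data in the shape of aws ec2 describe-subnets output.

```python
"""Emulate CloudFormation's Fn::GetAZs for the default VPC and work out which
availability zones still need a default subnet.

Added example, not code from the attachmentAV documentation. It consumes the
shape of `aws ec2 describe-subnets` output; the region's zones and the subnet
list below are constructed sample data."""

# Constructed: zones of the region (as listed by aws ec2 describe-availability-zones).
REGION_AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

# Constructed output of:
#   aws ec2 describe-subnets --filters Name=default-for-az,Values=true
# Only one default subnet is left, so Fn::GetAZs will return a single zone.
DESCRIBE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d", "VpcId": "vpc-0a1b2c3d",
         "AvailabilityZone": "us-east-1a", "DefaultForAz": True},
    ]
}


def zones_with_default_subnet(describe_subnets):
    """Availability zones that have a default subnet, sorted."""
    return sorted({s["AvailabilityZone"] for s in describe_subnets["Subnets"]
                   if s.get("DefaultForAz")})


def get_azs(describe_subnets, region_azs):
    """Fn::GetAZs semantics for the default VPC: the zones with a default
    subnet, or every zone in the region if none of them has one."""
    return zones_with_default_subnet(describe_subnets) or list(region_azs)


def fn_select(index, values):
    """Fn::Select, raising the same error message CloudFormation reports."""
    if not 0 <= index < len(values):
        raise IndexError(f"Fn::Select cannot select nonexistent value at index {index}")
    return values[index]


def repair_commands(describe_subnets, region_azs, needed=2):
    """CLI commands that recreate default subnets until `needed` zones have one."""
    have = set(zones_with_default_subnet(describe_subnets))
    todo = [az for az in region_azs if az not in have][:max(0, needed - len(have))]
    return [f"aws ec2 create-default-subnet --availability-zone {az}" for az in todo]


if __name__ == "__main__":
    azs = get_azs(DESCRIBE_SUBNETS, REGION_AZS)
    print("Fn::GetAZs ->", azs)
    try:
        fn_select(1, azs)   # a template that needs a second zone fails here
    except IndexError as err:
        print("CloudFormation error:", err)
    for cmd in repair_commands(DESCRIBE_SUBNETS, REGION_AZS):
        print("fix:", cmd)
```

One edge case worth knowing: with zero default subnets left, Fn::GetAZs falls back to all zones and Fn::Select itself succeeds, so the symptom differs from the one-subnet case even though the fix (recreating default subnets in at least two zones) is the same.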
The specified instance type is not valid
Unfortunately, not all instance types are available in every region and availability zone. Select a different InstanceType configuration parameter; our default m5.large is a good choice. You can list the instance types offered where you deploy with aws ec2 describe-instance-type-offerings (add --location-type availability-zone to see the per-zone view).
Network issues when using fulfillment option Existing VPC
Please follow the Existing VPC Network Guide.
Unauthorized SSM requests in CloudTrail
The following unauthorized calls appear in CloudTrail when you use AWS Systems Manager features other than Session Manager (e.g., Inventory or Patch Manager):
User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:PutComplianceItems on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-123456 because no identity-based policy allows the ssm:PutComplianceItems action
User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-GatherSoftwareInventory because no identity-based policy allows the ssm:GetDocument action
User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:UpdateInstanceAssociationStatus on resource: arn:aws:ssm:us-east-1:123456789012:association/123456 because no identity-based policy allows the ssm:UpdateInstanceAssociationStatus action
When you set the SystemsManagerAccess configuration parameter to true, you “Enable AWS Systems Manager Session Manager to connect to the EC2 instances.” In other words, only the permissions required by SSM Session Manager are added to the instance role; nothing else is granted by default. If you plan to use any other SSM feature, you must also grant the permissions that feature needs. One approach is to attach the AWS managed policy AmazonSSMManagedInstanceCore by setting the ManagedPolicyArns configuration parameter to arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore. Keep in mind that this managed policy covers the full SSM agent feature set (Inventory, Patch Manager, Run Command, and so on), so it grants the instance role considerably more than Session Manager alone requires; if you only need one additional feature, a narrower inline policy is the least-privilege option.
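A quick way to turn the CloudTrail messages above into an actionable permission list is to parse the denied action out of each errorMessage and compare it with what the instance role's policy actually allows. The script below does that; it is an added example, not code from the attachmentAV documentation. The three messages are the ones quoted in this section, while both policies are constructed assumptions (a guess at a Session-Manager-only role and at the extra actions Inventory and Patch Manager call) and do not reproduce the product's real role or the AmazonSSMManagedInstanceCore managed policy.

```python
"""Pull the denied actions out of CloudTrail AccessDenied messages and check
them against the instance role's identity policy.

Added example, not code from the attachmentAV documentation. The messages are
the ones quoted in the troubleshooting text; both policies are constructed
assumptions and do not reproduce the product's role or AWS's managed policy."""
import fnmatch
import re

DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)")

# The errorMessage fields from the CloudTrail events quoted above.
CLOUDTRAIL_MESSAGES = [
    "User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 "
    "is not authorized to perform: ssm:PutComplianceItems on resource: "
    "arn:aws:ec2:us-east-1:123456789012:instance/i-123456 because no identity-based "
    "policy allows the ssm:PutComplianceItems action",
    "User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 "
    "is not authorized to perform: ssm:GetDocument on resource: "
    "arn:aws:ssm:us-east-1::document/AWS-GatherSoftwareInventory because no "
    "identity-based policy allows the ssm:GetDocument action",
    "User: arn:aws:sts::123456789012:assumed-role/attachmentav-ScanIAMRole-123/i-123456 "
    "is not authorized to perform: ssm:UpdateInstanceAssociationStatus on resource: "
    "arn:aws:ssm:us-east-1:123456789012:association/123456 because no identity-based "
    "policy allows the ssm:UpdateInstanceAssociationStatus action",
]


def denied_actions(messages):
    """Distinct actions CloudTrail reports as denied, in first-seen order."""
    found = []
    for message in messages:
        match = DENIED_RE.search(message)
        if match and match.group("action") not in found:
            found.append(match.group("action"))
    return found


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy, action):
    """True if some Allow statement's Action pattern covers `action`
    (IAM wildcards, case-insensitive). Resource scoping, conditions and
    explicit Deny statements are not evaluated."""
    return any(
        stmt.get("Effect") == "Allow"
        and any(fnmatch.fnmatchcase(action.lower(), p.lower())
                for p in _as_list(stmt["Action"]))
        for stmt in policy["Statement"])


def uncovered_actions(policy, messages):
    """Denied actions that the policy still does not grant."""
    return [action for action in denied_actions(messages) if not allowed(policy, action)]


# Constructed: an identity policy with only what Session Manager itself needs
# (agent registration plus the ssmmessages channels). Assumption, not the product's role.
SESSION_MANAGER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:UpdateInstanceInformation",
                    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"]},
    ],
}

# Constructed: the same policy widened by exactly the actions CloudTrail denied.
# Narrower than attaching the whole managed policy, but it must be maintained
# by hand whenever another SSM feature is turned on.
EXTENDED = {
    "Version": "2012-10-17",
    "Statement": SESSION_MANAGER_ONLY["Statement"] + [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:PutComplianceItems", "ssm:GetDocument",
                    "ssm:UpdateInstanceAssociationStatus"]},
    ],
}


if __name__ == "__main__":
    print("denied by CloudTrail:", denied_actions(CLOUDTRAIL_MESSAGES))
    for name, policy in (("session-manager-only", SESSION_MANAGER_ONLY), ("extended", EXTENDED)):
        print(f"{name}: still uncovered {uncovered_actions(policy, CLOUDTRAIL_MESSAGES)}")
```

Feed it the errorMessage values from your own CloudTrail events to get the exact action list to add. For the authoritative answer, including resource conditions and Deny statements this check skips, run aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names <actions> against the scan role.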