Troubleshooting assessment report issues - AWS Audit Manager

Troubleshooting assessment report issues

You can use the information on this page to resolve common assessment report issues in Audit Manager.

My assessment report failed to generate

Your assessment report might have failed to generate for a number of reasons. You can start to troubleshoot this issue by checking the most frequent causes. Use the following checklist to get started.

  1. Check if any of your AWS Region information doesn't match up:

    1. Does the AWS Region of your S3 bucket match the AWS Region of your assessment? The S3 bucket that you use as your assessment report destination must be in the same AWS Region as your assessment. For instructions on how to change the S3 bucket, see AWS Audit Manager settings, Assessment report destination.

    2. Does the AWS Region of your customer managed key match the AWS Region of your assessment? If you provided a customer managed key for data encryption, it must be in the same AWS Region as your assessment. For instructions on how to change the KMS key, see AWS Audit Manager settings, Data encryption.

  2. Check the permissions of the S3 bucket that you’re using as the assessment report destination:

    1. Does the IAM entity that’s generating the assessment report have the necessary permissions for the S3 bucket? The IAM entity must have the required S3 bucket permissions to publish reports in that bucket. We provide an example policy that you can use. For instructions on how to specify a different S3 bucket, see AWS Audit Manager settings, Assessment report destination.

    2. Does the S3 bucket have a bucket policy that requires server-side encryption (SSE) using SSE-KMS? If yes, the KMS key that's used in that bucket policy must match the KMS key that's specified in your Audit Manager data encryption settings. If you didn't configure a KMS key in your Audit Manager settings, and your S3 bucket policy requires SSE, ensure that the bucket policy allows SSE-S3. For instructions on how to configure the assessment report destination and the KMS key that's used for data encryption, see AWS Audit Manager settings.
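The Region and bucket-policy checks in the checklist above can be run against values you have already collected. This is an added example, not AWS-provided code: the function names, finding labels, bucket name, and key ARNs are constructed, and the policy parsing covers only the common Deny plus StringNotEquals pattern for enforcing SSE.

```python
import json

def kms_region(key_arn):
    # KMS key ARN layout: arn:aws:kms:<region>:<account>:key/<id>
    parts = key_arn.split(":")
    return parts[3] if len(parts) >= 6 and parts[2] == "kms" else None

def bucket_region(location_constraint):
    # GetBucketLocation reports no constraint for us-east-1 and legacy "EU" for eu-west-1
    legacy = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}
    return legacy.get(location_constraint, location_constraint)

def required_sse(policy_json):
    """Collect the SSE algorithms and KMS keys that Deny statements on PutObject insist on."""
    algos, keys = set(), set()
    stmts = json.loads(policy_json).get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Deny" or not {"s3:PutObject", "s3:*", "*"} & set(actions):
            continue
        for name, value in st.get("Condition", {}).get("StringNotEquals", {}).items():
            values = {value} if isinstance(value, str) else set(value)
            if name.lower() == "s3:x-amz-server-side-encryption":
                algos |= values
            elif name.lower() == "s3:x-amz-server-side-encryption-aws-kms-key-id":
                keys |= values
    return algos, keys

def check_report_destination(assessment_region, location_constraint, policy_json, kms_key):
    """kms_key: customer managed key ARN from Audit Manager settings, or None if not set."""
    findings = []
    if bucket_region(location_constraint) != assessment_region:
        findings.append("bucket-region-mismatch")          # checklist item 1.1
    if kms_key and kms_region(kms_key) != assessment_region:
        findings.append("kms-region-mismatch")             # checklist item 1.2
    algos, keys = required_sse(policy_json)
    if keys and kms_key not in keys:
        findings.append("bucket-policy-kms-key-mismatch")  # checklist item 2.2
    if not kms_key and algos and "AES256" not in algos:
        findings.append("bucket-policy-blocks-sse-s3")     # checklist item 2.2
    return findings

# Constructed sample: a bucket policy that pins uploads to one KMS key (placeholder ARNs)
KEY_A = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-B"
SAMPLE_POLICY = json.dumps({"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-report-bucket/*", "Condition": {"StringNotEquals": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_B}}}]})
```

The key comparison is an exact string match, so a bucket policy that names the key by ID or alias rather than by ARN is reported as a mismatch and needs a manual check.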

If you’re still unable to successfully generate an assessment report, review the following issues on this page.

I followed the checklist above, and my assessment report still failed to generate

Audit Manager can support up to approximately 22,000 evidence items in a single assessment report. If you try to generate a report that contains more evidence than this, the operation might fail.

As a workaround, you can generate multiple assessment reports rather than one larger assessment report. By doing this, you can export evidence from your assessment into more manageable-sized batches.

I’m unable to unzip the assessment report

If you can't unzip the assessment report on Windows, it's likely that Windows Explorer can't extract it because its file path has several nested folders or long names. Under the Windows file naming system, the folder path, file name, and file extension together can't exceed 259 characters. If they do, extraction fails with a Destination Path Too Long error.

To resolve this issue, try moving the zip file to the parent folder of its current location, and then try again to unzip it from there. Alternatively, try shortening the name of the zip file or extracting it to a different location that has a shorter file path.

I get an access denied error when I try to generate a report

You get an access denied error if your assessment was created by a delegated administrator account that doesn't own the KMS key that's specified in your Audit Manager settings. To avoid this error, when you designate a delegated administrator for Audit Manager, make sure that the delegated administrator account has access to the KMS key that you provided when setting up Audit Manager.

You might also receive an access denied error if you don't have write permissions for the S3 bucket that you're using as your assessment report destination.

If you get an access denied error, make sure that you meet the following requirements:

  • Your KMS key in your Audit Manager settings gives permissions to the delegated administrator. You can configure this by following the instructions in Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide. For instructions on how to review and change your encryption settings in Audit Manager, see Data encryption.

  • You have a permissions policy that grants you write access for the S3 bucket that you're using as the assessment report destination. More specifically, your permissions policy contains an s3:PutObject action, specifies the ARN of the S3 bucket, and includes the KMS key that's used to encrypt your assessment reports. For an example policy that you can use, see Identity-based policy examples for AWS Audit Manager.
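The second requirement can be checked against a permissions policy document before you retry report generation. This is an added example, not AWS-provided code: the function names, finding labels, and probe object key are constructed, the check probes kms:GenerateDataKey as a representative KMS action, and it reads Allow statements only (Deny, NotAction, and Condition elements are ignored).

```python
import json
from fnmatch import fnmatchcase

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def allows(policy, action, resource):
    """True if some Allow statement matches the action and resource, honouring * and ?."""
    stmts = policy.get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are compared as written
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st.get("Action")))
        res_ok = any(fnmatchcase(resource, r) for r in as_list(st.get("Resource")))
        if act_ok and res_ok:
            return True
    return False

def missing_report_permissions(policy_json, bucket, kms_key_arn,
                               probe_key="audit-manager/probe.zip"):
    """Return which of the page's requirements the policy fails to meet.
    probe_key is a hypothetical object name used only to test the Resource pattern."""
    policy = json.loads(policy_json)
    missing = []
    # s3:PutObject applies to objects, so a Resource naming only the bucket
    # (no /* suffix) does not grant write access to report files.
    if not allows(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{probe_key}"):
        missing.append("no-s3-putobject-on-bucket-objects")
    if kms_key_arn and not allows(policy, "kms:GenerateDataKey", kms_key_arn):
        missing.append("kms-key-not-in-policy")
    return missing

# Constructed sample policy with placeholder bucket name and key ARN
REPORT_KEY = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-A"
SAMPLE_IDENTITY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-report-bucket/*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": REPORT_KEY}]})
```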

Note

If you change your Audit Manager data encryption settings, these changes apply to the new assessments that you create moving forward. This includes any assessment reports that you create from your new assessments.

The changes don't apply to existing assessments that you created before you changed your encryption settings. This includes new assessment reports that you create from existing assessments, in addition to existing assessment reports. Existing assessments—and all their assessment reports—continue to use the old KMS key. If the IAM identity that’s generating the assessment report doesn’t have permissions to use the old KMS key, you can grant permissions at the key policy level.

My assessment report generation is stuck in In progress status, and I'm not sure how this impacts my billing

Assessment report generation has no impact on billing. You're only billed based on the evidence that your assessments collect. For more information about pricing, see AWS Audit Manager Pricing.