AWS IoT
Developer Guide

Diagnosing Rules Issues

CloudWatch Logs is the best place to debug issues you are having with rules. When you enable CloudWatch Logs for AWS IoT, you can see which rules are triggered and their success or failure. You also get information about whether WHERE clause conditions match.

The most common rules issue is authorization. The logs show if your role is not authorized to perform AssumeRole on the resource. Here is an example log generated by fine-grained logging:

{ "timestamp": "2017-12-09 22:49:17.954", "logLevel": "ERROR", "traceId": "ff563525-6469-506a-e141-78d40375fc4e", "accountId": "123456789012", "status": "Failure", "eventType": "RuleExecution", "clientId": "iotconsole-123456789012-3", "topicName": "test-topic", "ruleName": "rule1", "ruleAction": "DynamoAction", "resources": { "ItemHashKeyField": "id", "Table": "trashbin", "Operation": "Insert", "ItemHashKeyValue": "id", "IsPayloadJSON": "true" }, "principalId": "ABCDEFG1234567ABCD890:outis", "details": "User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJH is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ123456789AKQJ987654321AKQJ987654321)" }

Here is a similar example log generated by global logging:

2017-12-09 22:49:17.954 TRACEID:ff562535-6964-506a-e141-78d40375fc4e PRINCIPALID:ABCDEFG1234567ABCD890:outis [ERROR] EVENT:DynamoActionFailure TOPICNAME:test-topic CLIENTID:iotconsole-123456789012-3 MESSAGE:Dynamo Insert record failed. The error received was User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJI is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ987654321AKQJ987654321AKQJ987654321). Message arrived on: test-topic, Action: dynamo, Table: trashbin, HashKeyField: id, HashKeyValue: id, RangeKeyField: None, RangeKeyValue: 123456789012 No newer events found at the moment. Retry.

For more information, see Viewing Logs.

External services are controlled by the end user. Before rule execution, make sure external services are set up with enough throughput and capacity units.