AWS Config errors - Automations for AWS Firewall Manager

AWS Config errors

This section addresses known errors with AWS Config when deploying or using this solution.

Problem: Enabling AWS Config in the prerequisite stack doesn’t work

The following error occurs when you deploy the solution's aws-fms-prereq.template CloudFormation template with the Enable Config parameter set to Yes.

Screenshot: the stack shows a CREATE_FAILED status with the error message: stack set instance creation failed.

Reason: Trusted access for CloudFormation StackSets can only be enabled using the AWS CloudFormation console. Refer to Enabling trusted access with AWS CloudFormation Stacksets in the AWS Organizations User Guide.

Resolution

  1. Sign in to the AWS CloudFormation console.

  2. From the navigation menu, choose StackSets.

  3. Choose Activate trusted access. Providing a registered delegated administrator is optional.

    Screenshot of the CloudFormation console, StackSets message: Activate trusted access with AWS Organizations to use service-managed permissions.

  4. Deploy the aws-fms-prereq.template again.

Problem: Activating AWS Config using CloudFormation StackSets fails when creating the configuration recorder

The following error occurs in the StackSets console:

Screenshot of the error text, with ResourceStatusReason: Failed to put configuration recorder.

Reason: Each AWS Region supports only one configuration recorder. CloudFormation StackSets will fail to create a stack instance in the account and Region if a recorder already exists there. This happens if AWS Config is already in use in that Region, or was used there in the past. For additional information, refer to Configuration Recorder in the AWS Config Developer Guide.

Resolution

Activate AWS Config in the appropriate Region and ensure that the necessary resource types are included in the recording group. For additional information, refer to Enable AWS Config in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
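Before deploying the StackSet, it helps to know whether a Region already holds a configuration recorder, whether that recorder is actually recording, and whether its recording group covers the resource types the Firewall Manager policies need. The following added example (not part of the Automations for AWS Firewall Manager solution) audits the JSON shape returned by the AWS Config API calls DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus. The sample responses are constructed, the account ID is a placeholder, and the REQUIRED_TYPES list is illustrative only; the resource types each policy type actually needs are listed in the Enable AWS Config page of the Developer Guide referenced above.

```python
"""Audit the AWS Config recorder in one account and Region before a StackSet deploy.

Added example, not code from the Automations for AWS Firewall Manager solution.
Operates on the response shapes of the real AWS Config API calls
DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus.
Sample data below is constructed; REQUIRED_TYPES is an illustrative placeholder.
"""
from __future__ import annotations

import json

# Illustrative placeholder: replace with the resource types your Firewall
# Manager policies require (see the Developer Guide); constructed for this example.
REQUIRED_TYPES = frozenset({
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::NetworkInterface",
    "AWS::WAFv2::WebACL",
})


def audit_recorder(recorders: dict, status: dict,
                   required: frozenset = REQUIRED_TYPES) -> dict:
    """Return findings for one Region.

    recorders: parsed output of describe-configuration-recorders
    status:    parsed output of describe-configuration-recorder-status
    """
    found = recorders.get("ConfigurationRecorders", [])
    result = {
        "recorder_exists": bool(found),
        # A Region holds at most one recorder, so an existing one means a
        # StackSet that tries to create another will fail to put the recorder.
        "stackset_would_conflict": bool(found),
        "recording": False,
        "missing_types": sorted(required),
        "notes": [],
    }
    if not found:
        result["notes"].append(
            "no configuration recorder in this Region; a StackSet can create one")
        return result

    rec = found[0]
    name = rec.get("name")
    result["notes"].append(
        f"recorder '{name}' already exists; creating another via StackSets "
        "fails with 'Failed to put configuration recorder'")

    # Recording group: either all supported types, or an explicit list.
    group = rec.get("recordingGroup", {})
    if group.get("allSupported"):
        result["missing_types"] = []
    else:
        recorded = set(group.get("resourceTypes", []))
        result["missing_types"] = sorted(required - recorded)

    # Status: an existing recorder may be stopped or failing delivery.
    for st in status.get("ConfigurationRecordersStatus", []):
        if st.get("name") == name:
            result["recording"] = bool(st.get("recording"))
            if st.get("lastStatus") == "FAILURE":
                result["notes"].append(
                    f"last recorder status FAILURE: {st.get('lastErrorMessage')}")
    if not result["recording"]:
        result["notes"].append(
            "recorder exists but is stopped; start it instead of creating a new one")
    if result["missing_types"]:
        result["notes"].append(
            "recording group lacks: " + ", ".join(result["missing_types"]))
    return result


# Constructed sample responses (placeholder account ID, not real account data).
SAMPLE_RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/"
               "config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": False,
                       "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::SecurityGroup"]},
}]}
SAMPLE_STATUS = {"ConfigurationRecordersStatus": [{
    "name": "default", "recording": True, "lastStatus": "SUCCESS",
}]}

if __name__ == "__main__":
    print(json.dumps(audit_recorder(SAMPLE_RECORDERS, SAMPLE_STATUS), indent=2))
```

To run it against a live account, save the output of `aws configservice describe-configuration-recorders --region <region>` and `aws configservice describe-configuration-recorder-status --region <region>` to files, load each with `json.load`, and pass the two dicts to `audit_recorder`. A result with `stackset_would_conflict` set means the Region needs the existing recorder fixed (started, or its recording group widened) rather than a new one created by the StackSet.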

Problem: AWS Config isn’t activated in member accounts

When AWS Config isn't activated in member accounts, you see the following error message in your Firewall Manager console:

Screenshot of the Firewall Manager console showing a Noncompliant status for AWS accounts.

Resolution

If you’re using this solution’s prerequisite template to activate AWS Config, then this is a transient issue. It takes time for AWS Config to activate and propagate across AWS Organizations accounts. Allow some time for the update to complete its processing. If you are not using this solution’s prerequisite template, then access the individual accounts to activate AWS Config manually. For more information, refer to Enable AWS Config in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.