
AWS Serverless Integration Troubleshooting

Debug deployment, scanning, and update issues for the Mondoo serverless AWS integration.

Troubleshoot the Mondoo serverless AWS integration: CloudFormation, Lambda updates, VPC access, logging, and Terraform interactions.

To stop a scan at any time, open the ellipsis menu on the integration page and select Cancel Scans.

CloudFormation

Single-account stack failed to create

If CloudFormation can't complete a single stack, Mondoo reports the failure.

  1. Check the AWS CloudFormation console for the error details.
  2. Resolve the error.
  3. On the integration's Configuration tab, re-launch the stack.

Organization StackSet failed to create

If the StackSet doesn't complete, you see an incomplete list of AWS accounts in Mondoo.

  1. Check the AWS CloudFormation console for the error details and resolve it.
  2. Open the StackSet in the AWS CloudFormation console.
  3. From the Actions menu in the top-right corner, select Edit StackSet details.
  4. Step through the wizard without changing values. Some fields require you to re-enter them.
  5. Submit to update the StackSet.
  6. On the Operations tab, refresh to see the update progress.

Requirements for deploying the Mondoo StackSet at the organization level

Your AWS Organization must be structured the way AWS Organizations expects: a root that contains organizational units (OUs). The most common blocker is missing OUs.

In the AWS Organizations console, confirm:

  • The top-level entity is root, with an ID like r-ab12.
  • root contains one or more OUs with IDs like ou-ab12-1234abcd.

If the entities below root have IDs like o-abcd5678, an organization-level integration won't deploy. Use a single-account install for each account instead.

A failed org-level attempt leaves StackSets and roles in the target accounts. AWS often blocks deleting them from the console with this error:

An error occurred (ValidationError) when calling the DeleteStackInstances operation:
StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

You must remove these StackSet instances with the AWS CLI.

Remove a faulty StackSet from the organization root

Use aws cloudformation delete-stack-instances:

WARNING

Read the AWS CLI reference before running this in your infrastructure.

Replace the placeholders:

  • STACK-SET-NAME-USUALLY-MONDOO: the StackSet name (default Mondoo).
  • ROOT-OU-ID: your Organization root ID, such as r-85mw.
  • REGION: the Organization's region, such as us-east-1.

aws cloudformation delete-stack-instances \
  --stack-set-name STACK-SET-NAME-USUALLY-MONDOO \
  --deployment-targets OrganizationalUnitIds=ROOT-OU-ID \
  --regions REGION \
  --no-retain-stacks
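The same cleanup as a script, added here as an example (it is not Mondoo tooling): the helper first classifies the target ID by its AWS Organizations prefix, refusing an organization (o-) ID up front because that is exactly the target the quoted ValidationError rejects, and then issues the delete with boto3 and polls the StackSet operation until it finishes. It assumes boto3 is installed and that credentials for the Organization's management account are available; the stack set name, root ID and region are the three placeholders from the command above.

```python
"""Check an AWS Organizations ID and remove a stuck Mondoo StackSet instance set.

Added example for this page, not Mondoo tooling. It mirrors the
`aws cloudformation delete-stack-instances` call above and assumes boto3
credentials for the Organization's management account.
"""
import re
import time

# ID shapes as AWS Organizations issues them. The prefix is what matters:
# r- (root) and ou- (organizational unit) are valid SERVICE_MANAGED StackSet
# targets; o- (the organization itself) is not, which is the ValidationError
# quoted on this page.
_ID_SHAPES = {
    "root": re.compile(r"^r-[0-9a-z]{4,32}$"),
    "ou": re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$"),
    "organization": re.compile(r"^o-[0-9a-z]{4,32}$"),
}
TERMINAL_STATES = ("SUCCEEDED", "FAILED", "STOPPED")


def classify_org_id(entity_id: str) -> str:
    """Return root, ou, organization or unknown for an Organizations ID."""
    for kind, shape in _ID_SHAPES.items():
        if shape.match(entity_id):
            return kind
    return "unknown"


def valid_stackset_target(entity_id: str) -> bool:
    """SERVICE_MANAGED StackSets accept only root or OU IDs as targets."""
    return classify_org_id(entity_id) in ("root", "ou")


def delete_stackset_instances(stack_set_name: str, target_id: str, region: str,
                              poll_seconds: int = 15) -> str:
    """Delete the StackSet instances under target_id and wait for the result.

    Equivalent to the CLI call on this page with --no-retain-stacks, plus a
    poll on the resulting operation so the caller sees the final status.
    """
    if not valid_stackset_target(target_id):
        raise ValueError(
            f"{target_id} is a {classify_org_id(target_id)} ID; "
            "a SERVICE_MANAGED StackSet needs a root or OU ID as target")
    import boto3  # imported late so the pure checks above need no AWS SDK
    cfn = boto3.client("cloudformation", region_name=region)
    operation_id = cfn.delete_stack_instances(
        StackSetName=stack_set_name,
        DeploymentTargets={"OrganizationalUnitIds": [target_id]},
        Regions=[region],
        RetainStacks=False,  # same as --no-retain-stacks
    )["OperationId"]
    while True:
        status = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id
        )["StackSetOperation"]["Status"]
        if status in TERMINAL_STATES:
            return status
        time.sleep(poll_seconds)


if __name__ == "__main__":
    import sys
    # usage: python cleanup.py STACK-SET-NAME ROOT-OU-ID REGION
    name, target, region = sys.argv[1:4]
    print(delete_stackset_instances(name, target, region))
```

A FAILED result means the operation ran but some instances could not be removed; the per-account reasons are on the StackSet's Operations tab in the CloudFormation console, the same place the manual procedure above sends you.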

Manually remove Mondoo roles from an AWS account

If you remove a Mondoo integration by hand, also delete every Mondoo IAM role in the account:

  • ebs-volume-scan-instance
  • ecs
  • ecsInstanceRole
  • ecsTaskExecutionRole
  • MondooEventBusRole
  • MondooLambdaRole

Not every role above will be present in every deployment.
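Deleting these roles by hand is tedious because IAM refuses to delete a role that still has managed policies attached, still carries inline policies, or still belongs to an instance profile. The script below, an added example and not Mondoo tooling, unwinds each role in that order and skips roles that are not present. It takes the IAM client as a parameter so it can be exercised against a fake, and a dry run lists what it would do without changing anything, which is worth using first because names like ecsTaskExecutionRole also occur outside Mondoo deployments. It assumes boto3 and credentials with IAM permissions in the target account.

```python
"""Delete the Mondoo IAM roles left behind by a manual integration removal.

Added example for this page, not Mondoo tooling. IAM only deletes a role
once its managed policies are detached, its inline policies are deleted and
it has been removed from every instance profile, so each role is unwound in
that order. `iam` is a boto3 IAM client or a compatible fake.
"""
from typing import Dict, List

# Role names listed on this page; not all exist in every deployment.
MONDOO_ROLES = [
    "ebs-volume-scan-instance",
    "ecs",
    "ecsInstanceRole",
    "ecsTaskExecutionRole",
    "MondooEventBusRole",
    "MondooLambdaRole",
]


def delete_role_completely(iam, role_name: str, dry_run: bool = False) -> List[str]:
    """Unwind and delete one role; returns the actions taken (or planned)."""
    try:
        iam.get_role(RoleName=role_name)
    except iam.exceptions.NoSuchEntityException:
        return [f"skip {role_name}: not present"]

    actions: List[str] = []

    def do(label, call, **kwargs):
        # Read-only listing always happens; mutating calls are skipped on dry run.
        actions.append(("would " if dry_run else "") + label)
        if not dry_run:
            call(**kwargs)

    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    for policy in attached:
        do(f"detach {policy['PolicyArn']}", iam.detach_role_policy,
           RoleName=role_name, PolicyArn=policy["PolicyArn"])

    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        do(f"delete inline {name}", iam.delete_role_policy,
           RoleName=role_name, PolicyName=name)

    profiles = iam.list_instance_profiles_for_role(RoleName=role_name)["InstanceProfiles"]
    for profile in profiles:
        do(f"remove from profile {profile['InstanceProfileName']}",
           iam.remove_role_from_instance_profile,
           InstanceProfileName=profile["InstanceProfileName"], RoleName=role_name)

    do(f"delete {role_name}", iam.delete_role, RoleName=role_name)
    return actions


def delete_mondoo_roles(iam, roles=MONDOO_ROLES, dry_run: bool = False) -> Dict[str, List[str]]:
    """Apply delete_role_completely to every Mondoo role; returns a per-role report."""
    return {role: delete_role_completely(iam, role, dry_run=dry_run) for role in roles}


if __name__ == "__main__":
    import sys
    import boto3
    dry = "--apply" not in sys.argv  # default to a dry run
    for role, done in delete_mondoo_roles(boto3.client("iam"), dry_run=dry).items():
        print(f"{role}: " + "; ".join(done))
```

Run it once without --apply, confirm every listed role really came from the Mondoo stack (for example by checking the role's creation time or tags against when the integration was installed), and only then run it with --apply.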

Updates

The CloudFormation stack and the Lambda function update themselves every 8 hours, independently. A CloudFormation update can land in Update Failed: sometimes it's a chicken-and-egg issue that resolves on the next pass, sometimes it needs a manual stack update to grant extra permissions.

Force a Lambda update

You can force an update from the Mondoo App:

[Screenshot: Mondoo Platform - force AWS Lambda update]

  1. Open the AWS integration.
  2. In the top-right corner, select the ... menu.
  3. Select Force Lambda Update.

Lambda VPC access

The Mondoo Lambda role has the AWSLambdaVPCAccessExecutionRole policy attached so it can discover and scan assets.

If the Lambda needs VPC access to reach private instances, follow Configuring a Lambda function to access resources in a VPC.

The security groups on SSM-managed instances must allow outbound traffic on port 443 (HTTPS) to Mondoo Platform at 34.98.71.94 so scan results can be sent back.
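The following added example (not Mondoo's code) checks that requirement from the output of ec2.describe_security_groups: an instance can send results if any attached group has an egress rule that covers TCP/443 (or all traffic) to an IPv4 range containing 34.98.71.94. The three sample groups are constructed; check_instance assumes boto3 and read-only EC2 permissions in the account being scanned.

```python
"""Verify that an instance's security groups allow HTTPS egress to Mondoo Platform.

Added example for this page, not Mondoo's code. The rule check works on the
response shape of `ec2.describe_security_groups`; the three groups below are
constructed samples. 34.98.71.94 is the Mondoo Platform address on this page.
"""
import ipaddress

MONDOO_PLATFORM_IP = ipaddress.ip_address("34.98.71.94")
HTTPS_PORT = 443


def _rule_covers_https(perm: dict) -> bool:
    """True if an IpPermissions entry includes TCP/443 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS encodes "all protocols, all ports" as -1
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= HTTPS_PORT <= perm.get("ToPort", 65535)


def egress_allows_mondoo(group: dict) -> bool:
    """True if one egress rule of the group reaches 34.98.71.94 on 443."""
    for perm in group.get("IpPermissionsEgress", []):
        if not _rule_covers_https(perm):
            continue
        for ip_range in perm.get("IpRanges", []):  # IPv4 CIDRs only
            network = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
            if MONDOO_PLATFORM_IP in network:
                return True
    return False


def instance_can_reach_mondoo(groups) -> bool:
    """An instance may send results if any attached group permits the egress."""
    return any(egress_allows_mondoo(g) for g in groups)


def blocked_groups(groups) -> list:
    """Group IDs that do not allow the egress, for the remediation list."""
    return [g["GroupId"] for g in groups if not egress_allows_mondoo(g)]


# Constructed samples in describe_security_groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-pinned", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "34.98.71.94/32"}]}]},
]


def check_instance(instance_id: str, region: str) -> bool:
    """Fetch the groups attached to an instance and report whether egress is allowed."""
    import boto3  # late import: the checks above run without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    group_ids = [g["GroupId"] for r in reservations
                 for inst in r["Instances"] for g in inst["SecurityGroups"]]
    groups = ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"]
    return instance_can_reach_mondoo(groups)
```

The security group rule is necessary but not sufficient: the subnet's network ACL and its route table (an internet gateway or NAT) must also let the instance reach the address, so a passing check here narrows the problem rather than closing it.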

Logging and metrics

Lambda logs go to CloudWatch under the log group /aws/lambda/MondooLambda in the install region. Open the log group and use Search Log Group to query messages or filter by time range.

[Screenshot: AWS CloudWatch Log Group Details Console]

Enable debug logging

Add the environment variable DEBUG=1 to the MondooLambda function in the AWS Lambda console.

[Screenshot: Lambda Console]

Send diagnostics or metrics to Mondoo

If you're working with Mondoo support, you can share Lambda diagnostics and metrics from the integration page:

[Screenshot: Mondoo Platform - send AWS information to Mondoo]

  1. Open the AWS integration.
  2. In the top-right corner, select the ... menu.
  3. Select Send Lambda Metrics or Send Diagnostics Data.

403 errors with Terraform

The Terraform aws_iam_policy_attachment resource creates exclusive attachments. Per HashiCorp's guidance:

Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource.

If you attach a managed policy that Mondoo also uses to a role you manage with Terraform, Terraform revokes the attachment from Mondoo's role. Use a non-exclusive resource instead:

  • aws_iam_role_policy_attachment
  • aws_iam_user_policy_attachment
  • aws_iam_group_policy_attachment

Advanced debugging

The CloudFormation stack can always be deleted and recreated without data loss.

Mondoo Platform expects a check-in from the integration every 10 minutes. If a check-in is missed, the integration's status in the Mondoo App changes to reflect it.

If the status is not active or deleted:

  • Try Retry Setup to confirm the EventBridge rule is in place and refresh the stored service credentials.
  • Check the CloudFormation stack status and the CloudWatch logs.
  • Confirm the Mondoo credentials are present in the SSM Parameter Store under MondooAgentConfig (in the install region).
  • Confirm the EventBridge rule mondoo-customevent-lambda-rule exists.
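The checklist above as a script, added here as an example (not Mondoo tooling): it reads the stack status, confirms the MondooAgentConfig parameter and the mondoo-customevent-lambda-rule rule exist, and looks for log activity in /aws/lambda/MondooLambda within the last check-in interval. The stack name defaults to Mondoo, the page's default; the recent-log check assumes that a Lambda silent for longer than 10 minutes has stopped checking in. Clients are passed in so the logic can run against fakes; the main block assumes boto3 and read-only permissions in the install region.

```python
"""Run the "Advanced debugging" checklist for one account and region.

Added example for this page, not Mondoo tooling. The stack name defaults to
Mondoo (the page's default); the SSM parameter, EventBridge rule and log
group names are the ones on this page. Clients are passed in so the checks
can run against fakes; the __main__ block wires up real boto3 clients.
"""
import time

STACK_NAME = "Mondoo"
LOG_GROUP = "/aws/lambda/MondooLambda"
SSM_PARAMETER = "MondooAgentConfig"
EVENT_RULE = "mondoo-customevent-lambda-rule"
CHECKIN_INTERVAL_SECONDS = 10 * 60  # Mondoo Platform expects a check-in every 10 min


def run_checks(cfn, ssm, events, logs, stack_name: str = STACK_NAME,
               now_ms: int = None) -> dict:
    """Return {check: (ok, detail)} for each bullet of the checklist."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    results = {}

    # CloudFormation stack: any *_COMPLETE state that is not a rollback is fine.
    try:
        status = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
        ok = status.endswith("_COMPLETE") and "ROLLBACK" not in status
        results["stack"] = (ok, status)
    except Exception as exc:  # describe_stacks raises a generic ClientError when missing
        results["stack"] = (False, f"describe_stacks failed: {exc}")

    # Stored service credentials in SSM Parameter Store.
    try:
        ssm.get_parameter(Name=SSM_PARAMETER)
        results["ssm_parameter"] = (True, "present")
    except ssm.exceptions.ParameterNotFound:
        results["ssm_parameter"] = (False, "missing")

    # EventBridge rule that triggers the Lambda; it must exist and be enabled.
    try:
        state = events.describe_rule(Name=EVENT_RULE).get("State", "UNKNOWN")
        results["event_rule"] = (state == "ENABLED", state)
    except events.exceptions.ResourceNotFoundException:
        results["event_rule"] = (False, "missing")

    # Lambda activity within one check-in interval (assumption: a Lambda that
    # has logged nothing for that long has stopped checking in).
    try:
        recent = logs.filter_log_events(
            logGroupName=LOG_GROUP,
            startTime=now_ms - CHECKIN_INTERVAL_SECONDS * 1000,
            limit=1,
        )["events"]
        detail = "log activity in the last 10 min" if recent else "no log events in the last 10 min"
        results["recent_logs"] = (bool(recent), detail)
    except Exception as exc:  # log group missing or not readable
        results["recent_logs"] = (False, f"filter_log_events failed: {exc}")
    return results


def healthy(results: dict) -> bool:
    """True only when every check passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    import sys
    import boto3
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    session = boto3.Session(region_name=region)
    checks = run_checks(session.client("cloudformation"), session.client("ssm"),
                        session.client("events"), session.client("logs"))
    for name, (ok, detail) in checks.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
    sys.exit(0 if healthy(checks) else 1)
```

A failing stack check with a *_ROLLBACK_COMPLETE status points back to the Updates section (a manual stack update may be needed); a missing parameter or rule is what Retry Setup is meant to restore.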

Still stuck? Email support@mondoo.com or join the Mondoo Community Slack.
