

# Troubleshooting issues in Security Lake

If you encounter issues when working with Amazon Security Lake, use the following troubleshooting resources.

The following topics provide troubleshooting advice for errors and issues that you might encounter related to data lake status, Lake Formation, querying in Amazon Athena, AWS Organizations and IAM. If you find an issue that is not listed here, you can use the `Feedback` button on this page to report it.

Consult the following topics if you encounter issues while using Security Lake.

**Topics**
+ [Troubleshooting data lake status](securitylake-data-lake-troubleshoot.md)
+ [Troubleshooting Lake Formation issues](securitylake-lf-troubleshoot.md)
+ [Troubleshooting querying in Amazon Athena](querying-troubleshoot.md)
+ [Troubleshooting Organizations issues](securitylake-orgs-troubleshoot.md)
+ [Troubleshooting Amazon Security Lake identity and access](security_iam_troubleshoot.md)

# Troubleshooting data lake status


The **Issues** page of the Security Lake console shows you a summary of issues that are affecting your data lake. For example, Security Lake can't enable log collection for AWS CloudTrail management events if you haven't created a CloudTrail trail for your organization. The **Issues** page covers issues that have occurred in the last 14 days. You can see a description of each issue and the suggested remediation steps.

To programmatically access a summary of issues, you can use the [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_ListDataLakeExceptions.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_ListDataLakeExceptions.html) operation of the Security Lake API. If you're using the AWS CLI, run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securitylake/list-data-lake-exceptions.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securitylake/list-data-lake-exceptions.html) command. For the `regions` parameter, you can specify one or more Region codes—for example, `us-east-1` for the US East (N. Virginia) Region—to see the issues affecting those Regions. If you don't include the `regions` parameter, issues affecting all Regions are returned. For a list of Region codes, see [Amazon Security Lake endpoints](https://docs.aws.amazon.com/general/latest/gr/securitylake.html) in the *AWS General Reference*.

For example, the following AWS CLI command lists issues that are affecting the `us-east-1` and `eu-west-3` Regions. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securitylake list-data-lake-exceptions \
--regions "us-east-1" "eu-west-3"
```
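The output of that command is a list of exception records. The following added example (not AWS code) shows how a practitioner might triage such output offline: it groups the exceptions by Region, newest first, and drops records older than the 14-day window the console covers. The sample response is constructed for this example; only the field names (`exception`, `region`, `remediation`, `timestamp`) follow the `DataLakeException` object, and the timestamp format assumes the CLI's default ISO 8601 rendering.

```python
"""Triage helper for list-data-lake-exceptions output (added example, not AWS code)."""
import json
from datetime import datetime, timedelta

# Constructed sample shaped like a list-data-lake-exceptions response.
# The field names follow the API's DataLakeException object; every value is made up.
SAMPLE_RESPONSE = json.dumps({
    "exceptions": [
        {"exception": "CloudTrail management events: no organization trail found",
         "region": "us-east-1",
         "remediation": "Create an organization trail in CloudTrail, then retry.",
         "timestamp": "2024-05-10T08:15:00+00:00"},
        {"exception": "Lake Formation: could not add caller principal as data lake admin",
         "region": "eu-west-3",
         "remediation": "Remove principals labeled 'Not found in IAM', then retry.",
         "timestamp": "2024-04-01T12:00:00+00:00"},
        {"exception": "Glue partition update failed",
         "region": "us-east-1",
         "remediation": "Re-enable the partition updater trigger.",
         "timestamp": "2024-05-12T09:30:00+00:00"},
    ]
})


def parse_exceptions(raw_json):
    """Parse the JSON text and convert each timestamp (assumed ISO 8601) to a datetime."""
    records = []
    for entry in json.loads(raw_json).get("exceptions", []):
        records.append({**entry, "timestamp": datetime.fromisoformat(entry["timestamp"])})
    return records


def triage(raw_json, now_iso, regions=None, window_days=14):
    """Group exceptions by Region, newest first.

    regions=None means all Regions, like omitting --regions on the CLI.
    Records older than window_days (the console's 14-day view) are dropped.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    by_region = {}
    for rec in sorted(parse_exceptions(raw_json), key=lambda r: r["timestamp"], reverse=True):
        if regions is not None and rec["region"] not in regions:
            continue
        if rec["timestamp"] < cutoff:
            continue
        by_region.setdefault(rec["region"], []).append(rec)
    return by_region


if __name__ == "__main__":
    for region, recs in triage(SAMPLE_RESPONSE, "2024-05-15T00:00:00+00:00").items():
        for rec in recs:
            print(f"{region}: {rec['exception']} -> {rec['remediation']}")
```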

To notify a Security Lake user about an issue or error, use the [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_CreateDataLakeExceptionSubscription.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_CreateDataLakeExceptionSubscription.html) operation of the Security Lake API. The user can be notified through email, delivery to an Amazon Simple Queue Service (Amazon SQS) queue, delivery to an AWS Lambda function, or another supported protocol.

For example, the following AWS CLI command sends notifications of Security Lake exceptions to the specified account by SMS delivery. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securitylake create-data-lake-exception-subscription \
--notification-endpoint "123456789012" \
--exception-time-to-live 30 \
--subscription-protocol "sms"
```

To view details about an exception subscription, you can use the [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_GetDataLakeExceptionSubscription.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_GetDataLakeExceptionSubscription.html) operation. To update an exception subscription, you can use the [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_UpdateDataLakeExceptionSubscription.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_UpdateDataLakeExceptionSubscription.html) operation. To delete an exception subscription and stop notifications, you can use the [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_DeleteDataLakeExceptionSubscription.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_DeleteDataLakeExceptionSubscription.html) operation.

# Troubleshooting Lake Formation issues


Use the following information to help you diagnose and fix common issues that you might encounter when working with Security Lake and AWS Lake Formation databases or tables. For more Lake Formation troubleshooting topics, see the [Troubleshooting](https://docs.aws.amazon.com/lake-formation/latest/dg/troubleshooting.html) section of the *AWS Lake Formation Developer Guide*.

## Table not found


You may receive this error when attempting to create a subscriber.

To resolve this error, make sure that you have added sources in the Region already. If you added sources when the Security Lake service was in preview release, you must add them again before creating a subscriber. For more information on adding sources, see [Source management in Security Lake](source-management.md).

## 400 AccessDenied


You may receive this error when you [add a custom source](adding-custom-sources.md) and call the `CreateCustomLogSource` API.

To resolve the error, review your Lake Formation permissions. The IAM role that's calling the API should have **Create table** permissions for the Security Lake database. For more information, see [Granting database permissions using the Lake Formation console and the named resource method](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-database-permissions.html) in the *AWS Lake Formation Developer Guide*.

## SYNTAX_ERROR: line 1:8: SELECT * not allowed from relation that has no columns

You may receive this error when querying a source table for the first time in Lake Formation.

To resolve the error, grant `SELECT` permission to the IAM role you are using when signed into your AWS account. For instructions on how to grant `SELECT` permission, see [Granting table permissions using the Lake Formation console and the named resource method](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-table-permissions.html) in the *AWS Lake Formation Developer Guide*.

## Security Lake failed to add caller's principal ARN to Lake Formation data lake admin. Current data lake administrators may include invalid principals that no longer exist.

You may receive this error when enabling Security Lake or adding an AWS service as a log source.

To resolve the error, follow these steps:

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. Sign in as an administrative user.

1. In the navigation pane, under **Permissions**, choose **Administrative roles and tasks**.

1. In the **Data lake administrators** section, choose **Choose administrators**.

1. Clear principals that are labeled **Not found in IAM**, and then choose **Save**.

1. Try the Security Lake operation again.

## Security Lake CreateSubscriber with Lake Formation didn't create a new RAM resource share invitation to be accepted

You may see this error if you shared resources with [Lake Formation version 2 or version 3 cross-account data sharing](https://docs.aws.amazon.com/lake-formation/latest/dg/optimize-ram.html) before creating a Lake Formation subscriber in Security Lake. This is because Lake Formation version 2 and version 3 cross-account sharing optimizes the number of AWS RAM resource shares by mapping multiple cross-account permission grants with one AWS RAM resource share.

Check that the resource share name contains the external ID that you specified when creating the subscriber, and that the resource share ARN matches the ARN in the `CreateSubscriber` response.

# Troubleshooting querying in Amazon Athena


Use the following information to help you diagnose and fix common issues that you might encounter when using Athena to query objects that are stored in your Security Lake S3 bucket. For more Athena troubleshooting topics, see the [Troubleshooting in Athena](https://docs.aws.amazon.com/athena/latest/ug/troubleshooting-athena.html) section of the *Amazon Athena User Guide*.

## Querying isn't returning new objects in the data lake


Your Athena query may not return new objects in your data lake even when the S3 bucket for Security Lake contains those objects. This may occur if you've disabled Security Lake and then enabled it again. As a result, the AWS Glue partitions may not properly register the new objects.

To resolve the error, follow these steps:

1. Open the AWS Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/).

1. From the navigation bar, on the Regions selector, choose the Region in which Security Lake is enabled but the Athena query isn't returning results.

1. From the navigation pane, choose **Functions**, and select the function from the following list depending on the source version:
   + `Source version 1 (OCSF 1.0.0-rc.2)` – **SecurityLake_Glue_Partition_Updater_Lambda_*<region>*** function.
   + `Source version 2 (OCSF 1.1.0)` – **AmazonSecurityLakeMetastoreManager_*<region>*** function.

1. On the **Configurations** tab, choose **Triggers**.

1. Select the option next to the function, and choose **Edit**.

1. Select **Activate trigger**, and choose **Save**. The trigger state changes to **Enabled**.

## Unable to access AWS Glue tables


A query access subscriber may not be able to access AWS Glue tables that contain Security Lake data.

First, ensure that you've followed the steps outlined in [Setting up cross-account table sharing (subscriber step)](create-query-subscriber-procedures.md#grant-query-access-subscriber).

If the subscriber still doesn't have access, follow these steps:

1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/](https://console.aws.amazon.com/glue/).

1. From the navigation pane, choose **Data Catalog** and **Catalog settings**.

1. Give permission to the subscriber to access the AWS Glue tables with a resource-based policy. For information about creating resource-based policies, see [Resource-based policy examples for AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/security_iam_resource-based-policy-examples.html) in the *AWS Glue Developer Guide*.
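As an added example (not AWS code), the following Python builds a read-only AWS Glue Data Catalog resource policy for one subscriber account, scoped to the catalog, the Security Lake database, and that database's tables, and then checks an existing policy document for the mistakes a reviewer would flag: a wildcard principal, write actions, or resources that reach beyond one database. The account IDs, Region, and database name are placeholders you supply; the Glue action names and ARN formats are the standard ones from the AWS Glue Developer Guide.

```python
"""Build and review a Glue Data Catalog resource policy for a query-access subscriber
(added example, not AWS code). All account IDs and names are placeholders."""
import json

# Read-only catalog actions a query-access subscriber needs to see tables and partitions.
READ_ONLY_ACTIONS = ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                     "glue:GetTables", "glue:GetPartition", "glue:GetPartitions",
                     "glue:BatchGetPartition"]


def subscriber_catalog_policy(region, lake_account, subscriber_account, database):
    """Return a Glue resource policy granting one subscriber account read-only
    access to the given Security Lake database and its tables."""
    base = f"arn:aws:glue:{region}:{lake_account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SecurityLakeQuerySubscriberRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{subscriber_account}:root"},
            "Action": READ_ONLY_ACTIONS,
            "Resource": [f"{base}:catalog",
                         f"{base}:database/{database}",
                         f"{base}:table/{database}/*"],
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """Return human-readable findings for Allow statements that are broader than needed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: wildcard principal")
        if any(a not in READ_ONLY_ACTIONS for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: action beyond read-only catalog access")
        if any(r == "*" or r.endswith(":database/*") for r in _as_list(stmt.get("Resource"))):
            findings.append(f"{sid}: resource not scoped to one database")
    return findings


if __name__ == "__main__":
    print(json.dumps(subscriber_catalog_policy("us-east-1", "111111111111",
                                               "222222222222", "SECURITY_LAKE_DB"), indent=2))
```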

# Troubleshooting Organizations issues


Use the following information to help you diagnose and fix common issues that you might encounter when working with Security Lake and AWS Organizations. For more Organizations troubleshooting topics, see the [Troubleshooting](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_troubleshoot.html) section of the *AWS Organizations User Guide*.

## An access denied error occurred when calling the CreateDataLake operation: Your account must be the delegated administrator account for an organization or a standalone account.

You may receive this error if you delete the organization that a delegated administrator account belonged to and then try to use that account to set up Security Lake by using the Security Lake console or the [CreateDataLake](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_CreateDataLake.html) API.

To resolve the error, use a delegated administrator account from a different organization or a standalone account.

# Troubleshooting Amazon Security Lake identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with Security Lake and IAM.

## I am not authorized to perform an action in Security Lake


If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your credentials.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `subscriber` but does not have the fictional `SecurityLake:GetSubscriber` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: SecurityLake:GetSubscriber on resource: subscriber
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `subscriber` information using the `SecurityLake:GetSubscriber` action.

## I want to expand permissions beyond managed policy


All IAM roles created by the subscriber or custom log source APIs are bound by the `AmazonSecurityLakePermissionsBoundary` managed policy. If you want to expand the permissions beyond the managed policy, you can remove the managed policy from the role's permissions boundary. However, when you call Security Lake APIs that mutate data lakes or subscribers, the permissions boundary must be attached so that IAM can modify the IAM role.

## I'm not authorized to perform iam:PassRole


If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Security Lake.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Security Lake. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Security Lake resources


You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Security Lake supports these features, see [How Security Lake works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.