Troubleshooting a canary on a VPC - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting a canary on a VPC

If you have issues after creating or updating a canary on a VPC, one of the following sections might help you troubleshoot the problem.

New canary in error state or canary can't be updated

If you create a canary to run on a VPC and it immediately goes into an error state, or you can't update a canary to run on a VPC, the canary's role might not have the right permissions. To run on a VPC, a canary must have the permissions ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface. These permissions are all contained in the AWSLambdaVPCAccessExecutionRole managed policy. For more information, see Execution Role and User Permissions.

If this issue happened when you created a canary, you must delete the canary, and create a new one. If you use the CloudWatch console to create the new canary, under Access Permissions, select Create a new role. A new role that includes all permissions required to run the canary is created.

If this issue happens when you update a canary, you can update the canary again and provide a new role that has the required permissions.

"No test result returned" error

If a canary displays a "no test result returned" error, one of the following issues might be the cause:

  • If your VPC does not have internet access, you must use VPC endpoints to give the canary access to CloudWatch and Amazon S3. You must enable the DNS resolution and DNS hostname options in the VPC for these endpoint addresses to resolve correctly. For more information, see Using DNS with Your VPC and Using CloudWatch and CloudWatch Synthetics with interface VPC endpoints .

  • Canaries must run in private subnets within a VPC. To check this, open the Subnets page in the VPC console. Check the subnets that you selected when configuring the canary. If they have a path to an internet gateway (igw-), they are not private subnets.

To help you troubleshoot these issues, see the logs for the canary.

To see the log events from a canary
  1. Open the CloudWatch console at

  2. In the navigation pane, choose Log groups.

  3. Choose the name of the canary's log group. The log group name starts with /aws/lambda/cwsyn-canary-name.