Logging AD sync and configurable AD sync errors
You can enable logging on your Active Directory (AD) sync and configurable AD sync configurations to receive logs with information about errors that occur during the sync process. With these logs, you can monitor whether there is an issue with your AD sync or configurable AD sync and take action if needed. You can send your logs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose delivery stream. Cross-account delivery is supported for Amazon S3 buckets and Firehose.
For more information about limitations, permissions, and vended logs, see Enabling logging from AWS services.
Note: You are charged for logging. For more information, see Vended Logs.
To enable AD sync and configurable AD sync error logs
- Sign in to the IAM Identity Center console.
- Choose Settings.
- On the Settings page, choose the Identity source tab, choose Actions, and then choose Manage logs.
- Choose Add log delivery and one of the following destination types:
  - Choose To Amazon CloudWatch Logs. Then choose or enter the destination log group.
  - Choose To Amazon S3. Then choose or enter the destination bucket.
  - Choose To Firehose. Then choose or enter the destination delivery stream.
- Choose Submit.
To disable AD sync and configurable AD sync error logs
- Sign in to the IAM Identity Center console.
- Choose Settings.
- On the Settings page, choose the Identity source tab, choose Actions, and then choose Manage logs.
- Choose Remove for the destination that you want to remove.
- Choose Submit.
AD sync and configurable AD sync error log fields
See the following list for possible error log fields.
sync_profile_name
    The name of the sync profile.
error_code
    The error code that represents what type of error has occurred.
error_message
    A message that contains detailed information about the error that occurred.
sync_source
    The sync source is where entities are being synced from. For IAM Identity Center, this is an Active Directory (AD) managed by AWS Directory Service. The sync source contains the domain and ARN of the directory affected.
sync_target
    The sync target is the destination where entities are being saved. For IAM Identity Center, this is an Identity Store. The sync target contains the Identity Store ARN affected.
source_entity_id
    A unique identifier for the entity that is causing the error. For IAM Identity Center, this is the SID of the entity.
source_entity_type
    The type of entity causing the error. The value can be USER or GROUP.
eventTimestamp
    The timestamp when the error occurred.
AD sync and configurable AD sync error log examples
Example 1: An error log for an expired password for an AD directory
{
  "sync_profile_name": "EXAMPLE-PROFILE-NAME",
  "error": {
    "error_code": "InvalidDirectoryCredentials",
    "error_message": "The password for your AD directory has expired. Please reset the password to allow Identity Sync to access the directory."
  },
  "sync_source": {
    "arn": "arn:aws:ds:us-east-1:123456789:directory/d-123456",
    "domain": "EXAMPLE.com"
  },
  "eventTimestamp": "1683355579981"
}
Example 2: An error log for a user with a non-unique username
{
  "sync_profile_name": "EXAMPLE-PROFILE-NAME",
  "error": {
    "error_code": "ConflictError",
    "error_message": "The source entity has a username conflict with the sync target. Please verify that the source identity has a unique username in the target."
  },
  "sync_source": {
    "arn": "arn:aws:ds:us-east-1:111122223333:directory/d-123456",
    "domain": "EXAMPLE.com"
  },
  "sync_target": {
    "arn": "arn:aws:identitystore::111122223333:identitystore/d-123456"
  },
  "source_entity_id": "SID-1234",
  "source_entity_type": "USER",
  "eventTimestamp": "1683355579981"
}
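The two examples show that a directory-level error (Example 1) omits sync_target, source_entity_id and source_entity_type, while a per-entity error (Example 2) carries all of them. The following Python is an added example, not AWS code: it parses constructed records in the shape of the field list above, tolerates the optional fields, converts eventTimestamp to UTC, and groups records by error_code so a directory-wide failure is surfaced ahead of per-entity conflicts. Assumptions: eventTimestamp is epoch milliseconds (as the 13-digit values suggest), and the DIRECTORY_LEVEL_CODES set contains only the code shown on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (not real log output), in the shape of the page's two examples.
SAMPLE_LOG_LINES = [
    '{"sync_profile_name": "EXAMPLE-PROFILE-NAME", "error": {"error_code": "InvalidDirectoryCredentials", '
    '"error_message": "The password for your AD directory has expired."}, "sync_source": '
    '{"arn": "arn:aws:ds:us-east-1:111122223333:directory/d-123456", "domain": "EXAMPLE.com"}, '
    '"eventTimestamp": "1683355579981"}',
    '{"sync_profile_name": "EXAMPLE-PROFILE-NAME", "error": {"error_code": "ConflictError", '
    '"error_message": "The source entity has a username conflict with the sync target."}, "sync_source": '
    '{"arn": "arn:aws:ds:us-east-1:111122223333:directory/d-123456", "domain": "EXAMPLE.com"}, '
    '"sync_target": {"arn": "arn:aws:identitystore::111122223333:identitystore/d-123456"}, '
    '"source_entity_id": "SID-1234", "source_entity_type": "USER", "eventTimestamp": "1683355579981"}',
]

# Assumption: codes that mean the whole sync profile is failing, not one entity (only this one is on the page).
DIRECTORY_LEVEL_CODES = {"InvalidDirectoryCredentials"}

def parse_record(line):
    """Flatten one JSON error record; per-entity-only fields become None on directory-level errors."""
    rec = json.loads(line)
    err = rec.get("error", {})
    source = rec.get("sync_source", {})
    target = rec.get("sync_target", {})
    ts_ms = int(rec["eventTimestamp"])  # assumed epoch milliseconds
    when = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).replace(microsecond=(ts_ms % 1000) * 1000)
    return {
        "profile": rec.get("sync_profile_name"),
        "error_code": err.get("error_code"),
        "error_message": err.get("error_message"),
        "source_arn": source.get("arn"),
        "source_domain": source.get("domain"),
        "target_arn": target.get("arn"),
        "entity_id": rec.get("source_entity_id"),
        "entity_type": rec.get("source_entity_type"),
        "time": when,
    }

def triage(lines):
    """Group records by error_code; return (groups, codes that stop the entire sync)."""
    by_code = {}
    for line in lines:
        rec = parse_record(line)
        by_code.setdefault(rec["error_code"], []).append(rec)
    urgent = sorted(code for code in by_code if code in DIRECTORY_LEVEL_CODES)
    return by_code, urgent
```

Feed it the lines of a CloudWatch Logs export or an S3 object from the log delivery you configured above; the urgent list is what a sync-health alarm should fire on.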