How do I troubleshoot CloudWatch dashboard sharing issues?

Resolution

Troubleshoot Email-based dashboard sharing issues

Users don't receive invitation emails

If users don't receive the invitation email to access the shared dashboard, then verify the following:

1. Open the CloudWatch console.
2. In the navigation pane, choose Dashboards, and then select the dashboard you want to share.
3. Choose Actions and then choose Share dashboard.
4. Check that the email addresses are entered correctly.
5. Ask the recipients to check their spam or junk email folders for the invitation email.
6. Confirm that you haven't exceeded the per dashboard.
7. Check if the user exists in the CloudWatchDashboardSharing Amazon Cognito user pool.
   Note: You can't reuse an email address that exists in the CloudWatchDashboardSharing Amazon Cognito user pool for another registration. If you use the same email address to share another dashboard, then Amazon Cognito doesn't send a verification email. Instead, Amazon Cognito adds the user to the dashboard group automatically. The user then uses the same username and password to open the shared CloudWatch dashboard.
8. If the invitation email doesn't arrive, remove the email address from the sharing list and add the email address again.

Password creation or reset issues

Users who receive the invitation must create a password to access the dashboard. If users encounter password-related issues, then perform the following checks:

• Verify that the password meets the following requirements:
  At least 8 characters long.
  Contains at least one uppercase letter.
  Contains at least one lowercase letter.
  Contains at least one number.
  Contains at least one special character.
• If users forget their password, then direct them to the dashboard login page and choose Forgot your password? to initiate a password reset.
• Confirm that users check their email for the password reset verification code. The verification code expires after 24 hours.
• If users don't receive the password reset email, ask them to check their spam or junk folders.

Check if the temporary password has expired. If you receive a temporary password from an administrator, then you have seven days to use the password or until the user account expires. CloudWatch specifies the user account expiration date when it creates the user pool. If you reset the temporary password before the expiration, Cognito sets the user's account status to FORCE_CHANGE_PASSWORD. You can reset your password only when the status is CONFIRMED.

To check your account status, complete the following steps:

1. Open the Cognito console.
2. Choose User pool and then choose CloudWatchDashboardSharing.
3. Choose General setting and then choose Users & Group.
4. If your account's status is CONFIRMED, then, run the following admin-create-user command to reset your password:

   aws cognito-idp admin-create-user --user-pool-id example-user-pool-id --username example-user --message-action RESEND --region us-east-1

   Note: Replace example-user-pool-id with the user pool ID and example- user with the username.

"Access denied" errors that appear after successful logins

If users successfully log in but receive access denied errors when you view the dashboard, then complete the following checks:

1. Confirm that you didn't delete the dashboard.
2. Check that the user's email address exists in the sharing list for the dashboard.
3. Check that the user has sharing permissions.
4. Check that the dashboard contains valid metrics and widgets.

Troubleshoot public link sharing issues

Public link failures

If a public link doesn't work or shows errors, then complete the following steps:

1. Open the CloudWatch console.
2. In the navigation pane, choose Dashboards, and then select the dashboard.
3. Choose Actions and then choose Share dashboard.
4. Check that Public link is turned on for the dashboard.
5. Confirm that you're sharing the complete URL, including the https:// protocol.
6. Check that you didn't delete or rename the dashboard.
7. Check that the AWS account has the necessary permissions to access the CloudWatch metrics displayed in the dashboard.

Public links show outdated data

If the public link shows outdated data or doesn't refresh, then perform the following checks:

• Check the time range selector in the dashboard to confirm the correct time period is selected.
• Check that the metrics in the dashboard are still being published to CloudWatch.
• Clear the browser cache and cookies and then try accessing the link again.
• Confirm that the dashboard's auto-refresh settings are configured correctly. To check the auto-refresh settings, open the dashboard in the CloudWatch console and review the refresh interval.

Troubleshoot SSO integration with Amazon Cognito issues

Incorrect SSO configuration

If SSO integration doesn't function correctly, then perform the following checks:

• Confirm that you configured Amazon Cognito with your SAML-based identity provider. For more information, see Adding and managing SAML identity providers in a user pool.
• Check that the SAML assertion from your identity provider includes the email and name attributes.
• Check that the Amazon Cognito user pool is in the US East (N. Virginia) Region.
• Check that the identity provider's metadata is correctly configured in Amazon Cognito.
• Confirm that users successfully authenticate with your identity provider before they redirect to CloudWatch.
• Check the Amazon Cognito user pool logs for authentication errors or failures.

Users authenticated through SSO can't access dashboards

If users can authenticate through SSO but can't access dashboards, then perform the following checks:

• Confirm that the user's email address in the identity provider matches the email address format that Amazon Cognito expects.
• Check that you added the user to the correct group in the Amazon Cognito user pool.
• Check that the dashboard sharing configuration includes SSO users.
• Confirm that the user's AWS account has the necessary permissions to access CloudWatch metrics in the dashboards.
• Confirm that the user's session hasn't expired.

Troubleshoot common issues with Dashboard Sharing

You can't use a user pool in an AWS Region that's not US East (N. Virginia)

The dashboard sharing feature supports only user pools in US East (N. Virginia). If you create a user pool in another Region, then the console doesn't display the correct shared status and doesn't receive the shareable link.

The widgets aren't visible

The CloudWatch dashboard sharing feature doesn't support cross-account alarms and metrics explorer widgets. If you use those widgets in your dashboard, then you can't share your dashboard.