5.1.3. Troubleshooting Authentication Issues

First Principle: Authentication failures produce specific, diagnosable error patterns. Systematic troubleshooting starts with identifying the authentication mechanism, checking the error message, and working through the common failure causes for that mechanism.

Common Authentication Failures:

CloudTrail for Authentication Troubleshooting:

• Every authentication event is logged in CloudTrail
• Failed AssumeRole calls show the error reason
• Failed console logins appear as ConsoleLogin events with errorMessage
• Filter by errorCode: "AccessDenied" to find all auth failures

Identity Center Troubleshooting:

• Verify the identity source connection (AD Connector health, SAML metadata)
• Check permission set assignments (user → group → permission set → account)
• Verify the permission set's IAM policy matches the required actions
• Check AWSServiceRoleForSSO exists in target accounts

AWS Directory Service Troubleshooting:

• AD Connector requires network connectivity to on-premises AD (VPN or Direct Connect)
• DNS resolution must work for AD domain
• Service account credentials must be valid and not expired
• Security group must allow AD-related ports (LDAP 389, LDAPS 636, Kerberos 88)

⚠️ Exam Trap: The most common cause of federation failures is a misconfigured trust policy — the target role doesn't trust the IdP or the calling principal. Always check trust policies first when cross-account or federated access fails.

Scenario: Developers report they can't access a specific AWS account through Identity Center. You check CloudTrail and find AssumeRole failures with errorCode: AccessDenied. The permission set is assigned correctly, but the IAM role's trust policy in the target account was manually modified and no longer trusts the Identity Center service principal.

Reflection Question: Why is CloudTrail the first tool to check for authentication failures, and what specific event fields help you diagnose the root cause?