Account Audit

The Aviatrix Controller periodically audits the AWS accounts it manages to verify that the IAM configuration Aviatrix depends on is still intact. The audit checks that:

  1. The Controller instance’s IAM role aviatrix-role-ec2 is attached to the Controller instance.

  2. The Controller instance’s IAM role aviatrix-role-app exists.

  3. Each access account’s IAM role aviatrix-role-ec2 exists.

  4. Each access account’s IAM role aviatrix-role-app exists.

  5. Each access account’s IAM role aviatrix-role-ec2 has policies attached.

  6. Each access account’s IAM role aviatrix-role-app has policies attached.

  7. Each access account has a trust relationship to the primary account (the Controller’s AWS account).

  8. Each access account’s credentials are valid (not expired, deleted, or otherwise invalid).

If any of these checks fails, the Controller sends an alert email and logs the event. The Controller also sends an alert email for any of the above failures reported by a gateway, on first detection and then every 24 hours until the problem is fixed.

Such an event requires immediate attention; left unrepaired, it can lead to a catastrophic operational outage. Work through the conditions above to repair the configuration.
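
The following is an added example, not Aviatrix’s own audit code, that re-implements checks 3 to 7 offline so you can run the same verification on an access account yourself. It takes the dicts that `json.loads` of `aws iam get-role --role-name <role>` (the `Role` object) and `aws iam list-attached-role-policies --role-name <role>` (the `AttachedPolicies` list) produce. The sample data, the account IDs, and the policy name aviatrix-assume-role-policy on the ec2 role are constructed for illustration and are not taken from a real account; the only names the page itself gives are aviatrix-role-app, aviatrix-role-ec2, and aviatrix-app-policy. The example also flags a wildcard trust principal and more than one attached app-role policy, since the Note below says the audit only inspects the first policy.

```python
"""Offline re-implementation of the access-account audit checks 3-7 (added example,
not Aviatrix code). Input shapes match `aws iam get-role` / `aws iam list-attached-role-policies`."""

# Aviatrix standard names the audit looks for (from this page).
EC2_ROLE = "aviatrix-role-ec2"
APP_ROLE = "aviatrix-role-app"
APP_POLICY = "aviatrix-app-policy"


def trusted_accounts(trust_doc):
    """Account IDs (or '*') whose principals may sts:AssumeRole under this trust policy."""
    accounts = set()
    for stmt in trust_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                accounts.add("*")                  # anyone may assume the role: always a finding
            elif p.startswith("arn:aws:iam::"):
                accounts.add(p.split(":")[4])      # arn:aws:iam::<account>:root or :role/...
            elif p.isdigit():
                accounts.add(p)                    # bare account-ID principal form
    return accounts


def audit_access_account(roles, attached, primary_account_id):
    """roles: role name -> the 'Role' object from `aws iam get-role`, or None if missing.
    attached: role name -> the 'AttachedPolicies' list from `aws iam list-attached-role-policies`.
    Returns (ok, findings); findings lists every failed check, mirroring items 3-7 above."""
    findings = []
    for name in (EC2_ROLE, APP_ROLE):
        if roles.get(name) is None:
            findings.append(f"{name} does not exist")            # checks 3 and 4
        if not attached.get(name):
            findings.append(f"{name} has no attached policies")  # checks 5 and 6
    app_policies = [p["PolicyName"] for p in attached.get(APP_ROLE, [])]
    if app_policies and app_policies[0] != APP_POLICY:
        findings.append(f"first policy on {APP_ROLE} is {app_policies[0]!r}, not {APP_POLICY!r}")
    if len(app_policies) > 1:
        # The Controller audit only looks at the first policy, so extra ones go unchecked.
        findings.append(f"{APP_ROLE} has {len(app_policies)} policies; only the first is audited")
    app = roles.get(APP_ROLE)
    if app is not None:                                           # check 7
        trusted = trusted_accounts(app.get("AssumeRolePolicyDocument", {}))
        if "*" in trusted:
            findings.append(f"{APP_ROLE} trust policy allows any principal to assume it")
        elif primary_account_id not in trusted:
            findings.append(f"{APP_ROLE} does not trust primary account {primary_account_id}")
    return (not findings, findings)


# --- Constructed sample data (hypothetical account IDs, not captured from a real account) ---
PRIMARY = "111111111111"   # hypothetical Controller (primary) account ID
ACCESS = "222222222222"    # hypothetical access account ID


def _policy(name, account=ACCESS):
    return {"PolicyName": name, "PolicyArn": f"arn:aws:iam::{account}:policy/{name}"}


def _app_role(trusts):
    return {"RoleName": APP_ROLE, "Arn": f"arn:aws:iam::{ACCESS}:role/{APP_ROLE}",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": trusts}, "Action": "sts:AssumeRole"}]}}


EC2_ROLE_OBJ = {"RoleName": EC2_ROLE, "Arn": f"arn:aws:iam::{ACCESS}:role/{EC2_ROLE}",
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                     "Action": "sts:AssumeRole"}]}}

# Healthy access account: both roles, one policy each, app role trusts the primary account.
HEALTHY = dict(
    roles={EC2_ROLE: EC2_ROLE_OBJ, APP_ROLE: _app_role(f"arn:aws:iam::{PRIMARY}:root")},
    attached={EC2_ROLE: [_policy("aviatrix-assume-role-policy")],   # hypothetical policy name
              APP_ROLE: [_policy(APP_POLICY)]})

# Broken access account: ec2 role deleted, app role trusts the wrong account and has two
# policies with aviatrix-app-policy in second place.
BROKEN = dict(
    roles={EC2_ROLE: None, APP_ROLE: _app_role("arn:aws:iam::333333333333:root")},
    attached={EC2_ROLE: [], APP_ROLE: [_policy("ReadOnlyAccess", "aws"), _policy(APP_POLICY)]})

if __name__ == "__main__":
    for label, data in (("healthy", HEALTHY), ("broken", BROKEN)):
        ok, findings = audit_access_account(data["roles"], data["attached"], PRIMARY)
        print(label, "OK" if ok else "FAIL", *findings, sep="\n  ")
```

To run it against a real access account, feed `roles` and `attached` from the CLI output (for a missing role, `aws iam get-role` errors with NoSuchEntity, which maps to `None` here). Check 8, credential validity, is not modelled: it is whatever `aws sts get-caller-identity` under the access account’s credentials reports, and a failure there usually shows up as the Controller being unable to assume aviatrix-role-app at all.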

If you need help, please open a support ticket at the Aviatrix Support Portal.

Note

  • Account auditing does not work with the “customized IAM role name” enhancement introduced in 6.4. In the current design, the audit looks only for the Aviatrix standard IAM role names, aviatrix-role-app and aviatrix-role-ec2, and the Aviatrix standard policy name, aviatrix-app-policy.

  • Account auditing also does not work if the IAM app role has more than one policy attached, because only the first attached policy is inspected.