Updated on October 5, 2023

Troubleshooting the Amazon Security Lake Plugin

Troubleshooting the Amazon Security Lake Plugin

  • If you see any error while configuring the Plugin.

    • Please check the logs from Logging (bottom left corner).

  • If you see any error while upgrading the plugin from v1.0.0 to v1.1.0:

    • This is due to the removal of “Secret Credentials” from the authentication method.

    If you have configured the plugin with secret credentials, you might see an error while upgrading to the latest plugin version as the secret credentials authentication method has been removed.

    1. Click on the Skip button and navigate to the Plugins page (where you will see the previously configured plugin).
    2. Select the edit icon on the plugin tile.
    3. Select the “IAM Roles Anywhere” or “Deployed on AWS” as the Authentication method and provide the required parameters for the selected authentication method and save the plugin.

    • If you don’t see any Parquet files in the destination bucket in 5-10 mins after configuring.
      • Please check in Log Shipper -> SEIM Mappings -> Total Logs Sent section if any log is sent or not.
      • To confirm if the logs are pulled or not, check logs from Logging (bottom left corner)
      • If you see that the data is sent from Netskope and still the parquet files are not visible in the destination bucket, in that case please confirm that the Bucket name in Netskope configuration and SRC_BUCKET in Lambda is the same. Also confirm that the destination bucket you are monitoring for the parquet files is the same bucket specified in DST_BUCKET in Lambda env.


      • While configuring plugin in Netskope CE if you see invalid credential message
        • After configuring everything correctly, if you see “Invalid AWS Access Key ID (PublicKey) or AWS Secret Access Key (Private Key) found in the configuration parameters.” refer to this doc.
      • While creating the Custom Source if you see the error as below:

      “An error occurred. Access denied: Insufficient Lake Formation permission(s): Required Create Table on amazon_security_lake_glue_db_ (Service: Glue, Status Code: 400, Request ID: d4508ff9-4030-446a-aa81-xxxxxxxxxxxx)
      requestId: 95012ca5-68c5-4806-8f07-xxxxxxxxxxxx”

      Error Snapshot:

      Perform the following steps:

      1. Go to the Lake Formation service in AWS Console.
      2. Select Data Lake Permissions from the Permissions tab.
      1. Click Grant.
      2. Select IAM users and roles.
      3. Choose the IAM Principal to add in the IAM users and roles.
      1. In the LF-Tags or catalog resources, select Named data catalog resources.
      2. Select the database from the dropdown that was seen in the error log earlier.
      1. Select the Create Table, Alter, and Describe database permissions.
      2. Select Grant.
      1. Now try creating the same custom source again but this time in the Service access choose Use an existing service role and select the service glue role created earlier while creating the custom source; it will contain the custom source name in the role name. (AWSSecurityLakeCustomDataGlueCrawler-).

      Reach Out to Us

      Please check the Connect with customer support section of https://www.netskope.com/customers#support.

Share this Doc

Troubleshooting the Amazon Security Lake Plugin

Or copy link

In this topic ...