Solving synchronization failures

API synchronization between Sophos Cloud Optix and cloud environments can fail for different reasons.

You receive alerts that reference a sync failure when an authorization problem causes a synchronization failure that you can solve yourself.

Here we show what can cause this and how you can solve it for AWS, Microsoft Azure, and GCP cloud environments.

AWS synchronization failures

Failure reason: The Sophos-Optix-Role has been deleted from your AWS account. In legacy environments this may be called Avid-Role.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: The trust relationship for the Sophos-Optix-Role has changed in your AWS account.
Solution: Add the environment again.

Failure reason: The external ID for the Sophos-Optix-Role has changed in your AWS account.
Solution: Add the environment again.

Failure reason: Explicit deny statements have been added to a role.
Solution: You can remove the explicit deny statements from the role, or remove the role and add the environment again.

Failure reason: AWS service control policies (SCPs) may deny access to some regions or services. For more information, see Testing effects of AWS service control policies.
Solution: You can relax the SCP or change the allowed regions. For more details on changing the allowed regions, see Change API sync regions for AWS environments.
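As an added example, not part of the Sophos documentation, the following Python check inspects a role's trust policy and permission policy (as you would retrieve them with the AWS CLI) for the three AWS causes above: a changed trusted principal, a changed external ID, and explicit deny statements. The account ID and external ID are placeholders, not real Sophos values.

```python
import json

# Constructed sample documents; the account ID and external ID are placeholders.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}""")


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_principal, expected_external_id):
    """Explain why assuming the role could fail: no Allow statement that trusts
    the expected principal with the expected sts:ExternalId. Empty list means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected_principal in principals and ext_id == expected_external_id:
            return []  # a matching statement exists, the trust relationship is intact
        if expected_principal not in principals:
            findings.append(f"trust relationship changed: {principals} does not include {expected_principal}")
        if ext_id != expected_external_id:
            findings.append(f"external ID changed: found {ext_id!r}")
    return findings or ["no sts:AssumeRole Allow statement found"]


def explicit_denies(policy):
    """Return the Deny statements that override any Allow granted to the role."""
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]
```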

Microsoft Azure synchronization failures

Microsoft refers to client secrets as application secrets, but some of the error messages we receive still use the term client secret.

Failure reason: Sophos Cloud Optix has received error AADSTS7000222 from Microsoft. This means the provided client secret keys have expired.
Solution: Create a new application secret in Microsoft Azure, then use it for the Azure environment in Sophos Cloud Optix. For more details, see Create new Azure secret.

Failure reason: The application secret for the Sophos Cloud Optix Azure AD app has been deleted or changed.
Solution: Create a new application secret in Microsoft Azure, then use it for your Azure environment in Sophos Cloud Optix. For more details, see Create new Azure secret.

Failure reason: The Sophos Cloud Optix app has been deleted from your Azure AD tenant.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: Your Azure subscription permissions have been revoked.
Solution: Add the environment again.

GCP synchronization failures

Failure reason: API disabled.
Solution: You must turn on the following APIs in your Google account for Sophos Cloud Optix:

  container.googleapis.com
  cloudbuild.googleapis.com
  cloudapis.googleapis.com
  admin.googleapis.com
  stackdriver.googleapis.com
  sqladmin.googleapis.com
  storage-api.googleapis.com
  cloudbilling.googleapis.com
  cloudresourcemanager.googleapis.com
  compute.googleapis.com
  cloudkms.googleapis.com
  dns.googleapis.com
  logging.googleapis.com
  cloudfunctions.googleapis.com
  monitoring.googleapis.com
  storage-component.googleapis.com

Failure reason: Permissions revoked.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: Sophos Cloud Optix service account deleted.
Solution: Add the environment again.