# ess-user

Part of **ESS**

# Auto Scaling User Management Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|----------|------------------|
| Forgotten or Expired Password | Error: `Invalid username or password` on login | High | Reset password via console or contact administrator |
| Account Locked Due to Repeated Failures | Error: `Account is temporarily locked` | Medium | Wait for lockout period to expire or request unlock |
| Missing Required Permissions | Error: `Access denied` after successful login | Medium | Assign required Auto Scaling user roles or policies |

## Problem Details

### Problem 1: Forgotten or Expired Password

**Symptoms**
- Error message: `Invalid username or password`
- Behavior: User cannot log in despite entering correct-looking credentials
- Context: Occurs after password expiration, infrequent use, or accidental change

**Root Cause**
- The entered password does not match the stored credential due to expiration, reset by admin, or user error
- Auto Scaling enforces periodic password rotation; expired passwords are rejected even if previously valid

**Solution**
1. Navigate to the Auto Scaling Console login page
2. Click **Forgot Password?**
3. Enter your registered email or username
4. Follow the password reset link sent to your email
5. Create a new password meeting complexity requirements (minimum 8 characters, with uppercase, lowercase, number, and symbol)

Alternatively, if self-service reset is disabled:
1. Contact your organization’s Auto Scaling administrator
2. Request a manual password reset
3. Provide identity verification as required by your security policy

**Verification**
- Attempt to log in with the new password
- Expected behavior: Successful authentication and redirect to the Auto Scaling dashboard
- If still failing, check for account lockout (see Problem 2)

### Problem 2: Account Locked Due to Repeated Failures

**Symptoms**
- Error message: `Account is temporarily locked`
- Behavior: Login fails even with correct credentials after multiple incorrect attempts
- Context: Typically occurs during password recovery or when using saved but outdated credentials

**Root Cause**
- Auto Scaling implements a security lockout mechanism after 5 consecutive failed login attempts within 15 minutes
- The account remains locked for 30 minutes by default to prevent brute-force attacks

**Solution**
1. Wait for the lockout duration (default: 30 minutes) to expire
2. Do not attempt additional logins during this period; each attempt resets the timer
3. After waiting, try logging in with the correct password

If urgent access is needed:
1. Contact your Auto Scaling administrator
2. Request an immediate account unlock via the user management interface
3. Administrator path: **User Management > Users > [Select User] > Unlock Account**

**Verification**
- After the lockout period, attempt login with correct credentials
- Expected result: Successful authentication without error
- Monitor login attempts in audit logs to confirm normal behavior
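
The lockout rule described above, replayed over audit events to report whether an account is locked at a given time and when it unlocks. This is an added example, not part of the original guide or the product's code. The thresholds are the ones stated above; the event tuple layout, the sample events and the sliding-window reading of "within 15 minutes" are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds stated in this guide.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)
LOCK_DURATION = timedelta(minutes=30)

# Constructed LoginAttempt events: (timestamp, user, outcome). The layout is an assumption.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "failure"),
    ("2024-05-01T09:01:00", "alice", "failure"),
    ("2024-05-01T09:02:00", "alice", "failure"),
    ("2024-05-01T09:03:00", "alice", "failure"),
    ("2024-05-01T09:04:00", "alice", "failure"),  # 5th failure: locked until 09:34
    ("2024-05-01T09:20:00", "alice", "failure"),  # retry while locked: timer restarts
    ("2024-05-01T09:00:00", "bob", "failure"),
    ("2024-05-01T09:01:00", "bob", "failure"),
    ("2024-05-01T09:02:00", "bob", "failure"),
    ("2024-05-01T09:03:00", "bob", "failure"),
    ("2024-05-01T09:04:00", "bob", "success"),    # success breaks the streak
    ("2024-05-01T09:05:00", "bob", "failure"),
]

def lock_state(events, user, now):
    """Replay one user's events up to `now`; return (locked, unlock_time)."""
    streak = []          # timestamps of the current run of consecutive failures
    locked_until = None
    for ts, name, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        if name != user or t > now:
            continue
        if locked_until and t < locked_until:
            locked_until = t + LOCK_DURATION  # any attempt during lockout resets the timer
            continue
        locked_until = None
        if outcome == "success":
            streak = []
            continue
        # Assumption: "within 15 minutes" is a sliding window ending at this failure.
        streak = [f for f in streak if t - f <= FAILURE_WINDOW] + [t]
        if len(streak) >= MAX_FAILURES:
            locked_until, streak = t + LOCK_DURATION, []
    if locked_until and now < locked_until:
        return True, locked_until
    return False, None
```
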

### Problem 3: Missing Required Permissions

**Symptoms**
- Error message: `Access denied`
- Behavior: User logs in successfully but cannot view or manage Auto Scaling resources
- Context: Occurs after role assignment changes or for newly created accounts with minimal permissions

**Root Cause**
- The user account lacks the necessary role-based access control (RBAC) policies to perform Auto Scaling operations
- Default user roles may only grant read-only or no access until explicitly configured

**Solution**
1. Log in as an administrator with user management privileges
2. Go to **User Management > Roles**
3. Assign one of the following predefined roles to the user:
   - `AutoScalingAdmin`: Full read/write access
   - `AutoScalingOperator`: Manage scaling activities but not configuration
   - `AutoScalingViewer`: Read-only access
4. Alternatively, attach a custom policy that grants only the actions the user requires, for example:
   ```json
   {
     "Version": "1",
     "Statement": [
       {
         "Action": [
           "ess:Describe*",
           "ess:Create*",
           "ess:Delete*"
         ],
         "Resource": "*",
         "Effect": "Allow"
       }
     ]
   }
   ```

**Verification**
- Log in as the affected user
- Navigate to the Auto Scaling resource list (e.g., Scaling Groups)
- Expected behavior: Resources load without `Access denied` errors
- Attempt a non-destructive action (e.g., view scaling activity history) to confirm permissions
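
An offline check of what a policy document in the format above actually grants, useful before attaching it. This is an added example, not part of the original guide or the product's policy engine. It matches on actions only and ignores `Resource` scoping when deciding access; explicit-Deny precedence and case-sensitive matching are assumptions.

```python
import json
from fnmatch import fnmatchcase

# The custom policy shown in the solution above.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ess:Describe*", "ess:Create*", "ess:Delete*"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
""")

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def allows(policy, action):
    """True if an Allow statement matches `action` and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False  # assumption: an explicit Deny takes precedence
            allowed = True
    return allowed

def broad_grants(policy):
    """Wildcard action patterns, other than Describe*, allowed on every resource."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        found += [p for p in _as_list(stmt["Action"])
                  if "*" in p and not p.startswith("ess:Describe")]
    return found
```

Running `broad_grants(POLICY)` on the sample policy reports the `ess:Create*` and `ess:Delete*` patterns, which apply to every resource and are the entries to narrow for users who only need operator or viewer access.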

## FAQ

**Q: How do I know if my password has expired?**  
A: There is no explicit "password expired" message. If you’re certain your password is correct but still get `Invalid username or password`, expiration is likely. Try the password reset flow.

**Q: What permissions are required to manage Auto Scaling users?**  
A: Only users with the `UserManagementAdmin` role or a custom policy granting `ess:UpdateUser`, `ess:UnlockUser`, and `ess:AttachRoleToUser` can manage other users.

**Q: Can I disable the account lockout feature?**  
A: No, the lockout mechanism is a built-in security control and cannot be disabled. However, administrators can adjust the lockout duration via organizational security policies in the Identity & Access Management settings.

**Q: Where can I find login failure logs for auditing?**  
A: Login attempts (success and failure) are recorded in the Audit Logs under **Monitoring > Audit Logs > Authentication Events**. Filter by event type `LoginAttempt`.

**Q: How long does a password reset link remain valid?**  
A: Password reset links expire after 1 hour. If unused, a new request must be submitted.