Why does my instance appear as non-compliant in the Systems Manager Compliance dashboard?

Lesedauer: 6 Minute
0

My Amazon Elastic Compute Cloud (Amazon EC2) instance appears as non-compliant in the AWS Systems Manager Compliance dashboard.

Short description

The Systems Manager Compliance capability provides compliance data for your fleet of managed instances. The compliance status of a managed instance is determined to be compliant or non-compliant based on the following factors:

  • The status of Patch Manager patching
  • The status of State Manager associations
  • If applicable, the status of custom compliance items

To determine the compliance status of an instance, you can view the configuration compliance report. When reviewing the compliance report, identify the Compliance Type for each non-compliant instance.

  • Compliance Type Patch indicates that the instance is non-compliant due to Patch Manager patching.
  • Compliance Type Association indicates that the instance is non-compliant due to State Manager associations.

Note: The prerequisites to get started with Compliance must be met before Systems Manager Compliance can begin reporting compliance data.

The patch compliance status of an instance is updated when a patching document that supports compliance is run. The following SSM patching documents support updating the compliance status:

You can configure patching using the Quick Setup or Patch Manager.

Resolution

Non-compliance based on the status of Patch Manager patching

An instance can appear as non-compliant based on Patch Manager patching for the following reasons:

Patching document didn't run on the instance

The patch document using the Install operation didn't run on the instance after patches were approved according to the instance patch baseline document settings. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Choose the Patch tab, and then review the Patch Summary. If Updates Needed is anything other than 0, your instance is non-compliant because one or more approved patches must be installed.
  2. To determine the patches that must be installed, scroll down, select the search bar, and look for patches with the state set to Missing.
    Note: Each patch in your managed instance is assigned a compliance state value. The value determines the compliance status of that instance.
  3. Run the AWS-RunPatchBaseline document using the Install operation on the non-compliant instance. You can start the patching operation using the Patch now option in the Patch Manager console. Or, you can run the AWS-RunPatchBaseline document either using Run Command or as part of a maintenance window.

Note: The default AWS-RunPatchBaseline settings set auto-approval 7 days from the day that the patch was released. You can also create a custom patch baseline for Windows, macOS, and Linux. For more information, see Working with custom patch baselines.

Patching document ran, but some approved patches failed to install

The AWS-RunPatchBaseline document using the Install operation ran on the instance. However, some of the approved patches failed to install on the instance for reasons specific to the instance. Follow these steps to identify the instance-specific issue:

  1. View the configuration compliance report. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to Failed.
  2. Note the failed patches, and then log in to your instance using SSH or Session Manager.
  3. Review the SSM Agent logs in the instance and the specific operation logs to identify any instance-specific issues.
    Linux-based instances:
    /var/log/amazon/ssm/amazon-ssm-agent.log
    /var/lib/amazon/ssm/InstanceID/document/orchestration/CommandID
    Windows-based instances:
    %PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
    %PROGRAMDATA%\Amazon\PatchBaselineOperations
    Note: Look for a log file named Install-PatchBaselineOperation-date

Note: Patch Manager doesn't provide patches. Instead, Patch Manager orchestrates patching by using the built-in mechanism for each operating system (OS) to install updates on an instance. For example, Patch Manager relies on Windows Update to install patches on instances running Microsoft Windows. Similarly, Patch Manager relies on yum for instances running Amazon Linux 2.

Patch document ran, but the RebootOption parameter is set to NoReboot

The patch document using the Install operation ran on the instance, and all approved patches were successfully installed. However, the RebootOption parameter in the AWS-RunPatchBaseline document is set to NoReboot. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to InstalledPendingReboot.
    Note: The InstalledPendingReboot state holds the instance in non-compliant state until the instance is rebooted and scanned.
  2. Reboot the instance.
  3. Scan the instance and verify that the instance appears as compliant in the Systems Manager Compliance dashboard.

Patch document ran, but some rejected patches were present on the instance

The patch document using the Install operation ran on the instance, and all approved patches were successfully installed. However, some rejected patches were also present on the instance. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Note the Association ID that corresponds to the non-compliant association type for later use.
  2. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to InstalledRejected.
    Note: The InstalledRejected state indicates that a patch was installed before it was added to a list of rejected patches.
  3. Note the rejected patches, and then log in to your instance using SSH or Session Manager.
  4. Remove any rejected patches.

Patch document ran, but it failed

The patch document was initiated on an instance but it failed to run successfully. If the patch process doesn't run successfully on the instance, then compliance for that instance doesn't update.

For more information, see Errors when running AWS-RunPatchBaseline on Linux and Errors when running AWS-RunPatchBaseline on Windows Server.

Non-compliance based on the status of State Manager associations

When a Systems Manager State Manager association is created, a configuration state is defined for the instance. If that state isn't maintained, then the Systems Manager Compliance dashboard reports the instance as non-compliant. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Note the Association ID that corresponds to the non-compliant association type for later use.
  2. From the Systems Manager console, view the association history.
  3. Review the output to understand the reason for the failed association. For more information, see How do I troubleshoot a State Manager association that's stuck in "Failed" or "Pending" status?

AWS-GatherSoftwareInventory document issues

If your instance is non-compliant due to issues running the AWS-GatherSoftwareInventory document, then troubleshoot problems with Systems Manager Inventory.

Monitoring compliance events with AWS CloudTrail

The PutComplianceItems API call is made when new compliance information is added for a custom compliance object or association. The PutInventory API call adds or updates and inventory item if it doesn't exist.

For more information, see Logging Systems Manager API calls with CloudTrail.

AWS OFFICIAL
AWS OFFICIALAktualisiert vor 10 Monaten