How can I fix the AWS Inspector v2 error "Two state changes cannot be made at the same time."?

0

I cannot enable AWS Inspector v2 - I'm receiving the error message "Two state changes cannot be made at the same time. Wait till current status change completes.". It's been like this for a couple of weeks.

How I got here:

  1. I originally enabled inspector V2 and it generated a ton of findings for old ECR images that I have already patched.

  2. I turned off inspector V2 and went back to classic.

  3. I figured out the various rules/suppressions I wanted to implement in V2.

  4. I tried to re-enable inspector V2 and I've been getting the above error message.

This is happening in two different accounts that I have. Any ideas would be appreciated. We don't currently have a paid support plan, so I don't have a way to file a technical ticket to address this.

Thanks,

Bruce

asked 2 years ago · 347 views
1 Answer
0

I had the same issue - I fixed it by using the AWS CLI. This seems to be a bug in the AWS console. You are able to enable Inspector, but if it gets stuck in a disabling state there is no way to disable it from the UI because you cannot access Inspector in order to disable it... The command line allows you to send a disable command to Inspector even when the state is disabling.

```
aws inspector2 enable --region us-east-2 --account-ids 111111111111 --resource-types EC2
{
    "accounts": [],
    "failedAccounts": [
        {
            "accountId": "111111111111",
            "errorCode": "DISABLE_IN_PROGRESS",
            "errorMessage": "Two state changes cannot be made at the same time. Wait till current statu>
            "resourceStatus": {
                "ec2": "DISABLED",
                "ecr": "DISABLED"
            },
            "status": "DISABLE_FAILED"
        }
    ]
}
aws inspector2 disable --region us-east-2 --account-ids 1111111111 --resource-types EC2
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceStatus": {
                "ec2": "DISABLED",
                "ecr": "DISABLED"
            },
            "status": "DISABLING"
        }
    ],
    "failedAccounts": []
}
aws inspector2 enable --region us-east-2 --account-ids 1111111111 --resource-types EC2
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceStatus": {
                "ec2": "ENABLING",
                "ecr": "DISABLED"
            },
            "status": "ENABLING"
        }
    ],
    "failedAccounts": []
}
aws inspector2 batch-get-account-status --region us-east-2 --account-ids 1111111111
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceState": {
                "ec2": {
                    "status": "ENABLING"
                },
                "ecr": {
                    "status": "DISABLED"
                }
            },
            "state": {
                "status": "ENABLED"
            }
        }
    ],
    "failedAccounts": []
}
```
answered 2 years ago
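The sequence in the answer above (enable, re-send disable when the error code is DISABLE_IN_PROGRESS, enable again, then check the account status), as an added Python example that is not part of the original answer. The helper names `recover` and `stuck_disabling`, the retry count and the delay are hypothetical; it assumes the AWS CLI is installed with credentials that may call `inspector2`.

```python
import json
import subprocess
import time

# Constructed sample, abridged from the failed `enable` output in the answer.
SAMPLE_STUCK = {"accounts": [], "failedAccounts": [
    {"accountId": "111111111111", "errorCode": "DISABLE_IN_PROGRESS",
     "status": "DISABLE_FAILED"}]}

def aws_inspector2(action, region, account_id, resource_types=()):
    """Run one `aws inspector2` subcommand used in the answer; return parsed JSON."""
    cmd = ["aws", "inspector2", action, "--region", region,
           "--account-ids", account_id, "--output", "json"]
    if resource_types:
        cmd += ["--resource-types", *resource_types]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def stuck_disabling(response, account_id):
    """True when the call failed for this account with DISABLE_IN_PROGRESS."""
    return any(f.get("accountId") == account_id
               and f.get("errorCode") == "DISABLE_IN_PROGRESS"
               for f in response.get("failedAccounts", []))

def recover(region, account_id, resource_types, call=aws_inspector2,
            wait=time.sleep, tries=5, delay=30):
    """Enable; on DISABLE_IN_PROGRESS re-send disable and retry (hypothetical helper)."""
    steps = []
    for _ in range(tries):
        resp = call("enable", region, account_id, resource_types)
        steps.append("enable")
        if not resp.get("failedAccounts"):
            break
        if not stuck_disabling(resp, account_id):
            raise RuntimeError(f"enable failed: {resp['failedAccounts']}")
        call("disable", region, account_id, resource_types)
        steps.append("disable")
        wait(delay)
    else:
        raise TimeoutError("still DISABLE_IN_PROGRESS after retries")
    # Poll until the account-level state settles; per-resource state may lag.
    for _ in range(tries):
        acct = call("batch-get-account-status", region, account_id)["accounts"][0]
        if acct["state"]["status"] == "ENABLED":
            return steps, {k: v["status"] for k, v in acct["resourceState"].items()}
        wait(delay)
    raise TimeoutError("account did not reach ENABLED")
```

Any failure other than DISABLE_IN_PROGRESS raises instead of triggering a disable, so an unrelated error never turns scanning off.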
