Why is Amazon Inspector not scanning my Amazon EC2 instances?

5 minute read

I turned on Amazon Inspector but it's not scanning my Elastic Compute Cloud (Amazon EC2) instance. The Amazon Inspector dashboard status is "Unmanaged EC2 instance", "Unsupported OS", "Internal Error", "Pending initial scan" or "No Inventory".

Short description

Amazon Inspector uses AWS Systems Manager and the AWS Systems Manager Agent (SSM Agent) to scan software applications installed on your Amazon EC2 instances. The telemetry data collected by the SSM agent is then scanned by Amazon Inspector for software vulnerabilities. You can use the Amazon Inspector dashboard to monitor the status for your Amazon EC2 instances. For more information, see Scanning Amazon EC2 instances with Amazon Inspector.

If Amazon Inspector isn't scanning your Amazon EC2 instances, make sure that the:

SSM Agent is up to date.
Amazon EC2 instance is running.
Operating system is supported.
Connectivity to Systems Manager is configured.
Systems Manager associations and software application are configured.

Resolution

Check the SSM Agent version

Amazon Inspector must have the SSM Agent running to scan Amazon EC2 instances. If you are using an earlier version of the SSM Agent, then you might need to update it to successfully scan Amazon EC2 instances. It's a best practice to automate the process of updating the SSM Agent. For instructions, see Automatically updating SSM Agent.

To update the SSM Agent manually, subscribe to SSM Agent notifications. Then, update the SSM Agent using Run Command. You can also subscribe to SSM Agent release notes on the GitHub website.

Check that the Amazon EC2 instance is running

The "EC2 instance stopped" status means that Amazon Inspector paused scanning for the instance because the instance is in a stopped state. Any existing findings persist until the instance is terminated. If the instance is restarted, Amazon Inspector automatically resumes scanning for the instance. To restart an Amazon EC2 instance, see Stop and start your instances.

Check that the operating system is supported

The "Unsupported OS" status means that the Amazon EC2 instance uses an operating system or architecture that Amazon Inspector doesn't support. For a table that lists the supported operating systems for scanning EC2 instances, see Supported operating systems: Amazon EC2 scanning.

To check your operating system version, follow these steps for Linux or Windows:

Linux OS

Run the following command:

cat /etc/os-release
lsb_release -a
hostnamectl

Windows OS

Choose the Windows logo key + R, enter msinfo32 in the Open box, and then choose OK.

Check connectivity to Systems Manager

Note: If your Amazon EC2 instance doesn't appear in the Systems Manager console, then additional configuration might be required. For more information, see Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager?

Open the Systems Manager console in the same Region as Amazon Inspector and your Amazon EC2 instance.
In the navigation pane, choose Fleet Manager.
In Managed nodes, check the SSM Agent ping status. If the status is Online, then your Amazon EC2 instance is connected to the SSM Agent.

If the SSM Agent ping status is Connection Lost, then make sure that your Amazon EC2 instance meets the Systems Manager prerequisites. If you're using SSM Agent version 3.1.501.0 or higher, you can use the ssm-cli command line tool for further diagnosing and troubleshooting. For instructions, see Troubleshooting Amazon EC2 managed instance availability using ssm-cli.

You can also run the AWSSupport-TroubleshootManagedInstance Systems Manager Automation document to confirm whether the instance meets the prerequisites to be listed as a managed instance. For more information, see AWSSupport-TroubleshootManagedInstance.

Check the Systems Manager associations and software application

Amazon Inspector requires a Systems Manager State Manager association in your account to collect the software application inventory. Amazon Inspector automatically creates an association called InspectorInventoryCollection-do-not-delete. The "No inventory" status means that Amazon Inspector couldn't find the software application inventory to scan for your Amazon EC2 instance.

Check the associations status

Open the Systems Manager console in the same Region as Amazon Inspector and your Amazon EC2 instance.
In the navigation pane, choose State Manager.
In Associations, make sure that the InspectorInventoryCollection-do-not-delete association exists and the Status is Success.
If the InspectorInventoryCollection-do-not-delete association doesn't exist, then run the AWS-GatherSoftwareInventory document on all Amazon EC2 instances. Choose the Association id for the Amazon EC2 instance that didn't scan, and then choose the Execution history tab for more details.
If the InspectorInventoryCollection-do-not-delete association Status is Failed, choose the Association id, and then choose Apply association now.
Check the InspectorInventoryCollection-do-not-delete association Status again to confirm that it changed from Failed to Success.

Note: For Windows, the Amazon Inspector SSM plugin is required to scan Windows EC2 instances. When EC2 scanning is activated, Amazon Inspector creates the new SSM associations InspectorDistributor-do-not-delete, InspectorInventoryCollection-do-not-delete, and InvokeInspectorSsmPlugin-do-not-delete for your Windows resources. If any of these associations Status is Failed, try reapplying the association. If the InspectorSsmPlugin.exe file is deleted, the InspectorDistributor-do-not-delete SSM association will reinstall the plugin at the next Windows scan. For more information, see Scanning Windows EC2 instances with Amazon Inspector.

Verify that the software application exists in the node

Make sure that there are software packages in the inventory for your Amazon EC2 instance.

Open the Systems Manager console in the same Region as Amazon Inspector and your Amazon EC2 instance.
In the navigation pane, choose Fleet Manager.
In Managed nodes, choose your Node ID, and then choose the Inventory tab to check for software applications.

Check the software application inventory rate

It's a best practice to set the inventory collection rate to run every 30 minutes. Edit the InspectorInventoryCollection-do-not-delete association and set the cron expression rate for 30 minutes.

Related information

Assessing Amazon Inspector coverage of your AWS environment

How do I set up Amazon Inspector Classic to run security assessments on my Amazon EC2 instances?

Topics

Security, Identity, & Compliance

Relevant content

Prevent AWS inspector scanning AWS ec2 instance from autoscaling groups
rePost-User-5873557
asked a year ago
AWS Inspector CVE Scanning
Shivkumar
asked 9 days ago
Amazon Inspector Agent over Amazon Linux 2023
mr
asked 4 months ago
Amazon Inspector - Agent Status UNKNOWN
swan
asked 2 years ago
Why does Inspector not scan my instances?
chubbsondubs
asked 2 years ago
How do I install AWS Systems Manager Agent (SSM Agent) on an Amazon EC2 Windows instance at launch?
AWS OFFICIALUpdated a year ago
How do I push Systems Manager SSM Agent logs to CloudWatch?
AWS OFFICIALUpdated 3 years ago
Why can't I start SSM Agent on my Amazon EC2 Windows instance?
AWS OFFICIALUpdated 6 months ago
How do I use SSM Agent logs to troubleshoot issues with SSM Agent in my managed instance?
AWS OFFICIALUpdated a year ago
Support Automation Workflow (SAW) Runbook: Troubleshoot AWS Systems Manager Session Manager
EXPERT
Maya Karalic
published a year ago