
Why doesn't Amazon Inspector scan my Amazon EC2 instances?


I want Amazon Inspector to scan my Amazon Elastic Compute Cloud (Amazon EC2) instance, but it doesn’t seem to work.

Short description

If you get one of the following status messages, then Amazon Inspector didn't scan your Amazon EC2 instance: "EC2 instance stopped", "Unmanaged EC2 instance", "Unsupported OS", "Internal error", "Pending initial scan", or "No inventory."

Amazon Inspector might not scan your EC2 instances for the following reasons:

  • AWS Systems Manager Agent (SSM Agent) isn't up to date.
  • The EC2 instance isn't in the Running state.
  • The operating system (OS) isn't compatible.
  • Your instance isn't connected to AWS Systems Manager.
  • Amazon Inspector isn't associated with Systems Manager.

You can use the Amazon Inspector dashboard to monitor the status for your instances. For more information, see Scanning Amazon EC2 instances with Amazon Inspector.

Prerequisite: Make sure that the target instance is a managed instance. For more information, see Working with managed nodes.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Update the SSM Agent version

To scan an instance, Amazon Inspector requires a current SSM Agent running on that instance. If the instance has an earlier version of SSM Agent, then update to the latest version. For more information on the latest version, see Releases · aws/amazon-ssm-agent on the GitHub website. It's a best practice to configure Systems Manager to automatically update SSM Agent.

To manually update SSM Agent, subscribe to SSM Agent notifications so that you know when a new version is released. Then, use Run Command with the AWS-UpdateSSMAgent document to update SSM Agent on the instance. You can also subscribe to SSM Agent release notes on the GitHub website.

Confirm that your instance is in Running status

If your instance is in EC2 instance stopped status, then the instance has stopped, and Amazon Inspector paused the scan. To begin the scan again, start your EC2 instance.

Amazon Inspector keeps the previous scan results while the EC2 instance is stopped. Amazon Inspector scans at the intervals that you specify in the Systems Manager associations. You can modify the scan intervals for Linux instances and Windows instances.

Check that Amazon Inspector supports the OS

If your instance is in Unsupported OS status, then Amazon Inspector doesn't support the OS that the instance uses.

To check your Linux distribution and version, run one of the following commands:

cat /etc/os-release
lsb_release -a
hostnamectl

For Windows, search for System Information and then open the application. Then, check the list of supported operating systems to scan instances to determine whether Amazon Inspector supports your OS.

Confirm that you connected your instance to Systems Manager

If your instance doesn't appear on the Systems Manager console, then run the AWSSupport-TroubleshootManagedInstance runbook to automatically identify Systems Manager configuration issues. For more information, see Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?

To manually check your instance's connection to Systems Manager, complete the following steps:

  1. Open the Systems Manager console in the same AWS Region as Amazon Inspector and your instance.
  2. Choose Fleet Manager.
  3. In Managed nodes, check the SSM Agent ping status.
    If the status is Online, then your instance is connected to SSM Agent.
    If the SSM Agent ping status is Connection Lost, then make sure that your instance meets the Systems Manager prerequisites. To determine the issue and troubleshoot, run the ssm-cli get-diagnostics command on the instance. On Windows:
    ssm-cli.exe get-diagnostics --output table
    On Linux, the binary is installed at /usr/bin/ssm-cli and must run with root privileges (for example, through sudo).

Check that you associated Amazon Inspector with Systems Manager

To gather software application inventory, Amazon Inspector requires an association with State Manager, a capability of Systems Manager, in your AWS account. If you get the No inventory status, then Amazon Inspector didn't find the software application inventory to scan your instance.

To check that you associated Amazon Inspector and State Manager, complete the following steps:

  1. Open the Systems Manager console in the same Region as Amazon Inspector and your instance.
  2. Choose State Manager.
  3. In Associations, make sure that the InspectorInventoryCollection-do-not-delete association exists and Status is Success.
  4. If the InspectorInventoryCollection-do-not-delete association doesn't exist, then run the AWS-GatherSoftwareInventory SSM document on your instances. Choose the Association id for the instance that didn't scan, and then choose the Execution history tab for more details.
  5. If the InspectorInventoryCollection-do-not-delete association Status is Failed, then choose the Association id. Then, choose Apply association now. Check the InspectorInventoryCollection-do-not-delete association Status to confirm that it changed from Failed to Success.

Amazon Inspector automatically installs the Amazon Inspector SSM plugin for Windows on your Windows instances. If you activate EC2 scanning, then Amazon Inspector creates new SSM associations for your Windows resources.

The SSM associations include InspectorDistributor-do-not-delete, InspectorInventoryCollection-do-not-delete, and InvokeInspectorSsmPlugin-do-not-delete. If the status for the associations is Failed, then apply the association again.

If the InspectorSsmPlugin.exe file doesn't exist, then the InspectorDistributor-do-not-delete SSM association automatically reinstalls the plugin during the next Windows scan. For more information, see Scanning Amazon EC2 instances with Amazon Inspector.

Check that the node has a software application inventory

Complete the following steps:

  1. Open the Systems Manager console in the same Region as Amazon Inspector and your instance.
  2. Choose Fleet Manager.
  3. In Managed nodes, choose your Node ID.
  4. Choose the Inventory tab to check for software applications in your instance's inventory.

It's a best practice to set the inventory collection rate to run every 30 minutes. To optimize inventory collection, edit the InspectorInventoryCollection-do-not-delete association and set its schedule expression to rate(30 minutes).
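The sections above tell you which console pages to look at (instance state, Fleet Manager ping status, SSM Agent version, and the State Manager inventory association). The following script, an added example that is not AWS code, automates the same checks against the parsed JSON of three AWS CLI calls: aws ec2 describe-instances, aws ssm describe-instance-information, and aws ssm describe-instance-associations-status --instance-id <id>. The field names (State.Name, PingStatus, IsLatestVersion, AssociationName, Status, DetailedStatus) are the real response fields; the sample responses, instance IDs, and agent version strings embedded at the bottom are constructed so that the script runs offline.

```python
"""
Offline triage of the checks this article walks through. Added example, not
AWS code. It takes the parsed JSON of three CLI calls (ec2 describe-instances,
ssm describe-instance-information, ssm describe-instance-associations-status)
and reports, in the article's order, every reason Amazon Inspector would not
scan the instance. The sample responses at the bottom are constructed.
"""
from typing import List, Optional, Tuple

INVENTORY_ASSOCIATION = "InspectorInventoryCollection-do-not-delete"


def instance_state(ec2_resp: dict, instance_id: str) -> str:
    """State.Name from describe-instances, or 'not-found' if absent."""
    for reservation in ec2_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") == instance_id:
                return inst["State"]["Name"]
    return "not-found"


def ssm_record(ssm_resp: dict, instance_id: str) -> Optional[dict]:
    """The InstanceInformationList entry for the instance, if SSM manages it."""
    for rec in ssm_resp.get("InstanceInformationList", []):
        if rec.get("InstanceId") == instance_id:
            return rec
    return None


def association_status(assoc_resp: dict, name: str) -> Tuple[Optional[str], Optional[str]]:
    """(Status, DetailedStatus) of a named association on this instance."""
    for info in assoc_resp.get("InstanceAssociationStatusInfos", []):
        if info.get("AssociationName") == name:
            return info.get("Status"), info.get("DetailedStatus")
    return None, None


def triage(instance_id: str, ec2_resp: dict, ssm_resp: dict, assoc_resp: dict) -> List[str]:
    """Return the article's status messages that apply, each with its fix."""
    findings = []
    state = instance_state(ec2_resp, instance_id)
    if state != "running":
        findings.append(f"EC2 instance stopped: state is '{state}'; start the instance")
    rec = ssm_record(ssm_resp, instance_id)
    if rec is None:
        findings.append("Unmanaged EC2 instance: not in Systems Manager; "
                        "run AWSSupport-TroubleshootManagedInstance")
        return findings  # agent and association checks need a managed node
    if rec.get("PingStatus") != "Online":
        findings.append(f"SSM Agent ping status is {rec.get('PingStatus')}; check the "
                        "Systems Manager prerequisites, then run ssm-cli get-diagnostics")
    if not rec.get("IsLatestVersion", False):
        findings.append(f"SSM Agent {rec.get('AgentVersion')} is not the latest; "
                        "run the AWS-UpdateSSMAgent document")
    status, detail = association_status(assoc_resp, INVENTORY_ASSOCIATION)
    if status is None:
        findings.append(f"No inventory: {INVENTORY_ASSOCIATION} is missing; "
                        "run AWS-GatherSoftwareInventory")
    elif status != "Success":
        findings.append(f"inventory association is {status} ({detail}); "
                        "choose Apply association now")
    return findings


# Constructed sample responses: fake instance IDs and version strings.
HEALTHY, LOST, STOPPED = "i-0f00d000000000001", "i-0f00d000000000002", "i-0f00d000000000003"

SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": HEALTHY, "State": {"Name": "running"}},
    {"InstanceId": LOST, "State": {"Name": "running"}},
    {"InstanceId": STOPPED, "State": {"Name": "stopped"}},
]}]}

SAMPLE_SSM = {"InstanceInformationList": [
    {"InstanceId": HEALTHY, "PingStatus": "Online", "AgentVersion": "3.2.0.0",
     "IsLatestVersion": True, "PlatformType": "Linux"},
    {"InstanceId": LOST, "PingStatus": "ConnectionLost", "AgentVersion": "3.1.0.0",
     "IsLatestVersion": False, "PlatformType": "Windows"},
]}  # STOPPED is deliberately absent: Systems Manager never registered it

SAMPLE_ASSOC = {
    HEALTHY: {"InstanceAssociationStatusInfos": [
        {"AssociationName": INVENTORY_ASSOCIATION, "Name": "AWS-GatherSoftwareInventory",
         "Status": "Success", "DetailedStatus": "Success"}]},
    LOST: {"InstanceAssociationStatusInfos": [
        {"AssociationName": INVENTORY_ASSOCIATION, "Name": "AWS-GatherSoftwareInventory",
         "Status": "Failed", "DetailedStatus": "Failed"}]},
    STOPPED: {"InstanceAssociationStatusInfos": []},
}

if __name__ == "__main__":
    for iid in (HEALTHY, LOST, STOPPED):
        print(iid, triage(iid, SAMPLE_EC2, SAMPLE_SSM, SAMPLE_ASSOC[iid]) or ["scannable"])
```

To run it against a live account, replace the three SAMPLE_* dicts with the return values of boto3's ec2.describe_instances(), ssm.describe_instance_information(), and ssm.describe_instance_associations_status(InstanceId=...) from the same Region as Amazon Inspector. For Windows instances, the same association_status helper can be pointed at InspectorDistributor-do-not-delete and InvokeInspectorSsmPlugin-do-not-delete, which the article says must also be in the Success state.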

Related information

Assessing Amazon Inspector coverage of your AWS environment

How do I set up Amazon Inspector Classic to run security assessments on my Amazon EC2 instances?

2 Comments

It is stated that upon restart of the instance, the scanning by the inspector would be resumed. But one piece of information I cannot find within the documentation is when exactly the individual scan for that restarted instance is triggered. Do I need to wait for the next 24h-scheduled scan of the inspector, as it is only re-added to the discovery list of instances? Or is an individual scan directly triggered by the switch to the running state after the EC2 event has been sent to EventBridge?

In case I overlooked docs that are explicit enough to answer this question, I would be very happy for a hint. :)

Best regards

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago