AWS Inspector V2 is not detecting nodes for CIS scans.

Question

AWS inspector classic worked fine for CIS benchmarks on our EC2 nodes. Trying to move over to V2 there are issues detecting nodes. All CIS scans currently show no checked resources and 0 checks.

1. I've ensured SSM is working and at the latest versions. Associations status shows success
2. Created necessary VPC Endpoints for SSM, S3, and EC2. 
3. Allowed the proper S3 buckets via region through IAM
3. The correct IAM policies are applied to the nodes( AmazonSSMManagedInstanceCore and AmazonInspector2ManagedCisPolicy) 
4. All the instances are Amazon Linux 2023
5. I've validated the CIS configuration tags exist on the target instances.

I've checked the SSM logs and Inspector logs on the EC2 instances, AWS Inspector doesn't show any helpful errors or output making it hard to troubleshoot further. Any insight or thoughts would be appreciated.

Sunil Punjabi · Answer

Please keep in mind that the CIS standards are intended for x86_64 operating systems.

Reference to documentation: [Click here](https://docs.aws.amazon.com/inspector/latest/user/supported.html#:~:text=CIS%20standards%20are%20intended%20for%20x86_64%20operating%20systems.%20Some%20checks%20may%20not%20be%20evaluated%20or%20return%20invalid%20remediation%20instructions%20on%20ARM%2Dbased%20resources.)

Sunil Punjabi · Answer

Check the CIS scan configuration to verify that target resource tags are correctly defined and present.
**Adding tags to a CIS scan configuration:**
* You can add tags to a CIS scan configuration during creation. For more information, see [Creating a CIS scan configuration.](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html)
* You can also edit a CIS scan configuration to include tags. For more information, see [Editing a CIS scan configuration](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-view-edit-cis-scan-configuration.html).

AWS Inspector V2 is not detecting nodes for CIS scans.

답변 추가

관련 콘텐츠