How can I fix the AWS Inspector v2 error "Two state changes cannot be made at the same time."?

0

I cannot enable AWS Inspector v2 - I'm receiving the error message "Two state changes cannot be made at the same time. Wait till current status change completes.". It's been like this for a couple of weeks.

How I got here:

  1. I originally enabled inspector V2 and it generated a ton of findings for old ECR images that I have already patched.

  2. I turned off inspector V2 and went back to classic.

  3. I figured out the various rules/suppressions I wanted to implement in V2.

  4. I tried to re-enable inspector V2 and I've been getting the above error message.

This is happening in two different accounts that I have. Any ideas would be appreciated. We don't currently have a paid support plan, so I don't have a way to file a technical ticket to address this.

Thanks,

Bruce

asked 2 years ago, 342 views
1 Answer
0

I had the same issue - I fixed it by using the AWS CLI. This seems to be a bug in the AWS console. You are able to enable Inspector, but if it gets stuck in a disabling state there is no way to disable it from the UI, because you cannot access Inspector in order to disable it... The command line allows you to send a disable command to Inspector even when the state is disabling.

aws inspector2 enable --region us-east-2 --account-ids 111111111111 --resource-types EC2
{
    "accounts": [],
    "failedAccounts": [
        {
            "accountId": "111111111111",
            "errorCode": "DISABLE_IN_PROGRESS",
            "errorMessage": "Two state changes cannot be made at the same time. Wait till current statu>
            "resourceStatus": {
                "ec2": "DISABLED",
                "ecr": "DISABLED"
            },
            "status": "DISABLE_FAILED"
        }
    ]
}
aws inspector2 disable --region us-east-2 --account-ids 1111111111 --resource-types EC2
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceStatus": {
                "ec2": "DISABLED",
                "ecr": "DISABLED"
            },
            "status": "DISABLING"
        }
    ],
    "failedAccounts": []
}
aws inspector2 enable --region us-east-2 --account-ids 1111111111 --resource-types EC2
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceStatus": {
                "ec2": "ENABLING",
                "ecr": "DISABLED"
            },
            "status": "ENABLING"
        }
    ],
    "failedAccounts": []
}
aws inspector2 batch-get-account-status --region us-east-2 --account-ids 1111111111
{
    "accounts": [
        {
            "accountId": "1111111111",
            "resourceState": {
                "ec2": {
                    "status": "ENABLING"
                },
                "ecr": {
                    "status": "DISABLED"
                }
            },
            "state": {
                "status": "ENABLED"
            }
        }
    ],
    "failedAccounts": []
}
answered 2 years ago
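
The sequence in the answer above (enable is rejected, resend disable from the CLI, enable again, then check the account status) can be scripted. The following is an added example, not code from the original answer or from AWS; the helper names, the retry count and the wait time are assumptions, and it drives the same three `aws inspector2` subcommands shown above.

```python
import json
import subprocess
import time


def run_aws_cli(args):
    """Run `aws inspector2 <args>` and return the parsed JSON response."""
    proc = subprocess.run(["aws", "--output", "json", "inspector2", *args],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def change_state(verb, account_id, region, resource_types, run):
    """Send enable/disable; return the errorCode if the account failed, else None."""
    resp = run([verb, "--region", region, "--account-ids", account_id,
                "--resource-types", *resource_types])
    failed = resp.get("failedAccounts") or []
    return failed[0].get("errorCode", "UNKNOWN") if failed else None


def account_status(account_id, region, run):
    """Return state.status from batch-get-account-status."""
    resp = run(["batch-get-account-status", "--region", region,
                "--account-ids", account_id])
    return resp["accounts"][0]["state"]["status"]


def recover(account_id, region, resource_types=("EC2",), run=run_aws_cli,
            retries=5, wait_seconds=30, sleep=time.sleep):
    """Try enable; if rejected, resend disable and retry enable.

    Returns (steps, final_status); steps is a list of (verb, errorCode or None).
    """
    steps = [("enable", change_state("enable", account_id, region, resource_types, run))]
    if steps[-1][1] is not None:
        # Enable was rejected (the page shows DISABLE_IN_PROGRESS): push the
        # stuck disable through from the CLI, as the answer did.
        steps.append(("disable", change_state("disable", account_id, region, resource_types, run)))
        for _ in range(retries):
            steps.append(("enable", change_state("enable", account_id, region, resource_types, run)))
            if steps[-1][1] is None:
                break
            sleep(wait_seconds)  # retry count and delay are assumptions
        else:
            raise TimeoutError(f"enable still rejected: {steps[-1][1]}")
    return steps, account_status(account_id, region, run)


if __name__ == "__main__":
    print(recover("111111111111", "us-east-2"))  # account ID as on the page
```

Pass a different `run` callable to replay saved CLI responses instead of calling AWS.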
