AWS Inspector V2 and AWS Inspector Classic findings are different


I am using Ubuntu 20.04 EC2 instances and was investigating the difference between AWS Inspector Classic and AWS Inspector V2.

There seemed to be many differences, but the main one was the actual findings.

With Inspector Classic a number of CVEs would be found, while with Inspector V2 the same instance, once scanned, would say No Findings.

Inspector Classic finds 53 CVEs.

The same instance with Inspector V2 just shows No findings.

With Inspector Classic I did attach a rule called Common Vulnerabilities and Exposures-1.1. I'm not sure what Inspector V2 actually checks against either.

During my search to make this work I found that the following Systems Manager association needed to work: InspectorInventoryCollection-do-not-delete. It's working now and shows success for all EC2 instances.

I am unsure if the InvokeInspectorSsmPlugin-do-not-delete association needs to work as well. I'm not quite sure what it is used for, but it shows skipped for all instances, and when I look at the detailed status output on a specific instance it just says InvalidPlatform. Not sure if this is related.

Can Inspector V2 actually be used to check Ubuntu 20.04 CVEs? If so, how? Is there some special IAM or SSM config/setup that needs to be applied?

1 Answer

As per the AWS docs, Ubuntu 20.04 is indeed supported:

Operating system    Version
Ubuntu (Focal)      20.04 (LTS) x86_64, ARM64
Ubuntu (Jammy)      22.04 (LTS) x86_64, ARM64

Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software application inventory of your EC2 instances. This data is then scanned by Amazon Inspector for software vulnerabilities. Therefore, the instance must be a managed instance in Amazon EC2 Systems Manager (SSM). That requires two things:

  • The SSM Agent is installed and running on the instance.
  • The instance has an attached AWS IAM instance profile that allows SSM to manage it. Make sure that IAM role has "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" attached to it.

To troubleshoot, please check the status of the SSM agent:

sudo systemctl status amazon-ssm-agent
# on Ubuntu images where the agent is installed as a snap, the unit is snap.amazon-ssm-agent.amazon-ssm-agent

Once that is done, make sure that the instance is listed as an SSM managed instance in:

"AWS Systems Manager" >> "Node Management" >> "Fleet Manager".

If you're able to see the instance ID listed here, that means the instance is an SSM managed instance. You may also check the associations related to the instance with the following command:

aws ssm list-associations | grep i-0db211234567890

In regard to your specific question related to InvokeInspectorSsmPlugin-do-not-delete SSM association, it runs the Amazon Inspector SSM plug-in at regular intervals to collect instance data and generate Amazon Inspector findings.

To summarize:

  • Ubuntu 20.04 is a supported OS; I replicated the same in my environment and was able to get the findings.
  • Kindly check and confirm if the instance is an SSM managed instance. You can confirm it from "Fleet Manager" in the Systems Manager console. Also check the latest associations.
  • Make sure the role associated with the EC2 instance has at least the "AmazonSSMManagedInstanceCore" and "AmazonSSMPatchAssociation" managed policies attached to it.

If, even after checking the above points, the EC2 instance is still not being scanned, please reach out to us via a Support Case with the AWS Inspector team and we will be able to troubleshoot further.

AWS
answered 2 years ago
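As an added example (not part of the answer above and not an AWS tool), the following Python script checks the three prerequisites the answer lists for one instance: SSM registration and agent ping status, the AmazonSSMManagedInstanceCore policy on the instance role, and the status of the two Inspector associations, using the boto3 calls behind `aws ssm describe-instance-information`, `aws iam list-attached-role-policies` and `aws ssm list-associations`. The instance ID, the role name and the sample API responses are constructed assumptions.

```python
REQUIRED_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
# Association names as they appear in the question above.
INSPECTOR_ASSOCIATIONS = (
    "InspectorInventoryCollection-do-not-delete",
    "InvokeInspectorSsmPlugin-do-not-delete",
)

def evaluate(instance_id, instance_info, attached_policies, associations):
    """Pure check over already-fetched API responses. Returns a list of problem
    strings; an empty list means the SSM prerequisites look satisfied."""
    problems = []
    managed = [i for i in instance_info.get("InstanceInformationList", []) if i.get("InstanceId") == instance_id]
    if not managed:
        problems.append("not an SSM managed instance (agent not running or no instance profile)")
    elif managed[0].get("PingStatus") != "Online":
        problems.append(f"SSM agent PingStatus is {managed[0].get('PingStatus')}")
    arns = {p["PolicyArn"] for p in attached_policies.get("AttachedPolicies", [])}
    if REQUIRED_POLICY not in arns:
        problems.append(f"instance role lacks {REQUIRED_POLICY}")
    by_name = {a.get("AssociationName"): a for a in associations.get("Associations", [])}
    for name in INSPECTOR_ASSOCIATIONS:
        assoc = by_name.get(name)
        if assoc is None:
            problems.append(f"association {name} does not target this instance")
        elif assoc.get("Overview", {}).get("Status") != "Success":
            problems.append(f"association {name} status is {assoc['Overview'].get('Status')}")
    return problems

def check_instance(instance_id, role_name, region=None):
    """Live variant: fetch the three responses with boto3, then evaluate them."""
    import boto3  # imported here so evaluate() stays usable without the SDK installed
    ssm = boto3.client("ssm", region_name=region)
    iam = boto3.client("iam")
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    policies = iam.list_attached_role_policies(RoleName=role_name)
    assocs = ssm.list_associations(
        AssociationFilterList=[{"key": "InstanceId", "value": instance_id}])
    return evaluate(instance_id, info, policies, assocs)

if __name__ == "__main__":
    # Constructed sample: agent online, policy attached, plugin association not yet successful.
    sample_info = {"InstanceInformationList": [{"InstanceId": "i-0db211234567890", "PingStatus": "Online"}]}
    sample_policies = {"AttachedPolicies": [{"PolicyArn": REQUIRED_POLICY}]}
    sample_assocs = {"Associations": [
        {"AssociationName": INSPECTOR_ASSOCIATIONS[0], "Overview": {"Status": "Success"}},
        {"AssociationName": INSPECTOR_ASSOCIATIONS[1], "Overview": {"Status": "Pending"}}]}
    for p in evaluate("i-0db211234567890", sample_info, sample_policies, sample_assocs):
        print("PROBLEM:", p)
```

Run check_instance("i-0db211234567890", "<role name>") with AWS credentials to evaluate a real instance instead of the constructed sample.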
