Amazon Inspector - Agent Status UNKNOWN

0

Followed the instructions here https://docs.aws.amazon.com/inspector/latest/userguide/inspector_applications.html

When I click the "Preview Target" button, only 6/34 of our instances say HEALTHY. The rest say UNKNOWN.

Will I have to install it on all of these manually?

swan
asked 2 years ago · 1728 views
4 Answers
0

Are you using Inspector Classic or Inspector v2? If using Inspector v2 then as long as you have the SSM agent installed it will work.

AWS
answered 2 years ago
  • Looks like I'm running classic. Apparently those are the instructions I found while searching. Before enabling Inspector we didn't have any agents of either type installed. Bummer the automated install didn't work on most of them.

0

Check the output of the IAM role check - even though it shows 'Succeeded' what that means is that the check succeeded, NOT that the settings are necessarily correct. I had the same issue and found that the EC2 Instance Role used by the EC2 instance was missing the AmazonSSMManagedInstanceCore permissions policy.

AWS
answered 2 years ago
  • Thanks Alex. I replied in an answer because it does not look like you can format a comment/reply.

0

Switched to version 2 and 29/35 instances aren't being scanned. I checked and the SSM agent is installed via Snap (Ubuntu 18.04).

Under Inspector > Settings > Account Management > Instances > Not Scanning > Reason it says Unmanaged Ec2 instance.

When I hover over the reason it says "This EC2 instance is not managed by SSM. Please follow these instructions to remediate the issue."

I click on the instructions and it brings me to AWS Systems Manager > Automation > Execute

Document name: AWSSupport-TroubleshootManagedInstance
Document version: $DEFAULT
Document description: AWSSupport-TroubleshootManagedInstance
This automation document checks if the instance meets the prerequisites for EC2 instances to come up as SSM managed instances. This document runs checks related to VPC configuration like security group rules, VPC endpoints, Network ACL configuration, route table and whether an IAM role is attached or not. At the end, it shares information about the SSM Agent troubleshooting kit, which can be downloaded and run on the instances to check OS-level issues related to the SSM agent. Supports both Windows and Linux.

I add one of the instance ids and execute this document. I get a success from all of the steps. Now what are my next steps since all of those passed?

Execution status
Overall status: Success
All executed steps: 11
Succeeded: 11
Failed: 0
Cancelled: 0
TimedOut: 0
swan
answered 2 years ago
0

Thanks for the reply Alex, and good advice. Here is the output of the CheckInstanceIAM step:

OutputPayload
{"Payload":{"output":"5. Checking if Instance Profile is attached : 
 PASSED: Found Instance profile attached to the Instance: arn:aws:iam::(redacted):instance-profile/(redacted). AWS Managed policy,AmazonEC2RoleforSSM is attached to the Instance profile."}}

The role on this instance is called "AmazonEC2RoleforSSM", here is the service list:

CloudWatch: Limited: Write (All resources)
CloudWatch Logs: Limited: List, Write (All resources)
Directory Service: Limited: List, Write (All resources)
EC2: Limited: List (All resources)
EC2 Messages: Full access (All resources)
S3: Limited: List, Read, Write (All resources)
SSM Messages: Full access (All resources)
Systems Manager: Limited: List, Read, Write (All resources)

I clicked on "Attach Policies" to compare these permissions to the ones you specified (AmazonSSMManagedInstanceCore). It looks like all those permissions are already attached to the instances with the existing AmazonEC2RoleforSSM policy.

EC2 Messages: Full access (All resources)
SSM Messages: Full access (All resources)
Systems Manager: Limited: List, Read, Write (All resources)
swan
answered 2 years ago
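The diagnosis Alex's answer points at (an IAM check that "succeeds" without the right policy actually being present) and the "Unmanaged EC2 instance" reason from the later answer can be turned into a small triage function. This is an added example, not code from the thread or from AWS; the instance-to-policy map and the SSM instance records are constructed to mirror the shape of the DescribeInstanceInformation and ListAttachedRolePolicies responses, and the policy names are the two discussed in the thread.

```python
# Added example (not from the thread): classify why EC2 instances do not show
# as SSM managed. Inputs are constructed samples shaped like the output of
# ssm:DescribeInstanceInformation and iam:ListAttachedRolePolicies; in practice
# you would fill them from those API calls.

# Managed policies that carry the permissions the SSM agent needs. The thread
# treats AmazonEC2RoleforSSM as equivalent to AmazonSSMManagedInstanceCore.
SSM_CORE_POLICIES = {"AmazonSSMManagedInstanceCore", "AmazonEC2RoleforSSM"}

# Constructed sample: instance id -> managed policy names on its instance
# profile role (None means no instance profile is attached at all).
INSTANCE_PROFILE_POLICIES = {
    "i-0aaa": ["AmazonSSMManagedInstanceCore"],
    "i-0bbb": ["AmazonEC2RoleforSSM"],
    "i-0ccc": ["CloudWatchAgentServerPolicy"],
    "i-0ddd": None,
}

# Constructed sample of DescribeInstanceInformation records (instances the
# agent has ever registered). PingStatus values are Online/ConnectionLost/Inactive.
SSM_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb", "PingStatus": "ConnectionLost"},
]


def classify(instance_id, policies, ssm_info):
    """Return a short reason string for one instance."""
    ping = {r["InstanceId"]: r["PingStatus"] for r in ssm_info}
    status = ping.get(instance_id)
    if status == "Online":
        return "managed"
    if policies is None:
        return "no instance profile attached"
    if not SSM_CORE_POLICIES.intersection(policies):
        return "instance profile lacks an SSM policy (attach AmazonSSMManagedInstanceCore)"
    if status is None:
        # IAM looks right but the agent never registered: the situation in the
        # thread. Next stop is the agent itself, VPC endpoints/egress, or the
        # AWSSupport-TroubleshootManagedInstance runbook output.
        return "IAM ok but agent never registered with SSM"
    return f"IAM ok, agent registered but PingStatus={status}"


def classify_all(profile_policies, ssm_info):
    """Map every instance id to its reason string."""
    return {iid: classify(iid, pol, ssm_info) for iid, pol in profile_policies.items()}


if __name__ == "__main__":
    for iid, reason in classify_all(INSTANCE_PROFILE_POLICIES, SSM_INSTANCE_INFO).items():
        print(iid, "->", reason)
```

The point is that "Succeeded" on a runbook step only tells you the step ran; separating "no policy" from "policy present but agent never checked in" is what tells you whether to fix IAM or go look at the agent and network path.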
