Inspector SSM Plugin can't retrieve SSM parameter


I recently enabled Amazon Inspector. Upon reviewing the instances in Inspector settings, I noticed that all of them were in state "Actively monitoring with partial errors: Actively monitoring, but deep inspection has no inventory". Digging in, I found that the InvokeInspectorLinuxSsmPlugin-do-not-delete SSM State Manager association was erroring. Looking at the logs for one of the runs, I saw the following error printed:

Inspector ssm plugin did not run successfully

I was able to find logs for that run at /var/log/amazon/inspector/scitor.log.2023-10-03-22, which contained the following:

Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/main.go:44 main.execCmd(): Version: 1.0.843.0
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/main.go:45 main.execCmd(): UTC Build Time: 2023-09-25T16:10:43+0000
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/cmd/bpm.go:59 golang.a2z.com/inspectorssmplugin/cmd.ExecBpmScan(): bpm scan started
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/identity/identity.go:44 golang.a2z.com/inspectorssmplugin/identity.NewIdentity(): ec2 metadata region=us-east-2 instance-id=i-058b50dba1cd4a8ef instance-type=t3.medium
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/identity/identity.go:82 golang.a2z.com/inspectorssmplugin/identity.(*Identity).Credentials(): use ec2 role provider for credentials
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:323 golang.a2z.com/inspectorssmplugin/cmd.getParameterValueFromSsm(): failed to retrieve parameter or parameter doesn't exist, parameterName=[/inspector-aws/service/inspector-linux-application-paths]
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:73 golang.a2z.com/inspectorssmplugin/cmd.ExecBpmScan(): error in deep scan paths retrieval from ssm store: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: 2c843c16-666f-4518-97ef-d1f7f47d6e6e, api error AccessDeniedException: User: arn:aws:sts::XXXXX:assumed-role/XXXXX/i-XXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:XXXXX:parameter/inspector-aws/service/inspector-linux-application-paths because no identity-based policy allows the ssm:GetParameter action
Tue Oct 03 22:54:43 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/appconfig/appconfig.go:144 golang.a2z.com/inspectorssmplugin/appconfig.CleanupLogs(): logs cleanup started
Tue Oct 03 22:54:43 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/appconfig/appconfig.go:166 golang.a2z.com/inspectorssmplugin/appconfig.CleanupLogs(): number of log files 6 is less than or equal the limit 7
Tue Oct 03 22:54:43 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/appconfig/appconfig.go:169 golang.a2z.com/inspectorssmplugin/appconfig.CleanupLogs(): logs cleanup completed

I redacted some parts of the assumed role and account ID.

My understanding is that "Default Host Management Configuration" for SSM should ensure that things work without explicitly adding anything SSM-related to my roles. Indeed, that's been the case - SSM has been working great. I will note that the Inspector setup docs (https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html) mention configuring a role for SSM, but the page it links to (https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html) is exactly where "Default Host Management Configuration" is described, so I would expect that to work instead of having to ignore the "Recommended configuration" and use the "Alternative configuration" instead.

This looks similar to https://repost.aws/questions/QUH3GbwkeWTVWRoy_jH91XAg/inspector-ssm-plugin-not-allowed-to-ssm-getparameter, but that doesn't make any mention of Default Host Management Configuration.
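The AccessDeniedException line in the quoted scitor.log carries everything needed for triage: the assumed role that made the call, the denied action, the exact parameter ARN, and the reason ("no identity-based policy allows ..."), which points at the instance profile role rather than at a resource policy or SCP. The script below is an added example, not code from the question or from AWS: it parses lines in the log format quoted above, pulls those fields out, and renders the least-privilege statement that would cover exactly the denied call. The sample log is constructed with placeholder account, role and instance ids; whether Default Host Management Configuration should already grant this is the open question of the post, and the script does not settle it.

```python
import json
import re

# Constructed sample, modelled on the scitor.log lines quoted in the question.
# Account id, role name, instance id and request id are placeholders.
SAMPLE_LOG = """\
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [INFO] MandoSecurityContentEvaluator/cmd/bpm.go:59 golang.a2z.com/inspectorssmplugin/cmd.ExecBpmScan(): bpm scan started
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:323 golang.a2z.com/inspectorssmplugin/cmd.getParameterValueFromSsm(): failed to retrieve parameter or parameter doesn't exist, parameterName=[/inspector-aws/service/inspector-linux-application-paths]
Tue Oct 03 22:54:42 2023 UTC scitor 7356-0@ip-10-0-0-201.us-east-2.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:73 golang.a2z.com/inspectorssmplugin/cmd.ExecBpmScan(): error in deep scan paths retrieval from ssm store: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000000, api error AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ExampleInstanceRole/i-0123456789abcdef0 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:111122223333:parameter/inspector-aws/service/inspector-linux-application-paths because no identity-based policy allows the ssm:GetParameter action
"""

# The standard AWS authorization-failure message: principal, action, resource, reason.
ACCESS_DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+) because (?P<reason>.*)"
)

# STS assumed-role ARN as it appears for an EC2 instance profile: the session
# name is the instance id, the middle segment is the IAM role to inspect.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d+):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def triage(log_text):
    """Return one dict per AccessDeniedException found in scitor-style log text."""
    denials = []
    for line in log_text.splitlines():
        if "[ERROR]" not in line:
            continue
        m = ACCESS_DENIED_RE.search(line)
        if not m:
            continue  # an ERROR line that is not an authorization failure
        d = m.groupdict()
        r = ASSUMED_ROLE_RE.match(d["principal"])
        if r:
            d.update(r.groupdict())  # account, role, session
        d["identity_side"] = d["reason"].startswith("no identity-based policy")
        denials.append(d)
    return denials


def least_privilege_policy(denials):
    """Build an IAM policy allowing only the denied (action, resource) pairs, deduplicated."""
    seen = set()
    statements = []
    for d in denials:
        key = (d["action"], d["resource"])
        if key in seen:
            continue
        seen.add(key)
        statements.append({
            "Sid": "Allow" + re.sub(r"[^A-Za-z0-9]", "", d["action"]),
            "Effect": "Allow",
            "Action": d["action"],
            "Resource": d["resource"],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(denials):
    """Serialise the policy for pasting into a role review or IaC template."""
    return json.dumps(least_privilege_policy(denials), indent=2)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for d in found:
        print(f"role={d.get('role')} instance={d.get('session')} "
              f"denied={d['action']} on {d['resource']} identity_side={d['identity_side']}")
    print(policy_json(found))
```

Run it against a real file with `triage(open("/var/log/amazon/inspector/scitor.log.<date>").read())`; the `role` field names the instance profile role whose attached policies should be reviewed, and `identity_side` being true confirms the deny came from the absence of an identity policy rather than from a parameter resource policy or an organization SCP. The generated statement is scoped to the single parameter ARN the plugin asked for, which is the narrowest grant that matches the log; whether that grant belongs on the role or should have come from Default Host Management Configuration is the question the post leaves open.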

No Answers
