AWS Systems Manager Inventory cannot be set up if Amazon Inspector is enabled?

0

Hi all

AWS Systems Manager Inventory cannot be set up if Amazon Inspector is enabled? I saw the following error when I tried to set up AWS Systems Manager Inventory:

Multiple apply all associations with document 'AWS-GatherSoftwareInventory' are not supported.

I could see from the AWS Systems Manager State Manager that AWS-GatherSoftwareInventory is already used by the InspectorInventoryCollection-do-not-delete association, which is probably created by Amazon Inspector.

The troubleshooting page (https://docs.aws.amazon.com/systems-manager/latest/userguide/syman-inventory-troubleshooting.html) says "If necessary, you can delete the existing inventory association for all nodes and then create a new one.", but I don't think I can delete this association.

Thanks.

1 Answer
0

You're correct in your observation, and this situation highlights an important interaction between AWS Systems Manager Inventory and Amazon Inspector.

The error message you encountered, "Multiple apply all associations with document 'AWS-GatherSoftwareInventory' are not supported," indicates that there's already an inventory association configured for all nodes in your AWS account and region.

In this case, the existing association is likely the one created by Amazon Inspector, named "InspectorInventoryCollection-do-not-delete". Amazon Inspector automatically creates this association to collect software application inventory, which it needs for its vulnerability scanning functionality.

You're also correct that you shouldn't delete this association, as it's required for Amazon Inspector to function properly. Deleting it could interfere with Inspector's ability to perform its scans.

The good news is that you don't need to set up a separate Systems Manager Inventory collection if Amazon Inspector is already doing it. The inventory data collected by Inspector can be used for general Systems Manager Inventory purposes as well. Both services use the same underlying mechanism to gather inventory data.

If you need to configure additional inventory collection beyond what Inspector is already doing, you have a couple of options:

  1. You can modify the existing Inspector-created association to include additional inventory types or change the collection frequency. However, be cautious with this approach as it might affect Inspector's functionality.

  2. You can create targeted inventory associations for specific instances or groups of instances using tags or instance IDs, rather than trying to create another "all instances" association.

Remember, a managed node can only have one inventory association at a time. The inventory data collected by the Inspector-created association should be available through the Systems Manager Inventory dashboard, so you should still be able to view and use this data for your inventory needs.

Sources
Troubleshooting problems with Systems Manager Inventory - AWS Systems Manager
Scanning Amazon EC2 instances with Amazon Inspector - Amazon Inspector
Using the AWS CLI to configure inventory data collection - AWS Systems Manager

answered 10 months ago
EXPERT
reviewed 10 months ago
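
The check and the targeted alternative discussed in the answer above, as an added example that is not part of the original post or of AWS's own code. It assumes the apply-all association appears in a `list_associations` response with the target `InstanceIds` = `*`; the sample records, IDs, tag and association name `inventory-prod-only` are constructed for illustration.

```python
"""Added example: inspect SSM inventory associations before creating another."""

INVENTORY_DOC = "AWS-GatherSoftwareInventory"


def fetch_inventory_associations(ssm):
    """Page through list_associations for the inventory document (ssm = boto3 SSM client)."""
    flt = [{"key": "Name", "value": INVENTORY_DOC}]
    pages = ssm.get_paginator("list_associations").paginate(AssociationFilterList=flt)
    return [a for page in pages for a in page.get("Associations", [])]


def find_apply_all(associations):
    """Return inventory associations that target every managed node (InstanceIds=*)."""
    hits = []
    for assoc in associations:
        if assoc.get("Name") != INVENTORY_DOC:
            continue
        for target in assoc.get("Targets", []):
            # Assumption: "all nodes" is expressed as Key=InstanceIds, Values=["*"].
            if target.get("Key") == "InstanceIds" and "*" in target.get("Values", []):
                hits.append(assoc)
                break
    return hits


def targeted_request(tag_key, tag_value, association_name):
    """Build create_association arguments scoped to a tag instead of all nodes."""
    return {
        "Name": INVENTORY_DOC,
        "AssociationName": association_name,  # hypothetical name chosen by the caller
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "ScheduleExpression": "rate(1 day)",
        "Parameters": {"applications": ["Enabled"], "networkConfig": ["Enabled"]},
    }


# Constructed sample shaped like a list_associations response (IDs are placeholders).
SAMPLE = [
    {"Name": INVENTORY_DOC, "AssociationId": "00000000-aaaa-bbbb-cccc-000000000001",
     "AssociationName": "InspectorInventoryCollection-do-not-delete",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
    {"Name": "AWS-UpdateSSMAgent", "AssociationId": "00000000-aaaa-bbbb-cccc-000000000002",
     "AssociationName": "agent-update",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
]

if __name__ == "__main__":
    for a in find_apply_all(SAMPLE):
        print("apply-all inventory association exists:", a["AssociationName"])
    print(targeted_request("Environment", "prod", "inventory-prod-only"))
```

With live data, pass `fetch_inventory_associations(boto3.client("ssm"))` to `find_apply_all`, and pass the dictionary from `targeted_request` to `create_association` as keyword arguments.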
