I'm trying to run a patch scan on EC2 instances managed by AWS Systems Manager. The instances run Ubuntu 24.04.1 LTS and are configured to require IMDSv2. They are assigned a custom IAM role that includes the following policies (among others):
- AmazonSSMManagedEC2InstanceDefaultPolicy
- AmazonSSMManagedInstanceCore
- AWSQuickSetupPatchPolicyBaselineAccess
The output of the scan is:
/usr/bin/python3
/usr/bin/apt-get
Reading package lists...
Building dependency tree...
Reading state information...
python3-apt is already the newest version (2.7.7ubuntu3).
0 upgraded, 0 newly installed, 0 to remove and 35 not upgraded.
Using python binary: 'python3'
Using Python Version: Python 3.12.3
09/24/2024 18:17:25 root [INFO]: Downloading payload from https://s3.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.140.tar.gz
09/24/2024 18:17:25 root [INFO]: Attempting to import entrance file os_selector
09/24/2024 18:17:25 root [ERROR]: Error loading entrance module.
Traceback (most recent call last):
File "/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py", line 202, in execute
entrance_module = __import__(module_name)
^^^^^^^^^^^^^^^^^^^^^^^
File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 11, in <module>
import common_os_selector_methods
File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 12, in <module>
from patch_common.baseline_override import load_baseline_override
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/baseline_override.py", line 6, in <module>
from patch_common.downloader import download_file, load_json_file, is_access_denied
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/downloader.py", line 14, in <module>
from patch_common.client_selector import get_default_client
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/client_selector.py", line 2, in <module>
import boto3
File "/var/log/amazon/ssm/patch-baseline-operations/boto3/__init__.py", line 16, in <module>
from boto3.session import Session
File "/var/log/amazon/ssm/patch-baseline-operations/boto3/session.py", line 17, in <module>
import botocore.session
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/session.py", line 28, in <module>
import botocore.configloader
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/configloader.py", line 19, in <module>
from botocore.compat import six
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/compat.py", line 26, in <module>
from urllib3 import exceptions
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/__init__.py", line 8, in <module>
from .connectionpool import (
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py", line 11, in <module>
from .exceptions import (
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/exceptions.py", line 2, in <module>
from .packages.six.moves.http_client import (
ModuleNotFoundError: No module named 'urllib3.packages.six.moves'
09/24/2024 18:17:25 root [ERROR]: No module named 'urllib3.packages.six.moves'
Traceback (most recent call last):
File "/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py", line 202, in execute
entrance_module = __import__(module_name)
^^^^^^^^^^^^^^^^^^^^^^^
File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 11, in <module>
import common_os_selector_methods
File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 12, in <module>
from patch_common.baseline_override import load_baseline_override
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/baseline_override.py", line 6, in <module>
from patch_common.downloader import download_file, load_json_file, is_access_denied
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/downloader.py", line 14, in <module>
from patch_common.client_selector import get_default_client
File "/var/log/amazon/ssm/patch-baseline-operations/patch_common/client_selector.py", line 2, in <module>
import boto3
File "/var/log/amazon/ssm/patch-baseline-operations/boto3/__init__.py", line 16, in <module>
from boto3.session import Session
File "/var/log/amazon/ssm/patch-baseline-operations/boto3/session.py", line 17, in <module>
import botocore.session
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/session.py", line 28, in <module>
import botocore.configloader
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/configloader.py", line 19, in <module>
from botocore.compat import six
File "/var/log/amazon/ssm/patch-baseline-operations/botocore/compat.py", line 26, in <module>
from urllib3 import exceptions
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/__init__.py", line 8, in <module>
from .connectionpool import (
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py", line 11, in <module>
from .exceptions import (
File "/var/log/amazon/ssm/patch-baseline-operations/urllib3/exceptions.py", line 2, in <module>
from .packages.six.moves.http_client import (
ModuleNotFoundError: No module named 'urllib3.packages.six.moves'
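And the error output is as follows (the SyntaxWarning lines are only warnings; the failure messages are the ModuleNotFoundError in the traceback above and the final "No IMDS credentials found on instance" line):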
/var/log/amazon/ssm/patch-baseline-operations/patch_common/constant_repository.py:211: SyntaxWarning: invalid escape sequence '\d'
CVE_PATTERN = "CVE-\d{4}-\d{4,7}"
/var/log/amazon/ssm/patch-baseline-operations/patch_common/constant_repository.py:212: SyntaxWarning: invalid escape sequence '\d'
KERNEL_PATTERN = "kernel-[\d.]*-.*" # already querying for kernel so just need a loose match
/var/log/amazon/ssm/patch-baseline-operations/patch_common/constant_repository.py:213: SyntaxWarning: invalid escape sequence '\d'
KERNEL_LIVEPATCH_PATTERN = "kernel-livepatch-[\d.]*-.*" # already querying for kernel livepatch so a loose match
No IMDS credentials found on instance.
failed to run commands: exit status 156
Despite the "No IMDS credentials found" message, the instance does have an IAM role assigned, and that role has these policies attached (among others): AmazonSSMManagedEC2InstanceDefaultPolicy, AmazonSSMManagedInstanceCore, AWSQuickSetupPatchPolicyBaselineAccess