Why are my EC2 instances not reporting their compliance status to SSM Patch Manager?

0

In SSM Patch Manager, under Compliance Reporting, our Amazon Linux 2 EC2 instances appear but in the 'Compliance status' column say 'Never reported'. The instances appear in Fleet Manager with 'SSM Agent ping status' of 'Online', and I can connect to the instances remotely using SSM start-session.

I've checked all the troubleshooting steps in the docs at Troubleshooting SSM Agent, this article about SSM logs, and Troubleshooting Patch Manager, and everything appears to be set up properly (the instance role has the right permissions, the named servers are reachable, and the instances can reach public S3 buckets via the internet; we're not using a VPC endpoint).

I've also tried restarting the SSM Agent.

In the SSM Agent logs on the instance, I'm seeing:

2022-10-25 00:36:48 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: Amazon SSM Agent v3.1.1732.0 is running
...
2022-10-25 01:15:00 INFO [ssm-agent-worker] [HealthCheck] HealthCheck reporting agent health.
2022-10-25 01:16:48 INFO [ssm-agent-worker] [MessageService] [MessageHandler] started idempotency deletion thread
2022-10-25 01:16:48 WARN [ssm-agent-worker] [MessageService] [MessageHandler] [Idempotency] encountered error open /var/lib/amazon/ssm/i-XXXXXXXXXXXXXXXXX/idempotency: no such file or directory while listing directories in /var/lib/amazon/ssm/i-XXXXXXXXXXXXXXXXX/idempotency
2022-10-25 01:16:48 INFO [ssm-agent-worker] [MessageService] [MessageHandler] ended idempotency deletion thread
2022-10-25 01:16:50 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread started
2022-10-25 01:16:50 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread done
2022-10-25 01:17:05 INFO [ssm-agent-worker] [MessageService] [Association] Schedule manager refreshed with 0 associations, 0 new associations associated
2022-10-25 01:20:00 INFO [ssm-agent-worker] [HealthCheck] HealthCheck reporting agent health.

Any clues why the instances aren't reporting their compliance status to Patch Manager?

What additional steps can I use to troubleshoot this?

2 Answers
0

Hello,

Patch compliance is reported for an instance after AWS-RunPatchBaseline is executed for it, either in scan mode or install mode. Once the patching task is done, ssm-agent uploads the compliance information via the PutInventory API.

Please execute Patch Manager on your instance and then verify the details in the compliance dashboard.

In case of any error during patching, please refer to this link.

Hope this helps.

AWS
SUPPORT ENGINEER
Vinay_S
answered a year ago
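Following the explanation above, here is an added boto3 script (not from the answer or from AWS) that lists the Online managed instances, flags those with no patch state at all, and starts AWS-RunPatchBaseline in Scan mode for them. It relies on describe_instance_patch_states returning no entry for an instance on which the document has never run; the client is passed in as a parameter so the logic can be exercised with a stub.

```python
"""Added example: find SSM-managed instances that show 'Never reported' because
AWS-RunPatchBaseline has never run on them, then start a Scan for those."""

PATCH_DOC = "AWS-RunPatchBaseline"
API_BATCH = 50  # describe_instance_patch_states and send_command take at most 50 IDs


def online_instance_ids(ssm):
    """Instance IDs whose SSM Agent ping status is Online (what Fleet Manager shows)."""
    ids, kwargs = [], {"Filters": [{"Key": "PingStatus", "Values": ["Online"]}]}
    while True:
        page = ssm.describe_instance_information(**kwargs)
        ids += [info["InstanceId"] for info in page["InstanceInformationList"]]
        if "NextToken" not in page:
            return ids
        kwargs["NextToken"] = page["NextToken"]


def never_reported(ssm, instance_ids):
    """Online instances with no patch state. A state only exists once AWS-RunPatchBaseline
    has run (Scan or Install); without one the agent has had nothing to PutInventory."""
    reported = set()
    for start in range(0, len(instance_ids), API_BATCH):
        page = ssm.describe_instance_patch_states(
            InstanceIds=instance_ids[start:start + API_BATCH])
        reported.update(state["InstanceId"] for state in page["InstancePatchStates"])
    return [iid for iid in instance_ids if iid not in reported]


def start_scan(ssm, instance_ids):
    """Run AWS-RunPatchBaseline in Scan mode (reports compliance, installs nothing)."""
    command_ids = []
    for start in range(0, len(instance_ids), API_BATCH):
        resp = ssm.send_command(
            InstanceIds=instance_ids[start:start + API_BATCH],
            DocumentName=PATCH_DOC,
            Parameters={"Operation": ["Scan"]},
            Comment="initial compliance scan for instances that never reported")
        command_ids.append(resp["Command"]["CommandId"])
    return command_ids  # one command ID per batch of up to 50 instances


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay usable without AWS access

    ssm = boto3.client("ssm")  # default credential chain and region
    online = online_instance_ids(ssm)
    missing = never_reported(ssm, online)
    print(f"{len(online)} online, {len(missing)} never reported: {missing}")
    print("scan command IDs:", start_scan(ssm, missing))
```

Once the Scan command finishes, the affected instances should move from 'Never reported' to a real compliance status in the dashboard.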
0

You need to add the SSM IAM role to the EC2 instance, and then you need to create a stack in CFN for the reporting resources.

AWS
Sibgat
answered 4 days ago
