Why does Inspector not scan my instances?
I have some EC2 Linux instances with Amazon Linux 2 and the SSM agent (i.e. amazon-ssm-agent-3.1.1575.0-1) running on them. I've modified the roles for the instances and added the AmazonSSMManagedInstanceCore policy. In the past Inspector has worked and I have some scan data, but now the instances are showing up as "Unmanaged EC2 instance". So per the suggestion I ran AWSSupport-TroubleshootManagedInstance, and everything passes with flying colors if I leave out the role to assume. If I try to set the role to be the same as the role used by the instance, then things fail. However, it's unclear what the role should be, as most of the permissions it's failing on seem to be ones the caller of the SSM agent would need and not the agent itself. I'm stuck as to why this is suddenly not working. So why's it not working?

SSM logs:

```
2022-09-11 03:23:14 ERROR [UpdateAssociationStatus @ service.go.367] [ssm-agent-worker] [MessageService] [Association] unable to update association status, RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout
2022-09-11 03:23:14 ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessageService] [Association] error when calling AWS APIs. error details - RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout
2022-09-11 03:23:41 ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessageService] [Association] error when calling AWS APIs. error details - RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout
2022-09-11 03:24:30 ERROR [replaceLogger @ ssmlog.go.153] New logger creation failed
2022-09-11 03:24:30 ERROR [replaceLogger @ ssmlog.go.154] xml has no content
```
Amazon Linux 2022 ECR Basic Scan
From another post regarding an updated [GLIBC of 2.27+](https://repost.aws/questions/QUrXOioL46RcCnFGyELJWKLw/glibc-2-27-on-amazon-linux-2), it was suggested to use the preview of Amazon Linux 2022. This does in fact solve the request to update GLIBC; however, it also introduces a new issue where images built from AL2022 fail the Basic Scan in ECR with `UnsupportedImageError: The operating system 'amzn' version '2022' is not supported.` Is there a recommended way to push/scan new images from AL2022, since the AL2 images were supported for basic scans?
Solution to delete new ECR images, from PutImage actions, that contain CRITICAL vulnerabilities
I'm trying to create a solution to capture new ECR image pushes, check the ECR scan result to see if there is any CRITICAL finding, and if there is, delete the image (based on image tag). There are existing 'bad' images that we can't clean up yet; that's why I need this solution to only delete newly created images. The workflow will be like this: Docker push -> EventBridge captures the PutImage API call and triggers Lambda -> the Lambda function parses the input data, gets the image ID, calls the DescribeImageScanFindings API to get the CRITICAL finding count, and if > 1 proceeds to delete that image. Now here's the problem: when a new image gets pushed and Lambda checks for the scan result, it is either not available yet or still in progress (CRITICAL findings not yet found), and there is no way to tell if the scan is still running. In the response from the DescribeImageScanFindings API there is a property called `imageScanStatus`, but it's the status of the scan configuration. The value is always 'ACTIVE' for me. If I keep calling the DescribeImageScanFindings API, the results change each time and imageScanStatus is still ACTIVE. We're using continuous scanning and the StartImageScan API is disabled, so there is no way to scan on demand and check the status. Is there a way to get the scan status after a new image gets pushed?
Need help with an AWS CLI command for an Inspector2 report
Hi, I am trying to get a report of Inspector2 in CSV format with only ACTIVE findings. Somehow I am not able to; I am getting the report with all findings, which is a huge file. The command I am using: `aws inspector2 create-findings-report --report-format CSV --s3-destination bucketName=inspector-scan-report-$env,keyPrefix=$today_date,kmsKeyArn=arn:aws:kms:us-east-1:.....` But I need this command to get only ACTIVE findings. Can someone please help me with this? Thank you.
AWS Inspector - Scan on-premise VMs - CIS Benchmarks
Hello, I would like to ask about the possibility of running an Inspector scan from an AWS account to scan VMs which exist in an on-premise network. If that is not doable at this time, could you please advise on any alternative tool to scan the same rules package that Inspector does: **CIS Operating System Security Configuration Benchmarks-1.0**. Many thanks, Maan
Linux Workspaces with AWS Inspector
Is there compatibility between Linux WorkSpaces and AWS Inspector for vulnerability management? I'm looking into deploying Linux v2 WorkSpaces but have some compliance requirements. Can Inspector scan the WorkSpaces hosts or images and provide a list of the vulnerabilities? If not, what approach would you recommend for vulnerability scanning with WorkSpaces?
Better filters for AWS Inspector
We recently installed AWS Inspector and it found quite a lot of CVEs in our ECR repo. We run patching regularly and I thought a tool like Inspector would be useful in finding things to patch. Unfortunately most of the images in the repo are old images that are only there for archive purposes and aren't deployed anywhere. I think in this case the only thing that can be done to shorten the list of vulnerabilities is to remove the old images and so also lose the history. Also, most of the vulnerabilities appear to have no available patches as of yet. Is there a way to find only CVEs that really are an issue (images actually deployed to an EKS cluster somewhere) and have available patches? This would allow us to find only vulnerabilities that are both real and actionable. As it is, it's really time-consuming sifting through a big list of vulnerabilities where 95% either aren't really a problem and/or there is nothing that can currently be done about them. Other security tools I've used in the past do this out of the box, but I can't seem to find a way in Inspector.
Amazon Inspector v2 Supporting Windows Targets
We are assessing Inspector as a replacement for our current vulnerability scanning solution, and would like to know if there is a timeline for Inspector v2 to support scanning Windows-based hosts. Based on [comments from a similar question](https://repost.aws/questions/QU1oN9RzzhR-WqEdubLdMU3w/inspector-vuln-scan-doesnt-work-with-windows) from 5 or 6 months ago, it is on the roadmap, but is there a potential timeline for availability? Thanks in advance for your time and helpful input.
How to scan the server files
Hi, we have the following queries. Can you please advise on these as well?

1. Can we use AWS Marketplace: Antivirus for Amazon S3 - PAYG with 30 DAY FREE TRIAL for ours?
2. Do we have the provision to do a real-time antivirus scan using this?
3. Can we run this on our own and do the scan?
4. Do we have the possibility to schedule this to do periodical scans and get the results?
5. Can this installation be done free of cost?
6. Apart from this, do we have any alternate scanning tool?

Thanks
Amazon Inspector doesn't show ECR container critical package issues under "Critical findings"
Hi, we have an odd issue with Amazon Inspector. Recently we've pushed multiple Docker images into private ECR repositories, and we're scanning them with "Enhanced scanning" and "Continuously scan all repositories". We have no scanning overrides on individual repositories and no suppression rules; our "*" filter is actively scanning all images. The scan results appear fine in ECR if you select a repository and then click the "See findings" link under "Vulnerabilities": we see critical package vulnerabilities. However, in Inspector, the "Critical findings" panel of the dashboard always displays "0 Critical" under "ECR Container". It also doesn't show the critical findings if you filter "By container image" or "By repository": nothing. But if you select "All findings", the critical ECR package issues are visible... We had thought this might be some sort of dashboard update issue, but it's been like that for over 12 hours now. What do we need to do to get our scanned critical ECR image vulnerabilities reported in the main Inspector dashboard stats? Thanks.

[Dashboard Findings: Criticals 0](https://ibb.co/ZcNBFm3)
[Container Image Findings: Empty](https://ibb.co/Zgtg5NZ)
[All Findings - Criticals present and correct](https://ibb.co/NTw8vpX)