Why are my EC2 instances not reporting their compliance status to SSM Patch Manager?

0

In SSM Patch Manager, under Compliance Reporting, our Amazon Linux 2 EC2 instances appear but in the 'Compliance status' column say 'Never reported'. The instances appear in Fleet Manager with 'SSM Agent ping status' of 'Online', and I can connect to the instances remotely using SSM start-session.

I've checked all the troubleshooting steps in the docs at Troubleshooting SSM Agent, this article about SSM logs, and Troubleshooting Patch Manager, and everything appears to be set up properly (the instance role has the right permissions, the named servers are reachable, and the instances can reach public S3 buckets via the internet; we're not using a VPC endpoint).

I've also tried restarting the SSM Agent.

In the SSM Agent logs on the instance, I'm seeing:

2022-10-25 00:36:48 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: Amazon SSM Agent v3.1.1732.0 is running
...
2022-10-25 01:15:00 INFO [ssm-agent-worker] [HealthCheck] HealthCheck reporting agent health.
2022-10-25 01:16:48 INFO [ssm-agent-worker] [MessageService] [MessageHandler] started idempotency deletion thread
2022-10-25 01:16:48 WARN [ssm-agent-worker] [MessageService] [MessageHandler] [Idempotency] encountered error open /var/lib/amazon/ssm/i-XXXXXXXXXXXXXXXXX/idempotency: no such file or directory while listing directories in /var/lib/amazon/ssm/i-XXXXXXXXXXXXXXXXX/idempotency
2022-10-25 01:16:48 INFO [ssm-agent-worker] [MessageService] [MessageHandler] ended idempotency deletion thread
2022-10-25 01:16:50 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread started
2022-10-25 01:16:50 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread done
2022-10-25 01:17:05 INFO [ssm-agent-worker] [MessageService] [Association] Schedule manager refreshed with 0 associations, 0 new associations associated
2022-10-25 01:20:00 INFO [ssm-agent-worker] [HealthCheck] HealthCheck reporting agent health.

Any clues why the instances aren't reporting their compliance status to Patch Manager?

What additional steps can I use to troubleshoot this?

Asked 2 years ago, 1955 views
2 answers
0

Hello,

Patch compliance is reported for an instance after AWS-RunPatchBaseline is executed on it, either in Scan mode or Install mode. Once the patching task is done, the SSM Agent uploads the compliance information via the PutInventory API.

Please execute Patch Manager on your instance and then verify the details in the compliance dashboard.

In case of any error during patching, please refer to this link.

Hope this helps.

AWS
Support Engineer
Vinay_S
Answered 1 year ago
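The sequence described in this answer (run AWS-RunPatchBaseline in Scan mode, wait for the command to finish, then read the instance's patch state) as a runnable script. This is an added example, not code from the re:Post thread or from AWS. It assumes boto3 is installed and credentials plus a region are configured when run for real; the SSM client is injected so the flow can also be exercised offline against the constructed stub at the bottom, whose responses are made up.

```python
"""Trigger a Patch Manager scan and read back the resulting compliance state.

Added example (not from the re:Post thread or AWS). The boto3 client is
passed in, so the same functions run against a constructed stub offline.
"""
import sys
import time

PATCH_DOCUMENT = "AWS-RunPatchBaseline"
# Statuses after which get_command_invocation will not change any more.
TERMINAL = {"Success", "Failed", "Cancelled", "TimedOut", "Undeliverable", "Terminated"}


def start_patch_scan(ssm, instance_id):
    """Run AWS-RunPatchBaseline in Scan mode on one instance; return the CommandId."""
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName=PATCH_DOCUMENT,
        Parameters={"Operation": ["Scan"]},
        TimeoutSeconds=600,
    )
    return resp["Command"]["CommandId"]


def wait_for_command(ssm, command_id, instance_id, poll=5, sleep=time.sleep):
    """Poll until the invocation reaches a terminal status; return (status, stderr)."""
    while True:
        # Sleep first: the invocation record is not always visible right after send_command.
        sleep(poll)
        inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        if inv["Status"] in TERMINAL:
            return inv["Status"], inv.get("StandardErrorContent", "")


def patch_state(ssm, instance_id):
    """Return the instance's patch state record, or None if it has never reported."""
    resp = ssm.describe_instance_patch_states(InstanceIds=[instance_id])
    states = resp.get("InstancePatchStates", [])
    return states[0] if states else None


def summarize(state):
    """Reduce a patch state record to the fields needed for compliance triage."""
    if state is None:
        return {"reported": False}
    return {
        "reported": True,
        "operation": state["Operation"],
        "baseline": state["BaselineId"],
        "missing": state.get("MissingCount", 0),
        "failed": state.get("FailedCount", 0),
        "ended": state["OperationEndTime"],
    }


def scan_and_report(ssm, instance_id, sleep=time.sleep):
    """Scan, wait, then summarize; a non-Success command explains a missing report."""
    cmd = start_patch_scan(ssm, instance_id)
    status, stderr = wait_for_command(ssm, cmd, instance_id, sleep=sleep)
    if status != "Success":
        return {"reported": False, "command_status": status, "stderr": stderr}
    result = summarize(patch_state(ssm, instance_id))
    result["command_status"] = status
    return result


class StubSSM:
    """Constructed stand-in for a boto3 SSM client; every reply here is made up."""

    def __init__(self, final="Success", reported=True):
        self._final, self._reported, self._polls = final, reported, 0

    def send_command(self, **kw):
        if kw["DocumentName"] != PATCH_DOCUMENT:
            raise ValueError("unexpected document")
        return {"Command": {"CommandId": "cmd-constructed-0001"}}

    def get_command_invocation(self, **kw):
        self._polls += 1  # first poll is still running, second is terminal
        status = "InProgress" if self._polls < 2 else self._final
        err = "" if status == "Success" else "constructed error text"
        return {"Status": status, "StandardErrorContent": err}

    def describe_instance_patch_states(self, **kw):
        if not self._reported:
            return {"InstancePatchStates": []}
        return {"InstancePatchStates": [{
            "InstanceId": kw["InstanceIds"][0], "Operation": "Scan",
            "BaselineId": "pb-constructed", "MissingCount": 3, "FailedCount": 0,
            "OperationEndTime": "2022-10-25T01:30:00Z"}]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import boto3  # real run: python this.py i-0123456789abcdef0
        print(scan_and_report(boto3.client("ssm"), sys.argv[1]))
    else:
        print(scan_and_report(StubSSM(), "i-constructed", sleep=lambda _: None))
```

Run it with an instance ID to scan a real instance; with no arguments it exercises the stub. A `reported: False` together with `command_status: Success` means the scan ran but no patch state came back, which is worth checking against the agent's ability to call PutInventory; any other status points at the command itself, and the captured stderr usually names the cause.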
0

You need to add the SSM IAM role to the EC2 instance, and then you need to create a stack in CFN for the reporting resources.

AWS
Sibgat
Answered 14 days ago
