Inspector2 CIS scans are failing (timing out)

0

I followed the documentation in this page https://docs.aws.amazon.com/inspector/latest/user/scanning-cis.html

  • My EC2 instances are running on AL2023
  • SSM is enabled and I can access all instances via SSM sessions
  • I added AmazonSSMManagedInstanceCore and AmazonInspector2ManagedCisPolicy to the IAM roles associated with all instances
  • All VPC endpoints required have been created in my VPC (I can ping them from EC2 instances)
  • S3 buckets used for CIS scans have been allowlisted

Still, CIS scans fail saying "TIMED_OUT" and I can't get any more information on the issue. Any ideas where to look?

asked 2 months ago, 254 views
2 Answers
0
Accepted Answer

I managed to sort the issue:

Checking /var/log/amazon/ssm/errors.log, I found an error message saying that the EC2 instance couldn't download a package from S3:

- error: failed to download installation package reliably, https://aws-ssm-document-attachments-eu-west-1.s3.eu-west-1.amazonaws.com/362/9999999999/AmazonInspector2-InspectorSsmPluginLinux%21f55555555...

The EC2 instance didn't have access to the buckets required by SSM, specified here: https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-custom-s3-policy

These buckets need to be allowlisted in the VPC endpoint reaching S3. This is not written in the official documentation for Inspector2 because, I guess, they assume SSM is already fully set up; in my case SSM was only used for "session" to connect to remote instances, and those S3 buckets weren't allowlisted. I hope this can help other people in the future.

answered 2 months ago
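The check the accepted answer describes by hand, as an added example that is not part of the original thread: pull the bucket names out of the "failed to download" lines in the SSM agent's errors.log, then evaluate them against the S3 gateway endpoint policy to see which ones the policy does not allow. The log line and the endpoint policy are constructed samples (the URL is modelled on the one quoted above, with a placeholder account id and object hash; the Inspector CIS bucket name is a placeholder), and the policy evaluator is a deliberately simplified one that ignores Principal and Condition, which is adequate for the `Principal: "*"` policies normally attached to gateway endpoints.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample of /var/log/amazon/ssm/errors.log. The URL is modelled on the one
# quoted in the accepted answer; the timestamp layout, account id and object hash are
# placeholders, not values from a real instance.
SAMPLE_ERRORS_LOG = """\
2024-01-01 10:00:00 ERROR [ssm-agent-worker] error: failed to download installation package reliably, https://aws-ssm-document-attachments-eu-west-1.s3.eu-west-1.amazonaws.com/362/111111111111/AmazonInspector2-InspectorSsmPluginLinux%21PLACEHOLDER
2024-01-01 10:00:05 INFO [ssm-agent-worker] session started
"""

# Constructed S3 gateway endpoint policy in the state the question describes: the
# Inspector CIS bucket (placeholder name) is allowlisted, the SSM buckets are not.
ENDPOINT_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInspectorCisBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-inspector-cis-bucket/*"],
        }
    ],
}

# Bucket name from a virtual-hosted URL: <bucket>.s3.<region>.amazonaws.com or <bucket>.s3.amazonaws.com
S3_VIRTUAL_HOST_RE = re.compile(
    r"https://(?P<bucket>[a-z0-9][a-z0-9.-]*?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/"
)


def failed_download_buckets(log_text: str) -> list[str]:
    """Buckets named in 'failed to download' errors, i.e. downloads the agent could not complete."""
    buckets = set()
    for line in log_text.splitlines():
        if "failed to download" not in line:
            continue
        match = S3_VIRTUAL_HOST_RE.search(line)
        if match:
            buckets.add(match.group("bucket"))
    return sorted(buckets)


def _as_list(value) -> list[str]:
    # IAM policy fields may be a single string or a list of strings.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def bucket_allowed(policy: dict, bucket: str, action: str = "s3:GetObject") -> bool:
    """Simplified evaluation of an endpoint policy for one object read on `bucket`:
    an explicit Deny wins, otherwise some Allow must match both the action and the
    object ARN. Principal and Condition are ignored (assumption: Principal is "*")."""
    target = f"arn:aws:s3:::{bucket}/any-object"
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatchcase(target, r) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_allowlist_entries(log_text: str, policy: dict) -> list[str]:
    """Buckets the agent failed to fetch from that the endpoint policy does not allow."""
    return [b for b in failed_download_buckets(log_text) if not bucket_allowed(policy, b)]


def with_ssm_buckets_allowed(policy: dict, buckets: list[str]) -> dict:
    """Copy of `policy` with an added read-only statement for the given SSM buckets."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the input policy is left untouched
    fixed["Statement"].append(
        {
            "Sid": "AllowSsmAgentDownloads",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
        }
    )
    return fixed


if __name__ == "__main__":
    missing = missing_allowlist_entries(SAMPLE_ERRORS_LOG, ENDPOINT_POLICY_BEFORE)
    print("blocked by endpoint policy:", missing)
    fixed = with_ssm_buckets_allowed(ENDPOINT_POLICY_BEFORE, missing)
    print("still blocked after fix:", missing_allowlist_entries(SAMPLE_ERRORS_LOG, fixed))
    print(json.dumps(fixed, indent=2))
```

In a real environment the policy document would come from the endpoint itself rather than a constant, and the list of buckets to allowlist should be taken from the SSM documentation page linked in the answer rather than only from the buckets that happened to show up in the log, since the agent stops at the first download it cannot complete.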
0

You've followed the documentation and set up Amazon Inspector to scan your EC2 instances for CIS compliance, but the scans are failing with a "TIMED_OUT" error. Let's troubleshoot the issue:

  1. Check Inspector logs: Go to the Amazon Inspector console, select the assessment run that failed, and click on "Logs" at the bottom of the page. Look for error messages or clues indicating what caused the timeout.

  2. SSM Agent logs: Check the SSM Agent logs on your EC2 instances for any errors or issues related to Inspector. You can find these logs in /var/log/amazon/ssm/ (Linux) or C:\ProgramData\Amazon\SSM\Logs (Windows).

  3. Instance resource utilization: Verify that your EC2 instances have sufficient resources (CPU, memory, disk space) to complete the scan within the allocated time.

  4. Network connectivity: Double-check that your instances can communicate with the required VPC endpoints and S3 buckets. You can test connectivity using tools like curl or telnet.

  5. IAM role permissions: Ensure the IAM roles associated with your instances have the necessary permissions for Inspector to access the instances and S3 buckets.

  6. Inspector assessment template: Review the CIS assessment template configuration to ensure it's not too resource-intensive or time-consuming for your instances.

  7. Timeout settings: Check the timeout settings for the Inspector assessment run. You can adjust the timeout value if needed.

  8. Instance reboot or SSM restart: Try rebooting the instance or restarting the SSM agent to see if that resolves the issue.

  9. AWS Support: If none of the above steps help, reach out to AWS Support for further assistance.

Sandeep (EXPERT)
answered 2 months ago
reviewed 2 months ago
  • Thank you for taking the time to answer.

    1. I went to the Inspector console but there are no assessments to check; maybe your suggestion refers to Inspector Classic, not the new Inspector.
    2. I checked /var/log/amazon/ssm and I found a useful error message to sort my issue; full details are in my next comment.
