I managed to sort the issue:
Checking /var/log/amazon/ssm/errors.log I found an error message saying that the EC2 instance couldn't download a package from S3:
- error: failed to download installation package reliably, https://aws-ssm-document-attachments-eu-west-1.s3.eu-west-1.amazonaws.com/362/9999999999/AmazonInspector2-InspectorSsmPluginLinux%21f55555555...
The EC2 instance didn't have access to the buckets required by SSM, specified here: https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-custom-s3-policy
These buckets need to be allowlisted in the VPC endpoint reaching S3. This is not written in the official documentation for Inspector2 because, I guess, they assume SSM is already fully set up; in my case SSM was only used for "session" to connect to remote instances, and those S3 buckets weren't allowlisted. I hope this can help other people in the future.
You've followed the documentation and set up Amazon Inspector to scan your EC2 instances for CIS compliance, but the scans are failing with a "TIMED_OUT" error. Let's troubleshoot the issue:
- Check Inspector logs: Go to the Amazon Inspector console, select the assessment run that failed, and click on "Logs" at the bottom of the page. Look for error messages or clues indicating what caused the timeout.
- SSM Agent logs: Check the SSM Agent logs on your EC2 instances for any errors or issues related to Inspector. You can find these logs in /var/log/amazon/ssm/ (Linux) or C:\ProgramData\Amazon\SSM\Logs (Windows).
- Instance resource utilization: Verify that your EC2 instances have sufficient resources (CPU, memory, disk space) to complete the scan within the allocated time.
- Network connectivity: Double-check that your instances can communicate with the required VPC endpoints and S3 buckets. You can test connectivity using tools like curl or telnet.
- IAM role permissions: Ensure the IAM roles associated with your instances have the necessary permissions for Inspector to access the instances and S3 buckets.
- Inspector assessment template: Review the CIS assessment template configuration to ensure it's not too resource-intensive or time-consuming for your instances.
- Timeout settings: Check the timeout settings for the Inspector assessment run. You can adjust the timeout value if needed.
- Instance reboot or SSM restart: Try rebooting the instance or restarting the SSM agent to see if that resolves the issue.
- AWS Support: If none of the above steps help, reach out to AWS Support for further assistance.
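The root cause in the first answer (the S3 gateway endpoint policy not allowlisting the buckets the SSM Agent downloads from) and the "Network connectivity" / "IAM role permissions" items in the second answer both come down to the same check: does a given policy document grant `s3:GetObject` on every SSM bucket for the region? The script below is an added example, not code from either poster or from AWS. It evaluates an IAM-style policy (a VPC endpoint policy or an instance-profile policy) against the bucket patterns from the linked SSM documentation, with the region assumed to be `eu-west-1` as in the error message above; the two policy documents are constructed here, and the `example-session-logs-bucket` name is a placeholder. Verify the bucket list against the current documentation page before relying on it.

```python
"""Check whether an IAM-style policy document grants s3:GetObject on the S3
buckets the SSM Agent needs (VPC endpoint policy or instance-profile policy).

Added example for the re:Post thread; not AWS code. Bucket patterns follow the
SSM "custom S3 policy" documentation; verify against the current docs page.
"""
import json
from fnmatch import fnmatchcase

# Assumption: eu-west-1, the region in the errors.log line quoted in the thread.
REGION = "eu-west-1"

# Bucket patterns from the linked SSM instance-profile S3 policy documentation.
REQUIRED_BUCKET_ARNS = [
    f"arn:aws:s3:::aws-ssm-{REGION}/*",
    f"arn:aws:s3:::aws-windows-downloads-{REGION}/*",
    f"arn:aws:s3:::amazon-ssm-{REGION}/*",
    f"arn:aws:s3:::amazon-ssm-packages-{REGION}/*",
    f"arn:aws:s3:::{REGION}-birdwatcher-prod/*",
    f"arn:aws:s3:::aws-ssm-distributor-file-{REGION}/*",
    f"arn:aws:s3:::aws-ssm-document-attachments-{REGION}/*",
    f"arn:aws:s3:::patch-baseline-snapshot-{REGION}/*",
]


def _as_list(value):
    """Policy fields such as Statement, Action and Resource may be a string,
    a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the given
    action and resource ARN. IAM action names are case-insensitive and the
    '*' wildcard in Resource also spans '/' (fnmatch behaves the same way)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not any(fnmatchcase(action.lower(), a) for a in actions):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))


def missing_ssm_buckets(policy, required=REQUIRED_BUCKET_ARNS):
    """Return the required bucket patterns on which `policy` does not allow
    s3:GetObject (no matching Allow, or an explicit Deny). `policy` is a dict
    or a JSON string such as the PolicyDocument shown by
    `aws ec2 describe-vpc-endpoints`."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement"))
    missing = []
    for pattern in required:
        # Probe with a representative object key under the bucket: a Resource
        # of "arn:aws:s3:::bucket" alone (no "/*") does not cover GetObject.
        probe = pattern.rstrip("*") + "probe/object"
        allowed = any(s.get("Effect") == "Allow" and
                      _statement_matches(s, "s3:GetObject", probe) for s in statements)
        denied = any(s.get("Effect") == "Deny" and
                     _statement_matches(s, "s3:GetObject", probe) for s in statements)
        if denied or not allowed:
            missing.append(pattern)
    return missing


# Constructed: an endpoint policy scoped to a Session Manager log bucket only,
# the situation described in the thread. Bucket name is a placeholder.
SESSION_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-session-logs-bucket/*",
    }],
}

# Constructed: the same policy with the SSM buckets allowlisted.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": SESSION_ONLY_POLICY["Statement"] + [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": REQUIRED_BUCKET_ARNS,
    }],
}

if __name__ == "__main__":
    for name, pol in (("session-only", SESSION_ONLY_POLICY), ("fixed", FIXED_POLICY)):
        gaps = missing_ssm_buckets(pol)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against the real endpoint policy by passing the `PolicyDocument` string from `aws ec2 describe-vpc-endpoints` to `missing_ssm_buckets`; the same call works for the instance profile's inline or managed policy document. Note that this only checks the policy text: bucket policies, SCPs and the route to the gateway endpoint are separate conditions that the "Network connectivity" step above still has to cover.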
Thank you for taking the time to answer,