
I enabled AWS Amazon Inspector (2) for a single EC2 instance that I have. It's an Ubuntu with PHP and Apache, nothing special, and the status has shown Scanning for the last 3 hours.

I look at the htop of this machine, and I see that the /snap/amazon-ssm-agent/####/amazon-ssm-agent is running and that several /snap/amazon-ssm-agent/####/ssm-agent-worker are running. Still.... 3 hours passed, and I have no results.

Is it working? Isn't it working? Is there a more verbose status? Also, if someone has experience with this, can you share the average time you waited for results?

aws-inspector

Joe

2 Answers

0

I've been in a similar situation - I do Inspector scans on EC2 as well as ECR. ECR was pretty quick for scans, but for EC2 it took about 4.5 hrs to get to the INITIAL_SCAN_COMPLETE state. Very concerning that it takes this amount of time, but I noticed it was doing about 470 vulnerability checks.

apaterson
  • This is very frustrating; it seems like a half-baked feature by Amazon. A month passes, and no data about any security vulnerability from the server (EC2) manifests. I used other tools to get the data about modules, running applications, dependencies, etc. – Joe Jun 24 '22 at 13:24
  • Yeah, I find it very frustrating as well. We use Inspector for container image scanning and it works perfectly. Not sure why EC2 is not the same. Also, from looking at the Inspector docs, it says API calls should be logged in CloudTrail, but I don't see it. I only see references to SSM API actions. We've logged a support case with AWS. – apaterson Jun 25 '22 at 19:21
  • If you have any insights after that support session, I'd really be interested in hearing them. – Joe Jun 26 '22 at 20:17
  • Yeah sure, will keep you updated. – apaterson Jun 27 '22 at 13:24
0

Here is the document that contains the status information: https://docs.aws.amazon.com/inspector/latest/user/assessing-coverage.html

Scanning – Amazon Inspector is continuously monitoring and scanning the instance.

It won't just scan and leave it but instead continuously monitor the instance for future vulnerabilities too. Hence the status shows Scanning.

You need to get into findings tab to look into what's going on with the vulnerabilities. Findings -> By instance -> Select your instance to see findings related to your instance. Hope that helps.
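A way to pull the same coverage status and per-instance findings from the API instead of the console, as an added example that is not part of either answer. It assumes boto3 and the Inspector2 ListCoverage / ListFindings response shapes (scanStatus.statusCode and scanStatus.reason are the more verbose status the console collapses into "Scanning"); the sample responses embedded below are constructed for offline use.

```python
"""Check Amazon Inspector (inspector2) coverage status and findings for one EC2 instance."""
from collections import Counter
from typing import Optional

# Constructed sample responses (not real API output), shaped like ListCoverage / ListFindings.
SAMPLE_COVERAGE = {"coveredResources": [{
    "resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0123456789abcdef0",
    "scanType": "PACKAGE", "scanStatus": {"statusCode": "ACTIVE", "reason": "PENDING_INITIAL_SCAN"}}]}
SAMPLE_FINDINGS = {"findings": [{"severity": "HIGH", "title": "CVE-PLACEHOLDER - openssl"},
                                {"severity": "MEDIUM", "title": "CVE-PLACEHOLDER - apache2"}]}


def instance_filter(instance_id: str) -> dict:
    """filterCriteria accepted by both list_coverage and list_findings."""
    return {"resourceId": [{"comparison": "EQUALS", "value": instance_id}]}


def coverage_status(resp: dict, instance_id: str) -> Optional[dict]:
    """Return {'statusCode', 'reason'} for the instance, or None if Inspector does not cover it.

    A reason such as PENDING_INITIAL_SCAN means the agent is managed and the first scan is
    still queued; SUCCESSFUL means findings (if any) should already be listed.
    """
    for res in resp.get("coveredResources", []):
        if res.get("resourceType") == "AWS_EC2_INSTANCE" and res.get("resourceId") == instance_id:
            status = res.get("scanStatus", {})
            return {"statusCode": status.get("statusCode"), "reason": status.get("reason")}
    return None


def findings_by_severity(resp: dict) -> dict:
    """Count findings per severity in a ListFindings response."""
    return dict(Counter(f.get("severity", "UNKNOWN") for f in resp.get("findings", [])))


def check_instance(instance_id: str, region: str) -> tuple:
    """Live query (needs AWS credentials): coverage status plus severity counts."""
    import boto3  # imported here so the helpers above run without boto3 installed

    client = boto3.client("inspector2", region_name=region)
    cov = client.list_coverage(filterCriteria=instance_filter(instance_id))
    findings, token = {"findings": []}, None
    while True:  # follow nextToken by hand; findings lists can span several pages
        kwargs = {"filterCriteria": instance_filter(instance_id)}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        findings["findings"].extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return coverage_status(cov, instance_id), findings_by_severity(findings)
```

Run against the constructed samples, `coverage_status(SAMPLE_COVERAGE, "i-0123456789abcdef0")` reports the instance as ACTIVE with reason PENDING_INITIAL_SCAN, which is exactly the state the question describes: covered, agent managed, first scan not yet finished.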