Troubleshooting Missing EC2 Instance Inspector Scans

Chris B.



Administrators may notice that the Inspector servers section of the Vulnerabilities page says "Start setup":



Or, if the section does populate, some of their servers show a "No scan found" vulnerability status:



This is often caused by the servers not having any vulnerabilities with fixes available, or by the EC2 instance not having an "Actively monitoring" status in AWS Inspector. Other potential causes include the region being scoped out of Vanta, or the instances themselves being scoped out.

This article walks through troubleshooting steps for each of these causes.

Prerequisites

  • Administrator access on Vanta
  • Access to Inspector in AWS

Verify Vanta Settings

The first thing an administrator should do is verify their Vanta settings for AWS.

1. Head to the Integrations page and make sure there is no banner at the top of the page saying "Reconnect AWS".

2. Also check that the status is green and not a loading circle. It should say "Connected".

If there are any connection issues, please resolve them first, as they may be why your scans are not coming through from Inspector. If your connection is fine, move on to step three.

3. Next, click Configure scope for AWS. The goal here is to confirm that all resources have fully loaded: there should be no spinning circles or messages about loading resources.

If you see any issues with loading resources, please wait for them to finish, and write in for assistance if they do not resolve. If you see no issues, move on to step four.

4. Filter your resources by EC2.

5. Confirm that the EC2 instance(s) are marked in scope, and in particular that the specific EC2 instance you are not seeing vulnerabilities for is marked in scope and has not been toggled out of scope.

If the instance that is not showing scans is marked out of scope, it needs to be moved back in scope. See this article for more information. If the instance is in scope, please move on to the next step below.

6. The last thing to check on the Vanta side is the integrations page: select Manage > Edit:


When taken to this page, click the pencil icon for the account the EC2 instances exist in:

Then confirm that the AWS Inspector feature is enabled:

If it is not enabled, please toggle it on.


If the AWS Inspector/Basic scanning feature is enabled, the AWS connection is up and running, and the EC2 instance with the missing scan is in scope, things are set up correctly on the Vanta side; please move on to the next section.

Verify Instance Status 

Vanta relies on the findings from Inspector to populate the Vulnerabilities page. If Inspector has no findings because no scans have been performed, the page will be blank. A common reason for an instance having no scans is that the SSM agent is not installed, or not installed correctly. Instances in this state are unmanaged, meaning Inspector cannot scan them. To verify this, the administrator must:

1. Go to the Inspector dashboard inside AWS, select Account Management from the left-hand menu, and then the Instances tab.

2. On this page, all of the EC2 instances covered by Inspector are listed along with their status (the last column). Search for your EC2 instance and confirm its status. If you are not sure how to do this, one easy method is to click the search bar, select Resource ID from the drop-down, and then enter the ID of the EC2 instance in question.

3. If the instance's status is "Actively monitoring" (highlighted in green), please proceed to the next section.

If the status is "EC2 instance stopped", then the administrator must turn the instance back on for scans to populate.

If the status is not "Actively monitoring" but instead "Unmanaged EC2 instance" or "Actively monitoring with partial errors", the SSM agent has not been installed correctly on the EC2 instance. Another telltale sign of this is that the Operating System column shows "UNKNOWN". A working SSM agent is required for Inspector to scan the instance. Administrators can try the steps from AWS here, which detail how to install the agent and may resolve the problem. Administrators can also click the status directly to be linked to instructions on resolving the issue.

Administrators can also reach out to AWS Support if they continue to face issues. 
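The console check above can be repeated from the command line for many instances at once. The following script is an added example, not part of this article or of Vanta's tooling: it takes the JSON that `aws inspector2 list-coverage` prints (the field names used here, such as `scanStatus.reason` and `resourceMetadata.ec2.platform`, are assumed from the AWS CLI output format, and the sample document and instance IDs are constructed) and maps each instance's coverage status to the troubleshooting step this article recommends. It also reports instances that Inspector does not list at all, which happens when an instance sits in a region or account that Inspector is not enabled for.

```python
import json

# Constructed sample in the shape of `aws inspector2 list-coverage` output.
# Assumption: field names follow the AWS CLI JSON; instance IDs are made up.
SAMPLE_COVERAGE_JSON = """
{
  "coveredResources": [
    {"resourceId": "i-0aaa111111111111a", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "resourceMetadata": {"ec2": {"platform": "LINUX"}}},
    {"resourceId": "i-0bbb222222222222b", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "EC2_INSTANCE_STOPPED"},
     "resourceMetadata": {"ec2": {"platform": "LINUX"}}},
    {"resourceId": "i-0ccc333333333333c", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"},
     "resourceMetadata": {"ec2": {"platform": "UNKNOWN"}}}
  ]
}
"""

# Coverage reason -> the action this article recommends for that state.
NEXT_STEP = {
    "SUCCESSFUL": ("actively monitored: check the Vanta scope and the Inspector "
                   "feature toggle, and whether any findings have fixes available"),
    "EC2_INSTANCE_STOPPED": "start the instance; Inspector only scans running instances",
    "UNMANAGED_EC2_INSTANCE": "install or repair the SSM agent on the instance",
}
DEFAULT_STEP = "open the status in the Inspector console for the documented fix"


def triage_coverage(coverage_json, instance_ids=None):
    """Return {instance_id: triage dict} for the EC2 instances in a
    list-coverage document, optionally restricted to instance_ids."""
    data = json.loads(coverage_json)
    results = {}
    for res in data.get("coveredResources", []):
        if res.get("resourceType") != "AWS_EC2_INSTANCE":
            continue
        rid = res["resourceId"]
        if instance_ids is not None and rid not in instance_ids:
            continue
        status = res.get("scanStatus", {})
        reason = status.get("reason", "UNKNOWN")
        platform = (res.get("resourceMetadata", {})
                       .get("ec2", {})
                       .get("platform", "UNKNOWN"))
        results[rid] = {
            "status_code": status.get("statusCode"),
            "reason": reason,
            "platform": platform,
            "action": NEXT_STEP.get(reason, DEFAULT_STEP),
            # Either signal points at a missing or broken SSM agent: Inspector
            # reports the instance as unmanaged, or cannot identify its OS.
            "ssm_agent_suspect": (reason == "UNMANAGED_EC2_INSTANCE"
                                  or platform == "UNKNOWN"),
        }
    return results


def missing_instances(coverage_json, expected_ids):
    """Instance IDs you expect to see (e.g. everything in scope in Vanta)
    that Inspector does not list at all, sorted for stable output."""
    covered = triage_coverage(coverage_json)
    return sorted(set(expected_ids) - set(covered))


if __name__ == "__main__":
    # Real use: aws inspector2 list-coverage --output json > coverage.json
    expected = ["i-0aaa111111111111a", "i-0bbb222222222222b",
                "i-0ccc333333333333c", "i-0ddd444444444444d"]
    for rid, info in triage_coverage(SAMPLE_COVERAGE_JSON, expected).items():
        flag = " (SSM agent suspect)" if info["ssm_agent_suspect"] else ""
        print(f"{rid}: {info['status_code']}/{info['reason']} "
              f"os={info['platform']}{flag}\n    -> {info['action']}")
    for rid in missing_instances(SAMPLE_COVERAGE_JSON, expected):
        print(f"{rid}: not covered by Inspector at all "
              "(check the region/account is enabled in Inspector)")
```

Run it against the real CLI output by replacing `SAMPLE_COVERAGE_JSON` with the contents of `coverage.json`; the `expected` list would normally come from the instances Vanta shows as in scope, so that the "not covered at all" case surfaces instances that never reach Inspector rather than only those with a bad status.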

Additional Resources