This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/
Exclusions in Amazon Inspector Classic
Exclusions are an output of Amazon Inspector Classic assessment runs. Exclusions show which of your security checks can't be completed and how to resolve the issues. For example, issues can be caused by the absence of an agent on the specified target's EC2 instances, the use of an unsupported operating system, or unexpected errors.
You can view exclusions on the Assessment runs page on the console. For more information, see Viewing post-assessment exclusions.
To avoid incurring unnecessary AWS fees, Amazon Inspector Classic allows you to preview exclusions before running an assessment. You can find the previews on the Assessment templates page on the console. For more information, see Previewing exclusions.
Note
You can generate post-assessment exclusions only for runs that occur after June 25, 2018. That's when exclusions in Amazon Inspector Classic became available. However, exclusion previews are available for all assessment templates regardless of date.
Exclusion types
Amazon Inspector Classic can produce the following exclusion types.
| Exclusion Type | Description | Recommendation |
|---|---|---|
| No instances in target | There are no EC2 instances with the tags specified in the assessment target. | Check that the tags in your assessment target match the tags of your target EC2 instance. |
| Agent is already running | An assessment run is already in progress on the target EC2 instance. | Wait until the current assessment run on the target EC2 instance has completed. |
| Agent not found | An Amazon Inspector Classic agent was not found on the target EC2 instance. | Install or reinstall an Amazon Inspector Classic agent on the target EC2 instance. For more information, see Installing Amazon Inspector Classic agents. |
| Agent is unhealthy | The Amazon Inspector Classic agent on the target EC2 instance is in an unhealthy state. | Check the status of the Amazon Inspector Classic agent on this instance and take necessary action. For more information, see Inspector Agents. |
| Unsupported OS version | The operating system of the target EC2 instance is not supported for Amazon Inspector Classic assessments. | Remove the target EC2 instance from the assessment target, or create a target that doesn't include this instance. For a list of supported operating systems, see Amazon Inspector Classic Supported Operating Systems and Regions. |
| Deprecated rules package | The assessment template includes a deprecated rules package. | Create an assessment template without the deprecated rules package, and use it for future assessment runs. |
| Rules package not supported by OS | The operating system of the target EC2 instance is not supported by a rules package included in the assessment template. | Create an assessment template without the conflicting rules packages, or remove the target EC2 instance from the assessment template. For a list of rules package support by operating system, see Rules Package Availability Across Supported Operating Systems. |
| Rules evaluation error for single instance | An internal error has caused the rules evaluation to fail for this instance. | Attempt to run your assessment again. Contact support. |
| Rules evaluation error | An internal error has caused the rules evaluation to fail for your assessment. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – internet | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – internet through an Application Load Balancer | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet through an Application Load Balancer. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – internet through an Elastic Load Balancing load balancer | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet through an Elastic Load Balancing load balancer. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – VPN | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from VPN. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – AWS Direct Connect | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable through AWS Direct Connect. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
| Network Reachability error – VPC peering | An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from a peered VPC. You might get findings for other Network Reachability types. | Attempt to run the assessment again. Contact support. |
Previewing exclusions
Amazon Inspector Classic allows you to preview potential exclusions before running an assessment.
To preview assessment exclusions
1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.
2. In the navigation pane, choose Assessment templates.
3. Expand a template, and in the Assessment templates section, choose Preview exclusions.
4. Review the descriptions of all detected exclusions and the recommendations for addressing them.
You can also list and describe exclusions by using the ListExclusions and DescribeExclusions operations.
Viewing post-assessment exclusions
After an assessment run, you can view details about any exclusions.
To view details about exclusions
1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.
2. In the navigation pane, choose Assessment runs.
3. In the Exclusions column, choose the active link that is associated with an assessment run.
4. Review the descriptions of all detected exclusions and the recommendations for addressing them.
You can also list and describe exclusions by using the ListExclusions and DescribeExclusions operations.
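The following Python, added here as an example and not part of this guide, collects the exclusions of one assessment run through the ListExclusions and DescribeExclusions operations mentioned above (the boto3 inspector client method names list_exclusions and describe_exclusions), following pagination, keeping ARNs the service reports in failedItems instead of dropping them, and counting exclusions by the Exclusion Type titles from the table. The FakeInspector stand-in, its ARNs and records are constructed, and the batch size of 100 ARNs per DescribeExclusions call is an assumption.

```python
from collections import Counter

DESCRIBE_BATCH = 100  # assumption: ARNs sent per DescribeExclusions call
# Constructed placeholder ARN; 123456789012 is the AWS documentation example account.
EX_ARN = "arn:aws:inspector:us-east-1:123456789012:target/0-EX/template/0-EX/run/0-EX/exclusion/0-%s"

def list_exclusion_arns(client, assessment_run_arn):
    """Follow nextToken through every ListExclusions page and return all ARNs."""
    arns, kwargs = [], {"assessmentRunArn": assessment_run_arn}
    while True:
        page = client.list_exclusions(**kwargs)
        arns.extend(page.get("exclusionArns", []))
        if not page.get("nextToken"):
            return arns
        kwargs["nextToken"] = page["nextToken"]

def describe_all(client, arns):
    """DescribeExclusions in batches; undescribable ARNs (failedItems) are kept, not dropped."""
    found, failed = [], {}
    for i in range(0, len(arns), DESCRIBE_BATCH):
        resp = client.describe_exclusions(exclusionArns=arns[i:i + DESCRIBE_BATCH])
        found.extend(resp.get("exclusions", {}).values())
        failed.update(resp.get("failedItems", {}))
    return found, failed

def exclusion_report(client, assessment_run_arn):
    """Count exclusions per title (the Exclusion Type column above) with each type's recommendation."""
    found, failed = describe_all(client, list_exclusion_arns(client, assessment_run_arn))
    return {"counts": dict(Counter(e["title"] for e in found)),
            "recommendations": {e["title"]: e["recommendation"] for e in found},
            "failed": failed}

class FakeInspector:
    """Constructed stand-in for boto3.client('inspector'): two list pages, one undescribable ARN (0-c)."""
    RECORDS = {
        EX_ARN % "a": {"title": "Agent not found", "recommendation": "Install or reinstall the agent"},
        EX_ARN % "b": {"title": "Unsupported OS version", "recommendation": "Remove the instance from the target"},
        EX_ARN % "d": {"title": "Unsupported OS version", "recommendation": "Remove the instance from the target"},
    }

    def list_exclusions(self, assessmentRunArn, nextToken=None):
        if nextToken is None:
            return {"exclusionArns": [EX_ARN % "a", EX_ARN % "b"], "nextToken": "page2"}
        return {"exclusionArns": [EX_ARN % "c", EX_ARN % "d"]}

    def describe_exclusions(self, exclusionArns, locale="EN_US"):
        found = {a: dict(self.RECORDS[a], arn=a) for a in exclusionArns if a in self.RECORDS}
        failed = {a: {"failureCode": "ITEM_DOES_NOT_EXIST", "retryable": False} for a in exclusionArns if a not in found}
        return {"exclusions": found, "failedItems": failed}
```

Pass boto3.client("inspector") and a real assessment run ARN in place of FakeInspector() to run it against your account.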