Exclusion types Previewing exclusions Viewing post-assessment exclusions

Exclusions in Amazon Inspector Classic

Exclusions are an output of Amazon Inspector Classic assessment runs. Exclusions show which of your security checks can't be completed and how to resolve the issues. For example, issues can be caused by the absence of an agent on the specified target's EC2 instances, the use of an unsupported operating system, or unexpected errors.

You can view exclusions on the Assessment runs page on the console. For more information, see Viewing post-assessment exclusions.

To avoid incurring unnecessary AWS fees, Amazon Inspector Classic allows you to preview exclusions before running an assessment. You can find the previews on the Assessment templates page on the console. For more information, see Previewing exclusions.

Note

You can generate post-assessment exclusions only for runs that occur after June 25, 2018. That's when exclusions in Amazon Inspector Classic became available. However, exclusion previews are available for all assessment templates regardless of date.

Exclusion types

Amazon Inspector Classic can produce the following exclusion types.

Exclusion Type	Description	Recommendation
No instances in target	There are no EC2 instances with the tags specified in the assessment target.	Check that the tags in your assessment target match the tags of your target EC2 instance.
Agent is already running	An assessment run is already in progress on the target EC2 instance.	Wait until the current assessment run on the target EC2 instance has completed.
Agent not found	An Amazon Inspector Classic agent was not found on the target EC2 instance.	Install or reinstall an Amazon Inspector Classic agent on the target EC2 instance. For more information, see Installing Amazon Inspector Classic agents.
Agent is unhealthy	The Amazon Inspector Classic agent on the target EC2 instance is in an unhealthy state.	Check the status of the Amazon Inspector Classic agent on this instance and take necessary action. For more information, see Inspector Agents.
Unsupported OS version	The operating system of the target EC2 instance is not supported for Amazon Inspector Classic assessments.	Remove the target EC2 instance from the assessment target, or create a target that doesn't include this instance. For a list of supported operating systems, see Amazon Inspector Classic Supported Operating Systems and Regions.
Deprecated rules package	The assessment template includes a deprecated rules package.	Create an assessment template without the deprecated rules package, and use it for future assessment runs.
Rules package not supported by OS	The operating system of the target EC2 instance is not supported by a rules package included in the assessment template.	Create an assessment template without the conflicting rules packages or remove the target EC2 instance from the assessment template. For a list of rules package support by operating system, see Rules Package Availability Across Supported Operating Systems.
Rules evaluation error for single instance	An internal error has caused the rules evaluation to fail for this instance.	Attempt to run your assessment again. Contact support if the exclusion persists when you rerun the assessment.
Rules evaluation error	An internal error has caused the rules evaluation to fail for your assessment.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error –internet	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error – internet through an Application Load Balancer	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet through an Application Load Balancer. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error – internet through an Elastic Load Balancing load balancer	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from the internet though an Elastic Load Balancing load balancer. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error –VPN	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from VPN. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error – AWS Direct Connect	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable through AWS Direct Connect. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.
Network Reachability error – VPC peering	An internal error has caused a Network Reachability evaluation to fail on checks for ports reachable from a peered VPC. You might get findings for other Network Reachability types.	Attempt to run the assessment again. Contact support if the exclusion persists when you rerun the assessment.

Previewing exclusions

Amazon Inspector Classic allows you to preview potential exclusions before running an assessment.

To preview assessment exclusions

Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.
In the navigation pane, choose Assessment templates.
Expand a template, and in the Assessment templates section, choose Preview exclusions.
Review the descriptions of all detected exclusions and the recommendations for addressing them.

You can also list and describe exclusions by using the ListExclusions and DescribeExclusions operations.

Viewing post-assessment exclusions

After an assessment run, you can view details about any exclusions.

To view details about exclusions

Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.
In the navigation pane, choose Assessment runs.
In the Exclusions column, choose the active link that is associated with an assessment run.
Review the descriptions of all detected exclusions and the recommendations for addressing them.

You can also list and describe exclusions by using the ListExclusions and DescribeExclusions operations.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Assessment reports

Amazon Inspector Classic rules packages for supported operating systems