Why does my instance appear as non-compliant in the Systems Manager Compliance dashboard?

Last updated: 2021-06-08

My Amazon Elastic Compute Cloud (Amazon EC2) instance appears as non-compliant in the AWS Systems Manager Compliance dashboard. What is causing this issue?

Short description

The Systems Manager Compliance capability provides compliance data for your fleet of managed instances. A managed instance is reported as compliant or non-compliant based on the following factors:

  • The status of Patch Manager patching
  • The status of State Manager associations
  • If applicable, the status of custom compliance items

To determine the compliance status of an instance, you can view the configuration compliance report. When reviewing the compliance report, identify the Compliance Type for each non-compliant instance.

  • Compliance Type Patch indicates that the instance is non-compliant due to Patch Manager patching.
  • Compliance Type Association indicates that the instance is non-compliant due to State Manager associations.

Note: The prerequisites to get started with Compliance must be met before Systems Manager Compliance can begin reporting compliance data.

Resolution

Non-compliance based on the status of Patch Manager patching

An instance can appear as non-compliant based on Patch Manager patching for the following reasons:

AWS-RunPatchBaseline document didn't run on the instance

The AWS-RunPatchBaseline document using the Install operation didn't run on the instance after patches were approved according to the instance patch baseline document settings. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Choose the Patch tab, and then review the Patch Summary. If Updates Needed is anything other than 0, your instance is non-compliant because one or more approved patches must be installed.
  2. To determine the patches that must be installed, scroll down, select the search bar, and look for patches with the state set to Missing.
    Note: Each patch in your managed instance is assigned a compliance state value. The value determines the compliance status of that instance.
  3. Run the AWS-RunPatchBaseline document using the Install operation on the non-compliant instance. You can start the patching operation using the Patch now option in the Patch Manager console. Or, you can run the AWS-RunPatchBaseline document either using Run Command or as part of a maintenance window.

AWS-RunPatchBaseline document ran, but some approved patches failed to install

The AWS-RunPatchBaseline document using the Install operation ran on the instance. However, some of the approved patches failed to install on the instance for reasons specific to the instance. Follow these steps to identify the instance-specific issue:

  1. View the configuration compliance report. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to Failed.
  2. Note the failed patches, and then log in to your instance using SSH or Session Manager.
  3. Review the SSM Agent logs in the instance and the specific operation logs to identify any instance-specific issues.
    Linux-based instances:
    /var/log/amazon/ssm/amazon-ssm-agent.log
    /var/lib/amazon/ssm/InstanceID/document/orchestration/CommandID
    Windows-based instances:
    %PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
    %PROGRAMDATA%\Amazon\PatchBaselineOperations
    Note: Look for a log file named Install-PatchBaselineOperation-date

Note: Patch Manager doesn't provide patches. Instead, Patch Manager orchestrates patching by using the appropriate built-in mechanism for each operating system (OS) to install updates on an instance. For example, Patch Manager relies on Windows Update to install patches on instances running Microsoft Windows. Similarly, Patch Manager relies on yum for instances running Amazon Linux 2.

AWS-RunPatchBaseline document ran, but the RebootOption parameter is set to NoReboot

The AWS-RunPatchBaseline document using the Install operation ran on the instance, and all approved patches were successfully installed. However, the RebootOption parameter in the AWS-RunPatchBaseline document is set to NoReboot. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to InstalledPendingReboot.
    Note: The InstalledPendingReboot state holds the instance in non-compliant state until the instance is rebooted and scanned.
  2. Reboot the instance.
  3. Scan the instance and verify that the instance appears as compliant in the Systems Manager Compliance dashboard.

AWS-RunPatchBaseline document ran, but some rejected patches were present on the instance

The AWS-RunPatchBaseline document using the Install operation ran on the instance, and all approved patches were successfully installed. However, some rejected patches were also present on the instance. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Note the Association ID that corresponds to the non-compliant association type for later use.
  2. Choose the Patch tab, scroll down, select the search bar, and look for patches with the state set to InstalledRejected.
    Note: The InstalledRejected state indicates that a patch was installed before it was added to a list of rejected patches.
  3. Note the rejected patches, and then log in to your instance using SSH or Session Manager.
  4. Remove any rejected patches.

Non-compliance based on the status of State Manager associations

When a Systems Manager State Manager association is created, a configuration state is defined for the instance. If that state isn't maintained, then the Systems Manager Compliance dashboard reports the instance as non-compliant. Follow these steps to resolve the issue:

  1. View the configuration compliance report. Note the Association ID that corresponds to the non-compliant association type for later use.
  2. From the Systems Manager console, view the association history.
  3. Review the output to understand the reason for the failed association. For more information, see How can I troubleshoot a State Manager association that failed or that is stuck in pending status?
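The patch steps (Missing, Failed, InstalledPendingReboot and InstalledRejected) and the association steps above are a decision tree that can be applied to the API data behind the compliance report. The following Python script is an added example, not AWS code: it takes records shaped like the responses of ssm:DescribeInstancePatchStates and ssm:ListComplianceItems, groups non-compliant patch items by state, attaches the remediation step from this article, cross-checks the summary counters against the item list, and lists the association IDs to look up in the association history. All sample records are constructed (placeholder instance, baseline and association IDs); the Details keys "PatchState" and "DocumentName" are assumed to be what those APIs return for Patch and Association items, and the boto3 helper is optional and assumes boto3 is installed and credentials are configured.

```python
"""Triage why an instance is NON_COMPLIANT in Systems Manager Compliance (added example)."""
from collections import defaultdict

# Constructed sample: one InstancePatchStates record (placeholder ids).
SAMPLE_PATCH_STATE = {
    "InstanceId": "i-0123456789abcdef0",
    "BaselineId": "pb-0123456789abcdef0",
    "Operation": "Install",
    "RebootOption": "NoReboot",
    "InstalledCount": 40,
    "InstalledPendingRebootCount": 1,
    "InstalledRejectedCount": 1,
    "MissingCount": 2,
    "FailedCount": 1,
}

# Constructed sample: ComplianceItems for the same instance (Patch and Association types).
SAMPLE_COMPLIANCE_ITEMS = [
    {"ComplianceType": "Patch", "Id": "pkg-a", "Status": "NON_COMPLIANT",
     "Severity": "CRITICAL", "Details": {"PatchState": "Missing"}},
    {"ComplianceType": "Patch", "Id": "pkg-b", "Status": "NON_COMPLIANT",
     "Severity": "HIGH", "Details": {"PatchState": "Missing"}},
    {"ComplianceType": "Patch", "Id": "pkg-c", "Status": "NON_COMPLIANT",
     "Severity": "HIGH", "Details": {"PatchState": "Failed"}},
    {"ComplianceType": "Patch", "Id": "pkg-d", "Status": "NON_COMPLIANT",
     "Severity": "MEDIUM", "Details": {"PatchState": "InstalledPendingReboot"}},
    {"ComplianceType": "Patch", "Id": "pkg-e", "Status": "NON_COMPLIANT",
     "Severity": "LOW", "Details": {"PatchState": "InstalledRejected"}},
    {"ComplianceType": "Patch", "Id": "pkg-f", "Status": "COMPLIANT",
     "Severity": "LOW", "Details": {"PatchState": "Installed"}},
    {"ComplianceType": "Association", "Id": "00000000-0000-0000-0000-000000000001",
     "Status": "NON_COMPLIANT", "Severity": "UNSPECIFIED",
     "Details": {"DocumentName": "AWS-GatherSoftwareInventory"}},
]

# PatchState -> next step from the troubleshooting sections, in the order given there.
PATCH_ACTIONS = {
    "Missing": "run AWS-RunPatchBaseline with Operation=Install",
    "Failed": "inspect amazon-ssm-agent.log and the PatchBaselineOperations logs",
    "InstalledPendingReboot": "reboot the instance, then run a Scan",
    "InstalledRejected": "remove the rejected patches from the instance",
}


def patch_findings(state, items):
    """Group NON_COMPLIANT patch items by PatchState and attach the next step."""
    by_state = defaultdict(list)
    for item in items:
        if item["ComplianceType"] == "Patch" and item["Status"] == "NON_COMPLIANT":
            by_state[item["Details"].get("PatchState", "Unknown")].append(item["Id"])
    findings = []
    for patch_state, action in PATCH_ACTIONS.items():
        if not by_state[patch_state]:
            continue
        # Pending-reboot items after an Install with RebootOption=NoReboot: the deferred reboot.
        if patch_state == "InstalledPendingReboot" and state.get("RebootOption") == "NoReboot":
            action += " (last Install ran with RebootOption=NoReboot)"
        findings.append({"state": patch_state, "action": action,
                         "patches": sorted(by_state[patch_state])})
    return findings


def counts_match(state, items):
    """True when the Patch Summary counters agree with the per-patch items.

    A mismatch means the two come from different scans; re-run a Scan before acting.
    """
    counters = {"Missing": "MissingCount", "Failed": "FailedCount",
                "InstalledPendingReboot": "InstalledPendingRebootCount",
                "InstalledRejected": "InstalledRejectedCount"}
    seen = defaultdict(int)
    for item in items:
        if item["ComplianceType"] == "Patch" and item["Status"] == "NON_COMPLIANT":
            seen[item["Details"].get("PatchState")] += 1
    return all(state.get(counter, 0) == seen[ps] for ps, counter in counters.items())


def association_findings(items):
    """Map each NON_COMPLIANT association id to its document, for the history lookup."""
    return {item["Id"]: item["Details"].get("DocumentName", "unknown")
            for item in items
            if item["ComplianceType"] == "Association" and item["Status"] == "NON_COMPLIANT"}


def is_compliant(state, items):
    """Compliant only when neither patch nor association findings remain."""
    return not patch_findings(state, items) and not association_findings(items)


def fetch_live(instance_id, region=None):
    """Optional live lookup (assumes boto3 and credentials); not used by the sample run."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    state = ssm.describe_instance_patch_states(InstanceIds=[instance_id])["InstancePatchStates"][0]
    items = []
    for page in ssm.get_paginator("list_compliance_items").paginate(
            ResourceIds=[instance_id], ResourceTypes=["ManagedInstance"]):
        items.extend(page["ComplianceItems"])
    return state, items


if __name__ == "__main__":
    for f in patch_findings(SAMPLE_PATCH_STATE, SAMPLE_COMPLIANCE_ITEMS):
        print(f"Patch/{f['state']}: {', '.join(f['patches'])} -> {f['action']}")
    for assoc_id, doc in association_findings(SAMPLE_COMPLIANCE_ITEMS).items():
        print(f"Association {assoc_id} ({doc}) -> view the association history")
    print("summary counters agree with items:", counts_match(SAMPLE_PATCH_STATE, SAMPLE_COMPLIANCE_ITEMS))
```

Run as-is, the sample data yields one finding per patch state plus the single failed association. To triage a real instance, call `fetch_live("i-...")` and pass its two return values to `patch_findings`, `counts_match` and `association_findings`; the caller needs ssm:DescribeInstancePatchStates and ssm:ListComplianceItems permissions and nothing else.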

AWS-GatherSoftwareInventory document issues

If your instance is non-compliant due to issues running the AWS-GatherSoftwareInventory document, then troubleshoot common problems with Systems Manager Inventory.
