Troubleshooting

The following problems are well-known:

EC2 Instance launch failure: Client.InternalError: Client error on launch

If no EC2 instances are started and the Auto Scaling Group shows the error “Client.InternalError: Client error on launch”, the cause is most likely the KMS key you use for EBS default encryption. Modify the KMS key policy and add these two statements to allow EC2 Auto Scaling to use the key. The EC2 instances will start a couple of minutes later.

CloudFormation Template error: Fn::Select cannot select nonexistent value at index

CloudFormation’s Fn::GetAZs function returns only the availability zones that have a default subnet; only if no availability zone has a default subnet does it return all availability zones.

To fix the error, double-check that your default VPC has default subnets in at least two availability zones. If you deleted them earlier, you can recreate default subnets for your default VPC.
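The following added example (not bucketAV's own code) models the Fn::GetAZs and Fn::Select behaviour described above so you can see, before deploying, whether a template that selects two zones would fail for a given set of default subnets. The subnet records are constructed and only mimic the AvailabilityZone and DefaultForAz fields of `aws ec2 describe-subnets` output; the region's zone list is an assumption.

```python
"""Model of CloudFormation's Fn::GetAZs / Fn::Select interaction.

Added example, not bucketAV's code. Fn::GetAZs yields the zones of the
region that have a default subnet, or every zone if none has one, and
Fn::Select fails when the index is out of range.
"""


def get_azs(region_azs, subnets):
    """Return the AZ list Fn::GetAZs would yield for the given subnets."""
    default_azs = sorted({s["AvailabilityZone"] for s in subnets if s.get("DefaultForAz")})
    return default_azs if default_azs else sorted(region_azs)


def fn_select(index, values):
    """Fn::Select: pick one element or fail like CloudFormation does."""
    if index < 0 or index >= len(values):
        raise IndexError(f"Fn::Select cannot select nonexistent value at index {index}")
    return values[index]


def check_template_azs(region_azs, subnets, required=2):
    """Return (ok, azs, problem): whether selecting indices 0..required-1 works."""
    azs = get_azs(region_azs, subnets)
    try:
        for i in range(required):
            fn_select(i, azs)
    except IndexError as exc:
        return False, azs, str(exc)
    return True, azs, None


# Constructed samples: a region with three zones (assumed names).
REGION_AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
# Only one zone still has its default subnet -> Fn::GetAZs returns one zone.
SUBNETS_ONE_DEFAULT = [
    {"SubnetId": "subnet-0a", "AvailabilityZone": "us-east-1a", "DefaultForAz": True},
    {"SubnetId": "subnet-0b", "AvailabilityZone": "us-east-1b", "DefaultForAz": False},
]
# No default subnet at all -> Fn::GetAZs falls back to every zone.
SUBNETS_NONE_DEFAULT = [
    {"SubnetId": "subnet-0b", "AvailabilityZone": "us-east-1b", "DefaultForAz": False},
]

if __name__ == "__main__":
    for label, subnets in [("one default subnet", SUBNETS_ONE_DEFAULT),
                           ("no default subnets", SUBNETS_NONE_DEFAULT)]:
        ok, azs, problem = check_template_azs(REGION_AZS, subnets)
        print(f"{label}: Fn::GetAZs -> {azs}; {'ok' if ok else problem}")
```

The counter-intuitive case is the first one: deleting the default subnet in all but one zone makes Fn::GetAZs return a single zone, so selecting index 1 fails, while deleting all of them makes the template deploy again.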

The specified instance type is not valid

Unfortunately, not all instance types are available in all availability zones.

Sometimes you see an error like “The specified instance type t3a.small is not valid” even though you selected the instance type t3.small. This is caused by the capacity strategy SpotOnly, which defines fallback instance types to improve availability. To fix the issue, set the CapacityStrategy configuration parameter to OnDemandOnly during installation.

If you still see the error, select a different InstanceType configuration parameter. Our default, m5.large, is a good choice.

Invalid DNS reply. Falling back to HTTP mode.

You will see the following log messages from time to time:

freshclam: ClamAV update process started at ***
freshclam: Can't query no
freshclam: WARNING: Invalid DNS reply. Falling back to HTTP mode.
freshclam: Trying to retrieve CVD header from https://bucketav-clamav-mirror-***.amazonaws.com/daily.cvd
freshclam: OK

Unfortunately, ClamAV does not let us properly turn off the DNS lookup it uses to find the latest virus database version number. We resolve the newest virus database version number from our mirror via HTTPS instead.
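Because the DNS warning above is expected, a log monitor should suppress it without hiding real update failures. The following added example (not bucketAV's code) classifies a freshclam run: the warning followed by a successful HTTPS fetch from the mirror is benign, while an ERROR line or a missing completion message is a failure. The log excerpts are constructed; the first reproduces the messages shown above with the DNS name elided, the second is an assumed failure case.

```python
"""Triage freshclam log output. Added example, not bucketAV's code."""
import re

BENIGN_DNS_WARNING = "Invalid DNS reply. Falling back to HTTP mode."

# Constructed excerpt of the run shown above (*** placeholders kept).
SAMPLE_LOG = """\
freshclam: ClamAV update process started at ***
freshclam: Can't query ***
freshclam: WARNING: Invalid DNS reply. Falling back to HTTP mode.
freshclam: Trying to retrieve CVD header from https://bucketav-clamav-mirror-***.amazonaws.com/daily.cvd
freshclam: OK
"""

# Constructed (assumed) failure: fallback happened but the mirror fetch failed.
FAILED_LOG = """\
freshclam: ClamAV update process started at ***
freshclam: WARNING: Invalid DNS reply. Falling back to HTTP mode.
freshclam: Trying to retrieve CVD header from https://bucketav-clamav-mirror-***.amazonaws.com/daily.cvd
freshclam: ERROR: Can't download daily.cvd from the mirror (constructed message)
"""


def triage_freshclam(log_text):
    """Classify one freshclam run.

    Returns (verdict, details):
      'ok'                  - no DNS warning, update completed
      'benign-dns-fallback' - the expected warning, mirror fetch, completed
      'dns-fallback-no-mirror' - warning but no HTTPS mirror attempt seen
      'failed'              - ERROR line present or no completion message
    """
    lines = [line.strip() for line in log_text.splitlines() if line.strip()]
    dns_fallback = any(BENIGN_DNS_WARNING in line for line in lines)
    mirror_fetch = any(re.search(r"Trying to retrieve CVD header from https://", line) for line in lines)
    errors = [line for line in lines if "ERROR:" in line]
    # freshclam ends a successful run with "OK" or reports the database as up-to-date.
    completed = any(line.endswith("freshclam: OK") or "is up-to-date" in line for line in lines)
    details = {"dns_fallback": dns_fallback, "mirror_fetch": mirror_fetch,
               "errors": errors, "completed": completed}
    if errors or not completed:
        return "failed", details
    if dns_fallback:
        return ("benign-dns-fallback" if mirror_fetch else "dns-fallback-no-mirror"), details
    return "ok", details


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("failed", FAILED_LOG)):
        verdict, details = triage_freshclam(log)
        print(f"{name}: {verdict} {details['errors']}")
```

Feed the function the lines of one freshclam run (for example one CloudWatch Logs batch); alert on anything other than `ok` or `benign-dns-fallback`.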

Network issues when using delivery method Existing VPC

Please follow the Existing VPC Network Guide.

Access Denied errors when copying or moving objects

Are you getting “Access Denied” errors when copying or moving objects after enabling bucketAV? By default, bucketAV adds a tag named bucketav to scanned objects. Therefore, when copying or moving those objects, you might need to grant permissions for the following actions:

  • s3:PutObjectTagging
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:PutObjectVersionTagging

For example, you will run into this issue when using IAM policies generated by AWS Transfer Family (e.g., SFTP) or AWS Storage Gateway.
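The following added example (not bucketAV's code) checks a policy document for the permissions discussed on this page before you hit the error in production. It serves two sections: the four s3 tagging actions listed above, and the KMS key policy statements needed for the Auto Scaling launch failure described at the top of the page. The KMS action list and the Auto Scaling service-linked-role ARN are assumptions taken from AWS's general guidance for Auto Scaling with customer managed keys (the page itself does not list them), and every policy below is a constructed sample, not one generated by AWS Transfer Family or bucketAV.

```python
"""Check whether an IAM or KMS key policy grants a required action set.

Added example, not bucketAV's code. Matching follows IAM's rules for
action names: case-insensitive, with '*' wildcards in the granted pattern.
"""
import copy
import fnmatch

# The four actions listed on this page.
S3_TAGGING_ACTIONS = [
    "s3:PutObjectTagging", "s3:GetObjectTagging",
    "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging",
]
# Assumption: the actions AWS documents for the EC2 Auto Scaling
# service-linked role on a customer managed key used for EBS encryption.
AUTOSCALING_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
]
# Assumed ARN; 123456789012 is the placeholder account id used on this page.
AUTOSCALING_SLR = ("arn:aws:iam::123456789012:role/aws-service-role/"
                   "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, principal_arn=None):
    """Return the action patterns granted by Allow statements.

    For key policies pass principal_arn so that only statements naming that
    principal (or "*") count; identity policies carry no Principal element.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
            if principal_arn not in aws and "*" not in aws:
                continue
        granted.update(_as_list(stmt["Action"]))
    return granted


def missing_actions(required, granted):
    """Required actions that no granted pattern covers."""
    return sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in granted)
    )


# Constructed: the shape of a scoped-down transfer policy without tagging rights.
TRANSFER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
# Same policy with the four tagging actions added to the object statement.
TRANSFER_POLICY_FIXED = copy.deepcopy(TRANSFER_POLICY)
TRANSFER_POLICY_FIXED["Statement"][1]["Action"] += S3_TAGGING_ACTIONS

# Constructed key policy: the role may use the key but may not create grants,
# which is the kind of gap that leaves Auto Scaling unable to launch.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": AUTOSCALING_SLR},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}
KEY_POLICY_FIXED = copy.deepcopy(KEY_POLICY)
KEY_POLICY_FIXED["Statement"].append(
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": AUTOSCALING_SLR}, "Action": "kms:CreateGrant", "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}})

if __name__ == "__main__":
    print("tagging, before:", missing_actions(S3_TAGGING_ACTIONS, allowed_actions(TRANSFER_POLICY)))
    print("tagging, after: ", missing_actions(S3_TAGGING_ACTIONS, allowed_actions(TRANSFER_POLICY_FIXED)))
    print("kms, before:", missing_actions(AUTOSCALING_KMS_ACTIONS, allowed_actions(KEY_POLICY, AUTOSCALING_SLR)))
    print("kms, after: ", missing_actions(AUTOSCALING_KMS_ACTIONS, allowed_actions(KEY_POLICY_FIXED, AUTOSCALING_SLR)))
```

A wildcard such as `s3:*ObjectTagging` covers only the two non-version actions, because `s3:GetObjectVersionTagging` does not end in `ObjectTagging`; listing all four explicitly avoids that surprise.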

S3 Event Notification error: Configuration is ambiguously defined

When creating an S3 Event Notification, you receive the following error:

Configuration is ambiguously defined. Cannot have overlapping suffixes in two rules if the prefixes are overlapping for the same event type.

Find a solution here.
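The following added example (not bucketAV's code) implements the overlap rule the error message states, so you can find the conflicting pair among a bucket's notification rules before S3 rejects the configuration. Two rules conflict when they share an event type (a wildcard such as s3:ObjectCreated:* covers every s3:ObjectCreated:... operation), their key prefixes overlap (one is a prefix of the other; an empty prefix matches everything) and their suffixes overlap in the same way. The rule representation and the sample rules are constructed.

```python
"""Find pairs of S3 event notification rules that S3 reports as ambiguous.

Added example, not bucketAV's code. Each rule is a dict with an 'id', a
list of 'events', and optional 'prefix' / 'suffix' key filters.
"""
from itertools import combinations


def _events_overlap(a, b):
    """Exact match, or a trailing ':*' wildcard covering the other event type."""
    if a == b:
        return True
    for wild, other in ((a, b), (b, a)):
        if wild.endswith(":*") and other.startswith(wild[:-1]):
            return True
    return False


def _prefixes_overlap(a, b):
    return a.startswith(b) or b.startswith(a)


def _suffixes_overlap(a, b):
    return a.endswith(b) or b.endswith(a)


def find_ambiguous_pairs(rules):
    """Return [(id_a, id_b), ...] for every pair of rules S3 would reject."""
    conflicts = []
    for ra, rb in combinations(rules, 2):
        shared_event = any(_events_overlap(ea, eb) for ea in ra["events"] for eb in rb["events"])
        if (shared_event
                and _prefixes_overlap(ra.get("prefix", ""), rb.get("prefix", ""))
                and _suffixes_overlap(ra.get("suffix", ""), rb.get("suffix", ""))):
            conflicts.append((ra["id"], rb["id"]))
    return conflicts


# Constructed sample: an unfiltered "scan everything" rule next to an
# existing thumbnail rule on the same bucket.
RULES = [
    {"id": "scan-all-uploads", "events": ["s3:ObjectCreated:*"], "prefix": "", "suffix": ""},
    {"id": "thumbnails", "events": ["s3:ObjectCreated:Put"], "prefix": "images/", "suffix": ".jpg"},
    {"id": "cleanup", "events": ["s3:ObjectRemoved:*"], "prefix": "images/", "suffix": ""},
]

# One way out: give the two ObjectCreated rules disjoint prefixes.
RULES_FIXED = [
    {"id": "scan-uploads", "events": ["s3:ObjectCreated:*"], "prefix": "uploads/", "suffix": ""},
    RULES[1],
    RULES[2],
]

if __name__ == "__main__":
    print("conflicts:", find_ambiguous_pairs(RULES))
    print("after fix:", find_ambiguous_pairs(RULES_FIXED))
```

The cleanup rule never conflicts with the others even though its prefix overlaps, because s3:ObjectRemoved:* and s3:ObjectCreated:* are different event types; the check only fires when all three conditions hold at once.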

Unauthorized SSM requests in CloudTrail

The following unauthorized calls appear in CloudTrail when you use AWS Systems Manager features other than Session Manager (e.g., Patch Manager).

User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:PutComplianceItems on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-123456 because no identity-based policy allows the ssm:PutComplianceItems action
User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-GatherSoftwareInventory because no identity-based policy allows the ssm:GetDocument action
User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized to perform: ssm:UpdateInstanceAssociationStatus on resource: arn:aws:ssm:us-east-1:123456789012:association/123456 because no identity-based policy allows the ssm:UpdateInstanceAssociationStatus action

When you set the SystemsManagerAccess configuration parameter to true, you “Enable AWS Systems Manager Session Manager to connect to the EC2 instances.” In other words, only the permissions required by SSM Session Manager are added. If you plan to use any other SSM feature, you must also grant the necessary permissions. One approach is to use the AWS official managed policy AmazonSSMManagedInstanceCore. To do so, set the ManagedPolicyArns configuration parameter to arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore.
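To see at a glance which role lacks which SSM actions, the following added example (not bucketAV's code) parses CloudTrail errorMessage strings of the form quoted above and groups the denied actions by role. The sample messages are the three shown on this page; the regular expression and the role-name extraction are assumptions about the message format.

```python
"""Group CloudTrail "is not authorized to perform" messages by role.

Added example, not bucketAV's code.
"""
import re
from collections import defaultdict

# The three CloudTrail messages quoted on this page (placeholder ids as given there).
SAMPLE_MESSAGES = [
    "User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized "
    "to perform: ssm:PutComplianceItems on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-123456 "
    "because no identity-based policy allows the ssm:PutComplianceItems action",
    "User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized "
    "to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-GatherSoftwareInventory "
    "because no identity-based policy allows the ssm:GetDocument action",
    "User: arn:aws:sts::123456789012:assumed-role/bucketav-ScanIAMRole-123/i-123456 is not authorized "
    "to perform: ssm:UpdateInstanceAssociationStatus on resource: "
    "arn:aws:ssm:us-east-1:123456789012:association/123456 "
    "because no identity-based policy allows the ssm:UpdateInstanceAssociationStatus action",
    "Some unrelated CloudTrail message that is not an authorization failure",
]

# Assumed message format, matching the lines above.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>\S+) "
    r"because no identity-based policy allows"
)


def parse_denial(message):
    """Return {'principal', 'role', 'action', 'resource'} or None if not a denial."""
    match = DENIAL_RE.search(message)
    if not match:
        return None
    principal = match.group("principal")
    # Assumed-role ARNs read .../assumed-role/<role-name>/<session-name>.
    role = principal.split("/")[1] if ":assumed-role/" in principal else None
    return {"principal": principal, "role": role,
            "action": match.group("action"), "resource": match.group("resource")}


def denied_actions_by_role(messages):
    """Map role name -> sorted unique denied actions, ignoring non-denial lines."""
    grouped = defaultdict(set)
    for message in messages:
        parsed = parse_denial(message)
        if parsed:
            grouped[parsed["role"]].add(parsed["action"])
    return {role: sorted(actions) for role, actions in grouped.items()}


def only_ssm_actions(actions):
    """True when every denied action is in the ssm namespace (the case this page describes)."""
    return bool(actions) and all(action.startswith("ssm:") for action in actions)


if __name__ == "__main__":
    for role, actions in denied_actions_by_role(SAMPLE_MESSAGES).items():
        print(role, actions, "ssm-only" if only_ssm_actions(actions) else "mixed")
```

If the denied actions for the scan role are all ssm: actions beyond what Session Manager needs, the fix on this page applies: set ManagedPolicyArns to the AmazonSSMManagedInstanceCore policy ARN. Denials in other namespaces point to a different problem.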

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email