The following problems are well-known:
EC2 Instance launch failure: Client.InternalError: Client error on launch
If no EC2 instances are started, and the Auto Scaling Group shows the error “Client.InternalError: Client error on launch”, it is likely an issue with the KMS key that you use for EBS default encryption. Please modify the KMS key policy and add these two statements to allow EC2 Auto Scaling to use the key. The EC2 instances will start after a couple of minutes.
CloudFormation Template error: Fn::Select cannot select nonexistent value at index
Fn::GetAZs function returns availability zones with a default subnet unless none has a default subnet; in that case, all availability zones are returned.
Double-check that your default VPC has at least two default subnets in two availability zones to fix the error. If you deleted them before, you could create default subnets for your default VPC.
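The check described above, as an added example that is not part of the original page or of bucketAV: it models the Fn::GetAZs rule on subnet data shaped like `aws ec2 describe-subnets` output and reports which Fn::Select indexes would have no value. The sample data, the helper names, the sorted order and the assumption that the template selects indexes 0 and 1 are all hypothetical.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-subnets` output
# (only the fields used here); subnet IDs and zone names are made up.
SAMPLE = json.loads("""
{"Subnets": [
  {"SubnetId": "subnet-aaaa1111", "AvailabilityZone": "eu-west-1a", "DefaultForAz": true},
  {"SubnetId": "subnet-bbbb2222", "AvailabilityZone": "eu-west-1a", "DefaultForAz": false},
  {"SubnetId": "subnet-cccc3333", "AvailabilityZone": "eu-west-1b", "DefaultForAz": false}
]}
""")
REGION_AZS = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]  # constructed


def get_azs(subnets, region_azs):
    """Model Fn::GetAZs as described above: the AZs that have a default
    subnet, or every AZ in the region when no AZ has one.
    Sorting is only for deterministic output (an assumption)."""
    with_default = {s["AvailabilityZone"] for s in subnets if s.get("DefaultForAz")}
    return sorted(with_default) if with_default else sorted(region_azs)


def check_select(subnets, region_azs, indexes=(0, 1)):
    """Return (azs, failing_indexes) for the Fn::Select indexes a template uses.
    The default indexes 0 and 1 are an assumption based on the
    "two default subnets in two availability zones" requirement."""
    azs = get_azs(subnets, region_azs)
    failing = [i for i in indexes if i >= len(azs)]
    return azs, failing


if __name__ == "__main__":
    azs, failing = check_select(SAMPLE["Subnets"], REGION_AZS)
    print("Fn::GetAZs would return:", azs)
    for i in failing:
        print(f"Fn::Select index {i} has no value: "
              "create a default subnet in another availability zone")
```

With the sample data only one availability zone has a default subnet, so the list has one entry and index 1 fails, which is the situation behind the error message.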
The specified instance type is not valid
Unfortunately, not all instance types are available in all availability zones.
Sometimes, you can see an error like “The specified instance type t3a.small is not valid” even though you selected the instance type t3.small. This is caused by the capacity strategy SpotOnly, which defines fallback instance types for better availability. To fix the issue, set the CapacityStrategy configuration parameter to OnDemandOnly during installation.
If you still see the error, select a different value for the InstanceType configuration parameter. Our default m5.large is a good choice.
Invalid DNS reply. Falling back to HTTP mode.
You will see the following log messages from time to time:
freshclam: ClamAV update process started at ***
freshclam: Can't query no
freshclam: WARNING: Invalid DNS reply. Falling back to HTTP mode.
freshclam: Trying to retrieve CVD header from https://bucketav-clamav-mirror-***.amazonaws.com/daily.cvd
freshclam: OK
Unfortunately, ClamAV does not allow us to properly turn off reaching out to a DNS server to get the latest virus database version number. We resolve the newest virus database version number from our mirror via HTTPS.
Network issues when using delivery method Existing VPC
Please follow the Existing VPC Network Guide.
Access Denied errors when copying or moving objects
Are you getting “Access Denied” errors when copying or moving objects after enabling bucketAV? By default, bucketAV adds a tag named bucketav to scanned objects. Therefore, when copying or moving those files, you might need to grant permissions to the following actions.
For example, you will run into this issue when using IAM policies generated by AWS Transfer Family (e.g., SFTP) or AWS Storage Gateway.