On 2018-10-01 from approximately 1 PM ET to 8 PM ET, a number of EC2 and EC2-dependent services in the us-west-2 AWS region experienced increased levels of API errors. As of 8:10 PM, these error rates have returned to normal and AWS has stated that the event is closed.
CloudSploit's scans are fully dependent on AWS's APIs to obtain the metadata required to produce its security reports. During AWS service disruptions, we are unable to obtain the data required from our users' accounts. However, to provide our users with the freshest data, we do not suspend or block scanning during times when AWS is experiencing these disruptions. Instead, the results we are unable to obtain are marked as "UNKNOWN" in the report. Other, unaffected services will be listed as normal in the same report. During subsequent scans, the previously unknown results will switch back to their previous PASS/WARN/FAIL status.
During the aforementioned AWS service disruption, CloudSploit saw EC2 API error rates exceeding 95% in the us-west-2 region. These errors resulted in elevated unknown results because we were unable to obtain the metadata required to produce an accurate scan result. Numerous plugins were affected, including security group checks, ELB checks, instance limit checks, and VPC resource checks. The most common error message is "Request limit exceeded."
As a result of today's event, CloudSploit has modified the criteria used to produce its "new risk" alerts and emails. Previously, if a result was reported as "unknown" in one scan and then returned to "warn" or "fail" in the next scan, that would trigger a "new risk detected" email. As of 2018-10-01 at 10 PM ET, this behavior has been changed so that the subsequent "warn" or "fail" will not be treated as a new risk if the prior scan reported it as "unknown." This will reduce the number of false positives following AWS downtime events.
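The change in alert criteria described above, replayed over three constructed scans (before, during and after an outage). This is an added example, not CloudSploit's code; the result keys, scan shape, function names and the baseline rule (WARN/FAIL now, not already WARN/FAIL in the prior scan) are assumptions.

```javascript
// Added illustration; not CloudSploit's code. Status names come from the page.
// Result keys, scan shape and function names are constructed for this example.
const RISK = new Set(['WARN', 'FAIL']);

// Assumed baseline for both versions: a result is a candidate "new risk" when
// it is WARN/FAIL now and was not already WARN/FAIL in the prior scan.
function isCandidate(prev, curr) {
  return RISK.has(curr) && !RISK.has(prev);
}

// Criteria before the change: UNKNOWN -> WARN/FAIL counts as a new risk.
function newRisksBefore(prevScan, currScan) {
  return Object.keys(currScan)
    .filter((k) => isCandidate(prevScan[k], currScan[k]))
    .sort();
}

// Criteria after the change: skip results whose prior status was UNKNOWN.
function newRisksAfter(prevScan, currScan) {
  return newRisksBefore(prevScan, currScan)
    .filter((k) => prevScan[k] !== 'UNKNOWN');
}

// Three consecutive scans (constructed): before, during and after an outage.
const SG = 'us-west-2/security-group/sg-EXAMPLE';
const ELB = 'us-west-2/elb/lb-EXAMPLE';
const S3 = 'us-east-1/s3/bucket-EXAMPLE';
const scans = [
  { [SG]: 'FAIL', [ELB]: 'PASS', [S3]: 'PASS' },
  { [SG]: 'UNKNOWN', [ELB]: 'UNKNOWN', [S3]: 'PASS' },
  { [SG]: 'FAIL', [ELB]: 'WARN', [S3]: 'FAIL' },
];

// Run one rule across consecutive scan pairs; returns alerts per transition.
function replay(rule, history) {
  return history.slice(1).map((curr, i) => rule(history[i], curr));
}

console.log('before change:', replay(newRisksBefore, scans));
console.log('after change: ', replay(newRisksAfter, scans));
```

The ELB result goes PASS -> UNKNOWN -> WARN and is also suppressed when the rule is applied exactly as stated; the page does not say whether scans older than the prior one are consulted, so a status that changed during an outage is worth confirming in the report itself.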
If you have any questions, please don't hesitate to contact our support team.