In AWS accounts that have many resources, such as thousands of EC2 instances, AWS paginates the response data returned by its APIs. Historically, CloudSploit has attempted to retrieve as many resources as possible in a single API call via the "MaxResults" parameter. However, in AWS accounts where the number of resources exceeds the maximum allowed value, CloudSploit has not had visibility into the additional pages of results.


As of July 1, 2019, CloudSploit supports pagination of the AWS API, allowing us to scan all resources in an account, even when they do not fit in a single API response. Because this is a change in behavior that may lead to new scan results, CloudSploit is providing the ability for existing users to opt into this functionality. We strongly recommend that you opt in as soon as possible.


Q. How do I opt into AWS pagination?

A. Navigate to "Infrastructure Accounts" > "Amazon Web Services" and select "Edit" next to the account you'd like to enroll. In the popup box, check the box next to "AWS Pagination."


Q. When will pagination take effect?

A. Pagination will apply to the next scan that is run following the enrollment of the account.


Q. Why should I enable pagination?

A. For most AWS accounts, the in-use resources fit into a single AWS API response. However, if your account has a large number of resources, multiple API calls are required to retrieve them all. Enabling pagination allows CloudSploit to make multiple requests so that all of your resources are audited for security risks.
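
The visibility gap described above, as an added example (not CloudSploit's own code). It runs against a stub list API with a constructed 2,500-instance inventory; `listInstances`, `PAGE_LIMIT`, the `Instances` field and the sample IDs are assumptions made for illustration.

```javascript
// Constructed sample data: 2,500 fake instances; one deep in the list is public.
const PAGE_LIMIT = 1000; // assumed per-call cap enforced by the stub service
const inventory = Array.from({ length: 2500 }, (_, i) => ({
  id: `i-sample-${i}`,
  publicIp: i === 2300 ? '203.0.113.10' : null, // documentation-range address
}));

// Hypothetical paginated list API (synchronous for brevity; real SDK calls are async).
function listInstances({ MaxResults = PAGE_LIMIT, NextToken } = {}) {
  const size = Math.min(MaxResults, PAGE_LIMIT);
  const start = NextToken ? Number(NextToken) : 0;
  const end = start + size;
  return {
    Instances: inventory.slice(start, end),
    NextToken: end < inventory.length ? String(end) : undefined,
  };
}

// Old behaviour: one call with the largest MaxResults; later pages are never seen.
function collectSinglePage(list) {
  const page = list({ MaxResults: PAGE_LIMIT });
  return { items: page.Instances, truncated: Boolean(page.NextToken) };
}

// Paginated behaviour: follow NextToken until the service stops returning one.
function collectAllPages(list, maxPages = 100) {
  const items = [];
  const seen = new Set();
  let token;
  for (let n = 0; n < maxPages; n++) {
    const page = list({ MaxResults: PAGE_LIMIT, NextToken: token });
    items.push(...page.Instances);
    token = page.NextToken;
    if (!token) return { items, truncated: false };
    if (seen.has(token)) break; // repeated token: stop rather than loop forever
    seen.add(token);
  }
  return { items, truncated: true }; // report as incomplete, never as clean
}

// Example audit check: which instances have a public IP?
const findPublic = (items) => items.filter((i) => i.publicIp).map((i) => i.id);

const single = collectSinglePage(listInstances);
const full = collectAllPages(listInstances);
console.log('single call:', single.items.length, 'public:', findPublic(single.items));
console.log('paginated:  ', full.items.length, 'public:', findPublic(full.items));
```

The single call audits only the first page and reports no public instances, while the paginated collection finds the one on a later page. The `truncated` flag lets a scanner mark a result as incomplete when it stops early.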


Q. How can I test this setting?

A. To test how pagination affects your account, enroll the account (see the steps above) and then click "Scan" next to your account. This will generate a new scan report. Any newly-detected results will be marked as "new" findings.


Q. What kinds of issues should I watch for?

A. After enabling pagination, please alert support if you see any of the following issues with your accounts: scans that fail to complete, an elevated number of "unknown" scan results, scan timeouts, 403 or 401 errors in your results, or missing results.


Q. Which AWS resources support pagination?

A. CloudSploit has enabled pagination for: ACM certificates, Athena workgroups, AutoScaling groups, CloudWatch log groups, DirectConnect gateways, Directory Service directories, EC2 subnets, EC2 instances, EC2 VPCs, EC2 NAT gateways, EC2 VPC peering connections, EC2 route tables, EFS file systems, ElasticTranscoder pipelines, ELBs, ELB target groups, IAM certificates, IAM groups, IAM users, IAM roles, KMS keys, Lambda functions, RDS instances, Redshift clusters, Route53 domains, SageMaker notebooks, SES identities, SNS topics, SSM parameters, Transfer service servers, and Workspace groups.


Q. I have a lot of AWS accounts. Can I opt in globally?

A. We recommend opting in your larger accounts first to ensure your results are as expected. However, if you would like to enroll all of your accounts at once, please open a support ticket and we will enable your accounts globally.


If you have any additional questions, please contact support.