When CloudSploit performs its scans, it relies heavily on the responses provided by the upstream cloud providers such as AWS and Azure. In some cases, these APIs return results that prevent us from performing our security analysis. For example, the API may return an internal server error, rate limit*, or permission denied response**, which CloudSploit cannot parse.
* CloudSploit automatically retries rate-limited calls, but to maintain report integrity, includes rate-limited calls as "unknown" after repeated failed attempts.
** Permission denied responses may be due to invalid permissions on the connected cloud account.
In these cases, CloudSploit has historically treated these results the same way it has passing, warning, and failing results and triggered "new risk detected" emails and third-party integrations, and marked the results as "new" in scan reports if the previous scan's result was also unknown.
This behavior is not always desirable, especially if the "unknown" results are transient. This flapping between an unknown and non-unknown result can trigger confusing emails and reports.
New Opt-In Setting
As of July 1, 2019, CloudSploit offers the ability to opt into preventing unknown results from being treated as "new" results. Opting into this setting will prevent unknown results, regardless of the reason behind the unknown status, from triggering a "new" result report, alert, or scan status. Before opting into this setting, it is important to understand the behavior described below.
Are scan reports sent when...?
|Scan Type/Findings||Ignore Unknown Results OFF (Default Behavior)||Ignore Unknown Results ON (Opt-In Behavior)|
|First scan of a new cloud account||NO||NO|
|Subsequent scans of the same cloud account, result moves from PASS to UNKNOWN||YES||NO|
|Subsequent scans of the same cloud account, result moves from WARN or FAIL to UNKNOWN||YES||NO|
|Subsequent scans of the same cloud account, result moves from UNKNOWN to PASS/WARN/FAIL||NO||NO|
|Subsequent scans of the same cloud account, new result found in UNKNOWN state||YES||NO|
|Subsequent scans of the same cloud account, new result found in WARN or FAIL state||YES||YES|
|Subsequent scans of the same cloud account, new result found in PASS state||NO||NO|
Enabling "Ignore Unknown Results"
- Log into your CloudSploit account as a group or account admin
- Navigate to the cloud accounts page for the account you would like to modify.
- Click "Edit" next to your account.
- In the popup box, check the box next to "Ignore Unknown Results".