CloudSploit relies heavily on the cloud provider APIs to obtain metadata about the account's resources and make its security evaluations. In some cases the upstream provider (AWS, Azure, etc.) returns an error because of a rate limit, an outage, or an internal server error. CloudSploit retries these calls, but in some cases a final result still cannot be obtained. Rather than failing the entire scan, CloudSploit marks such results as "Unknown" in the report to indicate that it could not obtain the data needed to evaluate that security control.
Since these errors often disappear on subsequent scans, the true result is usually obtained once accurate data is available. However, because the previous result was marked as "Unknown," CloudSploit treats the new result as a "new finding" if it is in a non-passing state, even if the control was already failing before the "Unknown" result. Consider the following illustration:
Scan 1 --> Result Unknown --> Scan 2 --> Result Passing --> Scan 3 --> Result Unknown --> Scan 4 --> Result Failing
In the above case, the result flaps between the unknown, passing, and failing states. In the 4th scan the result is failing, while in the scan before it the result was unknown. CloudSploit therefore marks the result of the 4th scan as "NEW" to indicate that it has moved to an insecure state since the previous scan, even though the unknown result in scan 3 says nothing about whether the control was actually secure at that time.
Avoiding "New Risks Detected" Emails
When a result moves to a new state, CloudSploit sends a "New Risks Detected" email. Because these emails can be triggered by a transition involving the "unknown" state (for example, from "passing" to "unknown", or from "unknown" to "failing") without any underlying change in the security posture, CloudSploit can ignore the "unknown" state when calculating new risks. You can enable this option for each account by following these steps:
- Log into the CloudSploit console and navigate to the connected accounts for the selected cloud provider (AWS, Azure, etc).
- Find your account and click "Edit".
- In the popup, check the box next to "Ignore Unknown Results".
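The following is an added example, not CloudSploit's own code: a small model of how one control's results across consecutive scans get flagged as NEW, both with the default behaviour (where an "Unknown" result breaks the comparison chain, as in the illustration above) and with "Ignore Unknown Results" enabled. The state names, the `classifyScans` and `newRiskScans` functions, and the exact comparison rule (a non-passing result is NEW when it differs from the result it is compared against) are assumptions drawn from the description on this page, not CloudSploit's actual implementation.

```javascript
// Added example (not CloudSploit's own code). Models how a sequence of
// per-scan results for ONE control is classified as NEW or not, with and
// without the "Ignore Unknown Results" option. State names and the
// comparison rule below are assumptions based on the page's description.

const PASS = 'PASS';
const FAIL = 'FAIL';
const UNKNOWN = 'UNKNOWN';

/**
 * Classify each scan result for a single control as NEW or not.
 *
 * Assumed rule: a non-passing result (FAIL or UNKNOWN) is NEW when it differs
 * from the baseline it is compared against.
 *  - Without ignoreUnknown, the baseline is simply the previous scan's result,
 *    so FAIL -> UNKNOWN -> FAIL flags the second FAIL as NEW although nothing
 *    about the resource changed.
 *  - With ignoreUnknown, UNKNOWN results are never flagged and are skipped
 *    when choosing the baseline, so the second FAIL is compared against the
 *    first FAIL and is not NEW.
 *
 * Returns one entry per scan: { scan, result, isNew }.
 */
function classifyScans(results, { ignoreUnknown = false } = {}) {
  const out = [];
  let baseline = null; // last result eligible for comparison; null before any scan

  results.forEach((result, i) => {
    if (result === UNKNOWN && ignoreUnknown) {
      // Data was unavailable: do not flag it and do not let it become the baseline.
      out.push({ scan: i + 1, result, isNew: false });
      return;
    }
    // Passing results are never "new risks"; non-passing ones are NEW only if
    // they differ from the baseline (a first-ever observation counts as new).
    const isNew = result !== PASS && baseline !== result;
    baseline = result;
    out.push({ scan: i + 1, result, isNew });
  });
  return out;
}

/**
 * Scan numbers (1-based) in which this control would contribute to a
 * "New Risks Detected" email under the assumed rule.
 */
function newRiskScans(results, opts) {
  return classifyScans(results, opts)
    .filter(entry => entry.isNew)
    .map(entry => entry.scan);
}

// Constructed sample sequences (not real scan data).
const illustration = [UNKNOWN, PASS, UNKNOWN, FAIL]; // the page's own illustration
const flapping = [FAIL, UNKNOWN, FAIL];              // a control that never actually changed

console.log('illustration, default:       ', newRiskScans(illustration));                        // [1, 3, 4]
console.log('illustration, ignore unknown:', newRiskScans(illustration, { ignoreUnknown: true })); // [4]
console.log('flapping, default:           ', newRiskScans(flapping));                            // [1, 2, 3]
console.log('flapping, ignore unknown:    ', newRiskScans(flapping, { ignoreUnknown: true }));     // [1]
```

The `flapping` sequence is the case the option exists for: the control failed in scan 1, the API call failed in scan 2, and the control still fails in scan 3. With the default comparison the scan 3 failure is reported as a new risk and triggers an email; with unknown results ignored it is correctly treated as the same, already-known finding.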
If a particular plugin's results flap between states so often that they are no longer useful, you can suppress that plugin via the "Scans" > "Suppressions" page. Note that a suppressed plugin is no longer evaluated at all for that account, so prefer the "Ignore Unknown Results" option or a lower scan frequency where those are sufficient.
Reducing Scan Frequency
Many of the above errors stem from rate limits that the cloud provider imposes on the APIs CloudSploit uses to gather data. If you scan too frequently, these rate limits can cause an elevated number of "Unknown" results. You can decrease your scan frequency via the "Connected Accounts" page.
Due to additional rate limits imposed on the IAM and ELB APIs, the following plugins hit this issue more frequently than others:
- Access Keys Extra
- Access Keys Last Used
- Access Keys Rotated
- IAM User Admins
- ELB HTTPS Only
- ELB Logging Enabled
- ELB No Instances
- Insecure Ciphers