Understanding Scan Results
Aqua CSPM scan reports contain a wealth of information related to the security posture of your cloud infrastructure environments. These reports contain security findings and results that indicate the status and severity of these security risks.
Every scan report result is comprised of the following pieces of information:
| Field | Status | Severity | Region | Resource | Message |
|---|---|---|---|---|---|
| Examples | PASS, WARN, FAIL, UNKNOWN | Low, Medium, High, Critical | us-east-1, ap-northeast-1 | arn:aws:s3:::example-bucket | "The S3 bucket is not encrypted" |
Each scan report result contains one of the following status codes:
- PASS: A passing result, indicating that the security risk is not present
- WARN: A warning result, indicating that a security risk may be present
- FAIL: A failing result, indicating that a security risk is present
- UNKNOWN: An unknown result, indicating that the security risk could not be determined
Each scan report result also contains one of the following severity levels:
- Low: The risk of a compromise is not significant
- Medium: There is a moderate chance of compromise, depending on other mitigating factors
- High: There is a considerable risk of compromise
- Critical: There is an immediate risk of compromise, or a compromise may have already occurred
The first scan report that runs in your account is used as the baseline for the second report, which in turn becomes the baseline for the third, and so on. As scans run, newly detected risks are highlighted in your scan reports with the New Risk label. A new risk is one that was absent or passing in the previous report and is now warning or failing.
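The baseline comparison described above, as an added example that is not part of Aqua's documentation or product code: it applies the New Risk rule to two constructed reports whose fields mirror the table on this page. Matching a finding across reports by plugin, region and resource is an assumption made here; the page does not say how Aqua correlates results between scans.

```python
# Added example, not Aqua's own code: apply the "New Risk" rule to two scan reports.
# Matching findings across reports by (plugin, region, resource) is an assumption.
from dataclasses import dataclass

STATUSES = {"PASS", "WARN", "FAIL", "UNKNOWN"}
SEVERITIES = {"Low", "Medium", "High", "Critical"}
RISK_STATUSES = {"WARN", "FAIL"}  # a risk is "present" only in these two states

@dataclass(frozen=True)
class Result:
    plugin: str
    status: str
    severity: str
    region: str
    resource: str
    message: str = ""

    def key(self):
        return (self.plugin, self.region, self.resource)

def new_risks(previous, current):
    """Results that are WARN/FAIL now and were absent or PASS in the baseline.
    WARN->FAIL and UNKNOWN->FAIL are not New Risks: the risk was already flagged or undetermined."""
    baseline = {r.key(): r for r in previous}
    flagged = []
    for r in current:
        if r.status not in STATUSES or r.severity not in SEVERITIES:
            raise ValueError(f"malformed result for {r.plugin!r}: {r}")
        if r.status not in RISK_STATUSES:
            continue  # PASS and UNKNOWN never count as a present risk
        before = baseline.get(r.key())
        if before is None or before.status == "PASS":
            flagged.append(r)
    return flagged

# Constructed sample reports (not real scan output).
PREVIOUS = [
    Result("S3 Bucket Encryption", "PASS", "High", "us-east-1", "arn:aws:s3:::example-bucket"),
    Result("Audit Logging Enabled", "WARN", "High", "us-east-1", "account"),
    Result("Open Kibana", "UNKNOWN", "Low", "ap-northeast-1", "sg-example"),
]
CURRENT = [
    Result("S3 Bucket Encryption", "FAIL", "High", "us-east-1", "arn:aws:s3:::example-bucket",
           "The S3 bucket is not encrypted"),                                   # PASS -> FAIL: New Risk
    Result("Audit Logging Enabled", "FAIL", "High", "us-east-1", "account"),  # WARN -> FAIL: escalation
    Result("Open Kibana", "FAIL", "Low", "ap-northeast-1", "sg-example"),     # UNKNOWN -> FAIL: not new
    Result("IAM User Admins", "WARN", "Medium", "global", "account",
           "Only one administrator user exists"),                             # absent before: New Risk
]
```

Calling `new_risks(PREVIOUS, CURRENT)` returns the S3 encryption and IAM admin results only; the escalated audit-logging finding and the formerly UNKNOWN Kibana finding are not labelled new.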
Examples of CSPM scan results
In general, the Result of a scan is explained in the "More Info" section of the Plugin Details window.
For example, in the following screenshot the "Audit Logging Enabled" check fails because audit logging is in fact disabled:
WARN results are usually non-critical alerts about settings that fall outside the guidelines but do not violate standards.
The reasons for a WARN result vary. The following screenshot shows one specific example: the "IAM User Admins" check produces a warning because the recommendation is to have two administrator users, but the checked instance has only one. While this doesn't pose a security risk (as it would if there were multiple administrators), it's still something you might want to change.
- Cloud provider (e.g., AWS, Azure, or GCP) documentation, white papers, and blog posts
- Common industry best practices
- Public benchmark programs, such as CIS
- Compliance programs, such as PCI and HIPAA
- Audit logging is a crucial part of security monitoring, and having it disabled poses high security risks; therefore, Aqua rates it as a "High" severity risk.
- The "Open Kibana" policy, by contrast, applies only to a specific port used by a specific service, so it doesn't pose a risk as important as disabled audit logging; therefore, Aqua assigns it a "Low" severity ranking.