Aqua CSPM uses a variety of processes to fetch the latest, most accurate API data from cloud providers. At times, this data cannot be fetched due to circumstances beyond Aqua's control. Depending on why the scan report produced an unknown result, you may be able to make changes to fix these results.

An example "UNKNOWN" scan result.

Steps to Debug Unknown Scan Results

Follow the below steps to troubleshoot your unknown scan results.

Step 1: Ensure the account connection is still valid

If your scan report contains hundreds or thousands of "unknown" results, the most likely culprit is an invalid or broken cloud account connection. For example, in AWS, this may mean that the IAM role used to deploy CSPM has been deleted from your AWS account, or that its IAM permissions have been modified.

Step 2: Ensure the permissions are valid

Each cloud account connection has associated permissions that must be added. If you see an error message in your scan report with the words "access denied" or "invalid permissions," chances are that the permission set is incorrect.

  • Use the Cloud Account Connection Wizard to obtain the most recent set of permissions required for your account.
  • If your existing IAM role or AD application still exists in your cloud account, you can simply update the permissions in place. If the role has been deleted, follow the steps in Step 1 above to recreate it.

Step 3: Determine if the Aqua is being rated limited

Some results may not be able to be determined because Aqua has been rate-limited while querying the necessary APIs. This sometimes happens in very large infrastructure accounts with hundreds or thousands of resources. If this occurs, simply waiting for the next scan report to run often resolves the issue. If not, you can either suppress the results or contact support to discuss more custom options for your environment.

Step 4: Use the Live Run tool to evaluate response data

The Live Run tool is a helpful debugging tool that allows you to see the exact response data that the Aqua is receiving from the cloud provider API call.

  • Select the cloud account and affected plugin from the list.
  • Use the toggle to access the source API data.