What do my CSPM scan results mean
The following results are generated by CSPM:
PASS: The test passed when run against your account. This can mean either that your account was not using the service being checked (for example, the ELB checks will pass if no ELBs are in use) or that all resources adhered to the required security policies.
WARN: The test found results or resources that place the infrastructure at risk, but are not likely to lead to an immediate compromise. For example, user accounts with passwords last changed 100 days ago may trigger a warning.
FAIL: These results are more serious and could put part of, or the entire, infrastructure at risk. They also include the results of "yes/no" checks where the answer was "no." For example, if CloudTrail is enabled, the result will be PASS, but if it is not enabled, it will be FAIL.
UNKNOWN: These results could not be determined for a variety of reasons. The most likely is that the permissions given to the CSPM IAM role prevented it from making the API calls necessary to determine a result. Another possibility is that the API call failed due to a rate limit, AWS response time issue, or AWS API failure. If the latter is the case, the result will likely be correct in the next scan. If the former is the case, you will need to adjust the IAM permissions to match the CSPM requirements if you wish to see results for the affected tests.
In many cases, UNKNOWN results are caused by service control policies (SCPs) that prevent the CSPM IAM role from using the permissions its IAM policy grants, even though the policy itself looks correct. This needs to be checked with your system administrators.
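The following is an added example, not CSPM's own code, showing how a single check maps API outcomes onto the four statuses above and how an UNKNOWN result can be triaged into "fix IAM permissions or SCPs" versus "transient, rerun the scan". The error-code sets, the 90-day password threshold and the `ApiError`/`simulate_error` stand-ins for botocore's `ClientError` are assumptions made so that it runs offline.

```python
from dataclasses import dataclass
# Assumed error codes: they mirror strings AWS returns in botocore's ClientError
# (e.g. 'AccessDenied', 'Throttling'); listed here so the example runs offline.
PERMISSION_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
TRANSIENT_CODES = {"Throttling", "ThrottlingException", "RequestLimitExceeded",
                   "ServiceUnavailable", "InternalError"}
PASSWORD_WARN_DAYS = 90  # assumed threshold; the page's example is 100 days

class ApiError(Exception):
    """Stand-in for botocore's ClientError; `code` is the AWS error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code
@dataclass
class Result:
    status: str          # PASS, WARN, FAIL or UNKNOWN
    reason: str          # human-readable detail
    retry: bool = False  # True when an UNKNOWN is probably transient

def run_check(api_call, evaluate):
    """Run one check: `api_call` fetches data, `evaluate` maps it to
    (status, reason). A failed API call becomes UNKNOWN, with the cause."""
    try:
        return Result(*evaluate(api_call()))
    except ApiError as exc:
        if exc.code in PERMISSION_CODES:  # IAM policy or SCP blocks the call
            return Result("UNKNOWN", f"permission denied ({exc.code}); adjust IAM/SCP", False)
        if exc.code in TRANSIENT_CODES:   # rate limit or AWS-side failure
            return Result("UNKNOWN", f"transient error ({exc.code}); rerun the scan", True)
        raise

def cloudtrail_enabled(trails):
    """Yes/no check: at least one trail -> PASS, none -> FAIL."""
    return ("PASS", "CloudTrail enabled") if trails else ("FAIL", "CloudTrail not enabled")

def password_age(users):
    """users: {name: days since password change}. No users -> PASS (service not
    in use); stale passwords -> WARN, a risk rather than an immediate compromise."""
    if not users:
        return ("PASS", "no IAM users with console passwords")
    stale = [u for u, days in users.items() if days > PASSWORD_WARN_DAYS]
    if stale:
        return ("WARN", f"passwords older than {PASSWORD_WARN_DAYS} days: {', '.join(stale)}")
    return ("PASS", "all passwords rotated recently")

def simulate_error(code):
    """Build an api_call that raises ApiError(code), modelling a failed AWS call."""
    def call():
        raise ApiError(code)
    return call
```

With a real scanner the `api_call` would be the boto3 call (for example listing trails) and the `except` clause would catch `botocore.exceptions.ClientError`, reading the code from `exc.response["Error"]["Code"]`.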