
Running Scans

Guardian Pro scans your AWS infrastructure to discover resources and evaluate them against hundreds of automated security, cost, and best-practice checks. Scans are the foundation of everything Guardian Pro does -- they populate findings in the Action Centre, feed the health score, update compliance assessments, and power the architecture advisor.

How Scanning Works

A Guardian Pro scan is a multi-stage, multi-region process:

  1. Resource Discovery -- Guardian Pro inventories your AWS resources across all enabled regions and services. This builds a comprehensive resource registry that serves as the source of truth for all subsequent analysis.
  2. Dependency Mapping -- Relationships between resources are identified and mapped (for example, an EC2 instance attached to a security group within a VPC). This powers the architecture map and failure simulation features.
  3. Check Evaluation -- Hundreds of automated checks are evaluated against your discovered resources. Each check assesses a specific configuration, best practice, or potential vulnerability.
  4. Results Processing -- Findings are generated for any check that fails, enriched with context, severity, and remediation guidance. Existing findings are reconciled: previously found issues that are now resolved are automatically marked as such.

Info: Guardian Pro scans read your AWS configuration metadata. Scans do not modify any resources, access application data, or affect the operation of your workloads. The IAM roles used for scanning are read-only by default.
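
The read-only property described above can be checked against the policy document attached to a scanning role. The following is an added example, not Guardian Pro's own code: it flags Allow grants that go beyond configuration reads. The verb list, the data-read list and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# Assumptions for this audit (not an AWS or Guardian Pro list):
READ_VERBS = ("get", "list", "describe", "lookup", "batchget")
DATA_READS = ("s3:getobject", "secretsmanager:getsecretvalue",
              "dynamodb:getitem", "ssm:getparameter")

def as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return list(value) if isinstance(value, list) else [value]

def classify(action):
    """Classify one Action pattern as write-capable, data-read or metadata-read."""
    pattern = action.lower()  # IAM action names are case-insensitive
    service, _, verb = pattern.partition(":")
    literal = verb.split("*", 1)[0].split("?", 1)[0]  # text before first wildcard
    if "*" in service or "?" in service or not literal.startswith(READ_VERBS):
        return "write-capable"  # pattern can match a non-read API
    if any(fnmatch.fnmatchcase(name, pattern) for name in DATA_READS):
        return "data-read"  # returns object or secret contents, not configuration
    return "metadata-read"

def audit_policy(policy):
    """Return (sid, action, kind) for each Allow grant beyond metadata reads.
    Resource and Condition are not evaluated, so results are conservative."""
    issues = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", f"#{i}")
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            issues.append((sid, "NotAction", "write-capable"))
        for action in as_list(stmt.get("Action", [])):
            kind = classify(action)
            if kind != "metadata-read":
                issues.append((sid, action, kind))
    return issues

SAMPLE_POLICY = {  # constructed sample, not a policy shipped by any product
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Inventory", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "iam:List*"]},
        {"Sid": "Drifted", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "ec2:*", "iam:PassRole"]},
        {"Sid": "Guard", "Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
    ],
}
```

Running `audit_policy` on a role's current policy and comparing the result with the output at onboarding shows whether the role has drifted from read-only.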

Running a Scan Manually

To trigger a scan on demand:

  1. Navigate to the Dashboard.
  2. Click the Run Scan button.
  3. The scan begins immediately. You will see a progress banner appear on the dashboard.

Manual scans are useful when you have recently made infrastructure changes and want to verify that everything is correctly configured, or when you want to confirm that a remediation has resolved an issue.

Selecting What to Scan

By default, a scan covers all connected AWS accounts and all enabled regions. If you have selected a specific account using the account switcher, the scan runs against that account only.

Monitoring Scan Progress

Once a scan is initiated, Guardian Pro provides real-time progress updates directly on the dashboard. The progress banner shows:

  • Current stage -- Which phase the scan is in (discovery, check evaluation, etc.).
  • Region progress -- Which regions have been scanned and which are in progress.
  • Resource count -- The number of resources discovered so far.
  • Estimated time remaining -- An approximate indication of when the scan will complete.

Tip: You do not need to stay on the dashboard while a scan runs. The scan continues in the background, and all pages will automatically reflect the latest results once the scan completes. You will receive a notification when the scan finishes.

Scan Duration

Scan duration varies based on the size and complexity of your AWS environment:

| Environment Size | Typical Duration |
| --- | --- |
| Small (1 account, 1-2 regions, fewer than 100 resources) | 1 -- 3 minutes |
| Medium (1-5 accounts, 3-5 regions, 100-1,000 resources) | 3 -- 7 minutes |
| Large (5+ accounts, many regions, 1,000+ resources) | 5 -- 15 minutes |

First-time scans may take slightly longer as the full resource registry is being built from scratch. Subsequent scans benefit from incremental processing.

Automatic Scans

Guardian Pro runs scheduled scans automatically to keep your data current without manual intervention. Automatic scans ensure that:

  • New resources are discovered shortly after they are created.
  • Configuration changes are detected and re-evaluated.
  • Resolved findings are automatically closed.
  • Your health score, compliance posture, and cost analysis stay up to date.

Scan Frequency

Automatic scans are configured based on your subscription tier and preferences:

| Tier | Default Frequency |
| --- | --- |
| Starter | Daily |
| Business | Every 12 hours |
| Enterprise | Configurable (minimum every 4 hours) |

You can adjust scan frequency from the Scan Preferences settings page.

Note: Automatic scans run in the background and do not require the Guardian Pro console to be open. Results are available the next time you sign in.

Multi-Region Scanning

Guardian Pro scans across all AWS regions where you have active workloads. During onboarding, Guardian Pro identifies which regions contain resources and enables scanning for those regions automatically.

Region Coverage

  • Active regions -- Regions where Guardian Pro has discovered resources are scanned on every run.
  • Global services -- Services like IAM, S3, CloudFront, and Route 53 are global and are always included regardless of region configuration.
  • Empty regions -- Regions with no resources are skipped to optimize scan performance.

You can review and modify which regions are scanned from the Scan Preferences page.

How Multi-Region Scanning Works

Guardian Pro processes regions in parallel to minimize total scan time. Each region is scanned independently, and results are aggregated after all regions complete. This means:

  • A failure in one region does not block scanning in other regions.
  • Resources that span multiple regions (such as CloudFront distributions backed by regional origins) are correctly mapped.
  • Findings are tagged with the region where the affected resource resides.

What Gets Scanned

Guardian Pro scans dozens of AWS services across multiple categories:

| Category | Examples |
| --- | --- |
| Compute | EC2 instances, Lambda functions, ECS clusters, Auto Scaling groups |
| Storage | S3 buckets, EBS volumes, EFS file systems |
| Database | RDS instances, DynamoDB tables, ElastiCache clusters |
| Networking | VPCs, security groups, load balancers, NAT gateways |
| Identity & Access | IAM users, roles, policies, access keys |
| Monitoring | CloudWatch alarms, CloudTrail trails, VPC flow logs |
| Security | KMS keys, Secrets Manager, WAF rules, GuardDuty |
| And more | SNS, SQS, API Gateway, CloudFormation, Route 53, and others |

For a complete list of supported services and resource types, see the IAM Permissions reference.

After a Scan Completes

When a scan finishes, the following updates occur automatically:

  1. Health score recalculates based on the latest findings. See Health Score.
  2. Action Centre reflects new, resolved, and unchanged findings. See Action Centre.
  3. Compliance scores update for all subscribed frameworks. See Compliance.
  4. Architecture map refreshes with newly discovered resources and relationships. See Architecture Advisor.
  5. Cost enrichment correlates cost data with newly discovered resources.

You will receive a notification summarizing the scan results, including the number of new findings, resolved findings, and the updated health score.

Scan Errors and Partial Results

Occasionally, a scan may encounter errors in specific regions or for specific services. Common causes include:

  • Insufficient permissions -- The IAM role in a member account may be missing permissions for certain services. Guardian Pro will scan all services it has access to and report which services were skipped.
  • Service throttling -- AWS API rate limits may temporarily prevent data collection. Guardian Pro retries automatically with exponential backoff.
  • Region availability -- A service may not be available in a particular region.

In these cases, Guardian Pro completes the scan with partial results and flags the affected areas. Findings from successfully scanned services are still valid and actionable.
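
The behaviour described here and under "How Multi-Region Scanning Works" (independent regions, retries on throttling, skipped services reported alongside valid results) can be modelled in a few functions. This is an added sketch, not Guardian Pro's implementation; the exception classes, the collector functions, the jitter on the delay and the sample regions are assumptions constructed for illustration.

```python
import random
import time
from concurrent.futures import ThreadPoolExecutor

class Throttled(Exception):
    """Stand-in for an API rate-limit error (hypothetical name)."""

class AccessDenied(Exception):
    """Stand-in for a missing-permission error (hypothetical name)."""

REASONS = {AccessDenied: "insufficient permissions", Throttled: "throttled after retries"}

def with_backoff(call, retries=4, base=0.5, cap=8.0, sleep=time.sleep, jitter=random.random):
    """Retry throttling only; the delay ceiling doubles each attempt, up to cap."""
    for attempt in range(retries + 1):
        try:
            return call()
        except Throttled:
            if attempt == retries:
                raise
            sleep(min(cap, base * 2 ** attempt) * jitter())

def scan_region(region, collectors, **backoff):
    """Run every service collector; one failed service never aborts the region."""
    result = {"region": region, "resources": [], "skipped": {}}
    for service, collect in collectors.items():
        try:
            found = with_backoff(lambda: collect(region), **backoff)
            result["resources"] += [dict(r, region=region) for r in found]
        except Exception as exc:  # record the gap and continue with the next service
            result["skipped"][service] = REASONS.get(type(exc), f"error: {exc}")
    return result

def scan(regions, collectors, **backoff):
    """Scan regions in parallel, aggregate, and mark the run partial if anything was skipped."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        per_region = list(pool.map(lambda r: scan_region(r, collectors, **backoff), regions))
    skipped = {f"{r['region']}/{s}": why for r in per_region for s, why in r["skipped"].items()}
    return {"status": "partial" if skipped else "complete",
            "resources": [x for r in per_region for x in r["resources"]],
            "skipped": skipped}

def demo():
    """Constructed collectors: KMS is denied in eu-west-1, everything else succeeds."""
    def kms(region):
        if region == "eu-west-1":
            raise AccessDenied()
        return [{"id": "key/example"}]
    collectors = {"ec2": lambda region: [{"id": f"i-{region}"}], "kms": kms}
    return scan(["us-east-1", "eu-west-1"], collectors)
```

The `skipped` map is the part to watch when reading results: a clean finding list for a service that was skipped means the checks never ran, not that they passed.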

Caution: If scans consistently fail for specific accounts, verify that the IAM roles deployed during onboarding have not been modified or deleted. See the Troubleshooting guide for common role issues.

Frequently Asked Questions

Can I run a scan while another scan is in progress?

No. Only one scan can run at a time per account. If a scan is already in progress, the Run Scan button will be disabled until the current scan completes.

Do scans affect my AWS bill?

Guardian Pro scans use AWS API calls to read configuration metadata. These API calls are included in the AWS free tier for most services and have negligible cost impact. Scans do not create, modify, or delete any AWS resources.

Can I exclude specific regions or services from scanning?

Yes. You can configure scan scope from the Scan Preferences page. Excluding regions or services is useful if you have regions with no workloads or services that are managed by another team.

Next Steps