Scan Preferences
Scan Preferences let you control how Guardian Pro scans your AWS infrastructure. You can configure which regions to scan, which services to include or exclude, and how frequently automated scans run. These preferences help you focus on the parts of your environment that matter most while managing scan time and noise.
Accessing Scan Preferences
Navigate to Settings > Scan Preferences from the left sidebar. You need the org:read permission to view preferences and org:write to modify them.
Scan Frequency
Guardian Pro supports both on-demand and scheduled scanning. You can configure the automatic scan schedule to match your operational cadence.
Scheduled Scans
| Frequency | Description | Best For |
|---|---|---|
| Every 6 hours | Scans run four times daily | High-change environments with frequent deployments |
| Every 12 hours | Scans run twice daily | Active environments with regular changes |
| Daily | Scans run once per day at a configured time | Most environments (recommended default) |
| Weekly | Scans run once per week on a configured day | Stable environments with infrequent changes |
| Manual only | No scheduled scans; scans run only when triggered manually | Testing or evaluation scenarios |
To set the scan frequency:
- Navigate to Settings > Scan Preferences.
- Under Scan Schedule, select your preferred frequency.
- If applicable, choose the time of day (in UTC) for the scan to run.
- Click Save.
We recommend daily scans for most environments. This provides continuous visibility without excessive resource usage. For environments with frequent infrastructure changes (such as CI/CD-driven deployments), consider increasing to every 12 or 6 hours.
On-Demand Scans
You can trigger a scan at any time from the Dashboard by clicking Run Scan. On-demand scans use the same region and service filters configured in Scan Preferences. On-demand scans do not affect your scheduled scan timing -- the next scheduled scan will still run at its configured time.
Only one scan can run at a time per account. If a scheduled scan is already in progress when you trigger an on-demand scan, the on-demand request will be queued and run after the current scan completes.
Region Configuration
By default, Guardian Pro scans all AWS regions where your account has active resources. You can customise this to focus on specific regions or exclude regions you do not use.
Configuring Regions
- Navigate to Settings > Scan Preferences.
- Under Regions, you will see a list of all available AWS regions.
- Toggle regions on or off to include or exclude them from scans.
- Click Save.
Region Configuration Options
| Option | Description |
|---|---|
| All regions | Scan every AWS region (default). New regions are automatically included as they become available. |
| Active regions only | Scan only regions where Guardian Pro has previously discovered resources. Reduces scan time for accounts that use a small number of regions. |
| Custom selection | Manually select which regions to scan. You have full control but must add new regions manually if you expand. |
Global resources (such as IAM policies, S3 bucket configurations, and CloudFront distributions) are always scanned regardless of region selection. These resources are not tied to a specific region and are evaluated during every scan.
Region Recommendations
Guardian Pro analyses your resource distribution and may suggest region configuration changes:
- Unused regions -- Regions with no discovered resources that can be excluded to reduce scan time.
- New regions -- If you have added resources in a region that is currently excluded from scans, Guardian Pro will alert you.
Service Filters
You can include or exclude specific AWS services from scanning. This is useful when you want to focus on particular services or suppress findings for services managed by a different team.
Configuring Service Filters
- Navigate to Settings > Scan Preferences.
- Under Services, you will see a list of all supported AWS service categories.
- Toggle services on or off to include or exclude them.
- Click Save.
Supported Service Categories
Guardian Pro scans resources across the following service categories:
| Category | Example Services |
|---|---|
| Compute | EC2, Lambda, ECS, App Runner |
| Storage | S3, EBS, EFS |
| Database | RDS, DynamoDB, ElastiCache, OpenSearch |
| Networking | VPC, ELB, CloudFront, Route 53, API Gateway |
| Security | IAM, KMS, Secrets Manager, WAF, Security Groups |
| Monitoring | CloudWatch, CloudTrail, Config |
| Serverless | Lambda, Step Functions, EventBridge, SQS, SNS |
| Containers | ECS, ECR, EKS |
| DevOps | CodePipeline, CodeBuild |
| AI/ML | SageMaker, Bedrock |
Excluding a service from scanning means Guardian Pro will not discover resources or run checks for that service. Findings for excluded services will not appear in the Action Centre, and compliance controls that depend on those checks will show as "Not Applicable."
Service Filter Impact on Compliance
If you exclude a service that is required by one of your subscribed compliance frameworks, the affected compliance controls will be marked as Not Applicable rather than Pass or Fail. This may affect your overall compliance score.
Guardian Pro displays a warning when excluding a service that impacts active compliance frameworks.
Scan Scope Summary
The Scan Preferences page includes a Scan Scope Summary that shows:
- Regions included -- The number of regions that will be scanned.
- Services included -- The number of service categories included.
- Estimated scan time -- An approximate time for the next scan based on your current configuration and environment size.
- Checks enabled -- The number of security, cost, and best-practice checks that will run.
This summary updates in real time as you modify your preferences, so you can see the impact of changes before saving.
Per-Account Overrides
While scan preferences are configured at the organisation level by default, you can create per-account overrides for specific accounts. This is useful when:
- Certain accounts require more frequent scanning (e.g., production accounts).
- Certain accounts use a limited set of regions or services.
- You want to exclude sandbox or development accounts from automated scans.
To create a per-account override:
- Navigate to Settings > Scan Preferences.
- Click the Account Overrides tab.
- Select the account you want to customise.
- Configure the frequency, regions, and services for that account.
- Click Save.
Account-level overrides take precedence over organisation-level preferences for the specified account.
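The following is an added example, not Guardian Pro code or an export format it provides: it models the rules stated on this page (account overrides taking precedence, service exclusions turning controls into "Not Applicable", global resources ignoring region selection) to show which resources end up outside scan coverage. The field names, account names, control IDs and the inventory are all constructed. Applying overrides field by field is an assumption, and the inventory is assumed to come from a source independent of the scanner.

```python
# Hypothetical model of the scoping rules described on this page.
# Field names, account names, control IDs and inventory are constructed.
ORG_PREFS = {
    "frequency": "daily",
    "regions": {"eu-west-1", "us-east-1"},
    "services": {"Compute", "Storage", "Database", "Security", "Monitoring"},
}
ACCOUNT_OVERRIDES = {
    "prod": {"frequency": "every-6-hours"},
    "sandbox": {"frequency": "manual-only", "services": {"Compute"}},
}
# Constructed: compliance control -> service category its checks depend on.
CONTROLS = {
    "CTRL-AUDIT-LOGGING": "Monitoring",
    "CTRL-ENCRYPTION-AT-REST": "Storage",
    "CTRL-NETWORK-EXPOSURE": "Networking",
}
# Constructed inventory: (account, region or "global", category, resource name).
INVENTORY = [
    ("prod", "eu-west-1", "Database", "rds-orders"),
    ("prod", "ap-southeast-2", "Database", "rds-analytics"),
    ("prod", "global", "Security", "iam-admin-policy"),
    ("prod", "eu-west-1", "Networking", "alb-public"),
    ("sandbox", "us-east-1", "Storage", "s3-scratch"),
]

def effective_prefs(account):
    """Account override wins over organisation defaults (assumed field by field)."""
    return {**ORG_PREFS, **ACCOUNT_OVERRIDES.get(account, {})}

def control_status(account):
    """Controls whose service category is excluded become Not Applicable."""
    services = effective_prefs(account)["services"]
    return {cid: "Evaluated" if cat in services else "Not Applicable"
            for cid, cat in CONTROLS.items()}

def blind_spots(account, inventory=INVENTORY):
    """Resources that no scan will reach under the effective preferences."""
    prefs = effective_prefs(account)
    gaps = []
    for acct, region, category, name in inventory:
        if acct != account:
            continue
        if category not in prefs["services"]:
            gaps.append((name, "service excluded"))
        elif region != "global" and region not in prefs["regions"]:
            gaps.append((name, "region excluded"))  # global resources skip this test
    return gaps

if __name__ == "__main__":
    for acct in ("prod", "sandbox"):
        print(acct, effective_prefs(acct)["frequency"], control_status(acct), blind_spots(acct))
```

Running a comparison like this before saving an exclusion makes the coverage cost of the change visible per account, alongside the Scan Scope Summary.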
Next Steps
- Compliance Frameworks -- Subscribe to frameworks that depend on your scan coverage.
- Dashboard -- Trigger on-demand scans and view results.
- Action Centre -- Review findings from your scans.
- Resource Explorer -- Browse discovered resources.