Skip to main content

Scan Issues

Guardian Pro scans your AWS accounts to discover resources, evaluate security configurations, and detect compliance gaps. This page helps you resolve issues related to scans that get stuck, missing resources, region errors, and incomplete scan results.

Scan Stuck or Not Progressing

Symptoms

  • The scan progress indicator shows a percentage but does not advance.
  • The scan has been running for more than 30 minutes without completing.
  • The "Run Scan" button is disabled because a scan appears to be in progress.

Troubleshooting Steps

1. Refresh the Page

Sometimes the real-time progress connection may be interrupted. Refresh the browser page to reconnect and get the latest scan status.

2. Check the Scan Status

Navigate to the Dashboard and check the scan status indicator:

  • In Progress -- The scan is still running. Large environments with many resources across multiple regions can take 10-15 minutes.
  • Completed -- The scan finished but the UI may not have updated. Refresh the page.
  • Failed -- The scan encountered an error. See the error message for details.

3. Wait and Retry

Scans involve querying AWS APIs across all enabled regions, which can occasionally experience throttling from AWS. If a scan appears stuck:

  • Wait 5-10 minutes. Guardian Pro automatically retries throttled API calls.
  • If the scan has not progressed after 15 minutes, it may have encountered an unrecoverable error.

4. Start a New Scan

If a scan is truly stuck (no progress for more than 30 minutes):

  • Refresh the page. The stuck scan will be detected and its status will update.
  • Click Run Scan to start a new scan.
  • If the button is still disabled, wait a few more minutes for the system to recognise the previous scan as timed out.
info

Scan timeouts are handled automatically. A scan that does not complete within the maximum allowed time is marked as failed, and you can start a new one.

Missing Resources

Symptoms

  • Resources you know exist in your AWS account are not appearing in the Resource Explorer.
  • A scan completes but shows fewer resources than expected.
  • Specific service types (e.g., Lambda functions, RDS instances) are missing entirely.

Troubleshooting Steps

1. Check the Region

Guardian Pro scans all regions where it detects workload resources. If resources are deployed in a region that requires opt-in:

  1. Sign in to the AWS Console for the target account.
  2. Navigate to Account Settings > Regions.
  3. Ensure the region containing your resources is enabled.
  4. Run a new scan in Guardian Pro after enabling the region.

2. Check the Account Selection

Verify you are viewing the correct account in Guardian Pro:

  1. Check the account selector in the header.
  2. Ensure the selected account matches the AWS account where the resources are deployed.
  3. If viewing "All Accounts," the resources should appear in the aggregate view.

3. Verify Resource Support

Guardian Pro supports a wide range of AWS services. If a specific resource type is not appearing:

  • Check the Resource Explorer documentation for the list of supported resource types.
  • Some recently launched AWS services may not yet be supported. Guardian Pro adds support for new services regularly.

4. Check IAM Permissions

Missing resources for an entire service category often indicate a permission issue:

  1. Check the scan results for any error messages related to specific services.
  2. Verify the Guardian Pro IAM role has the necessary permissions for the missing service. See IAM Issues.
  3. Check for Service Control Policies (SCPs) that may restrict access to certain services.

5. Recently Created Resources

Resources created after the most recent scan will not appear until the next scan runs. Run a new scan to discover recently created resources.

tip

If specific resource types are consistently missing, check the IAM role's permissions for that service. The most common cause is a missing read permission for the service's describe or list API.

Region Errors

Symptoms

  • Scan results show errors for specific AWS regions.
  • The scan completes but notes that some regions failed.
  • Resources in certain regions are not discovered.

Common Causes

Region Not Enabled

Some AWS regions require explicit opt-in before they can be used:

  • Opt-in required regions: af-south-1 (Cape Town), ap-east-1 (Hong Kong), ap-south-2 (Hyderabad), eu-south-1 (Milan), eu-south-2 (Spain), me-south-1 (Bahrain), me-central-1 (UAE), and others.
  • Solution: Enable the region in your AWS account settings, then re-scan.

SCP Region Restrictions

Your AWS Organization may have SCPs that restrict which regions can be accessed:

  • Check with your cloud team or Organization administrator for active SCPs.
  • If a region is blocked by SCP, Guardian Pro cannot scan resources there.
  • This is expected behavior -- the SCP is intentionally limiting access.

Throttling

AWS API throttling in a specific region can cause transient scan failures:

  • Re-run the scan. Throttling issues are typically temporary.
  • If the same region consistently fails, the account may have heavy API usage in that region. Contact support if this persists.
note

Region-level scan errors do not prevent the rest of the scan from completing. Guardian Pro continues scanning other regions and reports results for all regions that succeeded.

Incomplete Scan Results

Symptoms

  • The scan completes but shows significantly fewer findings than expected.
  • The health score seems unexpectedly high (very few findings detected).
  • Compliance scores show many controls as "Not Applicable" when they should be evaluated.

Troubleshooting Steps

1. Check Resource Discovery

Navigate to the Resource Explorer and review the discovered resources:

  • If resources are missing, findings for those resources cannot be generated. See Missing Resources above.
  • If resources are discovered but findings are unexpectedly low, the resources may genuinely be well-configured.

2. Review Finding Filters

In the Action Centre, check that your filters are not hiding findings:

  • Clear all filters and check the unfiltered count.
  • Ensure you are not filtering by a specific severity that excludes lower-severity findings.
  • Check that no findings are suppressed or acknowledged that you expected to see.

3. Check Scan Scope

The scan evaluates resources across all supported check categories. If specific categories seem missing:

  • Verify that the Guardian Pro role has permissions for the relevant services.
  • Some checks require specific resource configurations to be evaluable (for example, a check for database encryption can only run if database instances exist).

4. Verify Compliance Framework Subscription

Compliance-related findings and controls only appear for subscribed frameworks:

  1. Navigate to Settings > Frameworks.
  2. Ensure your desired frameworks are subscribed.
  3. Run a new scan to evaluate the subscribed framework controls.

Scan Performance

Expected Scan Duration

Scan duration depends on the size of your environment:

Environment SizeApproximate Duration
Small (< 100 resources)2-3 minutes
Medium (100-1,000 resources)3-7 minutes
Large (1,000-10,000 resources)7-15 minutes
Very large (10,000+ resources)15-30 minutes

Optimising Scan Performance

  • Close unused regions: Disable AWS regions where you do not have workloads. This reduces the number of regions Guardian Pro needs to scan.
  • Clean up unused resources: Fewer resources means faster scans and fewer low-priority findings cluttering your results.

Scheduled Scans

Scheduled Scan Not Running

If you have configured scheduled scans but they are not executing:

  1. Verify your scan schedule configuration in Settings > Scan Preferences.
  2. Check that the account is in Active status in Settings > Organization.
  3. If the account has an IAM error, scheduled scans will be skipped. Resolve the IAM issue first.

Scan Frequency

Scan frequency depends on your subscription plan:

PlanScan Frequency
StarterDaily scheduled scans + on-demand
BusinessConfigurable schedule + on-demand
EnterpriseConfigurable schedule + on-demand + continuous monitoring

See Subscription Plans for full details.

Next Steps