Skip to main content

Findings

The Findings page lists every misconfiguration GuardKite has surfaced across your connected AWS accounts. Filters, search, and the list layout work like any data table; this page covers what isn't obvious from looking at the screen.

What shapes the list

Only the regions you've opted into. GuardKite scans the regions enabled on each account. Findings for opted-out regions never appear, even for account-level checks.

Account-level checks share the list with resource-level ones. Some checks evaluate the account as a whole — "CloudTrail is enabled in this region", "the IAM root user has MFA". Their Resource ID is a region or account ID, not an ARN.

For some controls, the Resource ID column shows the resource's own name when one exists, and a region or account ID when none does. Filtering or grouping by resource type can make these two forms of the same control look unrelated.

"Before you fix this" annotations

Some findings carry an annotation chip on their row and a banner labelled Before you fix this in the detail drawer.

The only annotation in production today is Cost impact — a warning that the remediation will turn on a billable AWS service (GuardDuty, Inspector, Macie, or VPC flow logging on a real workload, for instance).

A cost-impact annotation includes:

  • The service that will start billing.
  • A cost tier (low / medium / high).
  • The cost drivers — what scales the bill (e.g. number of EC2 instances analysed, log volume ingested).

How findings open and close

Each scan upserts the findings it detects. When a resource no longer fails its check, or no longer exists, the row is removed at the end of that scan. No retention, no soft-delete, no cooldown.

The Events page records when findings opened and closed — use it to answer "when did this break?" or "when did the fix land?" The Findings page only shows current state.

In the detail drawer

Most fields are self-describing. Three are worth a closer look:

  • Resource ID is a link to the AWS Console when one is available — click through to jump to the resource.
  • Value extended holds structured fields specific to the check (the port a security group exposes, the algorithm a KMS key uses). Useful for cross-referencing with your own inventory.
  • First detected at vs Last scanned at — when GuardKite first saw the failure, and when it most recently confirmed it. Together they tell you how long the issue has been live.