
Severity levels and finding states

Two concepts appear throughout the platform: a finding's severity (how urgent it is) and its state (open vs closed).

Severity

Every finding carries one of four severity levels, set by the check that produced it. Severity follows the same conventions AWS uses for its own security control catalogues, so a Critical or High finding should be triaged the same way you'd triage one from any AWS-native security service.

  • Critical — Issues that materially expose your account to compromise: publicly reachable storage holding sensitive data, IAM principals with admin access from untrusted sources, missing baseline protections on the root account. Treat as priority work.
  • High — Significant security risks that should be addressed soon: broadly permissive policies, missing encryption at rest on regulated workloads, gaps in logging or monitoring.
  • Medium — Configurations that aren't ideal but don't immediately expose the account. Address as part of routine hardening.
  • Low — Minor hygiene issues. Worth fixing for completeness; rarely urgent on their own.

Severity is set on the check, not on the individual resource. Every resource that fails the same check carries the same severity.

States

A finding is either open or closed:

  • Open — A check is currently failing for a resource. Open findings appear on the Findings page and contribute to the severity counts on the Dashboard.
  • Closed — The check no longer fails — either you remediated the issue, or the resource was deleted from your account. Closed findings disappear from the Findings list at the end of the next successful scan.

There is no intermediate "acknowledged" or "in-progress" state. A finding is either still failing or it isn't.

State transitions — open → closed and closed → open — are recorded on the Events timeline. The Findings page itself only shows what's open right now.
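The state model above, replayed over a short scan history. This is an added illustration, not the platform's own code: the check IDs, resource names and scan record shape are constructed, and it assumes that an unsuccessful scan leaves findings unchanged and that a finding seen for the first time is recorded as closed → open.

```python
from collections import Counter

# Constructed check catalogue: severity is set on the check, not the resource.
CHECK_SEVERITY = {
    "s3-public-access": "Critical",
    "ebs-encryption": "High",
    "iam-password-policy": "Medium",
}

def apply_scan(open_findings, scan):
    """Return (open_after, events) for one scan.
    open_findings is the set of (check_id, resource_id) currently open;
    a remediated or deleted resource simply stops appearing in scan["failing"].
    """
    if not scan["ok"]:
        # Assumption: an unsuccessful scan changes nothing.
        return set(open_findings), []
    failing = set(scan["failing"])
    events = [(f, "open -> closed") for f in sorted(open_findings - failing)]
    events += [(f, "closed -> open") for f in sorted(failing - open_findings)]
    return failing, events

def severity_counts(open_findings):
    """Dashboard-style counts: each finding inherits its check's severity."""
    return Counter(CHECK_SEVERITY[check] for check, _ in open_findings)

def replay(scans):
    """Apply scans in order; return the final open set and the event timeline."""
    open_now, timeline = set(), []
    for number, scan in enumerate(scans, start=1):
        open_now, events = apply_scan(open_now, scan)
        timeline += [(number, finding, change) for finding, change in events]
    return open_now, timeline

# Constructed history: two buckets fail the same check; a volume is later deleted.
SCANS = [
    {"ok": True, "failing": [("s3-public-access", "bucket-a"),
                             ("s3-public-access", "bucket-b"),
                             ("ebs-encryption", "vol-1")]},
    {"ok": False, "failing": []},  # failed scan: nothing closes
    {"ok": True, "failing": [("s3-public-access", "bucket-b")]},  # bucket-a fixed, vol-1 deleted
    {"ok": True, "failing": [("s3-public-access", "bucket-a"),
                             ("s3-public-access", "bucket-b")]},  # bucket-a regresses
]

if __name__ == "__main__":
    final_open, events = replay(SCANS)
    print(dict(severity_counts(final_open)), *events, sep="\n")
```

The event timeline keeps the history (including the reopened `bucket-a` finding), while the open set holds only what is failing after the last successful scan.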