Scan Frequency for Agentless Scanning

Scan frequency varies greatly across the agentless scan techniques. The differences come from how each technique is configured and deployed. This page explains when you can expect scans to run for each technique and for the configuration you have made.

API-based Scans

The frequency of API-based scans depends on the connector polling frequency and on the EventBridge configuration.

The Connector Run

By default, the connector runs an API-based scan every 4 hours. If the connector polling frequency is raised above 4 hours, for example to 8 hours, the next scan runs on the new polling frequency, that is, 8 hours after the previous one.

Manually running the connector does not trigger a scan unless at least 4 hours have passed since the last scan.

Different connectors have their first run at different times, so their scans also follow different schedules.

The EventBridge Run

If EventBridge is configured, the connector listens for events and runs scans in response to new deployments and instance state transitions (stop, start, or new instances).

How long would it take for all of my VMs to be scanned?

An API-based scan takes around 4 to 8 hours to finish scanning all the VMs in your account.

Connector Run - For a large workload, the scan can take an hour or more beyond the polling interval.

EventBridge Run - Instances are discovered immediately when a new event is received.
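The rules above (scheduled runs on the polling interval, the 4-hour gate on manual runs, and immediate EventBridge-triggered scans) are easier to reason about as a timeline. The following is an added illustrative model, not the product's own scheduler. The function plan_api_scans, the Scan class, and the sample manual runs and EC2 events are constructed for this example. It assumes, where the page does not say, that times are hours since the first connector run, that a manual scan does not shift the scheduled runs, that an EventBridge scan covers only the instance named in the event and does not reset the 4-hour gate, and that a launch appears as a transition to the "running" state.

```python
"""Added example (not the product's own scheduler): which triggers actually
produce an API-based scan.

Rules taken from the page:
  * the connector runs a full scan every polling interval, 4 hours by default;
  * a manual connector run does nothing unless 4 hours have passed since the
    last scan;
  * with EventBridge configured, new instances and stop/start transitions are
    scanned as soon as the event arrives.
Assumptions not stated on the page: times are hours since the first connector
run; a manual scan does not shift the scheduled runs; an EventBridge scan only
covers the instance in the event and does not reset the 4-hour manual-run gap;
a launch is seen as a transition to the "running" state.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_POLL_HOURS = 4       # page: default connector polling frequency
MANUAL_RUN_GAP_HOURS = 4     # page: manual run needs 4h since the last scan
SCAN_WORTHY_STATES = {"running", "stopped"}  # assumption: start/stop/new


@dataclass(frozen=True)
class Scan:
    at: float                       # hours since the first connector run
    reason: str                     # "scheduled", "manual" or "eventbridge"
    instance: Optional[str] = None  # None means the whole account is scanned


def plan_api_scans(polling_hours=DEFAULT_POLL_HOURS, horizon_hours=24.0,
                   manual_runs=(), events=()):
    """Return the scans that would run during [0, horizon_hours].

    manual_runs: hours at which someone runs the connector by hand
    events: (hour, instance_id, new_state) tuples as delivered by EventBridge
    """
    triggers = []
    t = 0.0
    while t <= horizon_hours:                     # scheduled connector runs
        triggers.append((t, "scheduled", None))
        t += polling_hours
    triggers += [(h, "manual", None) for h in manual_runs]
    triggers += [(h, "eventbridge", (iid, state)) for h, iid, state in events]
    triggers.sort(key=lambda trig: trig[0])       # stable: scheduled first on ties

    scans, last_full_scan = [], None
    for at, kind, payload in triggers:
        if kind == "scheduled":
            scans.append(Scan(at, "scheduled"))
            last_full_scan = at
        elif kind == "manual":
            if last_full_scan is not None and at - last_full_scan < MANUAL_RUN_GAP_HOURS:
                continue                          # too soon: the run is a no-op
            scans.append(Scan(at, "manual"))
            last_full_scan = at
        else:
            iid, state = payload
            if state in SCAN_WORTHY_STATES:       # e.g. "pending" is ignored
                scans.append(Scan(at, "eventbridge", iid))
    return scans


if __name__ == "__main__":
    # Constructed sample: polling raised to 8h, two manual runs, two EC2 events.
    for scan in plan_api_scans(polling_hours=8, horizon_hours=16,
                               manual_runs=(5, 6),
                               events=((2.5, "i-0abc", "pending"),
                                       (2.6, "i-0abc", "running"))):
        print(f"t={scan.at:5.1f}h  {scan.reason:12} {scan.instance or 'whole account'}")
```

With the sample input, the manual run at hour 5 produces a scan (5 hours after the run at hour 0) but the one at hour 6 does not (only 1 hour after the manual scan), and only the "running" event produces an EventBridge scan; the scheduled runs stay at hours 0, 8 and 16.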

Snapshot-based Scans

Snapshot scans do not depend on the connector polling frequency. Their frequency is determined by the polling frequency values provided in the AWS CFT-S and by the EventBridge configuration. Both are described below.

AWS Polling Frequency (configured on CFT-S)

The Scan Frequency, Batch Trigger Scan Duration, and Retry Discovery Interval together determine how often your snapshot scans run. Each parameter has its own role:

Scan Frequency - Determines when the instances in the account snapshot are scanned next.

Batch Trigger Scan Duration - Determines when the next scan runs on instances discovered through the EventBridge configuration. This interval applies strictly to event-based discovery; it does not rescan the instances in the account snapshot.

Retry Discovery Interval - Determines when the next account snapshot is taken to discover all instances in the account, including any that event-based discovery missed. This interval only discovers the instances to be scanned; it does not run a scan by itself.

The EventBridge Run

If EventBridge is configured, the connector listens for events and runs scans in response to new deployments or stopped instances.

How long would it take for all of my VMs to be scanned?

Your initial snapshot scan should start within 60 minutes of deploying the CFTs. It is difficult to predict when every instance in your account will finish scanning, because that depends on the existing workload and on newly discovered events.
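To see how the three CFT-S parameters and the EventBridge run interact over a day, the following is an added illustrative model; it is not the product's own scheduler and the page does not publish one. The function plan_snapshot_scans and the sample instances are constructed for this example. Where the page is silent it assumes that all values are hours since the first snapshot at hour 0, that event-discovered instances are scanned at the next Batch Trigger tick after their event, and that a fresh account snapshot contains every instance that exists at that moment, after which the instance follows the Scan Frequency timer only.

```python
"""Added example (not the product's own scheduler): how the three CFT-S polling
parameters decide when each instance gets a snapshot scan.

Rules taken from the page:
  * Scan Frequency: instances in the account snapshot are rescanned on this timer;
  * Batch Trigger Scan Duration: instances discovered through EventBridge are
    scanned on this timer, which never rescans the snapshot instances;
  * Retry Discovery Interval: a fresh account snapshot is taken on this timer to
    pick up instances EventBridge missed; it discovers but does not scan.
Assumptions not stated on the page: all values are hours since the first
snapshot at t=0; event-discovered instances are scanned at the next batch tick
after their event; a fresh snapshot contains every instance that exists at that
moment, after which the instance follows the Scan Frequency timer only.
"""


def plan_snapshot_scans(scan_frequency, batch_trigger, retry_discovery, horizon,
                        initial_instances, launches_without_event, launches_with_event):
    """Return {instance_id: [hours at which it is scanned]} over [0, horizon].

    initial_instances: ids that exist when the first snapshot is taken at t=0
    launches_without_event: (hour, id) launched but no EventBridge event seen
    launches_with_event: (hour, id) launched and reported by EventBridge
    """
    exists_since = {iid: 0.0 for iid in initial_instances}
    exists_since.update({iid: h for h, iid in launches_without_event})
    exists_since.update({iid: h for h, iid in launches_with_event})
    scans = {iid: [] for iid in exists_since}
    in_snapshot = set()      # instances known from the latest account snapshot
    on_batch_timer = set()   # event-discovered, not yet in any snapshot

    # Timeline of timer ticks; at equal hours, discovery and events come first.
    ticks = []
    t = 0.0
    while t <= horizon:
        ticks.append((t, 0, "discover"))         # Retry Discovery Interval
        t += retry_discovery
    t = 0.0
    while t <= horizon:
        ticks.append((t, 1, "scan_snapshot"))    # Scan Frequency
        t += scan_frequency
    t = batch_trigger
    while t <= horizon:
        ticks.append((t, 1, "scan_batch"))       # Batch Trigger Scan Duration
        t += batch_trigger
    ticks += [(h, 0, ("event", iid)) for h, iid in launches_with_event]
    ticks.sort(key=lambda tick: (tick[0], tick[1]))

    for at, _, kind in ticks:
        if kind == "discover":
            # Discovery only: rebuild the snapshot, scan nothing (page).
            in_snapshot = {iid for iid, since in exists_since.items() if since <= at}
            on_batch_timer -= in_snapshot        # now covered by the snapshot
        elif kind == "scan_snapshot":
            for iid in in_snapshot:
                scans[iid].append(at)
        elif kind == "scan_batch":
            for iid in on_batch_timer:
                scans[iid].append(at)
        else:                                    # ("event", iid) from EventBridge
            on_batch_timer.add(kind[1])
    return scans


if __name__ == "__main__":
    # Constructed sample: rescan the snapshot daily, batch event-discovered
    # instances every 4h, retake the account snapshot every 12h.
    result = plan_snapshot_scans(
        scan_frequency=24, batch_trigger=4, retry_discovery=12, horizon=24,
        initial_instances=["i-web-1", "i-db-1"],
        launches_without_event=[(3.0, "i-missed")],  # no event reached the connector
        launches_with_event=[(1.5, "i-new")])
    for iid, hours in result.items():
        print(f"{iid:10} scanned at hours {hours}")
```

In the sample run, the two instances in the first snapshot are scanned at hours 0 and 24; the instance reported by EventBridge is scanned on the batch timer at hours 4 and 8, then joins the snapshot taken at hour 12 and is rescanned with it at hour 24; the instance that EventBridge missed is discovered at hour 12 but, because discovery does not scan, waits until the snapshot scan at hour 24. Under this model the wait for a missed instance is bounded by Retry Discovery Interval plus Scan Frequency, so shortening either shortens that gap.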