Partial scan warnings

Why scans can be incomplete, what each warning means, and how partial scans differ from failed scans.

Last updated July 4, 2026

Sometimes a scan finishes successfully but could not read every data source. Parsivex records these as partial scan warnings — yellow alerts on your report and scan results page titled Partial scan — some data was unavailable.

Partial scans are not failures. They mean Parsivex finished the scan with gaps in coverage. Findings for accessible resources are still generated and saved.

Why partial scans happen

Partial warnings appear when a non-fatal error occurs during data collection:

CauseWhat happens
Permission gapsThe IAM role can be assumed, but specific API calls return access denied (Cost Explorer, DynamoDB, ELB, etc.)
Cost Explorer not enabledAWS Cost Explorer has not been activated on the account yet
API throttlingRare for inventory services; required services that hit rate limits can fail the scan instead of warning
Per-resource errorsA single S3 bucket or resource returns an error; that resource is skipped while the rest of the scan continues

Parsivex is designed so that one missing permission or one unreachable resource does not block findings for everything else.

Warning labels you may see

The app shows clear messages for each issue. Here are the warnings Parsivex can surface, matching the labels shown in your report:

Cost Explorer not enabled

Label shown:

AWS Cost Explorer is not yet enabled on this account. It can take up to 24 hours after your first AWS visit before cost data becomes available. Cost-based findings (e.g. NAT Gateway overuse, Reserved Instance opportunities) were skipped. Re-run the scan once Cost Explorer is active.

What to do: Open the AWS Billing console and enable Cost Explorer. Wait up to 24 hours for AWS to activate it, then run a new scan.

Cost Explorer access denied

Label shown:

Access was denied to AWS Cost Explorer. Check that the Parsivex IAM role has the ce:GetCostAndUsage permission. Cost-based findings were skipped.

What to do: Attach the full Parsivex read-only policy from /security or redeploy the CloudFormation/Terraform template. See Connection troubleshootingMissing permissions during verify or scan.

DynamoDB access denied

Label shown:

Access was denied to DynamoDB. Re-deploy the Parsivex CloudFormation stack or add dynamodb:ListTables and dynamodb:DescribeTable to your IAM role. DynamoDB findings were skipped.

What to do: Update your IAM policy with DynamoDB read permissions. The IaC templates include these statements — see Deploy with CloudFormation or Terraform.

Elastic Load Balancing access denied

Label shown:

Access was denied to Elastic Load Balancing. Re-deploy the Parsivex CloudFormation stack or add elasticloadbalancing:Describe* to your IAM role. Load balancer findings were skipped.

What to do: Add ELB describe permissions to your role. Compare your policy against /security.

Other service access denied (inventory)

Label shown:

Access was denied to . Related findings were skipped.

This generic message appears when an optional inventory source returns access denied. DynamoDB and ELB have more specific messages above; other services use this fallback.

What to do: Review Connection troubleshooting and ensure your role matches the Parsivex minimal policy.

Other Cost Explorer errors

If Cost Explorer fails for another reason, Parsivex shows the underlying error message. Common causes include temporary credentials expiring mid-scan (retry the scan) or an unexpected AWS API error (retry; contact support if it persists).

Partial scans still produce findings

When you see partial scan warnings:

  • Findings for accessible resources are included in your report with full savings estimates
  • Skipped checks simply do not appear — for example, no NAT Gateway finding if Cost Explorer was unavailable
  • Your scan counts as complete — it shows as Completed, not Failed
  • Parsivex can still mark findings as resolved on successful scans, so waste you fixed before a partial scan can be verified on a later successful scan

Re-run the scan after fixing permissions or enabling Cost Explorer to fill in the gaps.

Partial scans vs failed scans

Partial scan (warnings)Failed scan
StatusCompleted (with warnings)Failed
ReportGenerated with available findingsNot generated
WarningsYellow partial-scan alertsError message on scan page
Previous findingsUnchanged unless new scan resolves themNot resolved — failed scans never trigger resolution
Typical causeMissing optional permission or Cost Explorer not enabledRequired inventory step failed (e.g. EC2 or RDS list denied)
  1. Compare your IAM role policy to the policy on /security
  2. Walk through Connection troubleshooting — especially Missing permissions during verify or scan and Partial scan warnings due to permission gaps
  3. If you deployed with IaC, redeploy or update the stack so new permission statements take effect — see IaC setup
  4. Run a new scan to confirm warnings are gone

Related articles