CoursesCompliance as codeDrift & IaC gates

Remediation & prevention

Auto-fix the safe cases; guardrail the rest.

Advanced30 min · lesson 12 of 15

Detecting a compliance violation is only half the job; closing it is the other. Remediation — from automated fixes to tracked manual work — is what turns findings into resolved controls, and doing it well is a balance of speed and safety.

Auto-remediate the safe, well-understood cases

For clear-cut, low-risk violations, automated remediation closes the gap in seconds: re-enable a storage account’s public-access block, turn on encryption or logging that was disabled, add a missing required tag, revert a security group to its baseline. Cloud platforms support this through event-driven functions (a Config rule marks a resource non-compliant and triggers a remediation action), and it keeps posture continuously compliant without waiting for a human. The discipline is scoping: auto-remediate only fixes that are well-understood and cannot break legitimate workloads. Re-enabling encryption is safe; auto-deleting a resource is not — higher-risk remediations should require review.

auto-remediate a clear violation
# Config rule detects a bucket with public access → trigger a remediation.
# The remediation re-applies the compliant baseline automatically:
aws configservice put-remediation-configurations --remediation-configurations '[{
"ConfigRuleName": "s3-no-public-access",
"TargetType": "SSM_DOCUMENT",
"TargetId": "AWS-DisableS3BucketPublicReadWrite",
"Automatic": true
}]'
# Safe, reversible fix → applied in seconds. Risky fixes → route to a human.

Track everything, prevent where possible

Not every violation should auto-fix, so the program needs a tracked remediation workflow: findings become tickets with an owner and a due date, prioritized by severity and blast radius, so nothing lingers unresolved and you can measure time-to-remediate — a key program metric. Better than fixing repeatedly is preventing recurrence: if the same violation keeps appearing, add a preventive guardrail (an SCP, an admission policy, an IaC gate) so it cannot be created in the first place. The mature loop is detect → remediate (auto where safe, tracked where not) → prevent, so each class of violation is eventually designed out rather than endlessly re-fixed.

Remediation loop
1violation detected
Config / CSPM / scan
2auto-remediate (safe)
or tracked ticket (risky)
3measure time-to-remediate
owner + due date
4prevent recurrence
guardrail / gate the class out
Auto-fix the safe cases, track the rest, and add preventive guardrails so recurring violations are designed out, not re-fixed forever.
Blind auto-remediation can cause its own outage
Automated fixes wired to every finding can break legitimate configurations — auto-deleting a "non-compliant" resource that was actually needed, or reverting an approved exception. Auto-remediate only well-understood, reversible, low-risk cases; route anything with real blast radius through human review, and test remediations before enabling them.