Remediation & prevention
Auto-fix the safe cases; guardrail the rest.
Detecting a compliance violation is only half the job; closing it is the other. Remediation — from automated fixes to tracked manual work — is what turns findings into resolved controls, and doing it well is a balance of speed and safety.
Auto-remediate the safe, well-understood cases
For clear-cut, low-risk violations, automated remediation closes the gap in seconds: re-enable a storage account’s public-access block, turn on encryption or logging that was disabled, add a missing required tag, revert a security group to its baseline. Cloud platforms support this through event-driven functions (a Config rule marks a resource non-compliant and triggers a remediation action), and it keeps posture continuously compliant without waiting for a human. The discipline is scoping: auto-remediate only fixes that are well-understood and cannot break legitimate workloads. Re-enabling encryption is safe; auto-deleting a resource is not — higher-risk remediations should require review.
# Config rule detects a bucket with public access → trigger a remediation.# The remediation re-applies the compliant baseline automatically:aws configservice put-remediation-configurations --remediation-configurations '[{"ConfigRuleName": "s3-no-public-access","TargetType": "SSM_DOCUMENT","TargetId": "AWS-DisableS3BucketPublicReadWrite","Automatic": true}]'# Safe, reversible fix → applied in seconds. Risky fixes → route to a human.
Track everything, prevent where possible
Not every violation should auto-fix, so the program needs a tracked remediation workflow: findings become tickets with an owner and a due date, prioritized by severity and blast radius, so nothing lingers unresolved and you can measure time-to-remediate — a key program metric. Better than fixing repeatedly is preventing recurrence: if the same violation keeps appearing, add a preventive guardrail (an SCP, an admission policy, an IaC gate) so it cannot be created in the first place. The mature loop is detect → remediate (auto where safe, tracked where not) → prevent, so each class of violation is eventually designed out rather than endlessly re-fixed.