Remediating Policy Violations

Policy violations occur when a cloud asset does not comply with one or more of your defined governance policies. Remediating these violations helps ensure your cloud environment remains secure, compliant, and aligned with best practices.

This guide explains how to remediate policy violations in Firefly, either by updating your Infrastructure as Code (IaC) to enforce the desired state or by applying changes directly in the cloud.

Note: Promptly addressing policy violations reduces risk and helps maintain compliance.

Before you begin

  • Ensure your Version Control System (VCS) is integrated with Firefly (e.g., GitHub, GitLab) if you plan to remediate via IaC.

  • Confirm you have the necessary permissions to update cloud resources and/or modify your IaC repositories.

Procedure

Go to the Governance page: In the Firefly console, navigate to the Governance page, locate the policy that has violations, and click the AI Remediation button to view the remediation options.

Option 1: IaC Patch

If the asset is managed by Infrastructure as Code (IaC), you can remediate by updating your codebase:

  1. Choose the IaC Patch option.

  2. Select the IaC file you want to update and click Review fix.

  3. Review the proposed changes and click Create Pull Request.

  4. Firefly generates a pull request against your IaC source so that the asset, once the change is applied, complies with the policy.

  5. Review and merge the pull request in your VCS.

  6. Run a Terraform plan and confirm that the only proposed change is the remediation before you apply it (or use the equivalent commands for your IaC tool). An unexpected diff means the asset has drifted from the code and should be reviewed before the apply.

# Example: Terraform (AWS provider v4.0 or later) enabling default encryption on an S3 bucket.
# The inline server_side_encryption_configuration block on aws_s3_bucket is deprecated
# since provider v4.0; the standalone resource below is the supported form.
resource "aws_s3_bucket" "example" {
  # ... existing configuration ...
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # SSE-S3; use "aws:kms" plus kms_master_key_id for SSE-KMS
    }
  }
}
# This enforces encryption at rest for every new object written to the bucket

Option 2: Cloud Patch

If the asset is not managed by IaC (unmanaged), you can remediate directly in the cloud using the CLI commands Firefly provides. Use this option only for unmanaged assets: changing an IaC-managed asset directly in the cloud creates drift, and the next apply of the code can revert the fix.

  1. Choose the Cloud Patch option.

  2. Select the asset you want to remediate.

  3. Firefly provides CLI commands that update the resource in your cloud provider.

  4. Run the provided commands in your terminal (or the provider's browser-based shell) to bring the asset into compliance.

# Example: AWS CLI command to enable encryption on an S3 bucket
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
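
A checked remediation loop for the Cloud Patch path, as an added example that is not part of the Firefly documentation or product: it reads the bucket's current default-encryption configuration, applies the same put-bucket-encryption call shown above only when the configuration does not satisfy the policy, and then re-reads the configuration to verify the result. It assumes AWS CLI v2 configured with credentials allowed to call s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration. It generalises the check slightly beyond the page: the second argument lets the same function verify a policy that requires SSE-KMS (aws:kms) instead of SSE-S3 (AES256). The function and sample names are the example's own, and the sample JSON documents are constructed to mirror the shape of the CLI's output; they are not real bucket data.

```shell
#!/bin/sh
# Added example (not Firefly's own code): check-then-patch loop for the Cloud Patch
# option. Assumes AWS CLI v2 configured with credentials that allow
# s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration.
set -eu

# Constructed samples mirroring the shape of `aws s3api get-bucket-encryption`
# output; they are not real bucket data.
SAMPLE_SSE_S3='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"},"BucketKeyEnabled":false}]}}'
SAMPLE_SSE_KMS='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"},"BucketKeyEnabled":true}]}}'
SAMPLE_NONE='{}'   # substituted below when the get call fails (no configuration)

# sse_config_compliant CONFIG_JSON REQUIRED_ALGORITHM
#   CONFIG_JSON        : JSON printed by `aws s3api get-bucket-encryption`, or '{}'
#   REQUIRED_ALGORITHM : extended regex for the SSEAlgorithm values the policy
#                        accepts, e.g. AES256, aws:kms, or '(AES256|aws:kms)'
# Returns 0 when a default rule with an accepted algorithm is present, 1 otherwise.
# The match is anchored on the closing quote, so a policy requiring aws:kms does
# not accept AES256 (or aws:kms:dsse).
sse_config_compliant() {
  printf '%s' "$1" | grep -Eq "\"SSEAlgorithm\"[[:space:]]*:[[:space:]]*\"$2\""
}

# sse_put_document ALGORITHM
# Builds the document passed to put-bucket-encryption. ALGORITHM must be a
# literal value (AES256 or aws:kms), not a regex.
sse_put_document() {
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"%s"}}]}' "$1"
}

# remediate_bucket BUCKET [ALGORITHM]
# Reads the current configuration, patches only when it is non-compliant, then
# re-reads and verifies so that a call that did not take effect is reported.
remediate_bucket() {
  bucket="$1"
  algo="${2:-AES256}"
  # get-bucket-encryption exits non-zero when no configuration exists; treat
  # that as an empty document rather than aborting under set -e.
  current="$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null || echo '{}')"
  if sse_config_compliant "$current" "$algo"; then
    echo "$bucket: already compliant ($algo)"
    return 0
  fi
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "$(sse_put_document "$algo")"
  after="$(aws s3api get-bucket-encryption --bucket "$bucket")"
  if sse_config_compliant "$after" "$algo"; then
    echo "$bucket: remediated and verified ($algo)"
  else
    echo "$bucket: still non-compliant after patch" >&2
    return 1
  fi
}

# Usage: sh remediate_s3_encryption.sh my-bucket [AES256|aws:kms]
if [ -n "${1-}" ]; then
  remediate_bucket "$1" "${2-}"
fi
```

Treating a failed get-bucket-encryption call as an empty document is deliberate: a missing configuration is a policy violation, not a scripting error, and the verification step after the put catches the case where the patch was rejected or applied to the wrong bucket.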

Tip: Always review the proposed changes and test in a non-production environment when possible.

Summary

  • Policy violations indicate assets that do not comply with your governance rules.

  • You can remediate violations by updating your IaC code (recommended for managed assets) or by applying changes directly in the cloud (for unmanaged assets).

  • Firefly provides automated remediation suggestions and code/CLI snippets to help you resolve violations quickly.

  • After remediation, re-scan your environment in Firefly to confirm compliance.
