Remediating Policy Violations
Policy violations occur when a cloud asset does not comply with one or more of your defined governance policies. Remediating these violations helps ensure your cloud environment remains secure, compliant, and aligned with best practices.
This guide explains how to remediate policy violations in Firefly, either by updating your Infrastructure as Code (IaC) to enforce the desired state or by applying changes directly in the cloud.
Note: Promptly addressing policy violations reduces risk and helps maintain compliance.
Before you begin
Ensure your Version Control System (VCS) is integrated with Firefly (e.g., GitHub, GitLab) if you plan to remediate via IaC.
Confirm you have the necessary permissions to update cloud resources and/or modify your IaC repositories.
Review the policy details and recommended remediation steps in the Firefly console.
Procedure
Go to Policy Violations: In the Firefly console, navigate to Governance > Policies. Locate the policy with violations and click the number in the Violating Assets column to view the affected resources.
View Violation Details: Select a violating asset to open its details. Review the policy description, rationale, and any remediation insights provided.
Option 1: IaC Patch (Recommended)
If the asset is managed by Infrastructure as Code (IaC), you can remediate by updating your codebase:
In the asset's violation details, click Remediation > IaC Patch (this is usually recommended for managed assets).
Firefly will generate a pull request or code snippet to update your IaC source, ensuring the asset complies with the policy.
Review and merge the pull request in your VCS to apply the change.
(Optional) Run a Terraform plan/apply or equivalent command to deploy the updated configuration.
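To show the shape of the change an IaC Patch produces, here is an added example that is not Firefly's generated output and not part of the original page. It assumes a hypothetical policy ("S3 buckets must block public access") and a Terraform-managed AWS bucket; the resource names and bucket name are constructed sample values.

```hcl
# Added example (hypothetical): the shape of an IaC patch for an assumed policy
# that requires S3 buckets to block public access. Resource names, the bucket
# name and the policy itself are assumptions; Firefly's generated PR will differ.

# Before the patch: the bucket is declared with no public-access controls,
# so the asset violates the policy.
resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs" # constructed sample value
}

# After the patch: the pull request adds the missing control so the declared
# state matches the policy. Merging and applying it fixes the live asset and,
# because the fix lives in code, prevents the violation from drifting back.
resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

After merging, a `terraform plan` should show only the new `aws_s3_bucket_public_access_block` resource being added; if it shows unrelated changes, the live asset has drifted from the code and should be reviewed before `terraform apply`. Re-scanning in Firefly afterwards confirms the asset has left the Violating Assets list.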
Option 2: Cloud Patch
If the asset is not managed by IaC (unmanaged or ghost), you can remediate directly in the cloud:
In the asset's violation details, click Remediation > Cloud Patch.
Firefly will provide CLI commands or a step-by-step guide to manually update the resource in your cloud provider.
Run the provided commands in your terminal or cloud console to bring the asset into compliance.
Tip: Always review the proposed changes and test in a non-production environment when possible.
Summary
Policy violations indicate assets that do not comply with your governance rules.
You can remediate violations by updating your IaC code (recommended for managed assets) or by applying changes directly in the cloud (for unmanaged assets).
Firefly provides automated remediation suggestions and code/CLI snippets to help you resolve violations quickly.
After remediation, re-scan your environment in Firefly to confirm compliance.