SEC04-BP04: Initiate remediation for non-compliant resources

Implement automated remediation for non-compliant resources to reduce the time to resolution and improve your security posture. For example, automatically remediate an S3 bucket that has been configured with public read access by removing the public access configuration.

Implementation guidance

Automated remediation of non-compliant resources is essential for maintaining a strong security posture at scale. By implementing automated responses to security violations and misconfigurations, you can reduce the window of exposure, minimize manual intervention, and ensure consistent application of security policies across your environment.

Key steps for implementing this best practice:

1. Identify remediable security violations:
   • Define security policies and compliance requirements
   • Identify common misconfigurations that can be automatically remediated
   • Categorize violations by risk level and remediation complexity
   • Document approved remediation actions for each violation type
   • Establish criteria for automatic vs. manual remediation
2. Implement detection mechanisms:
   • Use AWS Config Rules to detect configuration violations
   • Configure AWS Security Hub for centralized finding management
   • Set up Amazon GuardDuty for threat detection
   • Implement custom detection logic for organization-specific requirements
   • Enable real-time monitoring for critical security configurations
3. Design remediation workflows:
   • Create automated remediation scripts and functions
   • Implement approval workflows for high-risk remediations
   • Design rollback mechanisms for failed remediations
   • Establish notification and logging for all remediation actions
   • Implement rate limiting to prevent cascading effects
4. Implement automated remediation:
   • Use AWS Config Remediation Configurations for standard violations
   • Deploy AWS Lambda functions for custom remediation logic
   • Implement AWS Systems Manager Automation documents
   • Use AWS Security Hub Custom Actions for manual remediation triggers
   • Configure Amazon EventBridge for event-driven remediation
5. Establish governance and oversight:
   • Implement approval processes for sensitive remediations
   • Create audit trails for all remediation activities
   • Set up monitoring and alerting for remediation failures
   • Establish escalation procedures for complex violations
   • Implement regular review of remediation effectiveness
6. Test and validate remediation:
   • Test remediation scripts in non-production environments
   • Validate that remediation actions don’t break functionality
   • Implement monitoring to verify successful remediation
   • Create rollback procedures for problematic remediations
   • Regularly review and update remediation logic

Implementation examples

Example 1: AWS Config automatic remediation for S3 public access

Code snippet hidden for website display

Example 2: Custom Lambda function for security group remediation

Code snippet hidden for website display

Example 3: Systems Manager Automation for EC2 instance remediation

Code snippet hidden for website display

Example 4: EventBridge-driven remediation orchestration

Code snippet hidden for website display

AWS services to consider

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Provides built-in remediation configurations for common security violations.

AWS Systems Manager

Gives you visibility and control of your infrastructure on AWS. Use Automation documents to implement complex remediation workflows across multiple resources.

AWS Lambda

Lets you run code without provisioning or managing servers. Ideal for implementing custom remediation logic and orchestrating remediation workflows.

Amazon EventBridge

A serverless event bus that makes it easy to connect applications together. Essential for triggering remediation actions based on security events.

AWS Security Hub

Provides a comprehensive view of your security state in AWS. Supports custom actions for manual remediation triggers and centralized finding management.

Amazon GuardDuty

Provides intelligent threat detection for your AWS accounts and workloads. Findings can trigger automated remediation workflows for threat response.

Benefits of initiating remediation for non-compliant resources

• Reduced exposure time: Automated remediation minimizes the window of vulnerability
• Consistent security posture: Ensures uniform application of security policies across all resources
• Operational efficiency: Reduces manual intervention and speeds up incident response
• Scalable security management: Handles large-scale environments without proportional increase in staff
• Improved compliance: Maintains continuous compliance with security standards and regulations
• Cost reduction: Reduces the cost of manual security operations and potential breach impacts
• Enhanced audit readiness: Provides detailed logs of all remediation actions for compliance reporting

Related resources

Related Resources

• AWS Well-Architected Framework - Initiate remediation for non-compliant resources
• AWS Config Remediation
• AWS Systems Manager Automation
• AWS Security Hub Custom Actions
• How to set up continuous compliance with AWS Config and AWS Systems Manager
• How to remediate Amazon Inspector security findings automatically