Remediate policy violations in existing infrastructure

Creating your first Campaign

PreviousTerraform policies integrated into CI NextTemplates for generating Terraform

Last updated 8 days ago

Remediate policy violations in existing infrastructure

Creating your first Campaign

This assumes you are using the Resourcely Campaigns scaffolding repo.

Campaigns allow security teams to define and identify cloud resources that need updated configuration, and developers to create and deploy the new configuration quickly.

Choose or define policies (Guardrails) you want to enforce
Choose the policies and repositories to scan for vulnerabilities
Guide users through remediation, without causing Terraform drift

Choose policies to enforce

With Campaigns, security teams (or anyone) can choose the policies they want to scan existing resources with.

Configure a Campaign, name it, and select your forked scaffolding repo.

Click Select Guardrails and choose those that you'd like to scan for:

After creating the Campaign, you will see a summary of findings and status.

The scaffolding repository includes a Terraform state that already has (dummy) resources with purposeful misconfigurations, for demonstration purposes. To scan your own state file, customize your Campaign Agent.

You can also view findings by config root or by guardrail and have the ability to trigger a scan by config root:

Now that your Campaign is created, the findings will be exposed in the Remediation tab in order to be fixed.

Remediating Resources

Resourcely exposes a guided remediation experience, that shows policy violations and the exact line(s) of code that cause them. This gives security teams or developers the ability to remediate misconfigurations quickly.

Fix a configuration

Navigate to the Remediation tab, and select the relevant repo with findings. When you select the repo, a remediation screen is exposed that makes fixing findings easy.

Try clicking through each Guardrail Violation at the bottom. This will bring you to the relevant line of code, and expose the Guardrail the code violates.

Also try tab complete when entering values, to see valid configuration options.

Request an exception

Not all violations are actually bad - consider an EC2 instance with IMDSv1 that has not yet been migrated to IMDSv2 (session-based authentication).

Users can request an exception instead of changing code by clicking "Request exception" under the Guardrail Violation.

Submitting changes

Resourcely integrates natively with your version control, so that all remediations happen through your existing CI pipeline. This eliminates Terraform drift caused by traditional auto-remediation tools.

After you have remediated all findings, click Evaluate Changes and Evaluate your code. This checks to see if your remediations are successfully fixing the violation.

Once that is done, you can submit a PR to fully execute the remediations.

For more information and advanced Campaigns usage against your own Terraform enviroinment, see Creating Campaigns.

PreviousTerraform policies integrated into CI NextTemplates for generating Terraform

Last updated 8 days ago

This assumes you are using the Resourcely Campaigns scaffolding repo.

Campaigns allow security teams to define and identify cloud resources that need updated configuration, and developers to create and deploy the new configuration quickly.

Choose or define policies (Guardrails) you want to enforce
Choose the policies and repositories to scan for vulnerabilities
Guide users through remediation, without causing Terraform drift

Choose policies to enforce

With Campaigns, security teams (or anyone) can choose the policies they want to scan existing resources with.

Configure a Campaign, name it, and select your forked scaffolding repo.

Click Select Guardrails and choose those that you'd like to scan for:

After creating the Campaign, you will see a summary of findings and status.

You can also view findings by config root or by guardrail and have the ability to trigger a scan by config root:

Now that your Campaign is created, the findings will be exposed in the Remediation tab in order to be fixed.

Remediating Resources

Fix a configuration

Navigate to the Remediation tab, and select the relevant repo with findings. When you select the repo, a remediation screen is exposed that makes fixing findings easy.

Try clicking through each Guardrail Violation at the bottom. This will bring you to the relevant line of code, and expose the Guardrail the code violates.

Also try tab complete when entering values, to see valid configuration options.

Request an exception

Not all violations are actually bad - consider an EC2 instance with IMDSv1 that has not yet been migrated to IMDSv2 (session-based authentication).

Users can request an exception instead of changing code by clicking "Request exception" under the Guardrail Violation.

Submitting changes

After you have remediated all findings, click Evaluate Changes and Evaluate your code. This checks to see if your remediations are successfully fixing the violation.

Once that is done, you can submit a PR to fully execute the remediations.

For more information and advanced Campaigns usage against your own Terraform enviroinment, see Creating Campaigns.