Remediation Workflow Example

This guide walks through a complete remediation workflow, from discovering a security finding to deploying the fix via pull request.

What You'll Learn

Identify security findings in your infrastructure
Analyze the root cause and impact
Generate automated fixes with AI
Validate fixes before deployment
Deploy through pull request workflow

Scenario

You’ve received an alert that an S3 bucket is missing encryption. Let’s walk through the complete remediation process.

Step 1: Identify the Finding

View in Dashboard

Navigate to Findings in Cloudgeni
Filter by:
- Severity: High
- Status: Open
- Type: Static Analysis

Finding Details

Finding: CKV_AWS_19
Title: Ensure all data stored in the S3 bucket is securely encrypted at rest
Severity: HIGH
Status: Open

File: infrastructure/storage/main.tf
Line: 15

Resource:
  aws_s3_bucket.data_bucket

Current Code (Non-Compliant)

# infrastructure/storage/main.tf

resource "aws_s3_bucket" "data_bucket" {
  bucket = "mycompany-data-bucket"

  tags = {
    Name        = "Data Bucket"
    Environment = "production"
  }
}

Issue: The bucket is created without server-side encryption configuration.

Step 2: Analyze the Finding

Why This Matters

Compliance: SOC 2 (CC6.7), ISO 27001 (A.8.24) require encryption
Security: Unencrypted data is vulnerable if bucket is accessed
Risk Level: High - data could be exposed in plaintext

Impact Assessment

Factor	Assessment
Data Sensitivity	Contains customer data
Exposure Risk	If accessed, data is readable
Compliance Impact	SOC 2 audit finding
Remediation Complexity	Low - configuration change

Step 3: Generate the Fix

Option A: One-Click Remediation

Click Remediate on the finding
Cloudgeni generates the fix automatically
Review the proposed changes

Option B: AI DevOps Agent

For more control:

Open AI DevOps session
Request: “Fix the S3 encryption finding for data_bucket”
Agent generates comprehensive fix with explanation

Generated Fix

Cloudgeni generates the following Terraform code:

# Add server-side encryption configuration
resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket" {
  bucket = aws_s3_bucket.data_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true
  }
}

# KMS key for encryption (if not exists)
resource "aws_kms_key" "s3" {
  description             = "KMS key for S3 bucket encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  tags = {
    Name = "s3-encryption-key"
  }
}

resource "aws_kms_alias" "s3" {
  name          = "alias/s3-encryption"
  target_key_id = aws_kms_key.s3.key_id
}

Step 4: Review the Fix

Code Review Checklist

Before applying, verify:

Encryption algorithm is appropriate (AES256 or aws:kms)
KMS key has rotation enabled
No breaking changes to existing resources
Variables and naming follow conventions
Dependencies are correctly referenced

Diff View

  resource "aws_s3_bucket" "data_bucket" {
    bucket = "mycompany-data-bucket"

    tags = {
      Name        = "Data Bucket"
      Environment = "production"
    }
  }

+ resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket" {
+   bucket = aws_s3_bucket.data_bucket.id
+
+   rule {
+     apply_server_side_encryption_by_default {
+       sse_algorithm     = "aws:kms"
+       kms_master_key_id = aws_kms_key.s3.arn
+     }
+     bucket_key_enabled = true
+   }
+ }
+
+ resource "aws_kms_key" "s3" {
+   description             = "KMS key for S3 bucket encryption"
+   deletion_window_in_days = 30
+   enable_key_rotation     = true
+
+   tags = {
+     Name = "s3-encryption-key"
+   }
+ }

Step 5: Validate the Fix

Cloudgeni Validation

Click Validate to run automated checks:

Syntax Validation
```
✅ Terraform syntax valid
```

Policy Check

✅ CKV_AWS_19: S3 encryption enabled
✅ CKV_AWS_7: KMS key rotation enabled

Plan Preview

Plan: 3 to add, 0 to change, 0 to destroy

+ aws_s3_bucket_server_side_encryption_configuration.data_bucket
+ aws_kms_key.s3
+ aws_kms_alias.s3

External Validation (Optional)

If configured, Cloudgeni triggers your CI/CD pipeline:

# Validation pipeline results
✅ terraform fmt -check
✅ terraform validate
✅ terraform plan (no errors)
✅ checkov scan (0 failures)
✅ cost estimate ($2.50/month for KMS)

Step 6: Create Pull Request

PR Creation

Click Create Pull Request
Configure:
- Branch name: fix/s3-encryption-ckv-aws-19
- Target branch: main
Review auto-generated description
Click Create

Generated PR

## Fix: Enable S3 bucket encryption (CKV_AWS_19)

### Summary
Enables server-side encryption for `aws_s3_bucket.data_bucket` using
AWS KMS with automatic key rotation.

### Finding
- **Check:** CKV_AWS_19
- **Severity:** High
- **File:** infrastructure/storage/main.tf

### Changes
- Add `aws_s3_bucket_server_side_encryption_configuration` resource
- Create KMS key with automatic rotation
- Create KMS alias for key management

### Validation
✅ Terraform syntax valid
✅ Security policies pass
✅ No breaking changes

### Testing
- [ ] Review terraform plan output
- [ ] Verify in staging environment
- [ ] Confirm encryption is active after apply

---
Generated by Cloudgeni

Step 7: Review and Merge

Code Review

Your team reviews the PR:

Verify encryption configuration is correct
Check KMS key settings
Confirm no unintended changes
Approve the PR

Merge

Merge the pull request
CI/CD pipeline applies changes
Cloudgeni detects the merge

Step 8: Verify Resolution

Automatic Re-scan

After merge, Cloudgeni automatically:

Detects changes to repository
Runs new security scan
Updates finding status

Verification

Finding: CKV_AWS_19
Title: Ensure all data stored in the S3 bucket is securely encrypted at rest
Severity: HIGH
Status: ✅ Resolved

Resolution:
- Fixed in PR #142
- Merged: 2024-01-15 10:30:00
- Verified: 2024-01-15 10:35:00

Updated Compliance Score

Before: 87%
After:  89%
Change: +2%

Timeline Summary

Step	Action	Time
1	Finding identified	T+0
2	Analysis complete	T+5min
3	Fix generated	T+6min
4	Review complete	T+10min
5	Validation passed	T+12min
6	PR created	T+13min
7	PR merged	T+30min
8	Resolution verified	T+35min

Total time from finding to fix: ~35 minutes

Best Practices

Before Remediation

Understand the finding’s impact
Check if compensating controls exist
Coordinate with affected teams

During Remediation

Review all generated code
Test in non-production first
Document any manual steps

After Remediation

Verify fix with new scan
Update related documentation
Share learnings with team

Remediation Overview

How remediation works

AI DevOps

AI-powered fixes

Understanding Findings

Finding types and severity

PR Reviews

Automated PR reviews

Getting Started

Features

Integrations

CLI

Scanning & Findings

Remediation

Compliance

Examples

Troubleshooting

Support

​Remediation Workflow Example

What You'll Learn

​Scenario

​Step 1: Identify the Finding

​View in Dashboard

​Finding Details

​Current Code (Non-Compliant)

​Step 2: Analyze the Finding

​Why This Matters

​Impact Assessment

​Step 3: Generate the Fix

​Option A: One-Click Remediation

​Option B: AI DevOps Agent

​Generated Fix

​Step 4: Review the Fix

​Code Review Checklist

​Diff View

​Step 5: Validate the Fix

​Cloudgeni Validation

​External Validation (Optional)

​Step 6: Create Pull Request

​PR Creation

​Generated PR

​Step 7: Review and Merge

​Code Review

​Merge

​Step 8: Verify Resolution

​Automatic Re-scan

​Verification

​Updated Compliance Score

​Timeline Summary

​Best Practices

​Before Remediation

​During Remediation

​After Remediation

​Related Documentation