Automating fixes in runtime

Similar to what we did with pull request fixes in the previous module, Bridgecrew allows for immediate remediation of issues in runtime by reconfiguring your objects via the AWS APIs.

Implementing automated remediations does require extra permissions than previously granted with the default AWS Read Only integration. When you attempt a runtime remediation without the correct permissions, you’ll be prompted to configure the AWS Remediation Stack:

AWS Bridgecrew Integration, Remediate

Adding the AWS Remediation stack follows the same workflow as the previous read-only AWS integration. Go to the Integrations page and select “AWS”:

AWS Bridgecrew remediation integration

Select AWS Remediation Stack as the type. Then click Next and Launch Stack. AWS Bridgecrew remediation integration

Fixing an unencrypted S3 bucket

Continuing with the example of the unencrypted S3 bucket from the previous page, the Fix button will now allow runtime changes to the S3 configuration:

AWS Bridgecrew remediating s3 unencrypted bucket

For the sake of this workshop, we can use the AWS Console to confirm the selected bucket is currently unencrypted:

AWS Bridgecrew remediating s3 unencrypted bucket

Back in Bridgecrew, review the remediation, and select Fix a final time.

AWS Bridgecrew remediating s3 unencrypted bucket

Bridgecrew will now use AWS API’s to ensure encryption is turned on for the selected resource:

AWS Bridgecrew remediating s3 unencrypted bucket

Checking the resource once more in the AWS Console, you will see that encryption is now enabled:

AWS Bridgecrew remediating s3 unencrypted bucket

The violation will also have been marked resolved in the Bridgecrew Incidents page.


You’ve integrated runtime security alerting and remediation into your DevSecOps automation!