Remediate security findings - AWS Prescriptive Guidance

Remediate security findings

After assessing and prioritizing a finding, the next action is remediating the finding. There are many different actions you could take to remediate a finding. For software vulnerabilities, you might update the operating system or apply a patch. For cloud configuration findings, you might update the resource configuration. In general, the actions you take to remediate can be grouped into one of the following outcomes:

  • Manual remediation – You manually provide a fix for the vulnerability, such as modifying the properties of an AWS resource to enable encryption. If the finding comes from a managed check in AWS Security Hub, the finding includes a link to instructions for remediating it manually.

  • Reusable artifact – You update the infrastructure as code (IaC) to fix the vulnerability and know that others could benefit from a similar solution. Consider uploading the updated IaC and a brief summary of the resolution to an internal shared code repository.

  • Automated remediation – The vulnerability is remediated automatically through mechanisms you created, for example an Amazon EventBridge rule that routes a Security Hub finding to an AWS Lambda function or a Systems Manager Automation runbook. Because these mechanisms change resources without a human in the loop, scope them to specific controls and resource types and test them in a non-production account first.

  • Pipeline control – You apply a control within your continuous integration and continuous delivery (CI/CD) pipeline that prevents deployment if the vulnerability is present.

  • Accepted risk – You take no action or implement a compensating control, and you accept the risk that the vulnerability presents. Track the accepted risk in a dedicated location, such as a risk register, with an owner and a review date.

  • False positive – You take no action because you have determined the finding didn't correctly identify a vulnerability.
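The following is an added example of the automated remediation outcome; it is not code from the AWS guide. It assumes a hypothetical setup in which an EventBridge rule forwards Security Hub findings for control S3.4 (S3 buckets should have server-side encryption enabled) to a Lambda function whose role holds s3:PutEncryptionConfiguration and securityhub:BatchUpdateFindings. The event shape (detail.findings holding ASFF findings) and the boto3 calls are real; the finding, bucket name and RecordingClient stand-in are constructed so the example runs offline.

```python
"""Automated remediation of a Security Hub finding delivered by EventBridge.

Added example, not code from the AWS guide. Assumed (hypothetical) setup: an
EventBridge rule matching "Security Hub Findings - Imported" events for control
S3.4 invokes this handler as a Lambda function with permissions for
s3:PutEncryptionConfiguration and securityhub:BatchUpdateFindings.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Control IDs this function knows how to fix. Anything else is left alone,
# which keeps the blast radius of the automation small and explicit.
SUPPORTED_CONTROLS = {"S3.4"}

# ARN of an S3 bucket, e.g. arn:aws:s3:::my-bucket (the partition may vary).
BUCKET_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:s3:::([a-z0-9.\-]{3,63})$")


class RecordingClient:
    """Stand-in for a boto3 client so the example runs offline: it records
    every call (method name and keyword arguments) instead of calling AWS."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, name: str):
        def method(**kwargs: Any) -> Dict[str, Any]:
            self.calls.append((name, kwargs))
            return {}
        return method


def findings_from_event(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """EventBridge wraps ASFF findings in detail.findings; ignore other events."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return list(event.get("detail", {}).get("findings", []))


def select_bucket(finding: Dict[str, Any]) -> Optional[str]:
    """Return the bucket to fix, or None if the finding is not actionable.

    Guards: the control must be supported, the check must have FAILED (a PASSED
    finding for the same control must not be "fixed" again), and the workflow
    must still be open so resolved or suppressed findings are not reprocessed.
    """
    compliance = finding.get("Compliance", {})
    if compliance.get("SecurityControlId") not in SUPPORTED_CONTROLS:
        return None
    if compliance.get("Status") != "FAILED":
        return None
    if finding.get("Workflow", {}).get("Status") not in ("NEW", "NOTIFIED"):
        return None
    for resource in finding.get("Resources", []):
        if resource.get("Type") == "AwsS3Bucket":
            match = BUCKET_ARN.match(resource.get("Id", ""))
            if match:
                return match.group(1)
    return None


def remediate(finding: Dict[str, Any], s3: Any, securityhub: Any) -> Optional[str]:
    """Enable SSE-S3 default encryption, then close the finding with a note."""
    bucket = select_bucket(finding)
    if bucket is None:
        return None
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    )
    # Updating Workflow.Status keeps Security Hub as the system of record and
    # leaves an audit trail of what the automation changed.
    securityhub.batch_update_findings(
        FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        Workflow={"Status": "RESOLVED"},
        Note={"Text": f"Default encryption enabled on {bucket} by auto-remediation",
              "UpdatedBy": "auto-remediation"},
    )
    return bucket


def handler(event: Dict[str, Any], context: Any = None,
            s3: Any = None, securityhub: Any = None) -> Dict[str, Any]:
    """Lambda entry point. Real boto3 clients are created only when none are
    injected, so local runs and tests can pass RecordingClient instances."""
    if s3 is None or securityhub is None:
        import boto3  # imported lazily so the module loads without boto3
        s3 = s3 or boto3.client("s3")
        securityhub = securityhub or boto3.client("securityhub")
    fixed = []
    for finding in findings_from_event(event):
        bucket = remediate(finding, s3, securityhub)
        if bucket:
            fixed.append(bucket)
    return {"remediated": fixed}


# Constructed sample event with a trimmed ASFF finding; not a real finding.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:security-control/S3.4/finding/example",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.4"},
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-unencrypted-bucket"}],
    }]},
}

if __name__ == "__main__":
    s3_client, hub_client = RecordingClient(), RecordingClient()
    print(json.dumps(handler(SAMPLE_EVENT, s3=s3_client, securityhub=hub_client)))
    for name, kwargs in s3_client.calls + hub_client.calls:
        print(name, json.dumps(kwargs))
```

The guards in select_bucket are the important part: Security Hub emits a finding for every evaluated resource, including PASSED ones, and re-imports findings whenever they are updated, so a handler that acts on every event for the control would loop on its own changes.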
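As an added example of the pipeline control outcome (again not code from the AWS guide), the following check fails a CI/CD stage when a CloudFormation template would deploy an S3 bucket without default encryption or public access blocking. It reads a JSON-format template (a YAML template would need a parser such as PyYAML, left out to keep the script dependency free); the AWS::S3::Bucket property names are the real ones, and the sample template is constructed.

```python
"""Pipeline control: block a deployment whose CloudFormation template defines
an S3 bucket without BucketEncryption or a full PublicAccessBlockConfiguration.

Added example, not from the AWS guide. Run it as a CI step before the deploy
stage; a non-zero exit status stops the pipeline.
"""
import json
import sys
from typing import Any, Dict, List

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def check_template(template: Dict[str, Any]) -> List[str]:
    """Return one violation string per problem; an empty list means the template passes."""
    violations: List[str] = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        if "BucketEncryption" not in props:
            violations.append(f"{name}: BucketEncryption is not set")
        # All four flags must be explicitly true; a missing flag defaults to false.
        pab = props.get("PublicAccessBlockConfiguration") or {}
        missing = [flag for flag in PUBLIC_ACCESS_FLAGS if pab.get(flag) is not True]
        if missing:
            violations.append(
                f"{name}: PublicAccessBlockConfiguration missing {', '.join(missing)}")
    return violations


def check_template_text(text: str) -> List[str]:
    """Parse a JSON template and check it."""
    return check_template(json.loads(text))


# Constructed sample template: one compliant bucket, one that must block the
# deploy, and an unrelated resource the check ignores.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
        }},
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True},
        }},
        "Queue": {"Type": "AWS::SQS::Queue"},
    }
})


def main(argv: List[str]) -> int:
    """Check the template at argv[1], or the built-in sample when none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TEMPLATE
    violations = check_template_text(text)
    for violation in violations:
        print("FAIL", violation)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as `python check_buckets.py template.json` in the stage that runs before deployment; because the check inspects the template rather than the deployed resource, the finding never reaches production, which is the point of a pipeline control as opposed to a reactive remediation.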

A complete list of the actions you can take and the tools you can use to remediate a vulnerability is out of scope for this guide. However, the following services and tools can help you remediate vulnerabilities at scale and are worth noting:

  • Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related updates and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.

  • AWS Firewall Manager helps you centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, Firewall Manager makes it easier to bring new applications and resources into compliance by enforcing a common set of security rules.

  • Automated Security Response on AWS is an AWS Solution that works with Security Hub and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats.