Auto Remediation in Prancer
The Auto Remediation feature in Prancer simplifies the process of correcting policy violations in both cloud resources and Infrastructure as Code (IaC) template files.
1. Remediation on Cloud Resources
- Direct Updates: Prancer connects directly to the relevant cloud environment (e.g., Azure, AWS, GCP) using credentials from the defined connector.
- Permissions Required: The connector must have appropriate permissions to modify the resource configuration.
- Automatic Fixes: Once connected, Prancer updates the affected cloud resources to address any identified issues.
2. Remediation in IaC Template Files
- Branch Creation: Prancer creates a new branch from the source branch.
- Commit & Pull Request: It then commits the required fixes to this new branch and generates a pull request for the original (source) branch.
- Collaborative Approval: Team members can review the changes and merge them into the main branch once approved.
3. Using Auto Remediation
- Locate Findings: Go to the Infra Findings screen and identify a failed test case.
- Select Remediate: Either click on the blue circle in the Remediate column or open the details of the failed test case and click on Remediate.
- Apply Fixes: Prancer automatically applies the remediation, whether on the cloud resource or in the template file.
IaC Remediation Workflow
1. Review Findings and Severity: Start by reviewing all identified issues and their severity levels in the list of findings.
2. Select Findings: Click on an individual finding to view more details. You can also remediate issues in bulk, for example all resources of a particular type, in a single action.
3. Initiate Remediation: Choose the Remediation button. This triggers Prancer's tested and validated remediation feature, which includes AI integration for added context and guidance.
4. Automated Code Updates: The system automatically checks out the relevant IaC code, applies the necessary fixes, commits the changes, and submits a pull request.
5. View Detailed Changes: The platform provides clear visibility into which sections of the code were modified.
6. Approval and Merge: Once a team member approves the pull request, the changes are merged into the main branch, ensuring that the updated configuration is properly integrated.
CSP Remediation Workflow
1. Review Findings and Severity: Start by reviewing all identified issues and their severity levels in the list of findings.
2. Select Findings: Click on an individual finding to view more details. You can also remediate issues in bulk, for example all resources of a particular type, in a single action.
3. Initiate Remediation: Choose the Remediation button. This triggers Prancer's tested and validated remediation feature, which includes AI integration for added context and guidance.
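Direct remediation of a live resource differs from the IaC path in two ways that section 1 above calls out: the connector's credentials must carry enough permission to modify the resource, and the change is applied to the cloud API rather than to a file. The following added example (not Prancer's code, and not its connector implementation) models both as a dry-run planner for an AWS security group. The group is shaped like EC2 DescribeSecurityGroups output and the connector policies like IAM policy documents, all constructed here; the required action list and trusted CIDR are assumptions. A real executor would dispatch each planned operation to the SDK (with boto3, `ec2.revoke_security_group_ingress` and `ec2.authorize_security_group_ingress`); here the plan is returned and optionally handed to a caller-supplied callable.

```python
"""Added example (not Prancer's code): check a connector's permissions, then
plan the API calls that close admin ports opened to 0.0.0.0/0 on a live group."""
import fnmatch

ADMIN_PORTS = {22, 3389}       # SSH and RDP (constructed policy choice)
TRUSTED_CIDR = "10.0.0.0/8"    # hypothetical corporate range

# Actions this remediation needs; the connector must be allowed all of them.
REQUIRED_ACTIONS = {
    "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupIngress",
}

# Constructed: a live security group with SSH open to the world.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",        # constructed id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed connector policies: one scoped for remediation, one read-only.
REMEDIATION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}
READ_ONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise the action
    needs a matching Allow. Wildcards in Action (e.g. ec2:Describe*) are honoured."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def missing_permissions(policy):
    """Return the required actions the connector policy does not grant."""
    return sorted(a for a in REQUIRED_ACTIONS if not policy_allows(policy, a))


def plan_remediation(group):
    """List the API operations that close admin ports opened to 0.0.0.0/0,
    re-granting the same ports to TRUSTED_CIDR when it is not already present."""
    ops = []
    for perm in group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        all_traffic = perm.get("IpProtocol") == "-1"
        if not (all_traffic or any(lo <= p <= hi for p in ADMIN_PORTS)):
            continue
        ports = {k: perm[k] for k in ("FromPort", "ToPort") if k in perm}
        base = {"IpProtocol": perm["IpProtocol"], **ports}
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") != "0.0.0.0/0":
                continue
            ops.append({"action": "RevokeSecurityGroupIngress",
                        "GroupId": group["GroupId"],
                        "IpPermissions": [{**base, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]})
            if not any(r.get("CidrIp") == TRUSTED_CIDR for r in perm["IpRanges"]):
                ops.append({"action": "AuthorizeSecurityGroupIngress",
                            "GroupId": group["GroupId"],
                            "IpPermissions": [{**base, "IpRanges": [{"CidrIp": TRUSTED_CIDR}]}]})
    return ops


def remediate(group, connector_policy, execute=None):
    """Refuse to start without the needed permissions; otherwise plan the fix
    and, if `execute` is given, hand each operation to it in order."""
    missing = missing_permissions(connector_policy)
    if missing:
        raise PermissionError("connector lacks: " + ", ".join(missing))
    ops = plan_remediation(group)
    if execute is not None:
        for op in ops:
            execute(op)
    return ops


if __name__ == "__main__":
    for op in remediate(SAMPLE_GROUP, REMEDIATION_POLICY):
        print(op)
```

Checking the policy before planning, rather than letting the first API call fail halfway through a bulk run, is the practical reading of the "Permissions Required" point: a connector that can describe but not modify resources should be rejected up front, and a connector scoped to exactly the listed actions is enough for this resource type.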
IaC Remediation Supported Resources
Below are three tables—one for each major cloud provider (AWS, Azure, and GCP)—listing the supported resources and a brief description of each resource.
AWS Resources
Resource | Description |
---|---|
acm | AWS Certificate Manager for provisioning and managing SSL/TLS certificates. |
amplify | AWS Amplify for developing and hosting full-stack web and mobile applications. |
api_gateway | Amazon API Gateway for creating, deploying, and managing APIs. |
cloudfront | Amazon CloudFront for content delivery (CDN) and caching. |
cloudtrail | AWS CloudTrail for governance, compliance, and auditing of AWS account activity. |
code | AWS Code Services (e.g., CodeCommit, CodeBuild, CodeDeploy) for CI/CD pipelines. |
database | AWS Database services (e.g., Amazon RDS, DynamoDB) for relational and NoSQL storage. |
ec2 | Amazon Elastic Compute Cloud (EC2) for virtual servers. |
ec2networkacl | EC2 Network Access Control List for controlling inbound/outbound subnet-level traffic. |
ecr | Amazon Elastic Container Registry for storing and managing Docker images. |
ecs | Amazon Elastic Container Service for container orchestration. |
eks | Amazon Elastic Kubernetes Service for running Kubernetes at scale. |
elasticsearch | Amazon OpenSearch Service (formerly Elasticsearch) for search and analytics workloads. |
elb | Elastic Load Balancing for automatically distributing incoming traffic across multiple targets. |
emr | Amazon EMR for big data processing using Apache Hadoop, Spark, and other frameworks. |
iam | AWS Identity and Access Management for securing access to AWS services and resources. |
kms | AWS Key Management Service for creating and controlling encryption keys. |
lambda | AWS Lambda for running code without provisioning or managing servers. |
msk | Amazon Managed Streaming for Apache Kafka for real-time data streaming. |
redshift | Amazon Redshift data warehouse for large-scale analytics. |
sagemaker | Amazon SageMaker for building, training, and deploying machine learning models. |
securitygroup | EC2 Security Groups for instance-level inbound and outbound traffic control. |
sns | Amazon Simple Notification Service for pub/sub messaging. |
sqs | Amazon Simple Queue Service for reliable, scalable message queuing. |
vpc | Amazon Virtual Private Cloud for provisioning a logically isolated section of AWS. |
Azure Resources
Resource | Description |
---|---|
KeyVault | Securely store and control access to keys, secrets, and certificates. |
Redis | Azure Cache for Redis for high-performance data caching. |
activitylogalerts | Monitor and trigger actions based on Azure Activity Log events. |
aks | Azure Kubernetes Service for deploying and managing containerized applications. |
applicationgateways | Azure Application Gateway for load balancing and web application firewall (WAF). |
azure_firewallso | Azure Firewall for network protection with built-in high availability and auto-scaling. |
cdn | Azure Content Delivery Network for fast content distribution. |
container_instance | Azure Container Instances for running containers without managing servers. |
cosmosdb | Globally distributed, multi-model database service. |
databricks | Azure Databricks for big data analytics and AI workloads. |
dbadministrators | Configuration of database administrator roles for Azure databases. |
dbauditingsettings | Auditing settings for Azure databases to track events and changes. |
dbdataencryption | Encryption configurations for Azure database data-at-rest. |
dbfirewallrules | Firewall rules to control inbound/outbound traffic for Azure databases. |
dbforMariaDB | Azure Database for MariaDB configuration and management. |
dbforMySQL | Azure Database for MySQL configuration and management. |
dbforMySQL_firewallrules | Firewall rules for Azure Database for MySQL. |
dbsecurityalertpolicies | Security alert policies for Azure databases. |
dbvulnerabilityassessments | Vulnerability assessments for Azure databases. |
diagnosticsettings | Diagnostic settings for collecting resource logs and metrics. |
disks | Managed disks for Azure virtual machines. |
eventgrid | Azure Event Grid for event-based, serverless architectures. |
eventhub | Azure Event Hubs for big data streaming and event ingestion. |
frontdoors | Azure Front Door for global, scalable web applications and content delivery. |
functionapp | Azure Functions (serverless compute) hosted as an Azure Function App. |
keyvaultkeys | Management of cryptographic keys in Azure Key Vault. |
keyvaultsecrets | Management of secrets within Azure Key Vault. |
locks | Resource locks to prevent accidental deletions or modifications. |
ms_defender_for_cloud | Microsoft Defender for Cloud for advanced threat protection and compliance. |
networkwatchersflowlogs | Flow logs from Network Watcher for traffic analysis. |
nsg | Network Security Groups to filter network traffic at the subnet or NIC level. |
postgreSQL | Azure Database for PostgreSQL configuration and management. |
pricing | Pricing tier configurations for select Azure services. |
recoveryservices_vaults | Recovery Services Vaults for backup and site recovery scenarios. |
registrieswebhooks | Webhook management for Azure Container Registry. |
registry | Azure Container Registry for storing Docker images. |
secrets | Storage and management of sensitive information (e.g., Key Vault secrets). |
securitycontacts | Security contact information for Azure Security Center/Defender. |
sql_alert_policy | Alert policies for Azure SQL Database events and metrics. |
sql_database | Azure SQL Database for relational data storage and management. |
sql_managedinstance | Azure SQL Managed Instance for near 100% compatibility with SQL Server. |
sql_servers | Azure SQL Servers hosting single or pooled databases. |
sql_servers_auditing | Auditing configuration for Azure SQL Servers. |
sql_servers_encryption | Transparent data encryption for Azure SQL servers. |
sql_vulnerabilityassessments | Vulnerability assessments for Azure SQL Databases and Managed Instances. |
storageaccounts | Azure Storage Accounts (Blobs, Files, Queues, Tables). |
vm | Azure Virtual Machines running Windows or Linux. |
vm_scale_sets | Azure VM Scale Sets for auto-scaling virtual machine resources. |
vmextensions | Extensions to run scripts and tasks on Azure VMs. |
vnetpeerings | Virtual network peering between two Azure VNets. |
vnetsubnets | Subnets within an Azure Virtual Network. |
vpngateways | VPN gateways for secure site-to-site, point-to-site, or VNet-to-VNet connections. |
web | Azure Web Apps for hosting web applications and APIs. |
GCP Resources
Resource | Description |
---|---|
cloudfunction | Google Cloud Functions for serverless event-driven compute. |
compute | Google Compute Engine for deploying and managing virtual machines. |
container | Google Kubernetes Engine for container orchestration. |
database | Google Cloud SQL or other GCP database services for relational storage. |
dns | Google Cloud DNS for scalable, reliable domain name system hosting. |
iam | Identity and Access Management for controlling user and service access. |
kms | Cloud Key Management Service for creating and managing cryptographic keys. |
logging | Cloud Logging (Stackdriver) for logs ingestion and analysis. |
sqladmin | Cloud SQL Admin for managing MySQL, PostgreSQL, or SQL Server instances. |
storage | Google Cloud Storage for object storage at scale. |
These tables provide a high-level overview of the resources Prancer currently supports for Infrastructure as Code (IaC) scanning and auto remediation.
CSP Remediation Supported Resources
Below is a concise table summarizing the CSP remediation resources available for direct remediation on each cloud provider, along with a brief description of each resource:
Cloud Provider | Resource | Description |
---|---|---|
Azure | NSG (Network Security Group) | Used to filter inbound and outbound network traffic at the subnet or NIC level. |
Azure | Storage Account | Provides secure, scalable storage for blobs, files, queues, and tables within Azure. |
AWS | IAM (Human & Non-Human) | Manages identity and access to AWS services and resources for users, groups, and roles. |
AWS | Security Group | Acts as a virtual firewall controlling inbound/outbound traffic to AWS EC2 instances and resources. |
GCP | Security Group | Functions similarly to a virtual firewall (via VPC firewall rules) for controlling resource traffic. |
These resources can be remediated directly within their respective cloud environments (Azure, AWS, and GCP) using Prancer’s CSP remediation capabilities.