Remediation Strategies in Prisma Cloud
Introduction
Prisma Cloud provides security policy enforcement at both build-time and run-time.
Build-time refers to scanning Infrastructure as Code (IaC) before deployment—catching issues directly in your repositories or CI/CD pipelines.
Run-time targets live cloud environments, monitoring deployed resources in AWS, GCP, and Azure for configuration drift and policy violations.
This post outlines Prisma Cloud’s supported remediation strategies across both contexts.
Supported Cloud Providers
AWS
GCP
Azure
Run-Time Remediation Strategies
Manual or Guided Remediation
When adding your cloud accounts to Prisma Cloud, you can enable or disable auto-remediation. Some organizations prefer manual remediation due to:
Strict change control processes
Security concerns with overly broad permissions
Policies requiring User Acceptance Testing (UAT) before making production changes
In these cases, remediation is best handled manually—backed by change management workflows and approvals. Prisma Cloud helps by generating the relevant CLI commands so teams can:
Validate fixes in staging environments
Rescan with Prisma Cloud
Build confidence in the remediation steps before automating them
Figure: Manual remediation command example from Prisma Cloud
Auto-Remediation
Prisma Cloud supports automated remediation for misconfigurations using pre-defined CLI commands. To enable this:
Enable Remediation permissions for Prisma Cloud’s role in your cloud accounts
Configure alert rules with Auto-Remediation turned ON
Prisma Cloud will execute remediation commands in response to alerts triggered by supported configuration policies. You can scope these to specific accounts, policies, or policy categories.
⚠️ Note: If multiple alert rules match a policy and only one has Auto-Remediation enabled, Prisma Cloud prioritizes the rule with Auto-Remediation.
🚫 Caution: IAM policies are not supported for standard Auto-Remediation. Attempting to include them in auto-remediation rules will fail. Use Enhanced Auto-Remediation instead (covered below).
Enhanced Auto-Remediation
Enhanced Auto-Remediation integrates with your cloud provider’s native automation features, such as AWS Lambda, to create serverless remediation workflows.
How it works:
Configure Prisma Cloud to send alert messages (e.g., to Amazon SQS)
Alerts trigger serverless functions
Functions call scripts or runbooks to remediate misconfigurations
While this takes effort to set up, it's ideal for managing:
High-volume, low-priority alerts
Scenarios where custom logic is needed
Cost-sensitive environments (you only pay for compute time used)
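As an added illustration of this workflow (example code, not Prisma Cloud's own or a documented integration), the following Python Lambda handler consumes a batch of SQS records carrying alerts, dispatches each one to a runbook keyed by policy ID, and only acts on accounts that are explicitly opted in. The alert field names, policy IDs and account numbers are constructed assumptions; each runbook returns the planned AWS API call as data (a dry run) instead of executing it, so the code runs offline and the plan can be reviewed before any change-management approval.

```python
import json
# Constructed alert shape {"alertId","policyId","accountId","resource"}: assumed for this example, not Prisma Cloud's documented schema.
def remediate_s3_public_access(resource: dict) -> dict:
    """Plan: block all public access on the offending bucket."""
    return {"service": "s3", "action": "put_public_access_block", "bucket": resource["name"],
            "config": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                          "BlockPublicPolicy", "RestrictPublicBuckets")}}

def remediate_sg_open_ssh(resource: dict) -> dict:
    """Plan: revoke the world-open SSH ingress rule on the security group."""
    return {"service": "ec2", "action": "revoke_security_group_ingress", "group_id": resource["id"],
            "rule": {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}}

# Hypothetical policy IDs: each alerting policy maps to exactly one runbook.
RUNBOOKS = {"POLICY-S3-PUBLIC-EXAMPLE": remediate_s3_public_access,
            "POLICY-SG-SSH-OPEN-EXAMPLE": remediate_sg_open_ssh}
OPTED_IN_ACCOUNTS = {"111111111111"}  # scoping, as with alert rules: only opted-in accounts are touched

def plan_remediation(alert: dict) -> dict:
    """Decide what (if anything) to do for one alert; unknown policies and missing fields are skipped."""
    alert_id, policy_id = alert.get("alertId"), alert.get("policyId")
    if alert.get("accountId") not in OPTED_IN_ACCOUNTS:
        return {"alertId": alert_id, "status": "skipped", "reason": "account not opted in"}
    runbook = RUNBOOKS.get(policy_id)
    if runbook is None or not isinstance(alert.get("resource"), dict):
        return {"alertId": alert_id, "status": "skipped", "reason": f"no runbook for {policy_id}"}
    return {"alertId": alert_id, "status": "planned", "action": runbook(alert["resource"])}

def handler(event: dict, context=None) -> list:
    """Lambda entry point for an SQS batch: one result per record; malformed bodies are skipped, not fatal."""
    results = []
    for record in event.get("Records", []):
        try:
            alert = json.loads(record["body"])
            if not isinstance(alert, dict):
                raise TypeError("alert body is not a JSON object")
        except (KeyError, TypeError, json.JSONDecodeError):
            results.append({"alertId": None, "status": "skipped", "reason": "malformed message"})
            continue
        results.append(plan_remediation(alert))
    return results

# Constructed SQS event: one actionable alert, one from an account not opted in, one unparsable body.
SAMPLE_EVENT = {"Records": [
    {"body": json.dumps({"alertId": "A-1", "policyId": "POLICY-S3-PUBLIC-EXAMPLE",
                         "accountId": "111111111111", "resource": {"name": "finance-reports"}})},
    {"body": json.dumps({"alertId": "A-2", "policyId": "POLICY-SG-SSH-OPEN-EXAMPLE",
                         "accountId": "222222222222", "resource": {"id": "sg-0abc"}})},
    {"body": "not json"}]}
```

Calling `handler(SAMPLE_EVENT)` yields one planned action and two skips; wiring the returned plan to the cloud SDK is the only step a production deployment adds.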
Build-Time Remediation Strategies
Prisma Cloud supports build-time scanning through integrations with IaC repositories and CI/CD systems.
Manual Remediation
For policies without full automation, there are two common manual remediation paths:
Terraform Fix Snippets
If a policy includes an enhanced fix, Prisma Cloud may provide Terraform code snippets. These can be manually applied to IaC codebases.
Inline Fix Suggestions in Repositories
When misconfigurations are found in onboarded repos, Prisma Cloud shows the necessary changes. Clicking “Manual Fix” navigates to the file needing the edit.
Auto-Remediation for Build-Time Policies
Some Out-of-the-Box (OOTB) build policies support auto-remediation via pull requests:
Navigate to Application Security > Projects > IaC Misconfigurations
Review and select issues with available fixes
Click Fix, add to cart, and submit
Prisma Cloud creates PRs in your repos with the remediations
To verify which policies are supported, use the Prisma Cloud API:
GET https://{{url}}/bridgecrew/api/v2/checkov/runConfiguration?module=pc
This returns mappings between Prisma IDs and Checkov policy IDs for enhanced automation.
Additional Resources