InfraAudit’s remediation system provides a structured, auditable path from a finding to a fix. Every remediation action goes through a defined lifecycle with optional approval gates, a pre-execution snapshot for rollback, and a complete audit trail.

Lifecycle overview

    suggested
        │
        ├── [if approval required]
        │       ↓
        │   pending_approval ──[rejected]──→ (closed)
        │       │
        │   [approved]
        │       │
        ▼       ▼
    executing
        │
        ├── completed ──[within rollback window]──→ rolled_back
        │
        └── failed
Every created action starts in suggested state. From there, it either awaits approval (the default) or moves directly to execution.

Create a remediation action

You can create a remediation action from several places in the UI:
  • Recommendations — click Apply fix in the Recommendations section
  • Drift findings — click Apply remediation in the Drift detail panel
  • Compliance failures — click Create remediation from a failing control
Or from the CLI, by referencing the finding the action should fix:
infraudit remediation suggest --finding drift:<drift-id>

Review the suggested action

Every suggested action includes the following before you approve it:
  • A plain-language description of what change will be made (for example, “Enable S3 server-side encryption on bucket my-data-bucket”)
  • The affected resource and its current configuration
  • A pre-execution snapshot of the configuration — used for rollback if needed
  • An estimated risk level: Low, Medium, or High, based on the scope of the change

Approve and execute

By default (REMEDIATION_REQUIRE_APPROVAL=true), a newly created action moves to pending_approval. An authorized user must review and approve it before execution proceeds.
# Approve a remediation action
infraudit remediation approve <action-id>

# Execute after approval
infraudit remediation execute <action-id>
When executed, InfraAudit calls the cloud provider API directly to apply the change. The action moves to executing and then to completed or failed. Examples of what execution does:
Finding type                      Cloud API call
S3 bucket encryption drift        PutBucketEncryption
Security group over-permission    RevokeSecurityGroupIngress
IAM key rotation                  CreateAccessKey + DeleteAccessKey
RDS backup disabled               ModifyDBInstance

Roll back a completed action

Within the rollback window (default: 30 minutes after completion), you can reverse the change:
infraudit remediation rollback <action-id>
InfraAudit uses the pre-execution snapshot to reconstruct and apply the original configuration. Not all action types support rollback — check the action detail panel before relying on this. After the rollback window closes, manual reversal in the cloud console is required.

Enable auto-execution

For teams that want fully automated remediation without manual approve-and-execute steps, disable the approval requirement:
REMEDIATION_REQUIRE_APPROVAL=false
Individual high-risk action types can still require approval even when global approval is off. Configure per-type overrides under Settings → Remediation.
Auto-execution means InfraAudit will call cloud provider write APIs without a human review step. Enable this only for action types and resources where you’re confident in the recommendations.

Audit trail

Every state transition — suggested → pending_approval → approved → executing → completed → rolled_back — is logged with the user who performed it, a timestamp, and any comments they added. The audit log is accessible from the remediation detail panel and is included in exported compliance reports.
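The lifecycle, approval gate, per-type override, rollback window and audit trail described on this page, modelled as a small state machine. This is an added example, not InfraAudit's own code: only the state names, the REMEDIATION_REQUIRE_APPROVAL setting and the 30-minute default come from the page; the class, field and function names, the `per_type_overrides` dictionary, the in-memory `FAKE_CLOUD` stand-in for the provider and the `fake_put_bucket_encryption` call are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the page's lifecycle; names other than the state names and
# REMEDIATION_REQUIRE_APPROVAL are assumptions, not InfraAudit's API.


@dataclass
class Settings:
    require_approval: bool = True                           # REMEDIATION_REQUIRE_APPROVAL
    per_type_overrides: dict = field(default_factory=dict)  # assumed shape, e.g. {"iam_key_rotation": True}
    rollback_window: timedelta = timedelta(minutes=30)      # page default


@dataclass
class RemediationAction:
    action_id: str
    action_type: str
    resource: str
    desired_config: dict
    snapshot: dict                      # pre-execution configuration, reapplied on rollback
    supports_rollback: bool = True
    state: str = "suggested"
    completed_at: Optional[datetime] = None
    audit: list = field(default_factory=list)   # (state, user, timestamp, comment) per transition

    def _transition(self, state, user, now, comment=""):
        self.state = state
        self.audit.append((state, user, now, comment))

    def needs_approval(self, settings):
        # A per-type override keeps the gate even when the global flag is off.
        return settings.require_approval or settings.per_type_overrides.get(self.action_type, False)

    def approve(self, user, now, comment=""):
        if self.state != "pending_approval":
            raise ValueError(f"cannot approve from state {self.state}")
        self._transition("approved", user, now, comment)

    def execute(self, user, now, settings, apply_change):
        # Executing straight from 'suggested' is allowed only when no approval gate applies.
        if self.state == "suggested" and self.needs_approval(settings):
            raise PermissionError("action is awaiting approval")
        if self.state not in ("suggested", "approved"):
            raise ValueError(f"cannot execute from state {self.state}")
        self._transition("executing", user, now)
        try:
            apply_change(self.resource, self.desired_config)   # the provider write call
        except Exception as exc:
            self._transition("failed", user, now, str(exc))
            return self.state
        self.completed_at = now
        self._transition("completed", user, now)
        return self.state

    def rollback(self, user, now, settings, apply_change):
        if self.state != "completed":
            raise ValueError(f"cannot roll back from state {self.state}")
        if not self.supports_rollback:
            raise ValueError("this action type does not support rollback")
        if now - self.completed_at > settings.rollback_window:
            raise ValueError("rollback window closed; reverse the change manually")
        apply_change(self.resource, self.snapshot)   # reconstruct the original configuration
        self._transition("rolled_back", user, now)
        return self.state


def create_action(action_id, action_type, resource, desired_config, read_config, settings, user, now):
    """Snapshot the current configuration, then park the action at the approval gate if one applies."""
    action = RemediationAction(action_id, action_type, resource, desired_config, dict(read_config(resource)))
    action._transition("suggested", user, now)
    if action.needs_approval(settings):
        action._transition("pending_approval", user, now)
    return action


# Constructed stand-in for the cloud provider: one bucket with no server-side encryption set.
FAKE_CLOUD = {"my-data-bucket": {"sse_algorithm": None}}


def fake_put_bucket_encryption(resource, config):
    FAKE_CLOUD[resource] = dict(config)


def run_demo(require_approval=True, rollback_after_minutes=5):
    """Drive one S3 encryption fix through the lifecycle; returns audit states, configs and rollback outcome."""
    FAKE_CLOUD["my-data-bucket"] = {"sse_algorithm": None}
    settings = Settings(require_approval=require_approval)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    action = create_action("act-1", "s3_encryption_drift", "my-data-bucket", {"sse_algorithm": "AES256"},
                           FAKE_CLOUD.__getitem__, settings, "alice", t0)
    if action.state == "pending_approval":
        action.approve("bob", t0 + timedelta(minutes=1), "reviewed diff")
    action.execute("bob", t0 + timedelta(minutes=2), settings, fake_put_bucket_encryption)
    after_execute = dict(FAKE_CLOUD["my-data-bucket"])
    try:
        action.rollback("bob", action.completed_at + timedelta(minutes=rollback_after_minutes),
                        settings, fake_put_bucket_encryption)
        outcome = "rolled back"
    except ValueError as exc:
        outcome = str(exc)
    return [entry[0] for entry in action.audit], after_execute, dict(FAKE_CLOUD["my-data-bucket"]), outcome
```

`run_demo()` walks the default approval path (suggested → pending_approval → approved → executing → completed → rolled_back) and restores the snapshot; `run_demo(require_approval=False, rollback_after_minutes=45)` shows the auto-execution path skipping the gate and a rollback refused because the window has closed. The per-type override is what lets a high-risk type such as IAM key rotation keep its approval gate when the global flag is off.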