Autofix: CCA Rule Automations (AWS)

Overview

Autofix is a feature integrated into the CCA (PierCloud Compliance System) that allows for the execution of automatic corrections on AWS resources. It acts as a remediation engine: by identifying idle, misconfigured, or optimizable resources, Autofix automates resolutions that would otherwise require manual intervention.

Objective and Operation

Autofix transforms compliance diagnostics into immediate corrective actions. The operational workflow follows four main stages:

  1. Detection: The CCA identifies an "error" or configuration deviation (based on predefined rules and triggers) in a resource within your AWS account.

  2. Activation: The user enables the Autofix option for that specific rule or service in the CCA panel.

  3. Execution: Once enabled, the system performs the correction directly on the AWS infrastructure, using the access already granted to the CCA, without the user having to log in to the account.

  4. Monitoring: The automation results and correction details can be tracked in the Action History.


Triggers and Rules

Autofix relies on continuous evaluation of business rules; what it does on a match depends on the affected service:

  • Rule Evaluation: The system scans all connected accounts looking for non-conformities.

  • Trigger Activation: If a resource meets a rule's negative criteria, the correction trigger fires automatically; the correction itself runs only for rules and accounts where Autofix has been enabled.

Execution Frequency

Corrections are processed on the following schedule:

  • Standard Processing: Issues with Autofix enabled are processed within 24 hours of the initial detection of the problem.

  • Custom Configuration: Frequency may vary according to the settings defined in the CCA for each type of rule and specific account.


Benefits and Best Practices

  • Operational Efficiency: Eliminates repetitive manual cloud administration tasks.

  • Security and Compliance: Ensures that vulnerabilities or out-of-standard configurations are corrected quickly.

  • Cost Reduction: Acts promptly on idle resources identified by the system.

  • Recommendation: Before activating Autofix at scale, review the triggers in the CCA so that the automation is aligned with your organization's maintenance windows and policies. Several rules terminate or delete resources (stopped EC2 instances, detached EBS volumes, RDS instances); for those, the AMI or snapshot created beforehand is the only rollback path. Rules with no backup step (old EBS snapshots, detached Elastic IPs, empty load balancers, idle VPC endpoints, incomplete multipart uploads) are not reversible, so enable them account by account and check the Action History after the first run.


For use and access in the Pier platform:

When accessing the side menu, you will find the CCA functionality as described below:

If the "" tool is selected under the "Accounts with Autofix" option, the list of accounts from that provider is shown, each with a button to enable Autofix. As soon as it is enabled, Autofix performs the corresponding actions automatically.

The rules covered by Autofix within the CCA are currently as follows:

EC2

  • Stopped EC2 Instances:

    • Creates an AMI (image) of the instance before any action, preserving all its settings and tags.

    • Once the AMI is available, the instance is terminated.

    • The AMI remains available in your account for future restoration if necessary.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the instance before terminating.


EBS

  • Detached EBS Volume:

    • Creates a snapshot of the volume, preserving all its tags.

    • Once the snapshot is completed, the volume is deleted.

    • The snapshot remains available in your account.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the volume before deleting.

  • Old EBS Snapshot:

    • Removes the snapshot directly.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the snapshot before deleting.

  • GP2 to GP3 Volume Migration:

    • Migrates the volume type from GP2 to GP3.

    • IOPS is preserved if the current value is greater than 3000.

    • There is no downtime during migration.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the volume after migration.


EIP

  • Detached Elastic IP:

    • Releases the Elastic IP address that is not associated with any resource.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the EIP before releasing.


ELB

  • Load Balancer without instances:

    • Removes the Load Balancer (supports Classic, ALB, and NLB).

    • Adds the Pier:Autofix:Executed tag with a timestamp to the Load Balancer before deleting.


RDS

  • GP2 to GP3 Storage Migration:

    • Migrates the RDS instance storage type from GP2 to GP3.

    • Applied immediately, without the need for a maintenance window. The instance remains available during the change, but RDS reports a storage-optimization status until it completes and blocks further storage modifications in the meantime.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the instance after migration.

  • Graviton Migration:

    • Creates a security snapshot of the instance before any changes.

    • Once the snapshot is available, modifies the instance class to the equivalent Graviton type. Changing the instance class restarts the database, so expect a brief interruption (shorter on Multi-AZ deployments, which fail over to the standby).

    • The process is done in stages and may take more than one execution to complete.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the instance after migration.

  • RDS Instance Deletion:

    • Creates a final snapshot of the instance with the prefix pier-{timestamp}-{name} before deleting.

    • The snapshot remains available in your account for restoration.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the instance before deleting.

  • RDS Snapshot Archiving:

    • Creates an S3 bucket piercloud-autofix-{account_id}-{region} if it does not exist (without versioning).

    • Creates a KMS key with tags creator=Pier Cloud and piercloud:module=Pier Cloud Autofix if it does not exist.

    • Exports the snapshot to the S3 bucket using the KMS key for encryption.

    • Once the export is completed, the RDS snapshot is deleted.

    • The export process can take hours depending on the snapshot size.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the snapshot before deleting.


S3

  • Enable Intelligent Tiering:

    • Activates the Intelligent Tiering policy on the S3 bucket.

    • Automatically moves infrequently accessed objects to cheaper storage classes.

    • Tiers and periods are configured in the CCA before activating Autofix.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the bucket after activation.

  • Delete Incomplete Multipart Uploads:

    • Removes multipart uploads that were started but not completed.

    • Processes uploads created more than 1 day ago.

    • Frees up space and reduces storage costs.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the bucket after deletion.


VPC

  • Idle VPC Endpoint:

    • Removes VPC endpoints that are not being used.

    • Endpoints managed by AWS itself cannot be removed and will be flagged as a failure.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the VPC endpoint before deleting.


CloudFront

  • Enable Distribution Compression:

    • Activates automatic compression on all behaviors of the CloudFront distribution.

    • Reduces response sizes and improves performance.

    • Adds the Pier:Autofix:Executed tag with a timestamp to the distribution after activation.


Asynchronous Processes

Some corrections depend on AWS processes that take time to complete (AMI creation, snapshot, data export). In these cases, the system starts the process and continues monitoring in subsequent executions until completion.

  • Asynchronous corrections: Stopped EC2 Instances (AMI creation), Detached EBS Volume (snapshot creation), RDS Graviton Migration (snapshot and staged class change), RDS Snapshot Archiving (export to S3).
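The stopped-instance flow from the EC2 section and the resume-on-a-later-run behaviour described here, written out as an added example in Python. This is not Pier Cloud's code: the FakeEC2 class is a constructed stand-in for a boto3 EC2 client so the example runs offline (the method names and keyword parameters mirror the boto3 ones: describe_instances, create_image, describe_images, create_tags, terminate_instances); the job phase names, the AMI naming scheme and the re-check of the instance state at execution time are assumptions of this example, not documented product behaviour.

```python
"""Resumable remediation of a stopped EC2 instance (added example, not Pier Cloud's code).

Steps mirror the page: create an AMI, wait until it is 'available', tag the instance
with Pier:Autofix:Executed, then terminate.  Each call to remediate_stopped_instance()
performs at most one step and records where it stopped, so a scheduler can call it
once per run until the job reaches 'done' or 'failed'.
"""
from datetime import datetime, timezone

TAG_KEY = "Pier:Autofix:Executed"


class FakeEC2:
    """Constructed test double for a boto3 EC2 client (not AWS).  An AMI reports
    'pending' for `pending_polls` describe_images calls, then 'available'."""

    def __init__(self, instances, pending_polls=1):
        self.instances = {i: {"state": v["state"], "tags": dict(v["tags"])} for i, v in instances.items()}
        self.images = {}
        self.pending_polls = pending_polls
        self.calls = []  # (api_name, resource ids) in the order they were made

    def describe_instances(self, InstanceIds):
        inst = self.instances[InstanceIds[0]]
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "State": {"Name": inst["state"]},
            "Tags": [{"Key": k, "Value": v} for k, v in inst["tags"].items()],
        }]}]}

    def create_image(self, InstanceId, Name, NoReboot, TagSpecifications):
        image_id = f"ami-{len(self.images):017x}"
        self.images[image_id] = {"polls": 0, "tags": TagSpecifications[0]["Tags"]}
        self.calls.append(("create_image", InstanceId))
        return {"ImageId": image_id}

    def describe_images(self, ImageIds):
        img = self.images[ImageIds[0]]
        img["polls"] += 1
        state = "pending" if img["polls"] <= self.pending_polls else "available"
        return {"Images": [{"ImageId": ImageIds[0], "State": state}]}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.instances[r]["tags"].update({t["Key"]: t["Value"] for t in Tags})
        self.calls.append(("create_tags", tuple(Resources)))

    def terminate_instances(self, InstanceIds):
        for i in InstanceIds:
            self.instances[i]["state"] = "shutting-down"
        self.calls.append(("terminate_instances", tuple(InstanceIds)))


def remediate_stopped_instance(ec2, job):
    """Advance the job by one step and return the updated job dict.
    job phases (assumed names): start -> await_image -> done, or failed."""
    job = dict(job)
    if job["phase"] == "start":
        inst = ec2.describe_instances(InstanceIds=[job["instance_id"]])["Reservations"][0]["Instances"][0]
        # Detection may be up to 24h old: re-check the state and refuse anything not stopped.
        if inst["State"]["Name"] != "stopped":
            job.update(phase="failed", error=f"instance is {inst['State']['Name']}, not stopped")
            return job
        # Copy the instance's own tags onto the AMI; 'aws:' prefixed tags cannot be set by users.
        tags = [t for t in inst.get("Tags", []) if not t["Key"].startswith("aws:")]
        resp = ec2.create_image(
            InstanceId=job["instance_id"],
            Name=f"autofix-{job['instance_id']}-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}",
            NoReboot=True,
            TagSpecifications=[{"ResourceType": "image", "Tags": tags}],
        )
        job.update(phase="await_image", image_id=resp["ImageId"])
        return job
    if job["phase"] == "await_image":
        state = ec2.describe_images(ImageIds=[job["image_id"]])["Images"][0]["State"]
        if state == "pending":
            return job  # backup not ready: leave the job for the next execution
        if state != "available":
            job.update(phase="failed", error=f"AMI {job['image_id']} is {state}; instance left untouched")
            return job
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        ec2.create_tags(Resources=[job["instance_id"]], Tags=[{"Key": TAG_KEY, "Value": stamp}])
        ec2.terminate_instances(InstanceIds=[job["instance_id"]])
        job.update(phase="done", executed_at=stamp)
    return job


def run_until_settled(ec2, instance_id, max_runs=10):
    """Drive one job through repeated scheduler runs; returns (job, runs_used)."""
    job = {"instance_id": instance_id, "phase": "start"}
    for n in range(1, max_runs + 1):
        job = remediate_stopped_instance(ec2, job)
        if job["phase"] in ("done", "failed"):
            return job, n
    return job, max_runs


if __name__ == "__main__":
    ec2 = FakeEC2({"i-0123456789abcdef0": {"state": "stopped", "tags": {"Name": "batch-worker"}}})
    print(run_until_settled(ec2, "i-0123456789abcdef0"))
```

The point of the phase record is that the destructive call is only ever issued in the same step that observed the AMI as available, and a job that finds its instance running again at execution time stops without making any change.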


History and Audit

Each operation is recorded with:

  • Affected resource and AWS account.

  • Operation status (success or failure).

  • State before and after the correction.

  • Detailed error message, when available.


Resource Creation

Some corrections automatically create resources in your account:

  • S3 Bucket: Created for archiving RDS snapshots with the name piercloud-autofix-{account_id}-{region}.

  • KMS Key: Created to encrypt data exported from RDS snapshots, with identification tags.

  • AMI: Created as a backup before deleting stopped EC2 instances.

  • Snapshots: Created as backups before deleting EBS volumes or RDS instances.


Added Tags

All corrections add the Pier:Autofix:Executed tag with the execution timestamp to the affected resources. This tag serves for tracking and auditing the actions performed.
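An independent check of the History and Audit records from the AWS side, as an added example that is not part of this page or of the product: it walks CloudTrail records in time order and flags every TerminateInstances or DeleteVolume that was not preceded by a successful backup call (CreateImage or CreateSnapshot) and by a CreateTags carrying the Pier:Autofix:Executed tag, which is the sequence the EC2 and EBS rules above describe. The records are constructed samples laid out with CloudTrail's EC2 field names; the role name PierAutofixRole and the account id are hypothetical.

```python
"""Audit CloudTrail records for destructive Autofix actions that lack the
documented backup or tag.  Added example; not Pier Cloud's code."""
import json
import sys

TAG_KEY = "Pier:Autofix:Executed"

# Destructive EC2 API call -> backup call that must have succeeded first.
BACKUP_FOR = {"TerminateInstances": "CreateImage", "DeleteVolume": "CreateSnapshot"}


def resource_ids(event):
    """Extract the EC2 resource ids an event acts on (CloudTrail requestParameters layout)."""
    name, p = event["eventName"], event.get("requestParameters") or {}
    if name == "TerminateInstances":
        return [i["instanceId"] for i in p["instancesSet"]["items"]]
    if name == "CreateImage":
        return [p["instanceId"]]
    if name in ("DeleteVolume", "CreateSnapshot"):
        return [p["volumeId"]]
    if name == "CreateTags":
        return [i["resourceId"] for i in p["resourcesSet"]["items"]]
    return []


def carries_autofix_tag(event):
    items = (event.get("requestParameters") or {}).get("tagSet", {}).get("items", [])
    return any(t.get("key") == TAG_KEY for t in items)


def audit(events, role_name=None):
    """Return findings for destructive calls with no prior backup or no Autofix tag.
    role_name (hypothetical) limits the check to calls made through that assumed role."""
    backed_up, tagged, findings = set(), set(), []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("errorCode"):
            continue  # the API call failed: it made no backup and deleted nothing
        name, ids = e["eventName"], resource_ids(e)
        if name in ("CreateImage", "CreateSnapshot"):
            backed_up.update((name, r) for r in ids)
        elif name == "CreateTags" and carries_autofix_tag(e):
            tagged.update(ids)
        elif name in BACKUP_FOR:
            actor = e["userIdentity"].get("arn", "")
            if role_name and f":assumed-role/{role_name}/" not in actor:
                continue  # done by another principal; out of scope for this check
            for r in ids:
                problems = []
                if (BACKUP_FOR[name], r) not in backed_up:
                    problems.append(f"no prior successful {BACKUP_FOR[name]}")
                if r not in tagged:
                    problems.append(f"no {TAG_KEY} tag")
                if problems:
                    findings.append({"eventTime": e["eventTime"], "eventName": name,
                                     "resource": r, "actor": actor, "problems": problems})
    return findings


ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/PierAutofixRole/autofix"  # hypothetical


def ev(time, name, params, actor=ROLE_ARN, error=None):
    """Build a minimal CloudTrail record (constructed sample data, not a real log)."""
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn": actor}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [  # constructed samples
    ev("2024-05-01T01:55:00Z", "CreateSnapshot", {"volumeId": "vol-0ccc"}),
    ev("2024-05-01T02:00:00Z", "CreateImage", {"instanceId": "i-0aaa", "noReboot": True}),
    ev("2024-05-01T02:00:05Z", "CreateTags", {"resourcesSet": {"items": [{"resourceId": "i-0aaa"}]},
                                               "tagSet": {"items": [{"key": TAG_KEY, "value": "2024-05-01T02:00:05Z"}]}}),
    ev("2024-05-01T02:00:06Z", "TerminateInstances", {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}),
    ev("2024-05-01T02:10:00Z", "DeleteVolume", {"volumeId": "vol-0bbb"}),   # no snapshot, no tag
    ev("2024-05-01T02:11:00Z", "DeleteVolume", {"volumeId": "vol-0ccc"}),   # snapshot ok, no tag
    ev("2024-05-01T02:12:00Z", "CreateSnapshot", {"volumeId": "vol-0ddd"}, error="Client.InvalidVolume.NotFound"),
    ev("2024-05-01T02:13:00Z", "DeleteVolume", {"volumeId": "vol-0ddd"},
       actor="arn:aws:iam::123456789012:user/alice"),
]

if __name__ == "__main__":
    # Usage: python audit_autofix.py [cloudtrail.json]   (a file with a top-level "Records" list)
    records = json.load(open(sys.argv[1]))["Records"] if len(sys.argv) > 1 else SAMPLE_EVENTS
    for f in audit(records, role_name="PierAutofixRole"):
        print(f["eventTime"], f["eventName"], f["resource"], "; ".join(f["problems"]))
```

Because the page says the backup step may complete on a later execution, the check only requires the backup call to precede the deletion, not to fall on the same day; a failed backup call (errorCode set) is deliberately not counted. Run it without role_name to see deletions made by other principals as well.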
