# Automate Your Cloud Remediation Using Serverless Functions

By [Young Lee](https://www.paloaltonetworks.com/blog/author/young-lee/?ts=markdown "Posts by Young Lee") Jan 11, 2021

Gaining visibility into your cloud environment is a critical step in
assessing your overall cybersecurity posture; however, the value in visibility is realized when you actually utilize those insights and take action. In other words, you must define a cloud *remediation* process: now that you know what's going wrong, what will you do to fix it?

Today, Prisma Cloud helps minimize the average "time-to-resolution" for cloud SOC teams by offering command line interface (CLI) based auto-remediation, where common misconfigurations can be resolved in just one click -- or better yet, automatically whenever they are detected.

## Why Auto-Remediation is Important

Many cybersecurity vendors fail to provide a comprehensive solution with regard to cloud remediation. These solutions may show all of your misconfigurations and vulnerabilities through a single pane of glass, but offer no simple way to resolve them. To make matters worse, in a world where resources and data are created, deployed and modified so quickly, it is basically impossible for cloud SOC teams to address security issues quickly and effectively. In other words, manual remediation is not enough: the *only* way to address cloud vulnerabilities at scale is with *automation*.

However, since every company is unique in its internal remediation processes, it is sometimes difficult to come up with a one-size-fits-all solution. For example, what if you have an approval process in place to double-check whenever production resources are modified? What if you want to [send a notification to Slack or Jira](https://www.paloaltonetworks.com/blog/2020/03/cloud-threat-intelligence-bot/) whenever a misconfiguration is automatically resolved? A CLI simply does not have such capabilities (or at the very least, the capabilities to do it at scale, automatically). This means the average time-to-resolution will still be relatively high, because many manual steps are still involved in resolving a security issue.

Another problem lies with permissions: any sort of remediation solution that a security vendor offers will involve granting that vendor additional permissions (typically write/execute permissions) to go into your cloud environment and change resources. This creates issues, especially for users in industries with strict privacy and security compliance requirements -- such as HIPAA in the healthcare industry -- and makes external remediation solutions less feasible.

This is why we're launching Prisma Cloud Enhanced Remediation: a free, flexible way to create custom auto-remediation solutions using serverless functions, all within your own cloud environment.

## What are Serverless Functions?

[Serverless computing](https://www.paloaltonetworks.com/blog/2020/03/cloud-securing-serverless/) is a service offered by cloud service providers (CSPs) such as Amazon Web Services (AWS) that abstracts away all underlying infrastructure that your code runs on. This effectively lets you run code without worrying about provisioning or managing servers, while only paying for the execution time and resources these functions take to run.

## Why Remediate Using Serverless?

The ability to quickly deploy and execute code makes serverless the perfect platform for remediation "runbooks" -- short remediation plans of action -- which involve doing quick, one-off tasks to resolve misconfigurations, vulnerabilities and other issues within your own environment. This also means you can focus more on the remediation plan itself, rather than worrying about how to deploy and manage the system within your cloud environment.

## How Serverless Remediation Works

At a high level, Prisma Cloud generates an alert and sends it to be processed by a serverless function we help you deploy. This function then parses the alert, figures out which runbook to execute and remediates accordingly. Runbooks are what we call the out-of-the-box Python scripts that we provide as example auto-remediation solutions.
Today, we ship [47 runbooks for AWS](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation/blob/master/AWS/lambda_package/README.md), most of which map one-to-one with Prisma Cloud's out-of-the-box policies.

![Diagram showing the architecture for Prisma Cloud Enhanced Remediation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/serverless-remediation.png)

Prisma Cloud Enhanced Remediation architecture. Using built-in integrations to CSPs (e.g. AWS Simple Queue Service, or SQS), Prisma Cloud can help quickly and easily remediate misconfigurations in your cloud environment with the flexibility of a full-fledged coding environment.

Deployment is quick and easy: following our [step-by-step setup guide](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation/blob/master/AWS/docs/setup.md), deploy the AWS Lambda and SQS using our CloudFormation template. This installs all of our out-of-the-box runbooks and connects the SQS to the Lambda function. Then, connect the SQS queue to Prisma Cloud using our built-in integration. That's it! You are now ready to auto-remediate alerts.

Prisma Cloud Enhanced Remediation also supports multi-account setups. This means you only deploy a single Lambda function that can then remediate *multiple* AWS accounts (i.e., all accounts in your AWS organization). All you have to do is deploy an additional CloudFormation template that grants the necessary permissions to the "parent" account's Lambda function. This greatly simplifies the workflow as you now only need to add, remove or modify the Lambda's runbooks and permissions in one place.

Note that this is all happening *within* your cloud environment -- no external write permissions required.
Furthermore, everything you deploy is under your control: if you don't want to grant this Lambda [access to your Amazon Simple Storage Service (S3) buckets](https://www.paloaltonetworks.com/blog/prisma-cloud/guide-protect-aws-s3/), for example, you can simply modify its [identity access management (IAM) policy](https://www.paloaltonetworks.com/blog/prisma-cloud/iam-security-controls/) accordingly. This is also covered in our setup guide above.

## Start Using Prisma Cloud Enhanced Remediation Today

With Prisma Cloud Enhanced Remediation, you can now resolve alerts automatically *within minutes*, while adhering to any and all custom processes you may have in place. This gives you more time to focus on the most important and involved tasks, improving your overall security posture and minimizing alert fatigue.

Finally, combined with our other auto-remediation offerings -- basic remediation via CLI and advanced remediation via [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/xsoar) -- Prisma Cloud truly unlocks the power of automation while giving you just the right amount of flexibility all in one, integrated platform.

This feature is currently available for AWS environments, with support for other major CSPs currently under development. For more information on how to get started, check out our [open-source GitHub repository](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation). Within this repo, you can find relevant documentation and resources such as the [AWS step-by-step setup guide](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation/blob/master/AWS/docs/setup.md), [runbooks we support out-of-the-box](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation/blob/master/AWS/lambda_package/README.md), and the [custom runbook development guide](https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation/blob/master/AWS/docs/custom_runbooks_guide.md).
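
The flow described under "How Serverless Remediation Works" (parse the alert, pick a runbook, remediate), combined with the approval step raised earlier for production resources, as an added example that is not code from the Prisma-Enhanced-Remediation repository. The alert field names, the policy ID, the account numbers and the `clients` factory are assumptions; a recording stand-in replaces boto3 so the sketch runs offline.

```python
import json

REQUIRED = ("alertId", "policyId", "accountId", "region", "resourceId")  # assumed field names
APPROVAL_ACCOUNTS = {"111111111111"}  # constructed: accounts where changes need sign-off

def block_public_s3(alert, clients):
    """Hypothetical runbook: enable all four S3 public-access-block settings."""
    s3 = clients("s3", alert["accountId"], alert["region"])
    settings = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    s3.put_public_access_block(Bucket=alert["resourceId"],
                               PublicAccessBlockConfiguration=settings)
    return "public access blocked on " + alert["resourceId"]

RUNBOOKS = {"example-policy-s3-public": block_public_s3}  # hypothetical policy ID -> runbook

def parse_alert(body):
    """Decode one queue message and insist on the fields a runbook relies on."""
    alert = json.loads(body)  # malformed JSON raises ValueError
    if not isinstance(alert, dict):
        raise ValueError("alert is not a JSON object")
    missing = [k for k in REQUIRED if not isinstance(alert.get(k), str) or not alert[k]]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return alert

def handle(event, clients):
    """Process an SQS-triggered Lambda event; return one outcome per message."""
    outcomes = []
    for record in event.get("Records", []):
        try:
            alert = parse_alert(record["body"])
        except (KeyError, ValueError) as exc:
            outcomes.append((record.get("messageId"), "rejected", str(exc)))
            continue
        runbook = RUNBOOKS.get(alert["policyId"])
        if runbook is None:
            outcome = ("skipped", "no runbook for " + alert["policyId"])
        elif alert["accountId"] in APPROVAL_ACCOUNTS:
            outcome = ("pending_approval", runbook.__name__)  # hand off, change nothing
        else:
            try:
                outcome = ("remediated", runbook(alert, clients))
            except Exception as exc:  # one failing runbook must not drop the batch
                outcome = ("failed", type(exc).__name__)
        outcomes.append((record.get("messageId"), *outcome))
    return outcomes

def recording_clients(log):
    """Offline stand-in for a boto3 client factory: logs calls instead of sending them."""
    class _Client:
        def __getattr__(self, operation):
            return lambda **kwargs: log.append((operation, kwargs))
    return lambda service, account_id, region: _Client()

def demo():
    """Four constructed messages: routine, approval-gated, unmapped policy, malformed."""
    ok = dict(alertId="P-1", policyId="example-policy-s3-public", accountId="222222222222",
              region="us-east-1", resourceId="constructed-bucket")
    bodies = [ok, {**ok, "accountId": "111111111111"}, {**ok, "policyId": "unmapped"}]
    records = [{"messageId": f"m{i}", "body": json.dumps(b)} for i, b in enumerate(bodies, 1)]
    records.append({"messageId": "m4", "body": "{not json"})
    calls = []
    return handle({"Records": records}, recording_clients(calls)), calls
```

In a deployed function the factory would return real clients, and the IAM policy attached to the function still bounds what any runbook can change.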