Ensure there are no workloads with exploitable vulnerabilities

This workload currently has {{vulnerabilities.exploitableCount}} exploitable vulnerabilities.

Remediate by updating the vulnerable package, base image, or deployed artifact, then redeploy the workload so it no longer runs the affected version.

Kubernetes / generic container workloads

Update the running workload to a patched image:

kubectl set image deployment/{{asset.name}} <container-name>=<patched-image> --namespace <namespace>

Google Cloud Run

Redeploy the service or revision from a patched image:

gcloud run deploy {{asset.name}} --image <patched-image> --region {{asset.region}}

AWS Lambda container images

If the function is image-based, redeploy it with a patched image:

aws lambda update-function-code --function-name {{asset.name}} --image-uri <patched-image-uri>

Virtual machines and compute instances

Patch the operating system and application packages using your image pipeline or instance patching workflow, then verify the vulnerable package versions are no longer installed.

Validation

• Re-scan the workload after redeployment.
• Verify that exploitable vulnerability findings are cleared.
• If a fix cannot be applied immediately, isolate the workload and document a time-bound exception.

References

• Kubernetes kubectl set image: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_set/kubectl_set_image/
• Google Cloud Run deploy: https://docs.cloud.google.com/run/docs/deploying
• AWS Lambda update-function-code: https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-code.html

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

• AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
• GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
• GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• AWS: deploy/adjust organization conformance packs and policy guardrails.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

• Google Cloud: apply organization policy constraints at org/folder scope.

gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.