Automation Workflows
Design and implement automated governance workflows for policy enforcement, compliance remediation, and incident response using the PolicyCortex automation engine.
Automation Workflow Types
🚨 Incident Response
Automated response to security violations
• Immediate containment actions
• Alert escalation workflows
• Evidence collection automation
• Stakeholder notifications
🔧 Auto-Remediation
Automatic fixing of policy violations
• Configuration drift correction
• Security hardening automation
• Compliance gap resolution
• Resource optimization
📋 Compliance Reporting
Scheduled compliance assessments
• Regular compliance scans
• Automated report generation
• Control effectiveness testing
• Audit evidence collection
🔄 Approval Workflows
Multi-stage approval processes
• Policy exception requests
• Risk assessment approvals
• Change management reviews
• Privilege access requests
Creating Automation Workflows
Basic Workflow Structure
Define triggers, conditions, and actions for your automation workflows.
Workflow Configuration

```yaml
# Basic automation workflow structure
workflow:
  name: "auto-remediate-s3-public-access"
  description: "Automatically disable public access on S3 buckets"
  version: "1.0"

  # Trigger conditions
  trigger:
    event: "policy.violation.created"
    conditions:
      - policy_name: "s3-no-public-access"
      - severity: ["HIGH", "CRITICAL"]
      - resource_type: "AWS::S3::Bucket"

  # Workflow steps
  steps:
    - name: "assess_risk"
      type: "evaluation"
      conditions:
        - bucket_has_sensitive_data: true
        - bucket_environment: "production"

    - name: "disable_public_access"
      type: "remediation"
      action: "aws_s3_disable_public_access"
      parameters:
        bucket_name: "{{ violation.resource.name }}"
        preserve_existing_policy: true

    - name: "notify_team"
      type: "notification"
      action: "send_slack_message"
      parameters:
        channel: "#security-alerts"
        message: "S3 bucket {{ violation.resource.name }} public access disabled automatically"

  # Approval requirements
  approval:
    required_for:
      - production_resources
      - high_business_impact
    approvers:
      - security_team
      - resource_owner
```
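As an added example (not PolicyCortex code), the Python below shows one way an engine could evaluate the trigger block of the S3 workflow above against an incoming violation event and expand the `{{ ... }}` placeholders used in its step parameters. The matching rules (a list value means membership, a scalar means equality, dotted keys resolve into the event), the event field names and the sample event are assumptions; an unresolved placeholder raises instead of rendering empty, so a remediation step is never run against a blank bucket name.

```python
import re
TEMPLATE_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

# Trigger block of the auto-remediate-s3-public-access workflow above, as a dict.
TRIGGER = {
    "event": "policy.violation.created",
    "conditions": [
        {"policy_name": "s3-no-public-access"},
        {"severity": ["HIGH", "CRITICAL"]},
        {"resource_type": "AWS::S3::Bucket"},
    ],
}

# Constructed sample violation event; field names are assumptions, not the product's schema.
SAMPLE_EVENT = {
    "event": "policy.violation.created",
    "policy_name": "s3-no-public-access",
    "severity": "HIGH",
    "resource_type": "AWS::S3::Bucket",
    "violation": {"resource": {"id": "arn:aws:s3:::example-prod-logs", "name": "example-prod-logs"}},
}

def lookup(event, dotted_key):
    """Resolve a dotted path such as violation.resource.name; None if any part is absent."""
    cur = event
    for part in dotted_key.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def condition_matches(event, cond):
    """One trigger condition: a list value means membership, a scalar means equality."""
    ((key, expected),) = cond.items()
    actual = lookup(event, key)
    return actual in expected if isinstance(expected, list) else actual == expected

def trigger_matches(event, trigger):
    """Fire only when the event type and every listed condition match (AND semantics)."""
    if event.get("event") != trigger["event"]:
        return False
    return all(condition_matches(event, c) for c in trigger.get("conditions", []))

def render(template, event):
    """Expand {{ dotted.path }} placeholders; fail closed on an unresolved path."""
    def substitute(match):
        value = lookup(event, match.group(1))
        if value is None:
            raise KeyError(f"unresolved template variable: {match.group(1)}")
        return str(value)
    return TEMPLATE_RE.sub(substitute, template)
```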
Incident Response Workflows
Critical Security Incident
Security Incident Response Workflow

```yaml
workflow:
  name: "critical-security-incident-response"
  description: "Automated response to critical security violations"

  trigger:
    event: "policy.violation.created"
    conditions:
      - severity: "CRITICAL"
      - categories: ["security", "data_breach"]

  steps:
    # Immediate containment
    - name: "isolate_resource"
      type: "containment"
      action: "isolate_compromised_resource"
      timeout: 30s
      parameters:
        resource_id: "{{ violation.resource.id }}"
        isolation_method: "security_group_lockdown"

    # Create incident ticket
    - name: "create_incident"
      type: "ticketing"
      action: "create_jira_incident"
      parameters:
        priority: "P1"
        assignee: "security_team"
        title: "Critical Security Violation: {{ violation.policy.name }}"
        description: |
          Resource: {{ violation.resource.name }}
          Policy: {{ violation.policy.name }}
          Detected: {{ violation.detected_at }}
          Auto-containment: Applied

    # Escalate to on-call
    - name: "page_security_team"
      type: "alerting"
      action: "pagerduty_alert"
      parameters:
        service: "security-incidents"
        severity: "critical"
        message: "Critical policy violation detected and contained"

    # Collect forensic evidence
    - name: "collect_evidence"
      type: "forensics"
      action: "snapshot_environment"
      parameters:
        scope: "affected_resource_and_dependencies"
        retention: "30_days"

    # Notify stakeholders
    - name: "notify_leadership"
      type: "notification"
      action: "send_email"
      parameters:
        recipients: ["ciso@company.com", "cto@company.com"]
        template: "critical_incident_notification"
        attachments: ["evidence_summary.pdf"]
```
Data Exposure Response
Data Exposure Automation

```yaml
workflow:
  name: "data-exposure-response"
  description: "Immediate response to potential data exposure"

  trigger:
    event: "scan.sensitive_data_detected"
    conditions:
      - data_classification: ["PII", "PHI", "PCI"]
      - exposure_level: "public"

  steps:
    # Immediately block public access
    - name: "emergency_access_control"
      type: "immediate_action"
      action: "deny_all_public_access"
      max_delay: 10s

    # Classify the exposure severity
    - name: "assess_exposure_severity"
      type: "evaluation"
      script: |
        severity = "LOW"
        if data_contains_ssn or data_contains_credit_card:
            severity = "CRITICAL"
        elif data_contains_email or data_contains_phone:
            severity = "HIGH"
        return severity

    # Legal/compliance notification (if required)
    - name: "check_breach_notification"
      type: "conditional"
      condition: "{{ steps.assess_exposure_severity.output }} == 'CRITICAL'"
      action: "notify_legal_team"
      parameters:
        urgency: "immediate"
        breach_type: "potential_data_exposure"
```
Compliance Automation Workflows
Weekly Compliance Report
Automated Compliance Reporting

```yaml
workflow:
  name: "weekly-compliance-report"
  description: "Generate and distribute weekly compliance status report"

  trigger:
    schedule: "cron(0 9 * * MON)"  # Every Monday at 9 AM

  steps:
    # Generate compliance scores for all frameworks
    - name: "calculate_compliance_scores"
      type: "assessment"
      action: "run_compliance_assessment"
      parameters:
        frameworks: ["SOC2", "HIPAA", "PCI_DSS"]
        scope: "all_accounts"
        include_trends: true

    # Identify top violations
    - name: "analyze_top_violations"
      type: "analysis"
      action: "identify_recurring_violations"
      parameters:
        time_period: "last_7_days"
        group_by: ["policy", "resource_type", "account"]
        min_occurrence_count: 3

    # Generate executive summary
    - name: "create_executive_summary"
      type: "reporting"
      action: "generate_compliance_summary"
      parameters:
        template: "executive_dashboard"
        include_charts: true
        risk_trending: true

    # Distribute report
    - name: "distribute_report"
      type: "distribution"
      action: "send_report_email"
      parameters:
        recipients:
          executives: ["ceo@company.com", "cto@company.com"]
          compliance: ["compliance@company.com"]
          security: ["security@company.com"]
        format: ["pdf", "interactive_dashboard_link"]
        subject: "Weekly Compliance Status - Week {{ current_week }}"

    # Update compliance dashboard
    - name: "update_dashboard"
      type: "visualization"
      action: "refresh_compliance_dashboard"
      parameters:
        dashboard_id: "compliance-overview"
        cache_duration: "24h"
```
Advanced Workflow Patterns
🔄 Multi-Step Approval
Approval Chain Example

```yaml
approval_chain:
  - step: "technical_review"
    approvers: ["tech_lead"]
    timeout: "24h"

  - step: "security_review"
    approvers: ["security_team"]
    condition: "risk_level >= MEDIUM"
    timeout: "48h"

  - step: "executive_approval"
    approvers: ["cto", "ciso"]
    condition: "cost_impact > 10000"
    timeout: "72h"
```
🎯 Conditional Logic
Workflow Conditions

```yaml
conditions:
  - name: "business_hours"
    expression: "time >= '09:00' and time <= '17:00'"

  - name: "production_environment"
    expression: "resource.tags.Environment == 'production'"

  - name: "high_risk_resource"
    expression: |
      resource.contains_pii or
      resource.internet_facing or
      resource.admin_access_enabled
```
Testing & Monitoring Workflows
Workflow Testing
Test Workflow Execution

```bash
# Test workflow with sample data
policycortex workflow test \
  --workflow-file security-incident-response.yaml \
  --test-data sample-violation.json \
  --dry-run \
  --verbose

# Monitor workflow performance
policycortex workflow metrics \
  --workflow security-incident-response \
  --time-range last-30-days \
  --include-step-timing

# View workflow execution history
policycortex workflow history \
  --workflow security-incident-response \
  --status failed \
  --limit 10

# Enable workflow debugging
policycortex workflow debug \
  --workflow security-incident-response \
  --enable-detailed-logging \
  --log-level debug
```