Dry run is a way of simulating a remediation so that users and DevOps personnel can preview the results of the fix. The dry-run procedure makes no changes and takes no actions; it goes through all the steps of making a fix and displays the expected changes.
This article assumes that you have connected to the cloud account and enabled remediations. To learn how to connect to the cloud account and trigger remediation, visit Configuring Aqua CSPM Remediations for Your Cloud Account.
You can receive notifications of dry run results through your chosen channels. To set up remediation alerts, which also notify you when a dry-run remediation occurs, visit Remediations Alerts.
Enabling Dry Run Mode
To enable dry run mode, do the following:
- Navigate to https://cloud.aquasec.com/remediations.
- Select Policies from Remediations.
- When remediations are activated for a cloud account, the default mode is Execution (E). To change the mode to dry run, click the three dots (…) at the corner of the desired cloud account policy and select Edit Policy.
- In Settings, enable the Dry run mode.
- Select Save Policy.
Remediation Reports in Dry Run Mode
- Select Reports from the Remediations menu.
- View the overall status of Fixed, Failed, and Dry run remediations under Top Remediated Accounts and Top Remediated Plugins. Note: In the screenshot below, the section highlighted in grey shows cloud accounts remediated in Dry run mode.
- To view the report of a particular cloud account remediated in Dry run mode, click View Report. Note: In the screenshot below, you can see that the Fixed count is 0 for the AWS account tested in dry run mode. The D in grey indicates that this cloud account was remediated in Dry run mode.
- In the Report Summary, you can see that no remediation was performed as the system was running in dry run mode. Also, No Action was taken on the impacted resource.
Remediations Best Practices
It is a good practice to verify remediations using dry runs before executing real remediations on resources that have cross dependencies with others. In dry run mode, configurations that violate the security policies are not fixed, only logged. Dry run mode is used to test cloud configurations and to monitor a remediation without preventing access to resources. Major benefits of dry run mode include:
- Determining the impact that changes to existing cloud account configurations will have after a remediation occurs
- Previewing the impact of the remediation process
- Identifying and mitigating any issues that are caused by misconfigurations before pushing the changes to a production environment