How do you handle security findings that require Terraform changes?
I’m trying to understand how Terraform-heavy AWS teams handle security findings in practice.
Example: Security Hub / GuardDuty / Config flags an issue like public S3 access, overly broad IAM, exposed security groups, missing logging, or drift from expected controls.
How does that usually become a Terraform change?
In teams I’ve seen, the flow is often messy:
- finding appears in AWS
- someone has to decide if it matters
- ownership is unclear
- the actual fix may need Terraform, not a console change
- reviewers need to trust the diff
- compliance/audit needs evidence that it was handled
I’m exploring a workflow where findings are grouped into prioritized actions and turned into human-reviewed PR-style Terraform remediation bundles. No direct cloud changes.
Curious how others do this today:
- Do security findings usually become Terraform PRs?
- Who owns the fix: security, platform, app team, or DevOps?
- Do you allow console fixes, or force IaC-only?
- What would make an auto-generated Terraform fix untrustworthy?
- How do you track exceptions and evidence?
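As an added illustration of the "findings grouped into prioritized actions, turned into PR-style remediation bundles" step described above (this is example code, not anything from the original post): a small Python sketch that takes ASFF-shaped Security Hub findings, keeps only FAILED ones, groups them by control id, ranks the groups by worst severity, and renders a reviewable PR body that carries the finding ids as audit evidence. The findings, the control-to-template table and the control ids used in it (`S3.8` as the bucket-level public-access-block control, `EC2.19` as an unmapped security-group control) are constructed assumptions for the demo; check them against your own Security Hub console before reusing.

```python
"""Group Security Hub findings into prioritised, human-reviewable Terraform
remediation bundles. Illustrative only: the control ids, template table and
sample findings are constructed, not pulled from a real account."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Hypothetical control -> Terraform template table. The aws_s3_bucket_public_access_block
# resource and its arguments are real; the control id "S3.8" is assumed for the demo.
S3_PUBLIC_ACCESS_BLOCK = """\
resource "aws_s3_bucket_public_access_block" "{label}" {{
  bucket                  = "{bucket}"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}}
"""
REMEDIATIONS = {"S3.8": S3_PUBLIC_ACCESS_BLOCK}


def resource_name(resource_id: str) -> str:
    """Last segment of an ARN/id, e.g. arn:aws:s3:::b -> b, .../sg-1 -> sg-1."""
    return resource_id.rsplit(":", 1)[-1].rsplit("/", 1)[-1]


def tf_label(resource_id: str) -> str:
    """Derive a Terraform-safe block label (letters, digits, _ and -; not digit-first)."""
    label = re.sub(r"[^A-Za-z0-9_-]", "_", resource_name(resource_id))
    return label if label[:1].isalpha() or label[:1] == "_" else f"r_{label}"


@dataclass
class Bundle:
    control_id: str
    severity: str
    resource_ids: list[str]
    finding_ids: list[str]  # evidence trail for audit/compliance
    hcl: str                # empty when no template exists -> manual action

    @property
    def needs_manual_fix(self) -> bool:
        return not self.hcl


def build_bundles(findings: list[dict]) -> list[Bundle]:
    """One bundle per failed control, ordered by worst severity then blast radius."""
    by_control: dict[str, list[dict]] = defaultdict(list)
    for f in findings:
        comp = f.get("Compliance", {})
        if comp.get("Status") != "FAILED":
            continue  # PASSED / NOT_AVAILABLE findings need no Terraform change
        by_control[comp.get("SecurityControlId", "UNKNOWN")].append(f)

    bundles: list[Bundle] = []
    for control_id, fs in by_control.items():
        severity = max((f["Severity"]["Label"] for f in fs), key=SEVERITY_RANK.__getitem__)
        resource_ids = sorted({r["Id"] for f in fs for r in f["Resources"]})
        template = REMEDIATIONS.get(control_id)
        hcl = ""
        if template:
            hcl = "\n".join(
                template.format(label=tf_label(rid), bucket=resource_name(rid))
                for rid in resource_ids
            )
        bundles.append(Bundle(control_id, severity, resource_ids,
                              sorted(f["Id"] for f in fs), hcl))
    bundles.sort(key=lambda b: (-SEVERITY_RANK[b.severity], -len(b.resource_ids), b.control_id))
    return bundles


def render_pr_body(bundle: Bundle) -> str:
    """Markdown a reviewer can read: what, where, why (evidence), and the proposed diff."""
    lines = [f"## {bundle.control_id} ({bundle.severity})",
             "Affected resources:", *(f"- {r}" for r in bundle.resource_ids),
             "Evidence (Security Hub finding ids):", *(f"- {i}" for i in bundle.finding_ids)]
    if bundle.needs_manual_fix:
        lines.append("No template for this control: hand-written change and reviewer sign-off required.")
    else:
        lines += ["Proposed Terraform:", bundle.hcl.rstrip()]
    return "\n".join(lines)


# Constructed, ASFF-shaped sample findings (not real account data).
SAMPLE_FINDINGS = [
    {"Id": "finding-001", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    {"Id": "finding-002", "Severity": {"Label": "MEDIUM"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-assets"}]},
    {"Id": "finding-003", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.19"},
     "Resources": [{"Type": "AwsEc2SecurityGroup",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123"}]},
    {"Id": "finding-004", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.8"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-fixed"}]},
]

if __name__ == "__main__":
    for b in build_bundles(SAMPLE_FINDINGS):
        print(render_pr_body(b), end="\n\n")
```

The design choice worth noting: the generator never touches the cloud; it only emits HCL and the finding ids that justify it, so the trust decision stays with the reviewer of the PR, and controls without a vetted template surface as an explicit manual bundle rather than silently dropping out.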