67%
of remediated CSPM findings reappear within 30 days when the fix was applied only to the live resource without updating the underlying IaC template or deployment automation
4 hours
average time for a re-deployed cloud resource to reintroduce the same misconfiguration when IaC templates are not updated as part of remediation
3 root causes
explain almost all CSPM finding reappearance: IaC template drift, missing automation, and symptom-not-cause remediation that leaves the configuration source unchanged
90%
reduction in CSPM finding reappearance rate achievable with policy-as-code enforcement via OPA, AWS SCPs, or Azure Policy, preventing misconfigured resources from being deployed in the first place

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Closing a CSPM finding by changing the configuration of a running cloud resource is satisfying but temporary. The CSPM marks it resolved. The team moves on. Thirty days later, the same finding is open again. Someone asks why it came back. The answer is that cloud infrastructure is not manually configured -- it is deployed. And if the deployment template still contains the misconfiguration, the next deployment brings it back.

This is not a CSPM tool problem. It is a remediation methodology problem. Direct configuration changes to running cloud resources are overwritten by infrastructure-as-code deployments, auto-scaling events, blue/green deployment swaps, and any other process that redeploys the affected resource from its source template.

This guide covers the three root causes behind nearly all CSPM finding reappearance scenarios and how to address each one with a fix that survives the next deployment. It also covers policy-as-code enforcement as the architecture that prevents misconfigured resources from being deployed in the first place, turning CSPM from a detection-and-remediation tool into a verification tool for a compliance-by-design environment.

Root Cause 1: IaC Template Drift -- Fixing the Running Resource, Not the Source

The most common cause of CSPM finding reappearance is the simplest: the remediation was applied to the live cloud resource in the AWS console, Azure portal, or GCP console, while the Terraform, CloudFormation, CDK, or Pulumi template that deployed the resource still contains the original misconfigured value.

The next time the infrastructure pipeline runs -- whether for a deployment, a template refresh, or an auto-scaling event -- it redeploys the resource from the unchanged template and overwrites the manual fix.

The indicator that this is your root cause: the finding reappears on the same resource type every time the deployment pipeline runs, not at a random interval.

The fix requires two changes in parallel, not one: update the IaC template to remove the misconfiguration, and apply a configuration change to the currently running resource. Both steps together produce a finding that is closed in the CSPM and that remains closed after the next deployment.

For organizations using Terraform, the workflow is: identify the resource block in the Terraform configuration, change the misconfigured attribute value, run terraform plan to verify the change scope, and apply. The IaC change and the live resource change happen simultaneously through the terraform apply step -- there is no need for a separate manual console change.

For organizations where infrastructure is deployed through an automated pipeline but the IaC templates are maintained by a different team than the security team doing CSPM remediation, this root cause requires a process change: CSPM findings must be routed to the IaC-owning team with the specific template path and attribute change required, not just the CSPM finding description.

Root Cause 2: Missing Automation -- Manual Fixes That Cannot Survive Redeployment

The second root cause is related to IaC drift but distinct: the affected resource was not deployed from an IaC template at all. It was manually provisioned in the cloud console, perhaps before the organization adopted IaC practices, and there is no template to update.

In this scenario, there is no automated process overwriting the fix. But there is also no automated process protecting it. The finding reappears because someone else (or the same person, months later) recreates the resource without the security configuration, or because a misconfigured copy of the resource is created by cloning the original.

The fix here is not just remediating the finding but also formalizing the resource as managed IaC. This means: importing the existing resource into the IaC state (terraform import for Terraform), codifying the correct configuration in the template, and ensuring future deployments and modifications go through the IaC pipeline rather than the console.

This is more work than patching the running resource, which is why it is often deferred. But without it, the organization has a class of cloud resources with no formal configuration management -- which means no repeatable security configuration, no audit trail for configuration changes, and no way to enforce consistent security posture across multiple instances of the same resource type.

The operational signal for this root cause: the finding is on a resource that shows no IaC state association in your Terraform or CloudFormation stack inventory.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Root Cause 3: Symptom-Not-Cause Remediation

The third root cause is the most difficult to diagnose: the fix was applied correctly to both the running resource and the IaC template, but the finding reappears because neither the resource nor the template was the actual source of the problem.

This happens when a misconfiguration originates from a module, a shared configuration baseline, or an organizational default that overrides resource-level settings. Common examples:

Terraform modules with misconfigured defaults. A security group module that defaults to 0.0.0.0/0 ingress rules creates the same finding every time any team uses the module, even if the calling team's resource-level configuration is correct. Fixing the calling configuration leaves the module unchanged, so the next resource deployed from the module has the same finding.

AWS Organizations default settings. An S3 account-level public access block setting that is disabled allows all buckets to be created without the block enabled. Enabling it on individual buckets fixes the finding on those buckets but leaves the account default unchanged, so any new bucket created in the account has the finding immediately.

Shared pipeline defaults. A CI/CD pipeline that deploys cloud resources with default security group rules, default IAM permissions, or default encryption settings propagates those defaults to every resource it deploys, regardless of what individual resource configurations specify.

The diagnostic question for this root cause: is the same finding appearing on multiple resources of the same type across different teams? If yes, the source is a shared module, account default, or pipeline default -- not individual resource configurations.

Policy-as-Code: From Detection to Prevention

The long-term architectural fix for CSPM finding reappearance is shifting from detection-and-remediation to prevention. Policy-as-code tools enforce security requirements at the deployment stage, preventing misconfigured resources from being deployed in the first place, rather than detecting and reporting them after they are running.

Three enforcement mechanisms, in order of where they act in the deployment pipeline:

IaC-level enforcement with OPA (Open Policy Agent) + Conftest. Conftest runs OPA policies against Terraform plans, CloudFormation templates, and Kubernetes manifests before deployment. A policy that rejects any Terraform plan containing an S3 bucket without server-side encryption enabled prevents the bucket from being deployed with that misconfiguration, rather than detecting it afterward. This enforcement runs in the CI/CD pipeline and fails the pipeline when a policy violation is found.

Cloud-level enforcement with AWS Service Control Policies (SCPs) or Azure Policy. SCPs are organization-level controls that prevent IAM principals from taking specific actions across all accounts in an AWS Organization, regardless of what IAM policies say. An SCP denying s3:PutBucketPublicAccessBlock with a "s3:PublicAccessBlockConfiguration": "false" condition prevents any principal from disabling the public access block, even if they have IAM permissions to do so. Azure Policy equivalents enforce the same controls at the Azure Management Group or subscription level.

Admission control with OPA Gatekeeper (Kubernetes). For containerized workloads, Gatekeeper enforces pod security policies at the admission stage, rejecting deployments that violate defined security constraints before the pod is created.

Building a Verification Cycle Into Your Remediation Workflow

Even with policy-as-code enforcement in place, CSPM tools remain valuable for detecting drift from resources that existed before enforcement was deployed, resources in accounts or regions not yet covered by enforcement, and configuration changes made outside of automated pipelines.

The verification cycle that closes the loop between CSPM detection and confirmed permanent remediation:

Step 1: CSPM finding identified. Record the finding, the affected resource ARN or ID, the specific misconfigured attribute, and the CSPM finding ID.

Step 2: Root cause identified. Is this IaC template drift, a manually provisioned resource, or a shared module or account default issue? The root cause determines the correct fix path.

Step 3: Fix applied at the correct source. IaC template, Terraform module, shared pipeline configuration, or account-level policy, as appropriate. Do not apply a console fix without a corresponding source fix.

Step 4: Deployment completed. Run the IaC pipeline to redeploy the fixed configuration. Verify the resource configuration matches the fixed template.

Step 5: CSPM re-scan confirmed. Trigger a CSPM rescan of the affected resource. Confirm the finding is closed.

Step 6: Policy enforcement added (if not already present). Create or verify that a policy-as-code check covers this finding class, so future resources in this category are blocked from deploying with the same misconfiguration.

Step 6 is the step that most remediation workflows skip. Without it, the process is purely reactive: CSPM finds a problem, team fixes it, CSPM finds it again on a new resource, team fixes it again. Policy-as-code at Step 6 converts each remediation into a preventive control.

Prioritizing Which Findings Are Worth the Policy-as-Code Investment

Not every CSPM finding class warrants a policy-as-code enforcement rule. The investment in writing, testing, and maintaining a Conftest policy or AWS SCP is only justified when the finding class is high-severity, appears frequently enough to be a pattern rather than an isolated misconfiguration, and maps to a control that is meaningful for your threat model.

Prioritization criteria for policy-as-code investment:

High reappearance rate. If the same finding class has appeared more than three times across different resources in a 90-day period, a policy rule pays for itself almost immediately.

High severity in your environment. S3 bucket public access, encryption at rest for databases containing regulated data, and overly permissive security groups on publicly accessible resources are examples where the business impact of a missed finding justifies the enforcement investment.

Low implementation risk. Some policy enforcement rules are higher risk than others. An SCP that denies disabling encryption is low risk -- the only thing it prevents is a misconfiguration. An SCP that denies modifications to security groups requires more careful scoping to avoid blocking legitimate operational changes.

Maps to a recurring audit or compliance finding. If the same finding class appears repeatedly in your SOC 2 or ISO 27001 assessments, automated enforcement demonstrates to auditors that you have a preventive control, not just a detection-and-remediation workflow -- which is a materially better audit posture.

Start with two or three high-priority finding classes. Implement the policy rules, validate them in a non-production environment, and deploy them. The feedback loop from seeing those finding classes stop appearing in your CSPM tool provides the organizational confidence to expand enforcement coverage.

The bottom line

CSPM findings that reappear after remediation are telling you that the fix was applied to the wrong place. Direct cloud console fixes are overwritten by IaC deployments. Finding-level fixes do not address shared module or account-default root causes. And without a verification cycle that includes policy-as-code enforcement, the remediation process stays permanently reactive -- finding, fixing, finding, fixing the same misconfigurations on new resources. The three-step permanent closure process is: identify the correct source (IaC template, shared module, or account default), fix at the source rather than the symptom, and add a policy-as-code enforcement rule that prevents new resources of the same type from being deployed with the same misconfiguration. This converts CSPM from a detection-and-remediation loop into a verification tool for a compliance-by-design environment.

Frequently asked questions

Why do CSPM findings keep coming back after I fix them?

CSPM findings reappear when the fix is applied to the running cloud resource rather than to the source that deployed it. If a Terraform template, CloudFormation stack, or CI/CD pipeline deployed the misconfigured resource, the next deployment from that template recreates the misconfiguration and overwrites the manual fix. The finding also reappears when the misconfiguration originates from a shared Terraform module, an account-level default setting, or an organizational policy that is not updated as part of the finding remediation.

What is the correct way to permanently fix a CSPM finding?

Identify where the misconfiguration originates -- the IaC template, a Terraform module, a shared pipeline default, or an account-level setting -- and apply the fix at that source. For Terraform-managed resources, update the resource block in the template and run terraform apply so the fix is applied to both the template and the live resource simultaneously. For account-level issues, update the default setting at the account or organization level. After fixing the source, verify the CSPM rescan shows the finding closed. Then add a policy-as-code check (OPA, AWS SCP, or Azure Policy) to prevent the same misconfiguration from being deployed on future resources.

What is policy-as-code and how does it prevent CSPM findings from reappearing?

Policy-as-code is the practice of encoding security requirements as machine-readable policies that are enforced automatically during the infrastructure deployment process. Tools like Open Policy Agent with Conftest enforce policies against Terraform plans before deployment, failing the pipeline if a misconfiguration is found. AWS Service Control Policies and Azure Policy enforce requirements at the cloud organizational level, preventing misconfigured resources from being created regardless of IAM permissions. These tools shift cloud security from detection-and-remediation (find the problem after deployment) to prevention (block the misconfiguration before it is deployed).

How do I know if a CSPM finding is caused by an IaC template issue or a shared module issue?

The diagnostic question is whether the same finding appears on multiple resources of the same type across different teams or accounts. If a single finding class appears on resources owned by different teams that each maintain their own IaC configurations, the source is likely a shared Terraform module with a misconfigured default, an account-level default setting, or a shared CI/CD pipeline default. If the finding appears on a single team's resources and reappears after each deployment, the source is in that team's IaC template. Check the Terraform module registry and the account-level settings for the affected resource type before assuming the finding is a resource-level configuration issue.

What is the difference between remediating a CSPM finding in the console versus in IaC?

Console remediation changes the configuration of the running cloud resource directly. This closes the CSPM finding temporarily but does not change the IaC template that deployed the resource. The next time the infrastructure pipeline runs (for a deployment, update, or auto-scaling event), it redeploys the resource from the unchanged template and recreates the misconfiguration. IaC remediation updates the template source and redeploys, which closes the CSPM finding and ensures all future deployments of that resource use the corrected configuration.

How do I prioritize which CSPM finding classes to build policy-as-code rules for?

Prioritize finding classes that meet at least two of these criteria: the same finding has appeared more than three times on different resources within 90 days (high reappearance rate), the finding class represents high-severity misconfiguration for your specific environment (public storage buckets, unencrypted databases with regulated data, or overly permissive security groups on public endpoints), or the finding class appears repeatedly in SOC 2 or compliance audit observations. Start with two or three finding classes, validate the policy rules in a non-production environment before deploying, and expand coverage based on operational confidence and ongoing CSPM data.

What tools enforce policy-as-code for cloud infrastructure?

Three enforcement layers cover most cloud environments. At the IaC level: Open Policy Agent (OPA) with Conftest runs policy checks against Terraform plans, CloudFormation templates, and Kubernetes manifests in CI/CD pipelines, failing the pipeline when a policy violation is found. At the cloud organization level: AWS Service Control Policies (SCPs) enforce controls across all accounts in an AWS Organization, preventing misconfigured resources from being created even by principals with IAM permissions to do so. Azure Policy and GCP Organization Policies provide equivalent enforcement for Azure and GCP. At the Kubernetes level: OPA Gatekeeper enforces admission control policies, rejecting pod deployments that violate security constraints.

Sources & references

  1. Wiz: State of Cloud Security Report 2024
  2. Orca Security: State of Public Cloud Security 2024
  3. AWS Service Control Policies Documentation
  4. Open Policy Agent Documentation
  5. CIS Benchmarks for Cloud

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.