Hi @ramyfrahman

You can run the RQL to find all "Internet exposed instances" that are talking with Suspicious IPs.

    NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )

The problem is that Auto-remediation is not supported for Network and Audit policies, only for Config policies.

But maybe you can do something like this.

RQL:

    config where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule='image.public is true'

Remediation:

    aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"

I hope I could help you a bit with that.

Regards,
Torsten
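Added example (not part of the post above and not Prisma Cloud code): a dry-run planner that applies the config rule `image.public is true` to `aws ec2 describe-images` output, builds the remediation command from the post for each match, and checks afterwards whether an AMI still grants `Group=all`. The sample JSON, image IDs, region and function names are constructed for illustration, and it assumes the AWS CLI field names `Public` and `LaunchPermissions`.

```python
import json
import shlex

# Constructed sample of `aws ec2 describe-images --owners self` output (not real data).
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Public": true,  "State": "available"},
  {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Public": false, "State": "available"},
  {"ImageId": "ami-0ccccccccccccccc3", "Public": true,  "State": "available"}
]}
""")


def public_image_ids(describe_images):
    """Image IDs that match the policy condition `image.public is true`."""
    return [img["ImageId"]
            for img in describe_images.get("Images", [])
            if img.get("Public") is True]


def remediation_argv(region, image_id):
    """The post's remediation command with ${region} and ${resourceId} filled in.

    Returned as an argv list so it can be passed to subprocess.run without a shell.
    """
    launch_permission = json.dumps({"Remove": [{"Group": "all"}]})
    return ["aws", "ec2", "--region", region, "modify-image-attribute",
            "--image-id", image_id, "--launch-permission", launch_permission]


def plan(region, describe_images):
    """One remediation command per public AMI; nothing is executed here."""
    return [remediation_argv(region, i) for i in public_image_ids(describe_images)]


def still_public(image_attribute):
    """Post-remediation check on the output of
    `aws ec2 describe-image-attribute --attribute launchPermission`."""
    return any(p.get("Group") == "all"
               for p in image_attribute.get("LaunchPermissions", []))


if __name__ == "__main__":
    # Print the planned commands for review instead of running them.
    for argv in plan("eu-central-1", SAMPLE_DESCRIBE_IMAGES):
        print(shlex.join(argv))
```

Review the printed commands before running them, then feed each AMI's `describe-image-attribute` output to `still_public` to confirm the public launch permission is gone.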