Enterprise Policy as Code with PolicyCortex for Cloud Governance

Define, version, and manage your governance policies using code for consistency, repeatability, and enterprise-scale automation.


Overview

Policy as Code (PaC) is a methodology that treats policy definitions as code artifacts, enabling DevOps practices for governance and compliance. PolicyCortex implements this approach to provide enterprise-grade policy management with version control, testing, and automated deployment capabilities.

Version Control

Track policy changes with Git integration

Testing

Validate policies before deployment

Automation

CI/CD pipeline integration

Policy Structure

PolicyCortex policies are JSON documents with a hierarchical structure: metadata identifies and versions the policy, target scopes the resources it applies to (and those excluded from it), rules hold the conditions and the action taken when a condition matches, and compliance, remediation and monitoring carry the framework mapping, the fix procedure and the alerting configuration. In the example below a resource that matches a rule's condition is reported as non-compliant. Note that the rule joins its two clauses with "and", so it flags only storage that is both unencrypted and publicly accessible, not every unencrypted resource the description promises; drop the public_access clause if the intent is to enforce encryption on all storage. Note also that "auto_remediate": true combined with "approval_required": false runs the remediation script without a human gate, and "dry_run_first": true limits but does not remove that risk.

Basic Policy Structure (JSON)
{
  "metadata": {
    "name": "enforce-encryption-at-rest",
    "version": "2.1.0",
    "description": "Ensure all storage resources have encryption enabled",
    "author": "security-team@company.com",
    "created": "2024-01-15T10:00:00Z",
    "updated": "2024-03-20T14:30:00Z",
    "tags": ["security", "encryption", "compliance"],
    "category": "security"
  },
  "target": {
    "cloud_providers": ["aws", "azure", "gcp"],
    "resource_types": ["storage", "database"],
    "accounts": ["prod-*", "staging-*"],
    "regions": ["us-east-1", "us-west-2", "eu-west-1"],
    "tags": {
      "environment": ["production", "staging"],
      "data_classification": ["confidential", "restricted"]
    },
    "exclude": {
      "accounts": ["dev-sandbox"],
      "tags": {
        "encryption_exempt": ["true"]
      }
    }
  },
  "rules": [
    {
      "id": "storage-encryption",
      "name": "Storage Encryption Check",
      "description": "Verify encryption is enabled on storage resources",
      "severity": "high",
      "condition": {
        "operator": "and",
        "conditions": [
          {
            "property": "encryption.enabled",
            "operator": "equals",
            "value": false
          },
          {
            "property": "public_access",
            "operator": "equals", 
            "value": true
          }
        ]
      },
      "action": {
        "type": "enforce",
        "notify": true,
        "auto_remediate": true,
        "escalation": {
          "level": "critical",
          "notify_security_team": true
        }
      }
    }
  ],
  "compliance": {
    "frameworks": ["soc2", "iso27001", "hipaa", "pci-dss"],
    "controls": ["CC6.1", "A.10.1.1", "164.312(a)(1)", "3.4"],
    "evidence_collection": true
  },
  "remediation": {
    "manual_steps": [
      "Navigate to resource configuration in cloud console",
      "Enable encryption settings with appropriate key management",
      "Verify encryption status and document changes",
      "Update resource tags to reflect encryption status"
    ],
    "automation": {
      "enabled": true,
      "script": "scripts/remediation/enable-encryption.py",
      "approval_required": false,
      "rollback_enabled": true,
      "dry_run_first": true
    }
  },
  "monitoring": {
    "frequency": "real-time",
    "alerting": {
      "channels": ["slack", "email", "webhook"],
      "threshold": 1,
      "suppress_duration": "1h"
    },
    "metrics": {
      "compliance_score_impact": 15,
      "risk_reduction": 85
    }
  }
}

Best Practices

1. Policy Naming and Organization

  • Use descriptive, action-oriented names (e.g., "enforce-s3-encryption")
  • Follow consistent naming conventions across your organization
  • Group related policies into logical categories
  • Use semantic versioning for policy versions

2. Version Control Integration

Policy Repository Structure
company-policies/
├── policies/
│   ├── security/
│   │   ├── encryption/
│   │   │   ├── s3-encryption.json
│   │   │   ├── ebs-encryption.json
│   │   │   └── rds-encryption.json
│   │   ├── access/
│   │   └── network/
│   ├── cost/
│   └── compliance/
├── tests/
│   ├── unit/
│   └── integration/
├── scripts/
│   ├── remediation/
│   └── validation/
├── .policycortex.yml
├── .github/
│   └── workflows/
│       └── policy-ci.yml
└── docs/README.md

3. Testing Strategy

Implement comprehensive testing for policy validation:

Policy Test Example (YAML)
test_suite:
  name: "S3 Encryption Policy Tests"
  policy: "policies/security/encryption/s3-encryption.json"
  
test_cases:
  - name: "Unencrypted public bucket should fail"
    resource:
      type: "aws_s3_bucket"
      properties:
        name: "public-data-bucket"
        encryption: { enabled: false }
        public_access: true
        tags: { environment: "production" }
    expected_result:
      status: "non_compliant"
      violations: 1
      severity: "high"
      
  - name: "Encrypted bucket should pass"
    resource:
      type: "aws_s3_bucket" 
      properties:
        name: "secure-data-bucket"
        encryption: { enabled: true, algorithm: "AES256" }
        public_access: false
    expected_result:
      status: "compliant"
      violations: 0
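The following is an added example, not PolicyCortex's own code, that ties the Policy Structure section and the Testing Strategy section together: it evaluates a trimmed copy of the page's policy against resource objects and runs page-style test cases against the result. It assumes, from the test cases above, that a rule whose condition matches marks the resource non_compliant; the helper names, the "or" operator, the "not_in_scope" status, the severity scale and the rule that exclusions take precedence over the target's account patterns are this example's assumptions, not documented product behaviour. The test cases are constructed: the two from the page plus two that probe the policy's own blind spots (the "and" condition and the exemption tag).

```python
"""Evaluate a PolicyCortex-style policy against resources and run its test cases.
Added example, not PolicyCortex's own code; evaluation semantics are assumed
from the test cases on the page (matching condition => non_compliant)."""
import fnmatch
import json

# Constructed sample: the page's policy trimmed to the fields read here.
POLICY_JSON = """{
  "metadata": {"name": "enforce-encryption-at-rest", "version": "2.1.0"},
  "target": {
    "accounts": ["prod-*", "staging-*"],
    "exclude": {"accounts": ["dev-sandbox"],
                "tags": {"encryption_exempt": ["true"]}}
  },
  "rules": [{
    "id": "storage-encryption", "severity": "high",
    "condition": {"operator": "and", "conditions": [
      {"property": "encryption.enabled", "operator": "equals", "value": false},
      {"property": "public_access", "operator": "equals", "value": true}
    ]}
  }]
}"""

SEVERITY_ORDER = ["low", "medium", "high", "critical"]  # assumed scale


def get_path(obj, dotted):
    """Resolve a dotted path such as 'encryption.enabled'; None if any key is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def condition_matches(cond, properties):
    """Evaluate a condition tree: 'and'/'or' combine children, a leaf compares
    one property with a literal. Unknown operators fail closed with an error."""
    op = cond["operator"]
    if op in ("and", "or"):
        results = [condition_matches(c, properties) for c in cond["conditions"]]
        return all(results) if op == "and" else any(results)
    if op == "equals":
        return get_path(properties, cond["property"]) == cond["value"]
    raise ValueError(f"unsupported condition operator: {op}")


def in_scope(target, resource):
    """Apply the target block. Exclusions are checked first so an exempt tag or
    account always wins; a resource without an account is matched on tags only."""
    tags = resource.get("properties", {}).get("tags", {})
    account = resource.get("account")
    exclude = target.get("exclude", {})
    if account and any(fnmatch.fnmatch(account, p) for p in exclude.get("accounts", [])):
        return False
    if any(tags.get(t) in vals for t, vals in exclude.get("tags", {}).items()):
        return False
    if account and target.get("accounts"):
        return any(fnmatch.fnmatch(account, p) for p in target["accounts"])
    return True


def evaluate(policy, resource):
    """Return {'status', 'violations', 'severity'} for one resource."""
    if not in_scope(policy["target"], resource):
        return {"status": "not_in_scope", "violations": 0, "severity": None}
    props = resource.get("properties", {})
    hits = [r for r in policy["rules"] if condition_matches(r["condition"], props)]
    if not hits:
        return {"status": "compliant", "violations": 0, "severity": None}
    worst = max(hits, key=lambda r: SEVERITY_ORDER.index(r["severity"]))
    return {"status": "non_compliant", "violations": len(hits), "severity": worst["severity"]}


def run_test_cases(policy, cases):
    """Run page-style cases; return [(name, {field: (expected, got)})] for failures."""
    failures = []
    for case in cases:
        got = evaluate(policy, case["resource"])
        diff = {k: (v, got.get(k)) for k, v in case["expected_result"].items() if got.get(k) != v}
        if diff:
            failures.append((case["name"], diff))
    return failures


BUCKET = {"type": "aws_s3_bucket", "account": "prod-data"}  # constructed base resource
TEST_CASES = [
    {"name": "Unencrypted public bucket should fail",
     "resource": {**BUCKET, "properties": {"encryption": {"enabled": False}, "public_access": True,
                                           "tags": {"environment": "production"}}},
     "expected_result": {"status": "non_compliant", "violations": 1, "severity": "high"}},
    {"name": "Encrypted bucket should pass",
     "resource": {**BUCKET, "properties": {"encryption": {"enabled": True, "algorithm": "AES256"},
                                           "public_access": False}},
     "expected_result": {"status": "compliant", "violations": 0}},
    # The page's rule ANDs its clauses, so an unencrypted but private bucket
    # is reported compliant; drop the public_access clause if the intent is
    # "all storage must be encrypted".
    {"name": "Unencrypted private bucket passes under the AND condition",
     "resource": {**BUCKET, "properties": {"encryption": {"enabled": False}, "public_access": False}},
     "expected_result": {"status": "compliant", "violations": 0}},
    # An exemption tag removes the resource from scope entirely, so who may
    # set that tag is part of the policy's threat model.
    {"name": "Exempt-tagged unencrypted public bucket is out of scope",
     "resource": {**BUCKET, "properties": {"encryption": {"enabled": False}, "public_access": True,
                                           "tags": {"encryption_exempt": "true"}}},
     "expected_result": {"status": "not_in_scope", "violations": 0}},
]

POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    failed = run_test_cases(POLICY, TEST_CASES)
    print(f"{len(TEST_CASES) - len(failed)}/{len(TEST_CASES)} cases passed")
    for name, diff in failed:
        print("FAIL", name, diff)
```

Running the block reports all four cases passing, which is the point of the third and fourth cases: a test suite that only contains the two cases from the page would never reveal that the "and" operator lets unencrypted private storage through, or that a writable exemption tag is a bypass. Treat a case like the third one as the regression test that fails once the clause is removed, and keep the tag-based exclusion under the same change control as the policy itself.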