Policy Examples & Templates
Real-world policy examples and templates for common governance scenarios
Security Policies
Essential security controls and best practices
Enforce Encryption at Rest
Ensure all storage resources have encryption enabled
YAML Policy Definition

name: "Enforce S3 Encryption"
description: "All S3 buckets must have encryption enabled"
version: "1.0"
rules:
  - name: s3_encryption_check
    resource: "aws.s3.bucket"
    condition: |
      resource.encryption.sse_algorithm == null or
      resource.encryption.sse_algorithm == ""
    action: "fail"
    severity: "high"
    message: "S3 bucket must have server-side encryption enabled"
  - name: ebs_encryption_check
    resource: "aws.ec2.volume"
    condition: |
      resource.encrypted == false
    action: "fail"
    severity: "high"
    message: "EBS volumes must be encrypted"

Network Security Groups
Restrict overly permissive security group rules
YAML Policy Definition

name: "Secure Security Groups"
description: "Prevent overly permissive security group rules"
version: "1.0"
rules:
  - name: no_ssh_from_internet
    resource: "aws.ec2.security_group"
    condition: |
      any(resource.ingress_rules, rule ->
        rule.from_port <= 22 and rule.to_port >= 22 and
        any(rule.cidr_blocks, cidr -> cidr == "0.0.0.0/0")
      )
    action: "fail"
    severity: "critical"
    message: "SSH access should not be allowed from 0.0.0.0/0"
  - name: no_rdp_from_internet
    resource: "aws.ec2.security_group"
    condition: |
      any(resource.ingress_rules, rule ->
        rule.from_port <= 3389 and rule.to_port >= 3389 and
        any(rule.cidr_blocks, cidr -> cidr == "0.0.0.0/0")
      )
    action: "fail"
    severity: "critical"
    message: "RDP access should not be allowed from 0.0.0.0/0"

Compliance Policies
Regulatory compliance and industry standards
PCI DSS Data Protection
Payment card industry data security requirements
YAML Policy Definition

name: "PCI DSS Data Protection"
description: "Ensure payment data protection compliance"
version: "1.0"
rules:
  - name: database_encryption
    resource: ["aws.rds.instance", "azure.sql.database", "gcp.sql.instance"]
    condition: |
      resource.encrypted == false
    action: "fail"
    severity: "critical"
    message: "Databases containing payment data must be encrypted"
  - name: access_logging
    resource: ["aws.s3.bucket", "azure.storage.account", "gcp.storage.bucket"]
    condition: |
      resource.logging_enabled == false
    action: "fail"
    severity: "high"
    message: "Access logging must be enabled for payment data storage"
  - name: network_segmentation
    resource: "aws.ec2.instance"
    condition: |
      resource.vpc_id == null or
      not(starts_with(resource.subnet_id, "subnet-secure-"))
    action: "warn"
    severity: "medium"
    message: "Payment processing systems should be in segmented networks"

GDPR Data Privacy
European data protection regulation compliance
YAML Policy Definition

name: "GDPR Data Privacy Controls"
description: "Ensure GDPR compliance for personal data processing"
version: "1.0"
rules:
  - name: data_retention_policy
    resource: "azure.storage.account"
    # 2555 days is the 7-year retention cap; the comment sits outside the
    # block scalar so it is not read as part of the condition expression
    condition: |
      resource.lifecycle_policy == null or
      resource.lifecycle_policy.delete_after_days > 2555
    action: "fail"
    severity: "high"
    message: "Data retention must not exceed GDPR limits"
  - name: data_location_eu
    resource: ["azure.storage.account", "azure.sql.database"]
    condition: |
      not(contains(["westeurope", "northeurope", "francecentral"], resource.location))
    action: "fail"
    severity: "critical"
    message: "Personal data must be stored within EU boundaries"
  - name: backup_encryption
    resource: "azure.backup.vault"
    condition: |
      resource.encryption_enabled == false
    action: "fail"
    severity: "high"
    message: "Backup data containing personal information must be encrypted"

Cost Optimization
Policies to control and optimize cloud spending
Right-Size EC2 Instances
Identify oversized instances for cost savings
YAML Policy Definition

name: "EC2 Right-Sizing"
description: "Identify oversized EC2 instances"
version: "1.0"
rules:
  - name: high_cpu_low_utilization
    resource: "aws.ec2.instance"
    condition: |
      starts_with(resource.instance_type, "c5.") and
      resource.cpu_utilization_avg_7d < 20
    action: "warn"
    severity: "medium"
    message: "Compute-optimized instance with low CPU utilization"
    remediation: "Consider switching to general purpose instance type"
  - name: memory_optimized_underused
    resource: "aws.ec2.instance"
    condition: |
      starts_with(resource.instance_type, "r5.") and
      resource.memory_utilization_avg_7d < 30
    action: "warn"
    severity: "medium"
    message: "Memory-optimized instance with low memory utilization"
  - name: oversized_general_purpose
    resource: "aws.ec2.instance"
    condition: |
      starts_with(resource.instance_type, "m5.") and
      resource.cpu_utilization_avg_7d < 15 and
      resource.memory_utilization_avg_7d < 25
    action: "warn"
    severity: "low"
    message: "Instance appears oversized for current workload"

Unused Resources Cleanup
Identify and flag unused cloud resources
YAML Policy Definition

name: "Unused Resources Detection"
description: "Identify unused cloud resources"
version: "1.0"
rules:
  - name: unattached_ebs_volumes
    resource: "aws.ec2.volume"
    condition: |
      resource.state == "available" and
      age_days(resource.created_at) > 7
    action: "warn"
    severity: "low"
    message: "EBS volume has been unattached for over 7 days"
  - name: unused_elastic_ips
    resource: "aws.ec2.elastic_ip"
    condition: |
      resource.instance_id == null and
      resource.network_interface_id == null
    action: "warn"
    severity: "low"
    message: "Elastic IP is not associated with any resource"
  - name: idle_load_balancers
    resource: "aws.elb.load_balancer"
    condition: |
      resource.target_count == 0 or
      resource.request_count_7d < 100
    action: "warn"
    severity: "medium"
    message: "Load balancer appears to be idle or underutilized"

Operational Excellence
Best practices for reliable operations
Backup and Recovery
Ensure critical resources have proper backup strategies
YAML Policy Definition

name: "Backup and Recovery Compliance"
description: "Ensure critical resources have backup strategies"
version: "1.0"
rules:
  - name: rds_backup_enabled
    resource: "aws.rds.instance"
    condition: |
      resource.backup_retention_period == 0 or
      resource.backup_retention_period < 7
    action: "fail"
    severity: "high"
    message: "RDS instances must have backup retention of at least 7 days"
  - name: s3_versioning_enabled
    resource: "aws.s3.bucket"
    condition: |
      resource.versioning_enabled == false and
      contains(resource.tags.values(), "critical")
    action: "fail"
    severity: "medium"
    message: "Critical S3 buckets must have versioning enabled"
  - name: ebs_snapshot_policy
    resource: "aws.ec2.volume"
    condition: |
      resource.snapshot_count_30d == 0 and
      resource.size_gb > 100
    action: "warn"
    severity: "medium"
    message: "Large EBS volumes should have regular snapshots"

Monitoring and Alerting
Ensure proper monitoring is configured
YAML Policy Definition

name: "Monitoring and Alerting"
description: "Ensure proper monitoring configuration"
version: "1.0"
rules:
  - name: vm_monitoring_enabled
    resource: "gcp.compute.instance"
    condition: |
      resource.monitoring_enabled == false
    action: "warn"
    severity: "medium"
    message: "VM instances should have monitoring enabled"
  - name: database_monitoring
    resource: "gcp.sql.instance"
    condition: |
      resource.insights_config.enabled == false or
      resource.insights_config.performance_insights == false
    action: "fail"
    severity: "high"
    message: "Database instances must have performance monitoring enabled"
  - name: log_retention_policy
    resource: "gcp.logging.sink"
    condition: |
      resource.retention_days == null or
      resource.retention_days < 90
    action: "warn"
    severity: "low"
    message: "Log retention should be at least 90 days for audit purposes"
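The no_ssh_from_internet and no_rdp_from_internet rules from the Security Policies section above, carried out in Python over constructed security-group data. This is an added example, not the policy engine's own evaluator: the IngressRule and SecurityGroup types and the sample groups are assumptions, and it goes one step beyond the page by also treating the IPv6 catch-all ::/0 as an any-source CIDR, which the YAML condition (0.0.0.0/0 only) does not.

```python
"""Added example (not the project's code): evaluate the page's security-group
rules over constructed data, including the IPv6 any-source case."""
from dataclasses import dataclass, field

# The YAML rules check only 0.0.0.0/0; ::/0 is added here as an extension.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass
class IngressRule:            # assumed shape of one security-group ingress entry
    from_port: int
    to_port: int
    cidr_blocks: list[str] = field(default_factory=list)


@dataclass
class SecurityGroup:          # assumed shape of an aws.ec2.security_group
    name: str
    ingress_rules: list[IngressRule]


# (rule name, port, severity, message), mirroring the two YAML rules.
POLICY = [
    ("no_ssh_from_internet", 22, "critical",
     "SSH access should not be allowed from 0.0.0.0/0"),
    ("no_rdp_from_internet", 3389, "critical",
     "RDP access should not be allowed from 0.0.0.0/0"),
]


def port_exposed_to_internet(sg: SecurityGroup, port: int) -> bool:
    """Same logic as the YAML condition: any rule whose port range covers
    `port` and whose CIDR list contains an any-source address. A rule such
    as 0-65535 is caught because the range test is a containment test."""
    return any(r.from_port <= port <= r.to_port
               and any(c in ANY_SOURCE for c in r.cidr_blocks)
               for r in sg.ingress_rules)


def evaluate(sg: SecurityGroup) -> list[tuple[str, str, str]]:
    """Return (rule_name, severity, message) for every rule that fails."""
    return [(n, sev, msg) for n, port, sev, msg in POLICY
            if port_exposed_to_internet(sg, port)]


# Constructed sample groups: one open SSH, one compliant, one all-ports over IPv6.
SAMPLE_GROUPS = [
    SecurityGroup("bastion", [IngressRule(22, 22, ["0.0.0.0/0"])]),
    SecurityGroup("web", [IngressRule(443, 443, ["0.0.0.0/0"]),
                          IngressRule(22, 22, ["10.0.0.0/8"])]),
    SecurityGroup("allports", [IngressRule(0, 65535, ["::/0"])]),
]


def run() -> dict[str, list[str]]:
    """Map each sample group name to the names of the rules it fails."""
    return {sg.name: [f[0] for f in evaluate(sg)] for sg in SAMPLE_GROUPS}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits or "compliant")
```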