Policy & Governance

The Governance page in Firefly enables you to define, manage, and enforce compliance policies across your cloud and SaaS infrastructure and Infrastructure-as-Code (IaC) deployments. Using policy-as-code principles, Firefly helps you automate governance, ensure security compliance, and maintain best practices at scale.

Firefly's governance engine is built on the Open Policy Agent (OPA) framework and includes comprehensive built-in policies plus the ability to create custom rules tailored to your organization's needs.

Key Features

Built-in Policies

Firefly provides dozens of pre-configured policies covering:

  • Security: Encryption, access controls, network security.

  • Compliance: Industry standards (CIS, SOC2, PCI, etc.).

  • Cost Optimization: Unused resources, rightsizing recommendations.

  • Best Practices: Tagging, backup configurations, resource management, etc.

These policies are continuously updated by the Firefly team.

Custom Policy Creation

Create organization-specific policies using:

  • AI-powered generation: Describe your requirements in plain English.

  • Rego code editor: Write custom Open Policy Agent rules.

  • Testing playground: Validate policies against real assets before deployment.

Continuous Monitoring

  • Real-time evaluation: Policies run continuously against your infrastructure.

  • Compliance scoring: Track compliance percentages for each policy.

  • Violation tracking: Monitor policy violations with detailed remediation guidance.

Automated Remediation

  • IaC patches: Generate pull requests to fix violations in your Infrastructure-as-Code.

  • Cloud patches: Provide CLI commands for direct cloud resource fixes.

  • Integration workflows: Create tickets in Jira.

Understanding the Governance Dashboard

When you navigate to the Governance page, you'll see a comprehensive view of your policy landscape:

Policy Overview Table

Each policy displays:

  • Name and Category: Clear identification and organization.

  • Severity Level: Impact classification (Info, Low, Medium, High, Critical).

  • Compliance Percentage: How many assets pass the policy check.

  • Violating Assets: Count of resources that fail the policy with a link to the Inventory page, filtered to show only the assets that violate the policy.

  • Data Source & Asset Type: Which cloud or SaaS providers and asset types the policy is applied to.

  • Remediation: Available remediation options and recommendations.

Policy Actions

For each policy, you can perform several key actions:

  • Remediate: Fix the violation either by generating a pull request against your Infrastructure-as-Code or by running the provided CLI commands directly against the cloud resource. For more information, see Remediating Policy Violations.

  • View All Assets: Click on the violating assets count to see a detailed list of all resources affected by the policy in the Inventory page. This opens a filtered view showing exactly which assets are violating the policy.

  • Create Notification Rules: Set up automated alerts for policy violations by configuring notification rules. You can choose your preferred destination (Slack, Microsoft Teams, email, webhook, etc.) to receive real-time alerts when new violations occur.

  • Create Jira Issues: Directly create Jira tickets for policy violations to track remediation efforts. This integration allows you to automatically generate issues with relevant context about the policy violation, ensuring governance issues are properly tracked and resolved.

Filtering and Organization

Use the filter options to focus on specific areas:

  • Frameworks: Filter by compliance standards (CIS, HIPAA, PCI, etc.).

  • Categories: Focus on security, cost, encryption, etc.

  • Providers: View policies for specific cloud or SaaS providers.

  • Data Sources: View policies for specific cloud or SaaS providers.

  • Scopes: View policies for specific asset types.

  • Severity: Prioritize critical or high-severity violations.

  • Available Providers: Show only policies that apply to the data sources integrated into your Firefly account.

  • Production: Show only violations that are in production data sources.

  • Violating Assets: Show only policies that have violating assets.

  • Notifications: Show only policies that have notifications configured.

  • Enabled: Show only policies that are enabled.

Working with Policies

Creating New Policies

For detailed instructions on creating custom policies, see Creating Policy-as-Code Rules.

Key steps include:

  1. Define policy scope: Select data sources and asset types.

  2. Set policy details: Name, category, severity, and description.

  3. Write policy logic: Use AI generation or manual Rego code.

  4. Test and validate: Ensure the policy works as expected.

  5. Deploy and monitor: Activate the policy for continuous evaluation.
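As an added illustration of steps 3 and 4 (not Firefly's own code), here is a small Rego policy with the unit tests you would run before enabling it. The `input` shape (type, name, encryption.enabled, tags) is a constructed assumption for this example, not Firefly's actual asset schema.

```rego
# Added example, not Firefly's own code. The `input` shape (type, name,
# encryption.enabled, tags) is a constructed assumption for illustration,
# not Firefly's real asset schema.
package custom.storage_controls

import rego.v1

# Tags every asset must carry (constructed requirement).
required_tags := {"owner", "environment"}

# The asset passes only when no violation message is produced.
default allow := false

allow if count(violations) == 0

# Security category: storage buckets must have encryption enabled.
violations contains msg if {
    input.type == "aws_s3_bucket"
    not input.encryption.enabled
    msg := sprintf("bucket %q has encryption disabled", [input.name])
}

# Best-practice category: required tags must be present on every asset.
violations contains msg if {
    some tag in required_tags
    not input.tags[tag]
    msg := sprintf("asset %q is missing required tag %q", [input.name, tag])
}

# Unit tests: run with `opa test .` before deploying the policy.
compliant_bucket := {
    "type": "aws_s3_bucket", "name": "audit-logs",
    "encryption": {"enabled": true},
    "tags": {"owner": "secops", "environment": "prod"},
}

test_compliant_bucket_allowed if {
    allow with input as compliant_bucket
}

test_unencrypted_untagged_bucket_denied if {
    bad := {"type": "aws_s3_bucket", "name": "scratch", "encryption": {"enabled": false}, "tags": {}}
    not allow with input as bad
    # one encryption finding plus one finding per missing tag
    count(violations) == 3 with input as bad
}
```

The `violations` set doubles as the remediation guidance a reviewer sees, so keep each message specific to the asset and control it names.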

Managing Policy Violations

When violations occur, you have several remediation options. For complete guidance, see Remediating Policy Violations.

IaC Remediation (Recommended):

  • Generate pull requests to fix violations in your Infrastructure-as-Code.

  • Ensure fixes are version-controlled and properly reviewed.

  • Prevent infrastructure drift by keeping code and deployed state aligned.

Direct Cloud Remediation:

  • Apply fixes directly to cloud resources using provided CLI commands.

  • Suitable for unmanaged resources or emergency fixes.

  • Immediate compliance restoration.

Integration with Development Workflows

Firefly integrates policy enforcement into your development lifecycle:

  • Pre-deployment scanning: Prevent non-compliant resources from being deployed. For more information, see Workflows & Guardrails.

  • Git integration: Track policy violations back to specific code changes.

  • Notification systems: Alert teams when new violations are detected.

Best Practices for Implementation

Getting Started

  1. Review built-in policies: Disable non-relevant pre-configured rules.

  2. Start with high-severity items: Focus on critical security and compliance issues.

  3. Establish baselines: Understand your current compliance posture.

  4. Set up notifications: Configure alerts for new violations.

Scaling Governance

  1. Create custom policies: Add organization-specific rules where the built-in set does not cover your requirements. For more information, see Creating Policy-as-Code Rules.

  2. Implement gradual rollouts: Phase in new policies across environments.

  3. Train development teams: Ensure understanding of governance requirements.

  4. Regular policy reviews: Keep rules current with changing requirements.

  5. Enforce policies: Ensure policies are enforced at the deployment level. For more information, see Workflows & Guardrails.

Summary

Firefly's Policy & Governance capabilities provide comprehensive infrastructure governance through:

  • Automated policy enforcement across multi-cloud and SaaS environments.

  • Continuous compliance monitoring with real-time violation detection.

  • Intelligent remediation through AI-powered fix generation.

  • Seamless integration with IaC deployments and cloud resources.

By implementing policy-as-code practices with Firefly, you can maintain security, compliance, and operational excellence while enabling development teams to move quickly and confidently.

For specific implementation guidance, refer to:
