Creating Policy-as-Code Governance Rules
A Policy-as-Code governance rule allows you to define custom compliance and security policies that Firefly will enforce across your cloud infrastructure and IaC deployments. These rules help ensure your cloud resources adhere to your organization's standards, security requirements, and best practices. Once created, Firefly will continuously evaluate your infrastructure against these policies and flag any violations, helping you maintain governance at scale. These policies are also applied during IaC deployments to prevent non-compliant resources from being created in the first place.
How to add a Policy-as-Code governance rule:
Open Governance page: In the Firefly app, go to Governance page. This page allows you to manage all your governance policies.
Add a new policy: Click on + Custom Policy. This will open the Create Custom Policy form.
Configure policy details: Fill in the Policy Details section:
Name: Give the policy a clear name (e.g., Ensure all S3 buckets are encrypted).
Category: Select or create a category to organize your policies (e.g., Observability, Security, Compliance).
Severity: Choose the severity level (LOW, MEDIUM, HIGH, CRITICAL) for violations.
Data Source: Select the cloud provider (e.g., AWS, Azure, GCP) or specific cloud accounts.
Asset Type: Choose the specific resource type to evaluate (e.g., AWS S3 Bucket, EC2 Instance). Can be multiple resource types and even all resource types.
Add policy description: In the Policy description field, provide details about what the policy checks and why it's important. This helps team members understand the policy's purpose.
Define the policy logic: In the Rego Playground section, you have two options for creating your policy logic: Option A: AI-Generated Code (Recommended)
Click "Generate with Thinkerbell AI" to automatically generate Rego code based on your policy details.
Ensure you've provided a clear, descriptive policy description in step 4 for best AI results.
The AI will analyze your requirements and generate appropriate Rego code.
Review and modify the generated code as needed.
Option B: Manual Code Writing
Write the policy logic manually using the Rego policy language (the language used by Open Policy Agent).
The playground provides:
A code editor with syntax highlighting.
An asset selector to choose a sample of resource data for viewing the input schema.
Input schema display showing the structure of data your policy will receive.
Real-time validation of your Rego code.
Test the policy:
Click Evaluate to test your Rego code.
Check the MATCHING RESULTS to see which resources would be affected.
Save the policy: Once your policy is working correctly (showing "Success" message), click Create to create the policy. The policy will be activated and Firefly will begin evaluating your infrastructure against it. The policy will also be enforced during IaC deployments to prevent non-compliant resources from being created.
After creating a policy, you can view violations in the Governance dashboard. Each violation will show which resource violated the policy and why, allowing you to take corrective action. If needed, you can always disable or delete the policy later via the Governance page.
Example: S3 Bucket Encryption Policy
Here's a practical example of a Rego policy that ensures all AWS S3 buckets have server-side encryption enabled by default:
firefly {
match
}
match {
not input.rule.apply_server_side_encryption_by_default
}How this policy works:
firefly: This is the main rule that Firefly evaluates. When this rule is true, it means the resource violates the policy.match: This is a helper rule that contains the actual policy logic.not input.rule.apply_server_side_encryption_by_default: This condition checks if the S3 bucket configuration does NOT have server-side encryption enabled by default.
Policy behavior:
If an S3 bucket has
apply_server_side_encryption_by_defaultset totrue, thematchrule will be false, and the policy passes.If an S3 bucket has
apply_server_side_encryption_by_defaultset tofalseor is missing this setting, thematchrule will be true, flagging it as a violation.
When to use this policy: This policy is essential for organizations that need to ensure all S3 buckets are encrypted at rest to meet security and compliance requirements. It helps prevent accidental creation of unencrypted buckets and identifies existing buckets that need encryption enabled.
Setting up this policy:
Set Asset Type to "AWS S3 Bucket" when creating the policy.
Set Data Source to your AWS accounts.
Choose appropriate Severity (typically HIGH or CRITICAL for encryption policies).
Use the Rego code above in the policy logic section.
When to create custom Policy-as-Code rules:
Creating custom governance policies is valuable in several scenarios:
Industry-specific compliance: If your organization must adhere to specific regulations (like HIPAA, PCI-DSS, or GDPR), you can create policies that enforce those requirements across your cloud infrastructure.
Internal security standards: Enforce your organization's security best practices, such as requiring MFA for all IAM users, preventing public access to sensitive resources, or ensuring proper encryption settings.
Cost optimization: Create policies that identify wasteful resources, such as oversized instances, unused volumes, or resources without proper lifecycle management.
Tagging and organization: Ensure all resources follow your tagging strategy by creating policies that check for required tags or naming conventions.
Architecture standards: Enforce architectural best practices, such as requiring multi-AZ deployments for production databases or preventing the use of deprecated services.
Note: Firefly comes with built-in policies for all of these cases. You can add custom policies to fit your needs.
By implementing Policy-as-Code governance rules, you can automate compliance checking, reduce manual auditing efforts, and catch potential issues before they become problems. This proactive approach to governance helps maintain security and compliance at scale while still allowing teams to move quickly.
Last updated
Was this helpful?