Creating Policy-as-Code Governance Rules

A Policy-as-Code governance rule allows you to define custom compliance and security policies that Firefly will enforce across your cloud infrastructure. These rules help ensure your cloud resources adhere to your organization's standards, security requirements, and best practices. Once created, Firefly will continuously evaluate your infrastructure against these policies and flag any violations, helping you maintain governance at scale.

How to add a Policy-as-Code governance rule:

  1. Open Policy settings: In the Firefly app, go to Settings > Policies. This section allows you to manage all your governance policies.

  2. Add a new policy: Click on "+ Add policy." This will start the wizard to create a custom governance policy.

  3. Name and describe the policy: Give the policy a clear Name and an optional Description so you and your team understand its purpose. For example, "Ensure all S3 buckets are encrypted" could be a policy name.

  4. (Optional) Label the policy: You can assign a label or category to the policy (or create a new label) to help organize multiple policies. This is useful if you have many policies and want to filter or group them by compliance framework (e.g., CIS, SOC2) or by team.

  5. Choose the scope: Click Next, then select the scope of the policy. The scope determines which resources the policy will evaluate. It could be specific cloud accounts, regions, resource types, or a combination. For example, you might scope the policy to only AWS accounts or specifically to S3 buckets.

  6. Define the policy logic: In the provided code editor, write the policy logic using the Rego policy language (the language used by Open Policy Agent). Firefly uses Rego to define custom rules. For instance, you could write a Rego expression that checks if encryption is enabled on storage resources or if specific tags are present. (Firefly will provide templates or examples in the editor to help get you started.)

  7. Preview policy evaluation: Before finalizing, you can preview which resources would violate this policy. Use the preview option to see a list of resources that currently fail to meet the policy criteria. This helps validate that your policy is correctly identifying non-compliant resources.

  8. Save the policy: Click Next and then Done to create the policy. The policy will be activated, and Firefly will begin evaluating your infrastructure against it.
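The following Rego policy is an added example of the logic you would write in step 6; it is not one of Firefly's editor templates. It implements the two checks the steps mention: the "Ensure all S3 buckets are encrypted" policy named in step 3, and a required-tags check. The shape of `input` (one asset per evaluation, with `asset_type`, `name`, `configuration` in Terraform-style attribute layout, and a `tags` map), the `required_tags` list and the `violation`/`compliant` output convention are assumptions made for this example; replace them with the input schema and rule names shown in the Firefly editor for the resource type you scoped in step 5.

```rego
package firefly.custom.storage_encryption

import rego.v1

# Assumed input shape for this example (not Firefly's documented schema):
#   input.asset_type     e.g. "aws_s3_bucket"
#   input.name           resource name
#   input.configuration  Terraform-style resource attributes
#   input.tags           map of tag key -> tag value

# Tags every scoped resource must carry (constructed list for the example).
required_tags := {"Owner", "Environment", "CostCenter"}

# Server-side encryption algorithms accepted as "encrypted at rest".
approved_sse := {"AES256", "aws:kms"}

# True when at least one default SSE rule on the bucket uses an approved algorithm.
encrypted_at_rest if {
	some sse in input.configuration.server_side_encryption_configuration
	some rule in sse.rule
	some default_enc in rule.apply_server_side_encryption_by_default
	default_enc.sse_algorithm in approved_sse
}

# Violation: an S3 bucket with no approved server-side encryption.
violation contains msg if {
	input.asset_type == "aws_s3_bucket"
	not encrypted_at_rest
	msg := sprintf("S3 bucket %v has no approved server-side encryption", [input.name])
}

# Violation: any scoped resource whose required tag is missing or empty.
# object.get keeps the rule defined even when the asset has no tags at all.
violation contains msg if {
	tags := object.get(input, "tags", {})
	some tag in required_tags
	object.get(tags, tag, "") == ""
	msg := sprintf("%v %v is missing required tag %v", [input.asset_type, input.name, tag])
}

# Assumed output convention: the asset is flagged when at least one violation
# message is produced; mirror whatever the editor template expects instead.
compliant if count(violation) == 0
```

The preview in step 7 is where this pays off: an unencrypted bucket or an asset with an empty `Owner` tag should appear in the preview list with the matching message, and a bucket using `aws:kms` should not. If the preview flags nothing, the most common cause is that the attribute path in the policy does not match the input schema the editor shows for the scoped resource type.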

After creating a policy, you can view violations in the Governance dashboard. Each violation will show which resource failed the policy check and why, allowing you to take corrective action. If needed, you can always disable or delete the policy later via the Settings > Policies page.

When to create custom Policy-as-Code rules:

Creating custom governance policies is valuable in several scenarios:

  • Industry-specific compliance: If your organization must adhere to specific regulations (like HIPAA, PCI-DSS, or GDPR), you can create policies that enforce those requirements across your cloud infrastructure.

  • Internal security standards: Enforce your organization's security best practices, such as requiring MFA for all IAM users, preventing public access to sensitive resources, or ensuring proper encryption settings.

  • Cost optimization: Create policies that identify wasteful resources, such as oversized instances, unused volumes, or resources without proper lifecycle management.

  • Tagging and organization: Ensure all resources follow your tagging strategy by creating policies that check for required tags or naming conventions.

  • Architecture standards: Enforce architectural best practices, such as requiring multi-AZ deployments for production databases or preventing the use of deprecated services.

  • Custom guardrails: Create policies that prevent specific actions or configurations that pose risks to your environment, such as opening broad security group rules or creating resources in unapproved regions.
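As an added example of the custom-guardrails scenario above (not a Firefly template), the policy below flags security groups that expose sensitive ports to the whole internet and assets deployed outside an approved region list. As in any Firefly policy, the logic goes in the step 6 editor; the `input` layout (`asset_type`, `name`, `region`, and `configuration.ingress` as a list of Terraform-style rules), the `approved_regions` and `sensitive_ports` lists and the `violation`/`compliant` convention are assumptions for illustration and should be adjusted to the schema the editor shows.

```rego
package firefly.custom.network_guardrails

import rego.v1

# Assumed input shape for this example (not Firefly's documented schema):
#   input.asset_type            e.g. "aws_security_group"
#   input.name, input.region
#   input.configuration.ingress list of {from_port, to_port, protocol,
#                               cidr_blocks, ipv6_cidr_blocks}

# Regions approved for deployment (constructed list for the example).
approved_regions := {"us-east-1", "eu-west-1"}

# Ports that must never be reachable from the whole internet (constructed list).
sensitive_ports := {22, 3389, 3306, 5432}

world_cidrs := {"0.0.0.0/0", "::/0"}

# An ingress rule is world-open when any of its IPv4 or IPv6 CIDRs is "everyone".
world_open(rule) if {
	cidrs := array.concat(object.get(rule, "cidr_blocks", []), object.get(rule, "ipv6_cidr_blocks", []))
	some cidr in cidrs
	cidr in world_cidrs
}

# A rule covers a port when it allows all traffic (protocol "-1") or the port
# falls inside the rule's from_port..to_port range.
covers(rule, port) if rule.protocol == "-1"

covers(rule, port) if {
	rule.from_port <= port
	port <= rule.to_port
}

# Violation: a security group ingress rule opens a sensitive port to the internet.
violation contains msg if {
	input.asset_type == "aws_security_group"
	some rule in object.get(input.configuration, "ingress", [])
	world_open(rule)
	some port in sensitive_ports
	covers(rule, port)
	msg := sprintf("security group %v exposes port %v to the internet", [input.name, port])
}

# Violation: any scoped asset created in a region that is not approved.
violation contains msg if {
	not input.region in approved_regions
	msg := sprintf("%v %v is deployed in unapproved region %v", [input.asset_type, input.name, input.region])
}

# Assumed output convention: flagged when at least one violation is produced.
compliant if count(violation) == 0
```

Scoping this policy (step 5) to security groups keeps the port check meaningful, while the region check is written so it applies to whatever resource types you include; a rule with `protocol = "-1"` and `0.0.0.0/0` will produce one violation message per sensitive port, which makes the preview list easy to read.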

By implementing Policy-as-Code governance rules, you can automate compliance checking, reduce manual auditing efforts, and catch potential issues before they become problems. This proactive approach to governance helps maintain security and compliance at scale while still allowing teams to move quickly.

Last updated 1 month ago