
Policy-as-Code for Compliance & Governance


Last updated 8 days ago


Firefly includes a powerful Policy-as-Code engine that allows you to define and enforce governance rules across your cloud environment. Policy-as-Code means that policies (security rules, compliance requirements, cost controls, etc.) are expressed in code or configuration files, rather than in ad-hoc manual checks. This approach ensures consistent, automated enforcement of best practices and standards. In Firefly, policies can cover a wide range of checks, from requiring certain tags on every resource, to ensuring no S3 bucket is public, to enforcing cost optimization on certain resources.

Key capabilities of Firefly's governance and compliance features:

Unified Policy Engine

Firefly provides a single policy enforcement framework that works across all your clouds and IaC tools. Instead of dealing with separate policy systems for AWS, Azure, GCP, and Kubernetes, you can define policies once and apply them everywhere. Firefly integrates with cloud APIs and scanning tools to evaluate your infrastructure against these rules continuously.

Pre-Built Compliance Rules

Out of the box, Firefly comes with a library of common policies and standards. These include templates for industry compliance frameworks like PCI-DSS, SOC 2, HIPAA, and others. For example, there are pre-built rules to ensure encryption is enabled on databases, that no databases are publicly accessible, that all resources have an owner tag, etc. Using these built-in policies, you can quickly achieve baseline compliance without writing everything from scratch. Firefly keeps these updated as standards evolve.

Custom Policy-as-Code

You can also write custom policies specific to your organization. Firefly supports defining policies in code, using the Open Policy Agent's Rego language. This means you can encode any rule (no matter how specific) into Firefly's engine. For instance, you might require that all EC2 volumes are encrypted with a particular KMS key, or that certain naming conventions are followed.

Continuous Compliance Monitoring

Firefly continuously scans your asset inventory against all active policies. If a resource violates a policy, it is immediately flagged. The Governance page shows the overall compliance score (e.g., "95% of resources compliant, 5% with violations") and lists each violation. You can drill down to see which rule was broken and which resource is non-compliant. This real-time monitoring means you are always audit-ready.

Violation Alerts & Remediation

Firefly can alert you when a policy violation is detected (via email or ChatOps) thanks to Firefly's ChatOps integration. Moreover, many policy violations can be fixed with automation. Firefly's AI assistant can suggest remediation steps for policy violations. For example, if a VM is found with an open SSH port against policy, Firefly suggests a Terraform code snippet (on managed assets) to close it, or a command (on unmanaged assets) to update the security group.

Categorization and Reporting

Firefly organizes policy checks into intuitive categories such as security, cost, reliability, and tagging. This helps you focus your efforts (for example, start with critical security fixes, then improve tagging hygiene). The platform provides compliance reports that can be exported or shared, which is useful for governance meetings or audits, to demonstrate adherence or track improvements over time. Learn more in the Analytics Page.

To illustrate a custom policy, here is a simple example of a Policy-as-Code rule written in Rego (the policy language for Open Policy Agent) that could be used in Firefly. This policy ensures every EC2 instance has an "Environment" tag and flags those that do not:

firefly {
  not input.tags["Environment"]
}

In this snippet, the policy logic evaluates the condition not input.tags["Environment"]. If this condition is true (meaning the "Environment" tag is not set on the input resource), Firefly flags the resource as violating the policy. When adding this custom policy in Firefly, you specify the resource type it applies to (e.g., EC2 instances). Firefly's policy engine then evaluates this rule against all resources of the configured type, and any such resource without the "Environment" tag is listed as a violation. Similar policies can be written for a wide variety of needs (ensuring naming conventions, requiring specific configurations, etc.).

By implementing policies as code, you ensure that compliance is proactive and automated. Instead of discovering problems during a security review or after an outage, Firefly helps you enforce your rules continuously.
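Building on the single-tag snippet above, the following policy is an added example (not Firefly's own code) that covers the custom checks mentioned in the Custom Policy-as-Code and remediation sections: several required tags, root-volume encryption with a specific KMS key, and SSH open to the world. Only the `firefly` rule name and `input.tags` come from the page; the package name, the `root_volume` and `security_groups` fields of `input`, and the KMS key value are assumptions.

```rego
# Added example, not Firefly's own code. `firefly` and `input.tags` follow the page's
# snippet; `root_volume`, `security_groups` and the package name are assumed.
package firefly.ec2_hygiene

required_tags := {"Environment", "Owner", "CostCenter"}

# Placeholder: substitute the KMS key your organization mandates.
approved_kms_key := "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"

# A tag counts as present only when it is a non-empty string.
has_value(v) {
    is_string(v)
    v != ""
}

missing_tags[t] {
    t := required_tags[_]
    not has_value(input.tags[t])
}

violations[msg] {
    t := missing_tags[_]
    msg := sprintf("missing required tag %q", [t])
}

violations[msg] {
    not input.root_volume.encrypted
    msg := "root volume is not encrypted"
}

violations[msg] {
    input.root_volume.kms_key_id != approved_kms_key
    msg := sprintf("root volume uses KMS key %q, not the approved key", [input.root_volume.kms_key_id])
}

# The page's remediation example: SSH reachable from any address.
violations[msg] {
    rule := input.security_groups[_].ingress[_]
    rule.cidr == "0.0.0.0/0"
    rule.from_port <= 22
    rule.to_port >= 22
    msg := "security group allows SSH (port 22) from 0.0.0.0/0"
}

# Firefly flags the resource when `firefly` evaluates to true.
firefly {
    count(violations) > 0
}
```

The block keeps the same pre-1.0 Rego syntax as the page's snippet, so an OPA 1.0 binary needs `opa eval --v0-compatible -i instance.json -d policy.rego "data.firefly.ec2_hygiene.violations"` to evaluate it locally against a constructed instance JSON; the `violations` set gives the reason for each flag, which is more useful in a report than the bare boolean `firefly`.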