Policy-as-Code for Compliance & Governance
Firefly includes a powerful Policy-as-Code engine that allows you to define and enforce governance rules across your cloud environment. Policy-as-Code means that policies (security rules, compliance requirements, cost controls, etc.) are expressed in code or configuration files, rather than in ad-hoc manual checks. This approach ensures consistent, automated enforcement of best practices and standards. In Firefly, policies can cover a wide range of checks, from requiring certain tags on every resource, to ensuring no S3 bucket is public, to enforcing cost optimization on certain resources.
Firefly provides a single policy enforcement framework that works across all your clouds and IaC tools. Instead of dealing with separate policy systems for AWS, Azure, GCP, and Kubernetes, you can define policies once and apply them everywhere. Firefly integrates with cloud APIs and scanning tools to evaluate your infrastructure against these rules continuously.
Out of the box, Firefly comes with a library of common policies and standards. These include templates for industry compliance frameworks like PCI-DSS, SOC 2, HIPAA, and others. For example, there are pre-built rules to ensure encryption is enabled on databases, that no databases are publicly accessible, that all resources have an owner tag, etc. Using these built-in policies, you can quickly achieve baseline compliance without writing everything from scratch. Firefly keeps these updated as standards evolve.
You can also write custom policies specific to your organization. Firefly supports defining policies in code, using the Open Policy Agent's Rego language. This means you can encode any rule (no matter how specific) into Firefly's engine. For instance, you might require that all EC2 volumes are encrypted with a particular KMS key, or that certain naming conventions are followed.
Firefly continuously scans your asset inventory against all active policies. If a resource violates a policy, it is flagged immediately. The Governance page shows the overall compliance score (e.g., "95% of resources compliant, 5% with violations") and lists each violation. You can drill down to see which rule was broken and which resource is non-compliant. This continuous monitoring helps keep you audit-ready rather than scrambling before a review.
Firefly can alert you when a policy violation is detected (via email or ChatOps). Moreover, many policy violations can be fixed with automation. Firefly's AI assistant can suggest remediation steps for policy violations. For example, if a VM is found with an open SSH port against policy, Firefly suggests a Terraform code snippet (for managed assets) to close it, or a command (for unmanaged assets) to update the security group.
To illustrate a custom policy, consider a simple Policy-as-Code rule written in Rego (the policy language of Open Policy Agent) that ensures every EC2 instance has an "Environment" tag and flags those that do not. The core of such a rule is the condition `not input.tags["Environment"]`. If this condition is true (meaning the "Environment" tag is not set on the input resource), Firefly flags the resource as violating the policy. When adding a custom policy in Firefly, you specify the resource type it applies to (e.g., EC2 instances). Firefly's policy engine then evaluates the rule against all resources of the configured type, and any resource without the "Environment" tag is listed as a violation. Similar policies can be written for a wide variety of needs (ensuring naming conventions, requiring specific configurations, etc.).
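The following is an added example written for this page, not Firefly's own code or a policy from its built-in library. It is a standalone OPA policy (Rego, OPA 0.59 or later for `import rego.v1`) built around the same condition, `not input.tags["Environment"]`, and goes a step further than the text: it also catches a tag that is present but empty, which the bare `not` check does not, and restricts the tag to an approved set of values. The package name, the `violation` and `compliant` rule names, the allowed values and the shape of `input` (a `tags` map on the evaluated resource) are assumptions for illustration; the inputs in the test rules are constructed, not real assets.

```rego
# Added example (not Firefly's own code): a Rego policy that flags an EC2
# instance whose "Environment" tag is missing, empty, or not an approved value.
# Assumptions: the evaluated resource is passed as `input` with its tags under
# `input.tags` (a map of tag key -> value); package and rule names are chosen
# here for illustration and are not a Firefly-defined schema.
package firefly.tagging.environment

import rego.v1

# Approved values for the tag (assumed for this example).
allowed_environments := {"prod", "staging", "dev"}

# Rule 1: the tag is absent entirely. This is the condition quoted in the text:
# `not` succeeds when input.tags["Environment"] is undefined.
violation contains msg if {
	not input.tags["Environment"]
	msg := "missing required tag Environment"
}

# Rule 2: the tag exists but is empty. Rule 1 does NOT catch this case, because
# an empty string is a defined value in Rego and `not ""` is false.
violation contains msg if {
	input.tags["Environment"] == ""
	msg := "tag Environment is present but empty"
}

# Rule 3: the tag has a value that is not in the approved set.
violation contains msg if {
	env := input.tags["Environment"]
	env != ""
	not env in allowed_environments
	msg := sprintf("tag Environment has unexpected value %q", [env])
}

# A resource is compliant when no violation message was collected.
compliant if count(violation) == 0

# --- Tests (constructed inputs). Run with: opa test policy.rego -v ---

test_missing_tag_is_flagged if {
	"missing required tag Environment" in violation with input as {"tags": {"Owner": "platform"}}
}

test_empty_tag_is_flagged_by_rule_2_not_rule_1 if {
	inst := {"tags": {"Environment": ""}}
	"tag Environment is present but empty" in violation with input as inst
	not "missing required tag Environment" in violation with input as inst
}

test_unexpected_value_is_flagged if {
	"tag Environment has unexpected value \"production\"" in violation with input as {"tags": {"Environment": "production"}}
}

test_valid_tag_is_compliant if {
	compliant with input as {"tags": {"Environment": "prod", "Owner": "platform"}}
}
```

To evaluate a single resource by hand, save a tag map such as `{"tags": {"Owner": "platform"}}` to `instance.json` and run `opa eval -d policy.rego -i instance.json 'data.firefly.tagging.environment.violation'`; an empty set means the resource is compliant. The second test is the caveat worth remembering when porting such a rule into any engine: checking only for a missing key lets an empty tag through, so a real tagging policy should check the value as well.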
By implementing policies as code, you ensure that compliance is proactive and automated. Instead of discovering problems during a security review or after an outage, Firefly helps you enforce your rules continuously.
Firefly organizes policy checks into intuitive categories such as security, cost, reliability, and tagging. This helps you focus your efforts (for example, start with critical security fixes, then improve tagging hygiene). The platform also provides compliance reports that can be exported or shared, which is useful for governance meetings or audits to demonstrate adherence or to track improvement over time.