Policy as Code

Definition

Practice of defining organizational policies, compliance rules, and governance as executable code that can be automatically enforced.

Use Cases

Provider Equivalents

Frequently Asked Questions

What's the difference between Policy as Code and Infrastructure as Code (IaC)?
Infrastructure as Code defines what you want to build (networks, servers, buckets) using code. Policy as Code defines the rules those builds must follow (for example, "buckets must not be public" or "encryption is required"). IaC creates resources; Policy as Code evaluates and enforces constraints on those resources, typically in CI/CD, at deployment time, or continuously after deployment.
When should I use Policy as Code?
Use it when you need consistent, automated enforcement of security, compliance, or cost rules across many teams or accounts/subscriptions/projects. It’s especially useful if you have frequent deployments, multiple environments, regulated requirements (like encryption and logging), or recurring misconfigurations. Start with a small set of high-impact rules (public access, encryption, identity permissions) and expand as you mature.
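As an added illustration (not part of the original glossary entry, and not any vendor's engine), the following Python shows the pattern the two answers above describe: a small set of high-impact rules (public access, encryption, identity permissions) written as executable checks and run against a planned set of resources before deployment. The resource layout loosely imitates a Terraform plan's JSON, but the sample plan, resource names and field names are constructed for this example and are not a real provider schema; a real deployment would use a dedicated engine such as OPA, Sentinel or a native cloud policy service.

```python
"""Minimal policy-as-code evaluator (example code, not a real product).

Each policy is a plain function that inspects one planned resource and
returns a list of deny messages. The CI gate fails when any policy denies.
The plan shape (resources -> address/type/values) is constructed here and
only loosely resembles a Terraform plan; it is an assumption of this example.
"""
import json
from typing import Callable

Policy = Callable[[dict], list[str]]

# Constructed sample plan: one compliant bucket, one misconfigured bucket,
# and an IAM policy that grants every action on every resource.
SAMPLE_PLAN_JSON = json.dumps({
    "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "private",
                    "server_side_encryption": {"algorithm": "aws:kms"}}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "values": {"acl": "public-read", "server_side_encryption": None}},
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "values": {"document": {"Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    ]
})

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def deny_public_bucket(res: dict) -> list[str]:
    """Rule 1: buckets must not be public."""
    if res["type"] != "aws_s3_bucket":
        return []
    acl = res["values"].get("acl", "private")
    return [f"bucket ACL '{acl}' allows public access"] if acl in PUBLIC_ACLS else []


def require_bucket_encryption(res: dict) -> list[str]:
    """Rule 2: encryption at rest is required."""
    if res["type"] != "aws_s3_bucket":
        return []
    if not res["values"].get("server_side_encryption"):
        return ["server-side encryption is not configured"]
    return []


def deny_wildcard_iam_actions(res: dict) -> list[str]:
    """Rule 3: identity policies must not allow Action '*'."""
    if res["type"] != "aws_iam_policy":
        return []
    denies = []
    for stmt in res["values"].get("document", {}).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "*" in actions:
            denies.append("IAM statement allows wildcard Action '*'")
    return denies


POLICIES: list[Policy] = [
    deny_public_bucket,
    require_bucket_encryption,
    deny_wildcard_iam_actions,
]


def evaluate(plan: dict, policies: list[Policy] = POLICIES) -> list[str]:
    """Run every policy over every planned resource; return all violations."""
    violations = []
    for res in plan.get("resources", []):
        for policy in policies:
            for msg in policy(res):
                violations.append(f"{res['address']}: {msg}")
    return violations


def evaluate_json(plan_json: str) -> list[str]:
    return evaluate(json.loads(plan_json))


def gate(plan_json: str) -> bool:
    """CI/CD gate: True means the plan may be applied, False blocks it."""
    return not evaluate_json(plan_json)


if __name__ == "__main__":
    for v in evaluate_json(SAMPLE_PLAN_JSON):
        print("DENY", v)
    print("allowed:", gate(SAMPLE_PLAN_JSON))
```

Run as a pipeline step, a non-empty violation list (here: the public ACL, the missing encryption and the wildcard IAM action) fails the build before anything is deployed; the same functions can be re-run against a live inventory for continuous checks after deployment.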
How much does Policy as Code cost?
Costs depend on the enforcement method. Native cloud policy services may be included or priced as part of related services (for example, AWS Config has per-rule/per-resource evaluation costs; Azure Policy is generally included for many scenarios but can incur costs when paired with logging/monitoring; GCP policy constraints are part of organization governance but auditing/logging can add cost). Third-party tools (OPA is open source; Sentinel is part of Terraform Cloud/Enterprise) add licensing or platform costs. Also budget for engineering time to write, test, and maintain policies and for CI/CD compute to run checks.

Category: emerging

Difficulty: advanced

Related Terms

See Also