Policy as Code
Definition
Practice of defining organizational policies, compliance rules, and governance as executable code that can be automatically enforced.
Use Cases
- Netflix: Preventing insecure cloud configurations (for example, overly permissive security groups or unintended public exposure) across a large AWS footprint — Netflix has publicly discussed using automated security and compliance tooling that continuously evaluates AWS resources and flags or remediates risky configurations. This approach aligns with policy-as-code principles by encoding rules and running them automatically rather than relying on manual reviews. (Faster detection of misconfigurations and more consistent enforcement of security standards at scale, reducing the likelihood of exposure caused by human error.)
- HashiCorp (Terraform Cloud/Enterprise customers): Blocking infrastructure changes that violate governance requirements before they are applied (for example, disallowing public object storage or requiring encryption) — Organizations implement policy checks using HashiCorp Sentinel with Terraform Cloud (now HCP Terraform) or Terraform Enterprise. Policies are stored in version control, evaluated against the generated plan before apply, and carry an enforcement level: advisory failures only warn, soft-mandatory failures can be overridden by an authorized user, and hard-mandatory failures stop the run. (Reduced risk from non-compliant deployments, standardized controls across teams, and fewer manual approval bottlenecks because compliant changes can proceed automatically.)
- Kubernetes adopters using Open Policy Agent (OPA)/Gatekeeper: Enforcing cluster governance such as requiring resource limits, restricting privileged containers, and controlling allowed container registries — Teams deploy Gatekeeper (OPA) as a validating admission webhook. Rules are written in Rego inside ConstraintTemplates and instantiated by Constraints, both kept in Git and tested in CI before they reach the cluster. Non-compliant manifests are rejected at admission time; because admission only sees objects being created or updated, Gatekeeper's audit function periodically re-evaluates resources that already existed when a policy was introduced. (Improved cluster security posture and reliability by preventing risky workloads from ever being scheduled, with auditable, repeatable controls.)
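The Sentinel workflow in the Terraform Cloud/Enterprise use case above, reduced to a runnable script. This is an added example and not Sentinel or any HashiCorp code: it reads the JSON that `terraform show -json` produces, applies three policies, and reproduces Sentinel's advisory, soft-mandatory and hard-mandatory enforcement levels in plain Python so the control flow can be exercised offline. The plan content, policy names, resource addresses and the exit-code convention are constructed for the example.

```python
"""Plan-time policy gate over `terraform show -json` output.

Added example, not HashiCorp Sentinel or Terraform Cloud code. It copies
Sentinel's three enforcement levels in Python; the plan JSON, policy names
and resource addresses below are constructed sample data.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

ADVISORY, SOFT_MANDATORY, HARD_MANDATORY = "advisory", "soft-mandatory", "hard-mandatory"

# Constructed stand-in for `terraform show -json tfplan`; only the keys read below are present.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after_unknown": {"id": True},
                    "after": {"bucket": "acme-logs", "acl": "public-read", "tags": {"owner": "sec"}}}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after_unknown": {"id": True},
                    "after": {"bucket": "acme-data", "acl": "private", "tags": None}}},
        # A bucket being destroyed: its old public ACL must not fail the plan.
        {"address": "aws_s3_bucket.retired", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None,
                    "before": {"bucket": "acme-retired", "acl": "public-read"}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after_unknown": {"arn": True},
                    "after": {"identifier": "main", "storage_encrypted": False, "tags": {"owner": "data"}}}},
    ],
})


@dataclass
class Policy:
    name: str
    level: str
    check: Callable[[dict], Iterable[str]]  # yields one message per violation in a resource change


def planned_state(rc: dict) -> Optional[dict]:
    """Attributes a resource will have after apply, or None if it will not exist (delete/no-op)."""
    change = rc.get("change", {})
    if set(change.get("actions", [])) <= {"delete", "no-op"} or change.get("after") is None:
        return None
    return change["after"]


def no_public_s3_acl(rc: dict) -> Iterable[str]:
    after = planned_state(rc)
    if after is None or rc.get("type") != "aws_s3_bucket":
        return
    acl = after.get("acl")
    # Fail closed: a value only known at apply time cannot be assumed safe.
    if acl is None and rc["change"].get("after_unknown", {}).get("acl"):
        yield f"{rc['address']}: acl is not known until apply; refusing to assume it is private"
    elif acl and acl.startswith("public-"):
        yield f"{rc['address']}: acl {acl!r} exposes the bucket publicly"


def rds_storage_encrypted(rc: dict) -> Iterable[str]:
    after = planned_state(rc)
    if after is not None and rc.get("type") == "aws_db_instance" and not after.get("storage_encrypted"):
        yield f"{rc['address']}: storage_encrypted must be true"


def owner_tag_present(rc: dict) -> Iterable[str]:
    after = planned_state(rc)
    if after is not None and "owner" not in (after.get("tags") or {}):
        yield f"{rc['address']}: missing 'owner' tag"


POLICIES = [
    Policy("no-public-s3-acl", HARD_MANDATORY, no_public_s3_acl),
    Policy("rds-storage-encrypted", HARD_MANDATORY, rds_storage_encrypted),
    Policy("owner-tag-present", ADVISORY, owner_tag_present),
]


@dataclass
class Verdict:
    allowed: bool = True
    failures: Dict[str, List[str]] = field(default_factory=dict)  # blocking
    warnings: Dict[str, List[str]] = field(default_factory=dict)  # reported only


def evaluate_plan(plan_json: str, policies=POLICIES, soft_override: bool = False) -> Verdict:
    """Run every policy over every resource change and decide whether apply may proceed."""
    plan = json.loads(plan_json)
    verdict = Verdict()
    for policy in policies:
        msgs = [m for rc in plan.get("resource_changes", []) for m in policy.check(rc)]
        if not msgs:
            continue
        if policy.level == ADVISORY or (policy.level == SOFT_MANDATORY and soft_override):
            verdict.warnings[policy.name] = msgs
        else:
            verdict.failures[policy.name] = msgs
            verdict.allowed = False
    return verdict


if __name__ == "__main__":
    v = evaluate_plan(SAMPLE_PLAN)
    for name, msgs in v.failures.items():
        print(f"FAIL {name}: " + "; ".join(msgs))
    for name, msgs in v.warnings.items():
        print(f"WARN {name}: " + "; ".join(msgs))
    raise SystemExit(0 if v.allowed else 1)
```

In a pipeline the script would read the file produced by `terraform plan -out tfplan && terraform show -json tfplan`, and a non-zero exit would stop the job before `terraform apply`. Two details worth copying from this design: deleted resources are skipped so a policy cannot block cleanup of an already-bad resource, and an attribute listed under `after_unknown` is treated as a violation rather than silently passed.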
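What the Gatekeeper admission path in the Kubernetes use case above does, written as an added Python example rather than Gatekeeper's own Rego or code. It implements the three rules the text lists (resource limits, no privileged containers, allowed registries), builds the AdmissionReview response a validating webhook returns, and runs the same rules as an audit over objects that predate the policy. The registry allow-list, object names and AdmissionReview documents are constructed.

```python
"""Admission-time checks of the kind Gatekeeper enforces, written in Python.

Added example, not Gatekeeper code or Rego. The AdmissionReview documents,
object names and the registry allow-list are constructed for the example.
"""
from typing import Dict, List, Optional

# Assumed allow-list. The trailing slashes matter: a bare prefix "registry.example.com"
# would also accept "registry.example.com.attacker.test/x".
ALLOWED_REGISTRIES = ("registry.example.com/", "ghcr.io/acme/")
WORKLOADS_WITH_TEMPLATE = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def pod_spec(obj: dict) -> Optional[dict]:
    """Find the pod spec in a Pod or in a workload that embeds a pod template."""
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in WORKLOADS_WITH_TEMPLATE:
        return (spec.get("template") or {}).get("spec")
    if kind == "CronJob":
        return (((spec.get("jobTemplate") or {}).get("spec") or {}).get("template") or {}).get("spec")
    return None


def violations(obj: dict) -> List[str]:
    """Apply the three rules to every container, init containers included."""
    spec = pod_spec(obj)
    if spec is None:
        return []  # kinds without a pod spec are outside these rules' scope
    name = f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name', '?')}"
    found = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = c.get("name", "?")
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"{name}: container {cname} runs privileged")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            found.append(f"{name}: container {cname} has no cpu/memory limits")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):  # "nginx" (implicit docker.io) is rejected too
            found.append(f"{name}: container {cname} image {image!r} is not from an allowed registry")
    return found


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    req = admission_review["request"]
    problems = violations(req.get("object") or {})
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def audit(existing: List[dict]) -> Dict[str, List[str]]:
    """Admission only sees creates/updates; the audit pass re-checks what already exists."""
    report = {}
    for obj in existing:
        v = violations(obj)
        if v:
            report[f"{obj['kind']}/{obj['metadata']['name']}"] = v
    return report


# Constructed AdmissionReview for a Deployment that breaks all three rules.
BAD_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "6f1d0c2e-0000-4000-8000-000000000001", "operation": "CREATE",
                "object": {"kind": "Deployment", "metadata": {"name": "debug-tools"},
                           "spec": {"template": {"spec": {"containers": [
                               {"name": "shell", "image": "nginx",
                                "securityContext": {"privileged": True}}]}}}}},
}

# Constructed AdmissionReview for a compliant Pod.
GOOD_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "6f1d0c2e-0000-4000-8000-000000000002", "operation": "CREATE",
                "object": {"kind": "Pod", "metadata": {"name": "api"},
                           "spec": {"containers": [
                               {"name": "api", "image": "registry.example.com/team/api:1.4.2",
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}

# Constructed objects that were already in the cluster before the policy was introduced.
EXISTING = [
    GOOD_REVIEW["request"]["object"],
    {"kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
         {"name": "job", "image": "registry.example.com.attacker.test/job",
          "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}}}}}},
]

if __name__ == "__main__":
    print(review(BAD_REVIEW)["response"])
    print(review(GOOD_REVIEW)["response"])
    print(audit(EXISTING))
```

The CronJob in the audit list is the registry-prefix trap: with an allow-list entry of `registry.example.com` (no slash) it would pass, so the allow-list pins the slash. The same `violations` function serves both paths, which is the property that makes a policy auditable: admission and audit cannot disagree about what is compliant.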
Provider Equivalents
- AWS: AWS Organizations Service Control Policies (SCPs), which act as preventive guardrails on what IAM principals in member accounts can do, and AWS Config Rules, which detect non-compliant resources after creation and can trigger automatic remediation
- Azure: Azure Policy (effects such as deny, audit, and deployIfNotExists cover both blocking and detecting non-compliance)
- GCP: Organization Policy Service (preventive constraints applied at organization, folder, or project level)
- OCI: OCI Cloud Guard (Detector/Responder recipes for detection and automated response) and IAM Policies
Frequently Asked Questions
- What's the difference between Policy as Code and Infrastructure as Code (IaC)?
- Infrastructure as Code defines what you want to build (networks, servers, buckets) using code. Policy as Code defines the rules those builds must follow (for example, “buckets must not be public” or “encryption is required”). IaC creates resources; Policy as Code evaluates and enforces constraints on those resources—often during CI/CD, at deployment time, or continuously after deployment.
- When should I use Policy as Code?
- Use it when you need consistent, automated enforcement of security, compliance, or cost rules across many teams or accounts/subscriptions/projects. It’s especially useful if you have frequent deployments, multiple environments, regulated requirements (like encryption and logging), or recurring misconfigurations. Start with a small set of high-impact rules (public access, encryption, identity permissions) and expand as you mature.
- How much does Policy as Code cost?
- Costs depend on the enforcement method. Native cloud policy services may be included or priced as part of related services (for example, AWS Config has per-rule/per-resource evaluation costs; Azure Policy is generally included for many scenarios but can incur costs when paired with logging/monitoring; GCP policy constraints are part of organization governance but auditing/logging can add cost). Third-party tools (OPA is open source; Sentinel is part of Terraform Cloud/Enterprise) add licensing or platform costs. Also budget for engineering time to write, test, and maintain policies and for CI/CD compute to run checks.
Category: emerging
Difficulty: advanced
Related Terms
See Also