Skip to main content

Policy Templates

Library Overview

A Policy template (IAC policy) is a set of rules that govern the configuration and provisioning of infrastructure through code. With StackGuardian, you can implement custom logic within these policies to ensure your infrastructure aligns with organizational standards and best practices.

For instance, an IAC policy might enforce security standards by restricting access levels or ensuring all deployed resources are tagged correctly.

Create Policy Template​

Creating Policy template (IAC policy) in StackGuardian is a straightforward process. This guide will walk you through setting up a policy to ensure that the IAM root user does not have access keys.


To begin, navigate to the StackGuardian Marketplace and select the option to create an IAC policy template.

Template Details​

  • Template Type: This specifies the kind of template you are creating, in this case, a policy template. For example IAC_POLICY
  • Template Name: A unique name for your template within the organization.For example No_Root_Access_Key_Policy
  • Owner Org: The organization within StackGuardian that will own and manage this template. For example demo-org

Template Description​

  • Short Description: A brief explanation of what the template does or is used for. For example Ensures AWS root account's keyless security.

Tags and Documentation​

  • Add Tag: Tags for categorizing and searching templates within the marketplace. For example aws, root, noaccesskeys
  • Documentation: Provide any additional information or instructions in markdown format.

Configuration Settings​

  • Source Config Kind: The policy framework or tool you are using to write the policy. For example Open Policy Agent (OPA)

  • Source Config Dest Kind: The destination type where the policy configuration is hosted, such as GitHub, Gitlab, BitBucket and so on. For example GITHUB.COM

  • Repository URL: The URL where the IAC policy configuration is stored. For example https://github.com/your-org-name/template-aws-root-access-policy

  • Reference: he branch or tag in the repository that should be used. For example main

  • Working Dir: The directory within the repository where the policy configuration is located. For example policy/app1/aws/ec2

  • Git Sparse Checkout Config: Select paths to include or exclude when checking out the repository, similar to .gitignore rules.

  • Enable git core.autocrlf: If checked, Git will automatically convert line endings to maintain consistency across different operating systems.

  • Authentication Method: If using a private repository, specify the authentication method that should be used.

  • OPA Deciding Query: The OPA rule that will decide the final policy result. For example, <opa-package-path>.<rule-name-returning-boolean>

  • Template Inputs: Define the input for your policy in JSON format. Here is an example that specifies the denial of access key creation for the IAM root user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:user/root",
      "Condition": { "Bool": { "aws:ViaAWSService": "false" } }
    }
  ]
}

Create and Manage Template Revisions​

All template types in StackGuardian support versioned revisions for controlled deployment and collaboration. You can select, clone, publish, deprecate versions and more. Visit the Manage Template Revision guide.