Policy Types
Policies within the StackGuardian platform serve as a set of rules or guardrails, enforceable on workflows or cloud infrastructure. These policies facilitate a self-service model with granular control.
Custom Policy Frameworks
For specialized policy requirements:
- Tirith (StackGuardian Policy Framework): a JSON-based framework designed for IaC and workflow compliance.
- Open Policy Agent: detailed policy definitions written in the Rego language.
Discover more about StackGuardian policies here.
Types of Enforceable Policies
StackGuardian's Tirith engine supports a variety of policies for efficient and secure cloud infrastructure management:
1. Infrastructure Policies
- Enforce Terraform best practices and configurations. Example: Enforce VPCs to use default tenancy.
2. Workflow Policies
- Manage workflows with approval processes for security and efficiency. Example: Approval required for changes to production environments.
3. Cost Control Policies (Upcoming)
- Implement budget limits and dynamic cost optimization. Example: Limit EC2 monthly costs to under $100.
4. Security and Compliance Policies
- Apply security measures and meet compliance standards (e.g., CIS, PCI DSS). Example: Ensure all security groups block inbound SSH from the public internet.
5. Tagging and Resource Management Policies
- Require consistent tagging for all resources for better management. Example: Enforce 'Environment' and 'Owner' tags on all resources.
6. Drift Detection and Continuous Compliance
- Detect and correct configuration drift to maintain continuous compliance. Example: Alert on unapproved changes to infrastructure.
Access or subscribe to policies via the StackGuardian Marketplace, or create customized policies using the Open Policy Agent or the StackGuardian Policy Framework.
Policy Structure and Configuration
Scope Configuration
Under the Meta tab you will find the Scope configuration, which tells StackGuardian where you want this policy enforced. StackGuardian automatically determines the type of the policy and enforces it on the workflow or on the infrastructure configuration, as appropriate.
Tip: You can use the 200+ cloud best practice policies already available in the Marketplace, or create new ones.
Each policy comprises multiple rules that, upon evaluation, influence a workflow run. These are determined by "Action when policy passes" and "Action when policy errors" settings, with the option to bypass certain rules if needed.
Implementing Policies
Marketplace Policy Templates
Easily adopt Marketplace templates by subscribing to them within the StackGuardian Marketplace, which simplifies the process of applying a policy.
Open Policy Agent Integration
StackGuardian offers first-class support for Open Policy Agent: you can source your Rego configuration from GitHub or from any other git-based repository.
Follow these steps to configure an OPA policy inside a rule:
- Uncheck "Marketplace Policy Template" and choose "Open Policy Agent" as the Source Config Kind.
- Select the version control system where your Rego policies are stored, either "github.com" or "git (other)".
- Provide the Repository URL and, optionally, a git reference and working directory, unless you want to use the defaults configured in your repository.
- For a private repository, set the "Authentication method" field either to a secret stored in your StackGuardian Vault, specified as "/secrets/some-vault-secret", or to the GitHub integration, specified exactly as "/integrations/github_com". When you use "git (other)", StackGuardian uses the value of the specified secret to build a git URL that carries the authentication information. For Bitbucket, for example, the vault secret value should have the format USERNAME:APP_PASSWORD, which results in the git URL https://USERNAME:APP_PASSWORD@bitbucket.org/username/reposlug.git that StackGuardian then uses to fetch the policy configuration. Because the credential is embedded in the clone URL, use a token or app password scoped to read-only repository access.
- Under Additional Config, you can optionally provide an OPA Deciding Query, which StackGuardian uses to decide the final policy result. The query must return a boolean; that is the only result type currently supported. It takes the form "<opa-package-path>.<rule-name-returning-boolean>". OPA Deciding Query used to be a required attribute; it is now optional, and continues to be supported as before.
- Finally, you can optionally use the Code Editor to pass JSON that StackGuardian hands to the OPA runtime as policy data. This lets you template your Rego policies and reuse them to build different policies.
Tirith: StackGuardian Policy Framework
The Tirith Policy Framework by StackGuardian offers a user-friendly alternative to OPA for policy enforcement. It integrates directly with the Code Editor, with support for git-based policy management planned. Designed for simplicity, Tirith scans Terraform and CloudFormation configurations, making policy definition and enforcement straightforward without the complexity of a general-purpose policy language. For more details, visit the GitHub repository.
Examples
Prevent accidental deletion of a VPC
Set VPC default tenancy and safeguard EC2 instances against deletion
Using Code-Editor
{
  "evaluators": [
    {
      "description": "",
      "condition": {
        "type": "NotEquals",
        "value": "delete",
        "error_tolerance": 1
      },
      "id": "eval-id-1",
      "provider_args": {
        "operation_type": "action",
        "terraform_resource_attribute": "",
        "terraform_resource_type": "aws_vpc"
      }
    }
  ],
  "meta": {
    "required_provider": "stackguardian/terraform_plan",
    "version": "v1"
  },
  "eval_expression": "eval-id-1"
}
Using No-Code
Cost control policy (Terraform)
EC2 instance cost is lower than 100 USD per month
Using Code-Editor
{
  "meta": {
    "required_provider": "stackguardian/infracost",
    "version": "v1"
  },
  "evaluators": [
    {
      "provider_args": {
        "operation_type": "total_monthly_cost",
        "resource_type": ["aws_ec2"]
      },
      "condition": {
        "type": "LessThanEqualTo",
        "value": 100
      },
      "id": "ec2_cost_below_100_per_month"
    }
  ],
  "eval_expression": "ec2_cost_below_100_per_month"
}
Using No-Code
Scheduling Policy
Ensure that workflows with a destroy action have an enabled cron schedule
Using Code-Editor
{
  "evaluators": [
    {
      "description": "Cron job exists for the workflow",
      "condition": {
        "type": "IsNotEmpty",
        "value": "",
        "error_tolerance": 0
      },
      "id": "eval-id-1",
      "provider_args": {
        "operation_type": "get_value",
        "key_path": "UserSchedules.*.cron"
      }
    },
    {
      "description": "Action must be destroy",
      "condition": {
        "type": "ContainedIn",
        "value": [
          [
            "destroy"
          ]
        ],
        "error_tolerance": 0
      },
      "id": "eval-id-2",
      "provider_args": {
        "operation_type": "get_value",
        "key_path": "UserSchedules.*.inputs.TerraformAction.action"
      }
    },
    {
      "description": "Schedule must be enabled",
      "condition": {
        "type": "ContainedIn",
        "value": [
          [
            "ENABLED"
          ]
        ],
        "error_tolerance": 0
      },
      "id": "eval-id-3",
      "provider_args": {
        "operation_type": "get_value",
        "key_path": "UserSchedules.*.state"
      }
    }
  ],
  "meta": {
    "required_provider": "stackguardian/json",
    "version": "v1"
  },
  "eval_expression": "eval-id-1 && eval-id-2 && eval-id-3"
}
Using No-Code
Tagging Policy
Validate the 'costcenter:workshop' tag on AWS EKS node groups
Using Code-Editor
{
  "evaluators": [
    {
      "description": "",
      "condition": {
        "type": "Contains",
        "value": {
          "costcenter": "workshop"
        },
        "error_tolerance": 1
      },
      "id": "eval-id-1",
      "provider_args": {
        "operation_type": "attribute",
        "terraform_resource_attribute": "tags",
        "terraform_resource_type": "aws_eks_node_group"
      }
    }
  ],
  "meta": {
    "required_provider": "stackguardian/terraform_plan",
    "version": "v1"
  },
  "eval_expression": "eval-id-1"
}
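To show how evaluators, conditions and the eval_expression in these examples fit together, here is a toy evaluator added for this page (not StackGuardian's Tirith engine or its code) that runs the VPC-delete and EKS-tag evaluators from above, combined with &&, against a constructed Terraform plan JSON. It assumes the plan has the resource_changes shape of `terraform show -json`, maps operation_type "action" to the planned actions and "attribute" to the post-change value, and does not model error_tolerance or the meta block.

```python
# Toy evaluator for Tirith-style policies over a Terraform plan JSON; error_tolerance etc. are not modelled.
POLICY = {  # the VPC-delete and EKS-tag evaluators from the examples, combined with &&
    "evaluators": [
        {"id": "no-vpc-delete",
         "condition": {"type": "NotEquals", "value": "delete"},
         "provider_args": {"operation_type": "action",
                           "terraform_resource_type": "aws_vpc"}},
        {"id": "eks-costcenter",
         "condition": {"type": "Contains", "value": {"costcenter": "workshop"}},
         "provider_args": {"operation_type": "attribute", "terraform_resource_attribute": "tags",
                           "terraform_resource_type": "aws_eks_node_group"}},
    ],
    "eval_expression": "no-vpc-delete && eks-costcenter",
}
# Constructed plan (shape of `terraform show -json`): a VPC being destroyed, two EKS node groups, one untagged.
SAMPLE_PLAN = {"resource_changes": [
    {"type": "aws_vpc", "change": {"actions": ["delete"], "after": None}},
    {"type": "aws_eks_node_group",
     "change": {"actions": ["create"], "after": {"tags": {"costcenter": "workshop"}}}},
    {"type": "aws_eks_node_group",
     "change": {"actions": ["update"], "after": {"tags": {"Owner": "platform"}}}},
]}
def observe(plan, args):
    """Values an evaluator inspects: planned actions, or one attribute, per matching resource."""
    vals = []
    for rc in plan["resource_changes"]:
        if rc["type"] != args["terraform_resource_type"]:
            continue
        if args["operation_type"] == "action":
            vals.extend(rc["change"]["actions"])
        elif args["operation_type"] == "attribute":
            after = rc["change"].get("after") or {}  # "after" is null for a destroyed resource
            vals.append(after.get(args["terraform_resource_attribute"]))
    return vals
def check(cond, observed):
    """A condition passes only if every observed value satisfies it (vacuously if none match)."""
    kind, want = cond["type"], cond["value"]
    if kind == "NotEquals":
        return all(o != want for o in observed)
    if kind == "Contains":  # every key/value pair of `want` must be present in the observed map
        return all(isinstance(o, dict) and all(o.get(k) == v for k, v in want.items())
                   for o in observed)
    raise ValueError(f"condition type {kind} not modelled here")
def evaluate(policy, plan):
    """Run evaluators, then combine by eval_expression (ids joined by && / ||, && binding tighter; an assumption)."""
    results = {e["id"]: check(e["condition"], observe(plan, e["provider_args"]))
               for e in policy["evaluators"]}
    passed = any(all(results[tok.strip()] for tok in clause.split("&&"))
                 for clause in policy["eval_expression"].split("||"))
    return passed, results
```

Against SAMPLE_PLAN both evaluators fail (the VPC is deleted and one node group lacks the tag), so the policy fails; a plan with no resource of the evaluated type passes vacuously, which is worth remembering when scoping a policy.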