Policy as Code for Any Cloud

Continuously enforce your organization's cloud governance — security, compliance, cost controls, and more.

Open source and available in any Pulumi edition.

Any Policy

Use off-the-shelf rules or define your own, for security, cost, compliance, reliability best practices — just about anything. Use package managers to share and reuse rules.

Any Cloud

Govern application and infrastructure resources on any cloud, including AWS, Azure, Google Cloud, Kubernetes, or over three dozen more infrastructure providers.

Familiar and Powerful

Define custom policies using familiar languages like JavaScript and Python. Use great editors, test frameworks, libraries, and tools for productivity and correctness.

Flexible Enforcement

Apply policies using coarse- or fine-grained controls. Target individual projects, manage organization-wide policies, or group projects for differences in environments and regions.

Configurable

Define policies that can be configured at the point of application, including enforcement level, letting you vary behavior based on project needs.

Automate and Integrate

Automate governance using programmable libraries and REST APIs, easily integrating with external services such as web services, asset tracking databases, pricing lists, and more.

Policy as Code Scenarios

Accelerate your organization's delivery while still staying compliant

Security

Maintain security across all cloud infrastructure assets.

Example: Prohibit network access from the Internet.

import * as aws from "@pulumi/aws";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("acmecorp-security", {
    policies: [{
        name: "prohibited-public-internet",
        description: "Reject public internet access.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(
            aws.ec2.SecurityGroup, (sg, args, reportViolation) => {
                // ingress and cidrBlocks are optional, so default to empty lists.
                const hasInternetAccess = (sg.ingress ?? []).some(
                    rule => (rule.cidrBlocks ?? []).includes("0.0.0.0/0"));
                if (hasInternetAccess) {
                    reportViolation("Illegal internet access");
                }
            }
        ),
    }],
});
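The same ingress check as a pure function that can be unit-tested without the Pulumi engine. This is an added example, not Pulumi's code; it goes beyond the policy above by also checking `ipv6CidrBlocks` for `::/0` and by naming each offending rule. The function name and the sample security groups are assumptions constructed for illustration.

```javascript
// Added example: ingress check extracted so it can be tested offline.
// Field names follow the aws.ec2.SecurityGroup ingress shape used above;
// ipv6CidrBlocks is the IPv6 counterpart of cidrBlocks.
// Only the two literal any-address CIDRs are matched.
const OPEN_CIDRS = new Set(["0.0.0.0/0", "::/0"]);

// Returns one message per ingress rule that is open to any address.
// Missing ingress, cidrBlocks or ipv6CidrBlocks are treated as empty.
function findPublicIngress(sg) {
    const violations = [];
    (sg.ingress ?? []).forEach((rule, i) => {
        const cidrs = [...(rule.cidrBlocks ?? []), ...(rule.ipv6CidrBlocks ?? [])];
        const open = cidrs.filter(c => OPEN_CIDRS.has(c.trim()));
        if (open.length > 0) {
            violations.push(
                `ingress[${i}] ports ${rule.fromPort}-${rule.toPort} open to ${open.join(", ")}`);
        }
    });
    return violations;
}

// Constructed sample inputs (not taken from a real stack).
const samples = {
    internalOnly: { ingress: [
        { fromPort: 5432, toPort: 5432, protocol: "tcp", cidrBlocks: ["10.0.0.0/16"] },
    ] },
    openV4: { ingress: [
        { fromPort: 443, toPort: 443, protocol: "tcp", cidrBlocks: ["10.0.0.0/8"] },
        { fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
    ] },
    openV6Only: { ingress: [
        { fromPort: 443, toPort: 443, protocol: "tcp", ipv6CidrBlocks: ["::/0"] },
    ] },
    noIngress: {},
};

for (const [name, sg] of Object.entries(samples)) {
    const found = findPublicIngress(sg);
    console.log(name, found.length === 0 ? "ok" : found);
}
```

Inside the `validateResourceOfType` callback, each returned message can be passed to `reportViolation`, so the policy and its tests share one implementation.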

Compliance

Meet compliance standards, and keep meeting them.

Example: Disallow storage outside of specific regions.

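import * as aws from "@pulumi/aws";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("acmecorp-compliance", {
    policies: [{
        name: "required-storage-region",
        description: "Data must be stored in the US.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(
            aws.s3.Bucket, (bucket, args, reportViolation) => {
                // region can be undefined, so guard before calling startsWith.
                if (bucket.region !== undefined && !bucket.region.startsWith("us-")) {
                    reportViolation("Non-US bucket detected");
                }
            }
        ),
    }],
});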

Cost Controls

Ensure cost-conscious deployments.

Example: Require specific cost allocation tags.

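import { PolicyPack } from "@pulumi/policy";

// isTaggable is a helper this page does not show; it is assumed to return
// true for resource types that support tags.
new PolicyPack("acmecorp-cost", {
    policies: [{
        name: "required-cost-tags",
        description: "Cost tags are required.",
        enforcementLevel: "mandatory",
        validateResource: (args, reportViolation) => {
            // Resource properties are exposed as args.props; a resource with
            // no tags at all must be reported rather than throw.
            if (isTaggable(args.type) &&
                    !args.props["tags"]?.["Cost Center"]) {
                reportViolation("Resource missing tags");
            }
        },
    }],
});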

Continuous Delivery

Use CI/CD to catch policy violations before they escape.

Example: Live dashboard of organizational violations in Pulumi Enterprise.

Policy as Code in CI/CD

Pulumi supercharged our whole organization by letting us create reusable building blocks that developers can leverage to provision new resources and enforce organizational policies for logging, permissions, resource tagging and security. This has empowered our developer teams to self-provision resources and ship new capabilities faster without having to wait for the infrastructure team to deploy new resources on their behalf.
Igor Shapiro, Principal Engineer
Lemonade

With Pulumi CrossGuard we can provide reusable infrastructure components to our application teams and ensure that their implementations adhere to company standards.
Fernando Carlietti, Lead DevOps Engineer
Credijusto
