Any Policy
Use off-the-shelf rules or define your own, for security, cost, compliance, reliability best practices — just about anything. Use package managers to share and reuse rules.
Any Cloud
Govern application and infrastructure resources on any cloud, including AWS, Azure, Google Cloud, Kubernetes, or over three dozen more infrastructure providers.
Familiar and Powerful
Define custom policies using familiar languages like JavaScript and Python. Use great editors, test frameworks, libraries, and tools for productivity and correctness.
Flexible Enforcement
Apply policies using coarse- or fine-grained controls. Target individual projects, manage organization-wide policies, or group projects for differences in environments and regions.
Configurable
Define policies that can be configured at the point of application, including enforcement level, letting you vary behavior based on project needs.
Automate and Integrate
Automate governance using programmable libraries and REST APIs, easily integrating with external services such as web services, asset tracking databases, pricing lists, and more.
Policy as Code Scenarios
Accelerate your organization's delivery while still staying compliant
Security
Maintain security across all cloud infrastructure assets.
Example: Prohibit network access from the Internet.
import * as aws from "@pulumi/aws";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("acmecorp-security", {
    policies: [{
        name: "prohibited-public-internet",
        description: "Reject public internet access.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(
            aws.ec2.SecurityGroup, (sg, args, reportViolation) => {
                // Flag any ingress rule whose IPv4 CIDR list includes the whole Internet.
                // Both ingress and cidrBlocks are optional, so default them to empty lists.
                const hasInternetAccess = (sg.ingress ?? []).find(
                    rule => (rule.cidrBlocks ?? []).includes("0.0.0.0/0"));
                if (hasInternetAccess) {
                    reportViolation("Illegal internet access");
                }
            }
        ),
    }],
});
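The security-group rule above, refactored as an added example (not code from the Pulumi page) into a pure function that a test framework can exercise directly, as the "Familiar and Powerful" section suggests; it also handles the IPv6 `::/0` case and a missing ingress list, which the page's rule does not. The interfaces are assumed local stand-ins for the security-group props a Pulumi policy sees, so the file runs without the @pulumi packages.

```typescript
// Local stand-ins (assumption) for the props a Pulumi policy receives for
// aws.ec2.SecurityGroup; declared here so this runs without @pulumi/*.
interface IngressRule {
  fromPort?: number;
  toPort?: number;
  protocol?: string;
  cidrBlocks?: string[];
  ipv6CidrBlocks?: string[];
}

interface SecurityGroupProps {
  ingress?: IngressRule[];
}

// The "anywhere" CIDRs for IPv4 and IPv6; the page's rule only tests the first.
const ANYWHERE_CIDRS = ["0.0.0.0/0", "::/0"];

// Pure rule: one finding per ingress rule open to the whole Internet, naming
// the protocol and port range so the violation message is actionable.
export function findPublicIngress(sg: SecurityGroupProps): string[] {
  const findings: string[] = [];
  for (const rule of sg.ingress ?? []) {
    const cidrs = [...(rule.cidrBlocks ?? []), ...(rule.ipv6CidrBlocks ?? [])];
    const open = cidrs.filter(c => ANYWHERE_CIDRS.includes(c));
    if (open.length === 0) {
      continue;
    }
    // AWS uses protocol "-1" to mean every protocol and port.
    const ports = rule.protocol === "-1"
      ? "all ports"
      : `${rule.protocol ?? "tcp"} ${rule.fromPort}-${rule.toPort}`;
    findings.push(`${ports} open to ${open.join(", ")}`);
  }
  return findings;
}

// Shape of the reportViolation callback a policy's validateResource receives.
type ReportViolation = (message: string) => void;

// Adapter: this is the body that would sit inside
// validateResourceOfType(aws.ec2.SecurityGroup, ...) in a real policy pack.
export function validateSecurityGroup(sg: SecurityGroupProps, report: ReportViolation): void {
  for (const finding of findPublicIngress(sg)) {
    report(`Illegal internet access: ${finding}`);
  }
}

// Constructed sample input: SSH open to the IPv4 Internet, HTTPS limited to a
// private range, and every port open to the IPv6 Internet.
export const sampleSecurityGroup: SecurityGroupProps = {
  ingress: [
    { fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
    { fromPort: 443, toPort: 443, protocol: "tcp", cidrBlocks: ["10.0.0.0/8"] },
    { fromPort: 0, toPort: 0, protocol: "-1", ipv6CidrBlocks: ["::/0"] },
  ],
};
```

Because the rule is a plain function, it can be unit-tested with constructed inputs before the pack is ever applied to a stack.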
Compliance
Meet compliance standards, and keep meeting them.
Example: Disallow storage outside of specific regions.
import * as aws from "@pulumi/aws";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("acmecorp-compliance", {
    policies: [{
        name: "required-storage-region",
        description: "Data must be stored in the US.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(
            aws.s3.Bucket, (bucket, args, reportViolation) => {
                // Every US region name starts with "us-"; anything else is a violation.
                if (!bucket.region.startsWith("us-")) {
                    reportViolation("Non-US bucket detected");
                }
            }
        ),
    }],
});
Cost Controls
Ensure cost-conscious deployments.
Example: Require specific cost allocation tags.
import { PolicyPack } from "@pulumi/policy";

new PolicyPack("acmecorp-cost", {
    policies: [{
        name: "required-cost-tags",
        description: "Cost tags are required.",
        enforcementLevel: "mandatory",
        // This rule is not tied to one resource type, so it takes the raw
        // validation args; args.props holds the resource's input properties.
        validateResource: (args, reportViolation) => {
            // isTaggable is a helper the pack must supply (it is not part of
            // @pulumi/policy): true for resource types that support tags.
            if (isTaggable(args.type) &&
                !args.props["tags"]?.["Cost Center"]) {
                reportViolation("Resource missing tags");
            }
        },
    }],
});
Continuous Delivery
Catch policy violations in CI/CD before they escape into production.
Example: Live dashboard of organizational violations in Pulumi Enterprise.

Pulumi supercharged our whole organization by letting us create reusable building blocks that developers can leverage to provision new resources and enforce organizational policies for logging, permissions, resource tagging and security. This has empowered our developer teams to self-provision resources and ship new capabilities faster without having to wait for the infrastructure team to deploy new resources on their behalf.
With Pulumi CrossGuard we can provide reusable infrastructure components to our application teams and ensure that their implementations adhere to company standards.