Policy as code
Pulumi Policy empowers you to set guardrails to enforce compliance across your entire cloud infrastructure—whether resources are managed by Pulumi IaC, provisioned by other tools like Terraform or CloudFormation, or created manually. Using Policy as Code, you can write flexible business and security policies that protect your organization.
Policy enforcement works in two modes:
- Preventative policies: Block non-compliant resources before deployment, enforcing compliance on Pulumi stack updates
- Audit policies: Scan existing resources discovered through Insights Discovery to identify violations across all infrastructure
Organization administrators can apply policies to specific stacks and cloud accounts. When policies execute during deployments, violations can gate or block updates from proceeding. Policy remediations also allow you to automatically fix violations.
Learn more about Policy as Code core concepts.
Languages
Policies can be written in TypeScript/JavaScript (Node.js) or Python and can be applied to Pulumi stacks written in any language.
Language | Status
---|---
TypeScript | Stable
JavaScript | Stable
Python | Stable
Open Policy Agent (OPA) | Preview
.NET | Future
Go | Future
Getting started
To get started with Pulumi Policy, download and install Pulumi, then try the Policy Get Started guide.
For a detailed guide on configuring policies for discovered resources, visit the Insights Get Started tutorial.
How to configure policies
Prerequisites
Before configuring policies, ensure:
- Appropriate permissions to configure policies
- One or more policy packs (pre-built or custom) added to the organization
- At least one target to apply the policies to:
  - For audit policies: one or more cloud accounts connected to Pulumi Cloud
  - For preventative policies: one or more Pulumi stacks
Configuration steps
- Navigate to the policies tab in the left navigation bar
- Select policy packs to add to the organization (e.g., `pulumi-best-practices`)
- Create a new policy group or use the default group
- Add stacks or accounts to the policy group
- Add policy packs to the policy group
- Adjust policy pack configuration settings as needed
- Save the configuration
For more details about policy configuration and enforcement modes, see Preventative vs. Audit Policies.
Policy violations
When policies are enforced, violations appear on the Policy Violations page in Pulumi Cloud, providing a centralized view across your organization. You can filter and group violations by policy pack, project, stack/account, and enforcement level.
Policy violations can also be accessed programmatically via the Pulumi API for custom workflows and integrations.
Compliance ready policy packs
Pulumi provides comprehensive predefined policies for AWS, Azure, Google Cloud, and Kubernetes through Compliance Ready Policies. These policies help you enforce security frameworks like CIS, PCI DSS, and SOC 2 with minimal configuration.
AWSGuard
AWSGuard is a configurable policy library that codifies best practices for AWS resources. You can adopt and customize AWSGuard policies in your own policy packs to enforce AWS-specific compliance requirements.
Configuring policy packs
Policy packs support configuration to make them reusable across your organization. By default, fields like enforcement level are configurable, and you can specify custom variables alongside each policy. Learn more about configurable policy packs.
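The following is an added example, not code from Pulumi or from the `@pulumi/policy` SDK. It shows the two things the sections above describe: how a preventative policy pack validates planned resources, and how the per-policy enforcement level and custom variables from a policy group's configuration change the outcome (a mandatory violation blocks the update, an advisory one only reports, a disabled policy is skipped). A real pack would `import { PolicyPack, validateResourceOfType } from "@pulumi/policy"`; here a minimal set of types and an `evaluate()` harness stand in for that SDK so the file runs offline, and the resource records, policy names and configuration keys are all constructed for illustration.

```typescript
// Added example (not Pulumi's own code): how a preventative policy pack evaluates
// resources and how enforcement levels gate an update. The types and evaluate()
// harness below stand in for the @pulumi/policy SDK so the file runs offline.
// All resource records, policy names and configuration values are constructed.

type EnforcementLevel = "advisory" | "mandatory" | "disabled";

interface ResourceValidationArgs {
  type: string;                 // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
  name: string;
  urn: string;
  props: Record<string, any>;   // resource input properties seen at preview time
  getConfig<T>(): T;            // per-policy settings from the policy group's config
}

type ReportViolation = (message: string) => void;

interface ResourceValidationPolicy {
  name: string;
  description: string;
  enforcementLevel: EnforcementLevel;   // pack default; configuration may override it
  validateResource(args: ResourceValidationArgs, reportViolation: ReportViolation): void;
}

interface Violation { policy: string; enforcementLevel: EnforcementLevel; urn: string; message: string }

// Custom variables for the ingress policy (assumed shape for this example).
interface IngressPolicyConfig { blockedCidrs: string[]; blockedPorts: number[] }

const policies: ResourceValidationPolicy[] = [
  {
    name: "s3-no-public-acl",
    description: "S3 buckets must not use a public ACL.",
    enforcementLevel: "mandatory",
    validateResource(args, reportViolation) {
      if (args.type !== "aws:s3/bucket:Bucket") return;
      const acl = args.props.acl;
      if (acl === "public-read" || acl === "public-read-write") {
        reportViolation(`bucket '${args.name}' uses public ACL '${acl}'`);
      }
    },
  },
  {
    name: "sg-no-world-admin-ports",
    description: "Security groups must not expose admin ports to blocked CIDRs.",
    enforcementLevel: "advisory",
    validateResource(args, reportViolation) {
      if (args.type !== "aws:ec2/securityGroup:SecurityGroup") return;
      const cfg = args.getConfig<IngressPolicyConfig>();
      for (const rule of args.props.ingress ?? []) {
        const cidrs: string[] = rule.cidrBlocks ?? [];
        const worldOpen = cidrs.some((c) => cfg.blockedCidrs.includes(c));
        const adminPort = cfg.blockedPorts.some((p) => rule.fromPort <= p && p <= rule.toPort);
        if (worldOpen && adminPort) {
          reportViolation(`'${args.name}' allows ${rule.fromPort}-${rule.toPort}/${rule.protocol} from ${cidrs.join(", ")}`);
        }
      }
    },
  },
];

interface ResourceRecord { type: string; name: string; props: Record<string, any> }

// Configuration keyed by policy name: "enforcementLevel" overrides the pack default,
// every other key is handed to the policy through getConfig().
interface PolicyConfigEntry { enforcementLevel?: EnforcementLevel; [key: string]: any }
type PackConfig = Record<string, PolicyConfigEntry>;

function evaluate(resources: ResourceRecord[], config: PackConfig = {}): { violations: Violation[]; blocked: boolean } {
  const violations: Violation[] = [];
  for (const policy of policies) {
    const entry: PolicyConfigEntry = config[policy.name] ?? {};
    const { enforcementLevel: override, ...settings } = entry;
    const level = override ?? policy.enforcementLevel;
    if (level === "disabled") continue;   // disabled policies are not evaluated at all
    for (const r of resources) {
      const urn = `urn:pulumi:dev::app::${r.type}::${r.name}`;
      const args: ResourceValidationArgs = { ...r, urn, getConfig: <T>() => settings as unknown as T };
      policy.validateResource(args, (message) =>
        violations.push({ policy: policy.name, enforcementLevel: level, urn, message }));
    }
  }
  // Mandatory violations gate the update; advisory ones are reported but let it proceed.
  return { violations, blocked: violations.some((v) => v.enforcementLevel === "mandatory") };
}

// Constructed sample input: planned resources of a stack and the group's policy config.
const sampleResources: ResourceRecord[] = [
  { type: "aws:s3/bucket:Bucket", name: "logs", props: { acl: "public-read" } },
  { type: "aws:ec2/securityGroup:SecurityGroup", name: "web", props: { ingress: [
      { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
      { protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"] } ] } },
  { type: "aws:ec2/securityGroup:SecurityGroup", name: "db", props: { ingress: [
      { protocol: "tcp", fromPort: 5432, toPort: 5432, cidrBlocks: ["10.0.0.0/8"] } ] } },
];
const sampleConfig: PackConfig = {
  "sg-no-world-admin-ports": { blockedCidrs: ["0.0.0.0/0", "::/0"], blockedPorts: [22, 3389] },
};

const result = evaluate(sampleResources, sampleConfig);
for (const v of result.violations) console.log(`[${v.enforcementLevel}] ${v.policy}: ${v.message}`);
console.log(result.blocked ? "update blocked" : "update may proceed");
```

With the sample data the public bucket produces a mandatory violation and the `web` security group an advisory one, so the update is blocked. Setting `"s3-no-public-acl": { "enforcementLevel": "disabled" }` in the configuration leaves only the advisory finding and the update proceeds; raising the ingress policy to `mandatory` blocks it again. That override path is the same mechanism an organization administrator uses when tightening or relaxing a pack per policy group without editing the pack's source.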
Examples
Example policy packs for different cloud providers:
FAQ
Get answers to Frequently Asked Questions about Pulumi Policy.