Compliance Ready Policies

Pulumi Compliance Ready Policies, with a comprehensive coverage of AWS, Azure, Google, and Kubernetes, provide an enhanced level of control and governance over your cloud resources. Although Compliance Ready Policies are currently available in JavaScript and TypeScript, they can be used with Pulumi stacks written in any language. Pulumi Compliance Ready Policies empower you to enforce best practices, security standards, cost control and compliance requirements seamlessly within your infrastructure-as-code workflows.

If you’re not yet familiar with Policy as Code, read more about it here.

Installation

Pulumi Compliance Ready Policies are already integrated with the Pulumi CLI. When you run pulumi policy new, you are presented with a series of Compliance Ready Policies flavored Policy Packs such as aws-compliance-policies-typescript, aws-iso27001-compliance-policies-typescript and azure-iso27001-compliance-policies-typescript along with many others.

Upon selecting one of those pre-built Policy Packs, the Pulumi CLI takes care of downloading and installing the required dependencies in your local environment.

Alternatively, a step-by-step wizard is available in the Pulumi Cloud Console with all the required instructions for you to follow.

When your Policy Pack is ready, you may evaluate it locally, or publish it to your Pulumi Organization. See below for more details.

If you’re starting from an existing Policy Pack, you need to install the necessary Compliance Ready Policies packages. Note that @pulumi/policy-manager is always required and should be explicitly present in your package.json.

Here is an example on how to install the Policy Manager and the Compliance Ready Policies for AWS.

npm install @pulumi/compliance-policy-manager @pulumi/aws-compliance-policies --save

Supported Compliance Ready Policy packages are:

• @pulumi/compliance-policy-manager (Required) Policy Manager is used to manage Compliance Ready Policies.
• @pulumi/aws-compliance-policies Set of Compliance Ready Policies for Amazon Web Services, for both AWS Native and AWS Classic providers.
• @pulumi/azure-compliance-policies Set of Compliance Ready Policies for Microsoft Azure, for both Azure Native and Azure Classic providers.
• @pulumi/google-compliance-policies Set of Compliance Ready Policies for Google Cloud Platform, for both Google Native and GCP providers.
• @pulumi/kubernetes-compliance-policies Set of Compliance Ready Policies for Kubernetes.

Policy packages upgrade

Pulumi regularly publishes new policies, enhancements and bug fixes to its Compliance Ready Policies packages and framework.

You should regularly update to the latest versions as you already do with the Pulumi providers and other SDKs.

To check for newer versions, run npm outdated. If some packages are outdated, they will be listed as shown below.

Package                 Current  Wanted  Latest  Location
@pulumi/aws-compliance-policies      0.0.8   0.0.8  0.0.15  node_modules/@pulumi/aws-policies
@pulumi/compliance-policy-manager    0.0.3   0.0.3   0.0.6  node_modules/@pulumi/policy-manager

Then install the latest versions

npm install @pulumi/aws-compliance-policies@0.0.15 @pulumi/compliance-policy-manager@0.0.6 --save

Once your Policy Pack contains the latest versions, test it locally and finally publish a new version of your Policy Pack into your Pulumi organization.

Authoring a Policy Pack with Pulumi Compliance Ready Policies

Pulumi Compliance Ready Policies come with a Policy Manager to help you quickly build policy packs by selecting policies of interest or changing the enforcement level of your chosen policies.

There are 2 main ways to author a new Policy Pack. The methods described below can be used side-by-side with each other if you desire so.

Policy selection

Pulumi Compliance Ready Policies have been enriched with additional metadata allowing authors to quickly select and use policies based on areas of focus.

Policies have 5 metadata fields:

• The vendor field holds the vendor’s name to which the policy belongs to. For example aws is for Amazon Web Services. If a vendor has more than one Pulumi provider (ie, AWS Classic and AWS Native), then policies are grouped under the same vendor name. This is done so organizations have a complete control over resource creation regardless of the Pulumi provider used.

• The services field holds the service name to which the policy belongs to. For example s3 is for Amazon Web Services Simple Storage Service (S3), or containerservice is for Azure Container Service.

• The severity field describes the policy severity across 4 severity levels: low, medium, high, and critical. As some policies address more sensitive issues, this field highlights the security risks associated.

• The topics field contains a set of keywords pertaining to the policy, such as encryption, cost, backup, or availability. It allows organizations to select policies based on area of focus.

• Finally, frameworks holds information about the policy and the compliance frameworks it belongs to — for example, pcidss for the PCI-DSS framework. It enables organizations to quickly select policies based on a compliance framework they wish to adhere.

The example below shows how to select policies for AWS that are related to the EC2 and S3 service and for which the policy severity is rated either medium, high or critical, and where the policies are related to encryption and to the PCI-DSS framework.

import { PolicyPack } from "@pulumi/policy";
import { policyManager } from "@pulumi/compliance-policy-manager";

new PolicyPack("aws-compliance-ready-policies-typescript", {
    policies:[
        ...policyManager.selectPolicies({
            vendors: ["aws"],
            services: ["ec2", "s3"],
            severities: ["medium", "high", "critical"],
            topics: ["encryption"],
            frameworks: ["pcidss"],
        }, "mandatory" ),
    ],
});

policyManager.displaySelectionStats({
    displayGeneralStats: true,
    displayModuleInformation: true,
    displaySelectedPolicyNames: true,
});

To assist in policy selection visibility and traceability, Policy Manager has the ability to display selection statistics when calling policyManager.displaySelectionStats(). Each time your policies are evaluated as part of a stack preview or stack update, statistics will also be displayed and recorded in Pulumi Cloud as part of your Pulumi app output.

Policy cherry-picking

When using Pulumi Compliance Ready Policies it’s also possible to create finely-tuned Policy Packs by manually selecting individual policies.

To allow Compliance Ready Policy cherry-picking, you need to import the policy package in your Policy Pack code.

It is recommended to use policyManager.selectPolicies() when cherry-picking Compliance Ready Policies so duplicated policies are removed and your Policy Pack statistics are accurate. Not doing so may lead to duplicate policy selection, the inability to publish your Policy Pack in your Pulumi organization, or inaccurate Policy Pack statistics.

In this example, first the user is manually selecting policies for disabling HTTP traffic on CloudFront distributions and ensuring encrypted volumes for EBS using the mandatory enforcement level. In the second statement, the user is selecting policies to ensure modern TLS encryption is used on CloudFront distributions but with an enforcement level of advisory.

It’s worth noting in the example below that policies need to be individually selected for both classic and native providers.

import { PolicyPack } from "@pulumi/policy";
import { policyManager } from "@pulumi/compliance-policy-manager";
import * as awsPolicies from "@pulumi/aws-compliance-policies";

new PolicyPack("aws-compliance-ready-policies-typescript", {
    policies:[
        ...policyManager.selectPolicies([
            awsPolicies.aws.cloudfront.Distribution.disallowUnencryptedTraffic,
            awsPolicies.awsnative.cloudfront.Distribution.disallowUnencryptedTraffic
            awsPolicies.awsnative.ec2.Volume.disallowUnencryptedVolume,
            awsPolicies.aws.ebs.Volume.disallowUnencryptedVolume,
        ], "mandatory"),
        ...policyManager.selectPolicies([
            awsPolicies.aws.cloudfront.Distribution.configureSecureTls,
            awsPolicies.awsnative.cloudfront.Distribution.configureSecureTls,
        ], "advisory"),
    ],
});

policyManager.displaySelectionStats({
    displayGeneralStats: true,
    displayModuleInformation: true,
    displaySelectedPolicyNames: true,
});

Mixed authoring

Compliance Ready Policy selection and cherry picking methods can be combined.

import { PolicyPack } from "@pulumi/policy";
import { policyManager } from "@pulumi/compliance-policy-manager";
import * as awsPolicies from "@pulumi/aws-compliance-policies";
import * as k8sPolicies from "@pulumi/kubernetes-compliance-policies";

new PolicyPack("aws-compliance-ready-policies-typescript", {
    policies:[
        ...policyManager.selectPolicies({
            vendors: ["aws"],
            services: ["ec2", "s3"],
            severities: ["medium", "high", "critical"],
        }, "mandatory" ),
        ...policyManager.selectPolicies({
            vendors: ["kubernetes"],
            severities: ["high", "critical"],
        }, "mandatory"),
        ...policyManager.selectPolicies([
            awsPolicies.aws.alb.LoadBalancer.configureAccessLogging,
            awsPolicies.aws.alb.LoadBalancer.enableAccessLogging,
        ], "advisory"),
    ],
});
policyManager.displaySelectionStats({
    displayGeneralStats: true,
    displayModuleInformation: true,
    displaySelectedPolicyNames: true,
});

Policy Pack Statistics

To assist in policy selection visibility and traceability, Policy Manager has the ability to display selection statistics when calling policyManager.displaySelectionStats(). When your policies are evaluated as part of a stack preview or stack update, statistics will also be displayed and recorded in Pulumi Cloud as part of your Pulumi app output.

This feature allows your organization to track the policies evaluated during a stack update or a preview, as well as the total number of policies selected, and the Pulumi Compliance Ready Policies packages versions used in your Policy Pack.

To display statistics about your Policy Packs and the Compliance Ready Policies in use, add the following statement at the bottom of your Policy Pack.

policyManager.displaySelectionStats({
    displayGeneralStats: true,
    displaySelectedPolicyNames: true,
    displayModuleInformation: true,
});

Setting displayGeneralStats to true will display general statistics about the number of available policies across all installed policy packages, how many were selected by your Policy Pack and the remaining number of (unselected) policies.

Setting displaySelectedPolicyNames to true will dump all the policy names that were selected by your Policy Pack. This will help you track policy usage over time and when performing any audit.

Finally, setting displayModuleInformation to true will display the names and versions of your installed policy packages.

Additional Compliance Ready Policy Packages

Pulumi Compliance Ready Policies are published in per-vendor NPM packages. Each Compliance Ready Policy package contains policies for both classic and native providers when they exist, as those providers are compatible with one another.

Adding a new Compliance Ready Policy package is done like any other NPM packages.

npm install --save @pulumi/aws-compliance-policies

The list of policies contained in each NPM policy package can be found below:

• AWS Classic
• AWS Native
• Azure Classic
• Azure Native
• GCP
• Google Native
• Kubernetes

Policy Pack enforcement

Like standard Pulumi policy packs, Compliance Ready Policy Packs may be run locally or enforced across your Pulumi Organization.

If a Policy Pack needs to be installed at a time of a preview or an update, the Pulumi CLI will transparently take care of those steps on behalf of the user.

Before enforcing your Policy Pack, you may evaluate it locally using pulumi preview --policy-pack <path-to-policy-pack-directory>. For additional details, please refer to our documentation.

When your Policy Pack is ready, you should publish it in your Pulumi Organization with the aim to enforce it. To publish your Policy Pack, run pulumi policy publish <org-name>.

Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi service
Publishing "my-policy-pack" - version 1.0.0 to "myorg"
Published as version 1.0.0

Additional details are available in our documentation.

Performance

Pulumi Compliance Ready Policies have been designed from the ground up to be efficient from the start. However, like any software, we recommend Policy Pack Authors to be mindful of how they implement their Policy Packs.

Pulumi recommends avoiding installing policy packages for vendors you don’t use. Doing so will reduce memory usage and will make the execution of your Pulumi app faster.

Pulumi recommends loading Compliance Ready Policies only for services and resources you intend to use. This will result in faster Pulumi app execution.

Consider using multiple policy packs (one for each vendor) as this will result in faster installation but at the expense of a slightly slower execution and larger memory footprint.

Pulumi also recommends upgrading your Pulumi Compliance Ready Policy packages regularly. Many Policies are added and updated on a regular basis giving you better Infrastructure as Code guardrails.

Troubleshooting and support

Policy Pack is empty

At times, your Policy Pack may appear to be empty (ie, no policy is evaluated). There are 2 main reasons for this to happen.

First, an incomplete upgrade was performed and some Compliance Ready Policies packages aren’t on the latest version.

To address this issue, upgrade both the Policy Manager and the Compliance Ready Policies packages to their latest versions as described in the Policy package upgrade documentation above.

Second, at times the node_modules may reference NPM packages incorrectly. Remove the node_modules directory and reinstall all your NPM packages.

Support & feature requests

Additional support is available through our usual channels.

We encourage you to contact us via your dedicated Slack channel and ask questions directly there where possible.

If you wish to report a bug or request a new feature (like a new policy), open a new public issue at https://github.com/pulumi/compliance-policies/issues/new/choose

You may also open a new support ticket using our support center portal available at https://support.pulumi.com/hc/en-us.