Policy as Code: Automating AWS Infrastructure Governance
and its relation to the FinOps practice
Policy as Code (PaC) is an approach that allows organizations to define and enforce security, governance, and compliance policies using code. This enables automated enforcement of policies across cloud environments, ensuring consistency and reducing the risk of misconfiguration.
You can find my talk on this topic here (although it is in Spanish).
In the context of AWS, PaC is particularly useful for managing large-scale infrastructures, especially in multi-account environments.
PaC is a software automation approach, similar to infrastructure as code (IaC), that aids the assessment of an organization’s configuration and validation compliance requirements through the use of software automation constructs. Source: Amazon Official Documentation
One key tool in PaC for AWS is AWS CloudFormation Guard, which evaluates Infrastructure as Code (IaC) documents such as AWS CloudFormation templates and Terraform configuration files.
It defines validation rules in the Guard language to ensure that these documents align with best practices and organizational policies regarding the provisioning of cloud resources. For example, a rule can be written to ensure that S3…
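The kind of Guard rule described above, as an added example that is not taken from the article or from AWS documentation: a rule file a CI pipeline can run against every CloudFormation template before deployment, enforcing two security policies on S3 buckets and one FinOps tagging policy. The CostCenter tag key and the file names are assumptions for illustration.

```guard
# Added example (not from the article). Assumed file name: s3_governance.guard.
# Select every S3 bucket declared in the template under evaluation.
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Security policy: every bucket must declare default server-side encryption.
# A missing BucketEncryption property makes the clause fail, which is intended.
rule s3_bucket_default_encryption when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*] {
        ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
            <<
            Violation: S3 buckets must enable default encryption (AES256 or aws:kms).
            >>
    }
}

# Security policy: all four public-access block flags must be set on every bucket.
rule s3_bucket_block_public_access when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration {
        BlockPublicAcls == true
            << Violation: BlockPublicAcls must be true. >>
        BlockPublicPolicy == true
            << Violation: BlockPublicPolicy must be true. >>
        IgnorePublicAcls == true
            << Violation: IgnorePublicAcls must be true. >>
        RestrictPublicBuckets == true
            << Violation: RestrictPublicBuckets must be true. >>
    }
}

# FinOps policy: every bucket carries a CostCenter tag (assumed key name)
# so storage spend can be allocated to the owning team in cost reports.
rule s3_bucket_cost_center_tag when %s3_buckets !empty {
    %s3_buckets.Properties.Tags exists
    %s3_buckets.Properties.Tags !empty
    some %s3_buckets.Properties.Tags[*].Key == 'CostCenter'
        <<
        Violation: S3 buckets must carry a CostCenter tag for cost allocation.
        >>
}
```

Evaluate a template with `cfn-guard validate -d template.yaml -r s3_governance.guard`; a non-zero exit status from a failing rule is what lets the pipeline stop a non-compliant deployment.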