Policy as Code
What is Policy as Code?
Policy as Code: The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
Policy as Code (PaC) treats organizational policies — what configurations are allowed, who can do what, which regions data can land in — as source code stored in a Git repository, tested in CI, reviewed via pull requests, and enforced by automated engines. Common implementations include OPA with Rego, Kyverno for Kubernetes, HashiCorp Sentinel for Terraform, AWS Config Rules and Azure Policy. PaC removes ambiguity from PDFs and wikis: a deny on privileged containers becomes a concrete failing test, and compliance reports can be generated from the same rules. The approach scales governance across many teams and clouds, integrates with DevSecOps pipelines, and produces auditable evidence of enforcement.
● Examples
- 01: An OPA Rego rule that denies any Kubernetes Pod missing a readinessProbe in production.
- 02: A Sentinel policy that blocks Terraform plans creating S3 buckets without encryption.
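The first example written out as an added OPA Rego policy with its own unit tests; it is not code from the original page. It assumes the plain OPA Kubernetes admission-controller input shape (the AdmissionReview under `input.request`) and that production is identified by namespace name; the package name, namespace list and sample Pod are constructed for illustration.

```rego
package kubernetes.admission

import rego.v1

# Assumption: production workloads live in these namespaces; a real
# deployment might key off a namespace label instead.
production_namespaces := {"production", "prod"}

in_production if input.request.namespace in production_namespaces

# Only Pod CREATE/UPDATE requests are checked; other kinds pass through.
is_pod_write if {
    input.request.kind.kind == "Pod"
    input.request.operation in {"CREATE", "UPDATE"}
}

# One deny message per container without a readinessProbe.
# An empty deny set means the request is admitted.
deny contains msg if {
    in_production
    is_pod_write
    some container in input.request.object.spec.containers
    not container.readinessProbe
    msg := sprintf("Pod %q: container %q has no readinessProbe (required in production)",
        [input.request.object.metadata.name, container.name])
}

# Constructed AdmissionReview fragment builder for the unit tests below.
pod_request(ns, containers) := {"request": {
    "operation": "CREATE",
    "namespace": ns,
    "kind": {"kind": "Pod"},
    "object": {"metadata": {"name": "web"}, "spec": {"containers": containers}}
}}

probe := {"httpGet": {"path": "/healthz", "port": 8080}}

# Run with: opa test policy.rego
test_denies_unprobed_container_in_production if {
    req := pod_request("production", [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/proxy:1.0", "readinessProbe": probe}])
    count(deny) == 1 with input as req
}

test_allows_probed_pod_in_production if {
    req := pod_request("production", [{"name": "app", "image": "example/app:1.0", "readinessProbe": probe}])
    count(deny) == 0 with input as req
}
```

Because the tests live beside the rule, a Pod that violates the policy shows up as a failing `opa test` run in CI before the rule ever reaches the admission controller, which is the "concrete failing test" the definition refers to.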
● Frequently asked questions
What is Policy as Code?
The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced. It belongs to the Cloud Security category of cybersecurity.
What are other names for Policy as Code?
Common alternative names include: PaC.
● Related terms
- OPA (Open Policy Agent) (cloud security): A CNCF-graduated, general-purpose policy engine that decouples authorization decisions from applications and Kubernetes admission control using the Rego language.
- Security as Code (cloud security): The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
- Compliance (compliance): The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- Kubernetes Security (cloud security): The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- Service Mesh Security (cloud security): The set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
- Zero Trust Network (network security): A network architecture that never trusts users, devices, or services by default and enforces continuous, identity-aware verification of every connection.