Skip to main content

Your Rules, Enforced Automatically

Custom Policies let you define organization-specific rules for your IaC. Naming conventions, required tags, encryption requirements, forbidden configurations—if you can describe it, you can enforce it.

Your Rules

Define exactly what compliant infrastructure looks like

Auto-Enforced

Checked on every PR and agent session

Version Controlled

Track changes, rollback if needed

Test First

Preview mode before enforcement
Custom Policies is a Feature Preview. Enable it in Settings → Features.

Quick Example

Here’s a policy requiring encryption on all S3 buckets: 
Name: S3 Encryption Required
Description: All S3 buckets must have server-side encryption
Severity: High
Scope: All (PR Reviews + AI Agents)

Rules:
  Resource: aws_s3_bucket
  Condition: server_side_encryption_configuration must exist
When violated, it shows up in PRs: 
🔴 High: S3 Encryption Required

File: modules/storage/main.tf (line 15)
Resource "aws_s3_bucket.logs" missing encryption configuration.

Fix: Add server_side_encryption_configuration block.

Creating a Policy

Open Policy Editor

SettingsPoliciesCreate Policy

Name & Describe

Clear name + why this matters

Set Severity

Critical, High, Medium, or Low

Define Rules

Resource types + conditions

Choose Scope

Where to enforce: PRs, agents, or both

Severity Levels

LevelWhen to UseBlocks Merge?
🔴 CriticalPublic exposure, data leak riskYes (if configured)
🟠 HighMissing encryption, weak IAMRecommended
🟡 MediumMissing logging, no tagsOptional
🔵 LowNaming conventionsNo

Common Policies

# No public S3 buckets
Name: Block Public S3
Severity: Critical
Condition: acl != "public-read" AND acl != "public-read-write"

# Require encryption at rest
Name: RDS Encryption Required
Severity: High
Condition: storage_encrypted == true

# TLS 1.2 minimum
Name: Enforce TLS 1.2
Severity: High
Condition: min_tls_version IN ["TLS1_2", "TLS1_3"]

Where Policies Apply

PR Reviews

Violations appear as review comments. Can block merge on Critical.

AI Agents

Agent follows policies when generating code. Violations flagged before PR.

Per-Repository Overrides

  • Exclude specific repos from policies
  • Apply stricter rules to production repos
  • Different policies for different teams

Testing Before Enforcing

Always test new policies before turning them on!

Preview Mode

  1. Create policy with scope: Disabled
  2. Run manual scan on a repo
  3. See what would be flagged
  4. Adjust rules
  5. Enable when ready

Dry Run

  • See affected resources across all repos
  • Estimate violation count
  • Identify false positives
  • Refine before enforcement

Version Control

Every policy change is tracked:
FeatureWhat It Does
HistorySee all versions, who changed what
CompareDiff between versions
RollbackRevert to any previous version
AuditFull change log for compliance

Handling Violations

When a policy is violated, you can:
ActionWhen to Use
Fix itUpdate the resource to comply
Accept riskDocument why it’s ok (with justification)
Update policyAdd exception for this case
SuppressIgnore for specific resources

Best Practices

Start with Templates

Use built-in templates as starting points

Test First

Preview mode before enforcement

Document Why

Clear descriptions help future you

Review Quarterly

Keep policies current
Severity matters: Critical should mean “stop everything.” Don’t overuse it or people ignore it.

Troubleshooting

ProblemFix
Policy not evaluatingCheck scope isn’t “Disabled”, repo isn’t excluded
Too many false positivesAdd exceptions, narrow conditions
Changes not taking effectMake sure you saved, check for rollbacks

Next Steps

PR Reviews

See policies in action on PRs

AI DevOps

Policy-aware code generation

Compliance Frameworks

Industry-standard checks

Static Analysis

Built-in security scanning