Cloud & Infrastructure Practical. By Samson Tanimawo, PhD. Published Mar 8, 2026.

IaC Policy as Code (OPA, Sentinel)

Policy as code enforces guardrails on infrastructure as code (IaC) before anything is deployed. This note covers the rule patterns that work in practice and the tools available to enforce them.

Common rules

All EC2 instances must carry a required set of tags.

S3 buckets must have server-side encryption configured.

Public-facing resources require security review.

Tools

OPA / Conftest: vendor-neutral.

Terraform Sentinel: integrated with Terraform Cloud.

AWS Config: post-deploy detection only; it reports a non-compliant resource after it exists rather than blocking the change.

CI integration

Run the policy checks in PR CI; a failed policy blocks the merge.

An override must be possible for emergencies, and every use of it is logged.
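As an added example (not code from the post, and not from the OPA or Conftest projects), here is a Conftest policy in Rego that implements the three common rules above against the JSON produced by `terraform show -json`, plus the logged emergency override described in the CI integration section. It assumes the tag names Owner, CostCenter and Environment, that the policy is evaluated with `conftest test`, and that an exceptions file of the shape shown in the comments is loaded with `--data` so it appears under `data.exceptions`; it inspects the root module only.

```rego
package main

import rego.v1

# Tag keys every EC2 instance must carry (assumed example values).
required_tags := {"Owner", "CostCenter", "Environment"}

# Resources the plan will create or update; deletions are not policy-checked.
changed contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Tag keys on a resource; tolerates "tags": null or a missing tags attribute.
# (Use tags_all instead if provider default_tags should satisfy the rule.)
tag_keys(rc) := keys if {
	is_object(rc.change.after.tags)
	keys := object.keys(rc.change.after.tags)
} else := set()

# Bucket addresses that some aws_s3_bucket_server_side_encryption_configuration
# points at. Read from the configuration section because the bucket id is still
# unknown at plan time; references look like "aws_s3_bucket.logs.id" and
# "aws_s3_bucket.logs". Root module only (child modules live under module_calls).
encrypted_buckets contains ref if {
	some res in input.configuration.root_module.resources
	res.type == "aws_s3_bucket_server_side_encryption_configuration"
	some ref in res.expressions.bucket.references
}

# Legacy inline encryption block (AWS provider < 4).
inline_encrypted(rc) if {
	count(rc.change.after.server_side_encryption_configuration) > 0
}

# Rule 1: all EC2 instances must carry the required tags.
violations contains {"address": rc.address, "msg": msg} if {
	some rc in changed
	rc.type == "aws_instance"
	missing := required_tags - tag_keys(rc)
	count(missing) > 0
	msg := sprintf("%s: missing required tags %v", [rc.address, missing])
}

# Rule 2: S3 buckets must have server-side encryption configured.
violations contains {"address": rc.address, "msg": msg} if {
	some rc in changed
	rc.type == "aws_s3_bucket"
	not inline_encrypted(rc)
	not encrypted_buckets[rc.address]
	msg := sprintf("%s: no server-side encryption configured", [rc.address])
}

# Rule 3: public-facing resources require security review. Emitted as a
# warning so reviewers see it in CI output; run conftest with --fail-on-warn
# (or move these into violations) if the review must block the merge.
public_facing contains rc if {
	some rc in changed
	rc.type == "aws_lb"
	rc.change.after.internal == false
}

public_facing contains rc if {
	some rc in changed
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	"0.0.0.0/0" in rule.cidr_blocks
}

public_facing contains rc if {
	some rc in changed
	rc.type == "aws_vpc_security_group_ingress_rule"
	rc.change.after.cidr_ipv4 == "0.0.0.0/0"
}

warn contains msg if {
	some rc in public_facing
	msg := sprintf("%s is public-facing: security review required", [rc.address])
}

# Emergency override. Assumed exceptions.yaml (constructed), loaded with
# `conftest test --data exceptions.yaml`, one entry per address:
#   exceptions:
#     - address: aws_instance.hotfix
#       ticket: TICKET-ID-PLACEHOLDER
#       expires: "2026-03-15T00:00:00Z"
# A live entry suppresses the deny for that address; each use is emitted as a
# warning so the override is recorded in the CI log instead of passing silently.
override_ticket(addr) := ex.ticket if {
	some ex in data.exceptions
	ex.address == addr
	time.parse_rfc3339_ns(ex.expires) > time.now_ns()
}

deny contains msg if {
	some v in violations
	not override_ticket(v.address)
	msg := v.msg
}

warn contains msg if {
	some v in violations
	ticket := override_ticket(v.address)
	msg := sprintf("OVERRIDE %s: %s", [ticket, v.msg])
}
```

In the PR pipeline this runs as `terraform plan -out tfplan`, `terraform show -json tfplan > plan.json`, then `conftest test -p policy/ -d exceptions.yaml plan.json`; any deny gives a non-zero exit and blocks the merge, while the OVERRIDE warnings stay in the job output as the audit trail for the exception, which expires on its own once the date passes.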