Policies
You can create resource-based policies on the DoiT platform that you can use with other DoiT features such as CloudFlows.
Currently, policies can only be used in CloudFlows.
A policy is a set of rules designed to verify compliance on a specific type of resource (for example, a virtual machine or a storage bucket). It can be a simple standalone rule, (storage buckets must be encrypted) or it can be a collection of multiple rules (storage buckets must be encrypted and have a specific tag). The policy is written in Rego. A single policy can be reused across multiple DoiT features, simplifying management and ensuring that a change to one policy automatically applies in every DoiT feature where it is being used.
Rego
Policies are created using Rego. For security and operational integrity, our platform does not support all the features of the standard Rego language.
Unsupported features
import
statements are not supported. All policy logic must be self-contained within the policy code block. This ensures that the policy remains a single, auditable unit, and prevents external dependencies.
Unsupported built-in functions
The following built-in functions are not supported.
-
Network access
-
http.send
: This function is disabled to prevent unauthorized HTTP requests from policies, mitigating the risk of data exfiltration. -
net.lookup_ip_addr
: This function is disabled to prevent DNS lookups, which could be used for information leakage.
-
-
Runtime Information Access
opa.runtime
: This function is disabled to prevent access to the Open Policy Agent (OPA) runtime configuration and environment variables, which could contain sensitive data.
-
Debugging
-
print
: This function is disabled to prevent sensitive data from being leaked to the console output. -
trace
: This function is disabled to prevent potential information leakage.
-
-
External Data Access
external_data
: This function is disabled to prevent policies from querying external data providers, ensuring that policies only operate on the data explicitly provided to them.
Required permissions
-
To create a policy, you must have the CloudFlow Editor or CloudFlow Manager permissions.
-
To edit or delete a policy, you must either:
-
have the CloudFlow Manager permission which gives you access to all policies.
-
be the owner of the policy or be assigned as a collaborator. In this case, you must have the CloudFlow Editor permission.
-
Create a policy
You must create your policies before you begin using them with any DoiT features.
-
Sign in to the DoiT console, select Operate from the top navigation bar, and then select Policies.
-
Select Create policy. The Create a new policy window is displayed.
-
In Policy name, enter a name that fits the policy's usage, for example, S3 Multipart Upload Cleanup Policy.
-
(Optional) In Description, enter a description for the policy.
-
(Optional) In Collaborators, select the email addresses of the users with whom you want to share this policy.
-
In Create your policy using the Rego language, enter the Rego code to define the rules for your policy. The policy code is compiled when the policy is created. If any errors are found, the policy is not saved.
-
Select Create.
Add a policy
Once you have created a policy, you can begin using the policy with your DoiT features.
Add a policy to a CloudFlow
You can add a policy as a node inside your CloudFlow to automatically check resources against that policy. For example, you could have a CloudFlow that runs on a regular schedule to ensure all S3 buckets have the necessary lifecycle policy for cleaning up incomplete multipart uploads. For each bucket, the flow applies the policy to check that the S3 buckets match the rule, and takes action if not.
Edit policies
You can edit your policies at any time. The latest version of the policy is automatically used everywhere it is referenced within the DoiT platform.
-
Sign in to the DoiT console, select Operate from the top navigation bar, and then select Policies.
-
Select the policy you want to edit. The Edit policy window is displayed.
-
Update the policy and save your changes.
Delete policies
You can delete a policy if you are the owner of the policy or you have the CloudFlow Manager permission.
Prerequisites
A policy cannot be deleted if it is currently in use by any feature on the platform. You must remove the policy you want to delete from all features that are referencing it.
Delete a policy
Once you have verified the policy is no longer in use:
-
Sign in to the DoiT console, select Operate from the top navigation bar, and then select Policies.
-
Select the kebab menu (⋮) at the rightmost end of the policy you want to edit and select Delete.