PS Product Security Knowledge Base

IaC and Policy as Code

Purpose: keep this page as the compact decision guide for where policy should run, how strict it should be, and which deeper page to open next.

What belongs in policy as code

Policy as code is most useful for controls that are:

  • objective enough to evaluate automatically;
  • repeated across many repositories or teams;
  • painful to review manually every time;
  • important enough to block, warn, or create evidence.

Good examples include public exposure, encryption expectations, required labels, runner isolation, image trust, or missing approvals.

Control layers

  1. Author-time - pre-commit or IDE checks for obvious mistakes.
  2. CI-time - Terraform / Kubernetes / manifest policy checks before merge or deploy.
  3. Admission-time - cluster or platform policy that prevents unsafe deployment.
  4. Audit-time - continuous drift and posture checks for already-deployed resources.
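To make the "what belongs in policy as code" criteria and the CI-time layer concrete, here is an added example (not code from this knowledge base or any particular tool) of a small policy evaluator run over a Terraform plan. The plan layout follows the `resource_changes` structure produced by `terraform show -json`; the resource types, the required tag names and the three policies are constructed for illustration. Each policy carries an enforcement mode so the same check can block a merge, warn on a pull request, or merely record evidence for a later audit.

```python
"""Added example: a minimal CI-time policy check over a Terraform plan JSON.

Each control has an enforcement mode (block / warn / evidence) so one
evaluator can gate, annotate, or just record, matching the three outcomes
the guide lists.  The plan shape mirrors `terraform show -json`
resource_changes; the resources, tags and policy names are constructed.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional

BLOCK, WARN, EVIDENCE = "block", "warn", "evidence"
REQUIRED_TAGS = {"owner", "data-classification"}   # assumed org convention


@dataclass
class Finding:
    policy: str
    mode: str
    address: str
    message: str


# A check inspects one resource's planned "after" state and returns a
# message when the control is violated, otherwise None.
Check = Callable[[str, dict], Optional[str]]


def public_bucket(rtype: str, after: dict) -> Optional[str]:
    """Public exposure: objective, repeated everywhere, worth blocking."""
    if rtype == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
        return f"bucket ACL is {after['acl']}"
    return None


def unencrypted_volume(rtype: str, after: dict) -> Optional[str]:
    """Encryption expectation: warn so the author fixes it before deploy."""
    if rtype == "aws_ebs_volume" and not after.get("encrypted", False):
        return "volume is not encrypted at rest"
    return None


def missing_tags(rtype: str, after: dict) -> Optional[str]:
    """Required labels: record evidence for audit rather than gate."""
    tags = after.get("tags") or {}
    missing = sorted(REQUIRED_TAGS - tags.keys())
    return f"missing required tags: {', '.join(missing)}" if missing else None


# (policy name, enforcement mode, check) - constructed policy set
POLICIES: list[tuple[str, str, Check]] = [
    ("no-public-buckets", BLOCK, public_bucket),
    ("encrypt-volumes", WARN, unencrypted_volume),
    ("required-tags", EVIDENCE, missing_tags),
]


def evaluate(plan: dict) -> list[Finding]:
    """Run every policy over every resource the plan will create or update."""
    findings: list[Finding] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["delete"], ["no-op"]):
            continue  # destroyed or unchanged resources need no gating
        after = change.get("after") or {}
        for name, mode, check in POLICIES:
            msg = check(rc["type"], after)
            if msg:
                findings.append(Finding(name, mode, rc["address"], msg))
    return findings


def decide(findings: list[Finding]) -> str:
    """CI outcome: any BLOCK finding fails the job; WARN and EVIDENCE pass."""
    return "fail" if any(f.mode == BLOCK for f in findings) else "pass"


# Constructed sample plan: one public bucket, one unencrypted and under-tagged
# volume, and one public bucket that is being deleted (and therefore skipped).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "before": null,
              "after": {"acl": "public-read",
                        "tags": {"owner": "platform", "data-classification": "internal"}}}},
  {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
   "change": {"actions": ["update"], "before": {},
              "after": {"encrypted": false, "tags": {"owner": "data"}}}},
  {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
   "change": {"actions": ["delete"], "before": {"acl": "public-read"}, "after": null}}
]}
""")

if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    for f in results:
        print(f"[{f.mode.upper():8}] {f.policy:20} {f.address}: {f.message}")
    print("ci result:", decide(results))
```

The enforcement mode lives next to the check rather than in the CI script so the same policy set can be reused at admission time with a different mode table; in practice a check like `required-tags` often starts as evidence and is promoted to warn or block once the finding rate is low enough to gate on.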

Open these pages next