
Policy

Policy defines an organization's business rules and governance around areas like compliance, security, cost, and consistency. Policy can be applied to entities at different levels of granularity. It can be used to surface non-compliance for audit purposes, to enforce compliance through policy gates for control purposes, or both.

Policy as code is an approach that treats policy artifacts as source code. This is conceptually similar to Infrastructure as Code (IaC) and provides similar benefits around repeatability and version control.

Characteristics

Definitions

A policy definition is a policy artifact that typically describes, at a minimum, a collection of parameters, a set of compliance conditions, and the actions to take if the conditions aren't met.

Examples of policy definitions include Azure Policy Definitions in the Azure Policy ecosystem and Constraint Templates in the Gatekeeper ecosystem.

Assignment

A policy assignment is a policy artifact that applies an instance of a policy definition to a collection of entities through parameter values and scopes.

Examples of policy assignments include Azure Policy Assignments and Gatekeeper Constraints.

Enforcement

A policy gate is used to enforce policy against entities being added to or modified within a system. The policy gate is typically built using a policy engine, the policy definitions, and the policy assignments.

Examples of services and tools that enforce policy include Azure Policy and Gatekeeper.

Audit

Often there is a requirement to report policy compliance through an audit across a collection of entities without taking any action to enforce the policy. This may be due to policy updates over time leaving entities that are no longer compliant with the updated policy. Manual intervention to correct such entities may be preferred to automatic enforcement that breaks the running system.

Examples of audit capability include Azure Policy Compliance States and Gatekeeper Audit.

Examples

Enforcement

Learn More