
What is Policy as Code? How do you implement compliance controls in an IaC workflow?


Policy as Code

Defining security and compliance rules as code, then automatically enforcing them in CI/CD or deployment pipelines to ensure infrastructure changes meet organizational policies.

The Problem It Solves

Manual review of Terraform plans doesn't scale:

  • Human reviewers miss security issues, especially in large plans with hundreds of resource changes
  • No automated enforcement of baseline standards (e.g., all S3 buckets must be encrypted), so each reviewer applies their own
  • Difficult to keep results consistent across teams and repositories

Main Tools

Open Policy Agent (OPA) + Conftest

General-purpose policy engine; policies are written in the Rego language, and Conftest is the CLI that evaluates them against Terraform HCL, Terraform plan JSON, Kubernetes YAML and other structured configuration. Example rule (the input shape is what Conftest produces when it parses .tf files directly, resource.<type>.<name>):

```rego
package main

import rego.v1

# Reject any S3 bucket whose ACL is public-read.
# `name` is bound to each bucket's resource name while iterating.
deny contains msg if {
    input.resource.aws_s3_bucket[name].acl == "public-read"
    msg := sprintf("S3 bucket %v must not be public", [name])
}
```

Terraform Sentinel (Terraform Cloud/Enterprise)

HashiCorp's policy framework, integrated with the Terraform Cloud/Enterprise run lifecycle: policies evaluate the plan before apply, and each policy set is enforced as advisory, soft-mandatory (a privileged user can override) or hard-mandatory.

Checkov

Static analysis scanner designed for IaC, with a built-in library of checks for Terraform, CloudFormation and Kubernetes YAML (among other formats). It runs on source files before a plan exists; custom checks can be written in YAML or Python.

Typical Policy Examples

  • All resources must have specific tags (cost-center, owner)
  • Prohibit using outdated AMI versions
  • Databases must not have public access endpoints
  • Production resources must not be destroyed (reject plans whose actions include delete for a production resource; Terraform's own lifecycle { prevent_destroy = true } is the in-module counterpart, but a plan-level policy catches the case where the module author forgot it)
  • Encryption must be enabled (EBS, S3, RDS)
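The policies listed above, written as one Conftest policy file against the JSON plan that `terraform show -json tfplan` emits (the resource_changes[].change.{actions,before,after} structure). This is an added example, not code from the page or from the Conftest project. The required tag keys, the Environment = prod tag used to recognise production resources, the set of resource types checked and the approved_amis data file are assumptions for illustration. It uses `import rego.v1` syntax so it parses on both pre-1.0 and 1.0 releases of OPA/Conftest.

```rego
package main

import rego.v1

# Added example policy for `terraform show -json` output; not the page's own code.
# Assumed conventions (not from the page): the tag keys below, the Environment
# tag marking production, and a data file that supplies data.approved_amis.

required_tags := {"cost-center", "owner"}

# Resource types that must carry the required tags.
taggable := {"aws_instance", "aws_s3_bucket", "aws_db_instance", "aws_ebs_volume"}

# Attribute that must be true for the resource to count as encrypted at rest.
encryption_attr := {
    "aws_ebs_volume": "encrypted",
    "aws_db_instance": "storage_encrypted",
}

public_acls := {"public-read", "public-read-write"}

# Resources the plan will create or update. Pure deletes have no "after" state,
# so they are excluded here and handled by the destroy rule at the bottom.
planned contains rc if {
    rc := input.resource_changes[_]
    rc.change.actions[_] != "delete"
}

# Every taggable resource must carry each required tag.
deny contains msg if {
    rc := planned[_]
    taggable[rc.type]
    tag := required_tags[_]
    not rc.change.after.tags[tag]
    msg := sprintf("%s is missing required tag %q", [rc.address, tag])
}

# No public bucket ACLs.
deny contains msg if {
    rc := planned[_]
    rc.type == "aws_s3_bucket"
    public_acls[rc.change.after.acl]
    msg := sprintf("S3 bucket %s must not be public (acl = %s)", [rc.address, rc.change.after.acl])
}

# Databases must not expose a public endpoint.
deny contains msg if {
    rc := planned[_]
    rc.type == "aws_db_instance"
    rc.change.after.publicly_accessible == true
    msg := sprintf("database %s must not have a public endpoint", [rc.address])
}

# Encryption at rest. Values unknown until apply are absent from "after" (they sit
# in after_unknown), so a missing attribute fails closed rather than passing.
deny contains msg if {
    rc := planned[_]
    attr := encryption_attr[rc.type]
    not rc.change.after[attr] == true
    msg := sprintf("%s must set %s = true", [rc.address, attr])
}

# AMI allow-list comes from a data file passed with `conftest test --data`;
# with no data file every AMI is rejected, which is the safe default.
deny contains msg if {
    rc := planned[_]
    rc.type == "aws_instance"
    ami := rc.change.after.ami
    not data.approved_amis[ami]
    msg := sprintf("%s uses unapproved AMI %s", [rc.address, ami])
}

# Destroying anything tagged as production is rejected, whether or not the
# module author remembered lifecycle { prevent_destroy = true }.
deny contains msg if {
    rc := input.resource_changes[_]
    rc.change.actions[_] == "delete"
    rc.change.before.tags.Environment == "prod"
    msg := sprintf("%s is a production resource and must not be destroyed", [rc.address])
}
```

Save it as policy/terraform.rego and run `terraform plan -out=tfplan`, `terraform show -json tfplan > tfplan.json`, then `conftest test --policy policy --data amis.yaml tfplan.json`, where amis.yaml maps each approved AMI ID to true under the key approved_amis. Conftest exits non-zero when any deny rule produces a message, which is exactly what a CI gate needs. One caveat for the S3 encryption item: with AWS provider v4 and later, bucket encryption is a separate aws_s3_bucket_server_side_encryption_configuration resource rather than an attribute on aws_s3_bucket, so enforcing it means checking that such a resource exists for every bucket in the plan, not just inspecting the bucket's own attributes.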

Position in CI/CD

Git Push → Terraform Plan → Policy Check → Manual Review → Terraform Apply

Policy checks run against the plan output (terraform show -json) after plan and before apply, so they see the resolved values of each change; static scanners such as Checkov can additionally run earlier, on the source files, to fail fast before a plan is even produced. The gate only works if it is enforced: make the policy job a required status check on the protected branch and restrict apply credentials to the pipeline, otherwise an engineer running terraform apply from a laptop bypasses it entirely.


Copyright © 2026 Wood All Rights Reserved · FE Interview Hub