Skip to content

env0/policy-catalog

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

110 Commits
alb-secure-tls
alb-secure-tls
 
 
all-containers-must-have-resource-limits
all-containers-must-have-resource-limits
 
 
deny-public-s3-buckets
deny-public-s3-buckets
 
 
disallow-unrestricted-ssh-ingress
disallow-unrestricted-ssh-ingress
 
 
ebs-volumes-must-be-encrypted
ebs-volumes-must-be-encrypted
 
 
efs-encryption-required
efs-encryption-required
 
 
iam-password-policy-complexity
iam-password-policy-complexity
 
 
iam-policies-must-not-contain-wildcard-actions
iam-policies-must-not-contain-wildcard-actions
 
 
monthly-cost-estimation
monthly-cost-estimation
 
 
prohibit-default-vpc
prohibit-default-vpc
 
 
rds-instances-must-not-be-publicly-accessible
rds-instances-must-not-be-publicly-accessible
 
 
restrict-container-images-to-specific-registry
restrict-container-images-to-specific-registry
 
 
restrict-creation-of-expensive-instance-types
restrict-creation-of-expensive-instance-types
 
 
s3-server-side-encryption
s3-server-side-encryption
 
 
README.md
README.md
 
 

Repository files navigation

env0 Policy Catalog

This repository contains a catalog of reusable OPA/Rego policies for use with env0.
Each policy is defined in its own folder and includes the policy logic, metadata, and configuration schema.

The goal is to provide real-world, ready-to-use examples for cost, security, compliance, and other categories, while keeping the structure consistent and easy to extend.

Repository Structure

Each folder in this repository represents a single policy template.
A policy folder must include the following files:

1. policy.rego

The OPA/Rego policy implementation.
This file contains the actual rules that enforce the desired behavior.

2. metadata.yml

A YAML file that contains metadata and optional configuration for the policy.

Fields:

  • name: Friendly name of the policy template.
  • description: Explanation of what the policy does.
  • explanation: User-friendly benefit description explaining the value proposition and what users gain by using this policy.
  • categories (optional): Category of the policy. Supported categories: Security, Networking, IAM, Compliance, Cost, Performance.
  • tags (optional): Cloud resources or concepts targeted by the policy.
  • cloudProvider (optional): Relevant cloud provider (aws, gcp, azure, oci). Leave blank for multi-cloud.
  • configurationSchema (optional): Schema describing configuration arguments for the policy.

Example:

name: "Deny Public S3 Buckets"
description: "Ensures that S3 buckets are not publicly accessible."
explanation: "Prevent accidental data leaks by blocking public access to storage buckets. Keeps your sensitive data private by default."
categories:
  - "security"
tags:
  - "aws"
  - "s3"
  - "public-access"
cloudProvider: "aws"

3. configurationSchema.json

A JSON Schema that describes optional or required parameters to customize the policy.
This allows policies to be flexible and accept input arguments.

Schema Fields:

  • $schema: JSON Schema version.
  • title: Human-readable name of the schema.
  • type: Root object type (usually object).
  • properties: Key-value map of supported parameters.
  • additionalProperties: Defines whether extra fields are allowed (true/false).

Example:

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "S3 Bucket Public Access Configuration",
  "type": "object",
  "properties": {
    "allowExceptions": {
      "type": "array",
      "items": {
        "type": "string"
      },
      "description": "List of bucket names exempted from the policy."
    }
  },
  "additionalProperties": false
}

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages