
Skill Guide

Policy-as-code authoring using OPA/Rego, AWS IAM policy language, and Azure RBAC definitions

The practice of defining, managing, and enforcing security, compliance, and operational policies using human-readable, version-controlled code executed by engines like OPA, AWS IAM, and Azure RBAC.

This skill enables organizations to implement consistent, auditable, and scalable security guardrails across cloud environments, directly reducing the risk of misconfiguration breaches and accelerating compliant infrastructure deployment. It shifts security left, making it an integral part of the CI/CD pipeline rather than a final bottleneck.

How to Learn Policy-as-code authoring using OPA/Rego, AWS IAM policy language, and Azure RBAC definitions

1. **Understand Core Abstractions**: Learn the fundamental components of an IAM policy: Principal (who), Action (what), Resource (on what), and Condition (under what circumstances).
2. **Grasp Declarative vs. Imperative Logic**: Policy-as-code is declarative; you state the desired allowed/denied state, not the steps to enforce it.
3. **Read, Don't Write First**: Analyze existing, well-structured policies from AWS Policy Examples or Azure Built-in roles to understand syntax and common patterns.

1. **Move to OPA/Rego for Cross-Cloud Logic**: Start writing simple Rego policies to validate JSON/YAML representations of AWS IAM or Azure RBAC policies against custom rules (e.g., 'deny any policy that allows action "*"').
2. **Implement Policy Testing**: Use tools like `conftest` or OPA's built-in test framework (`test_` rules) to write unit tests for your policies, treating them like any other code.
3. **Avoid Common Pitfalls**: Beware of overly permissive wildcards (`*`), complex nested conditions that create hidden backdoors, and the 'implicit deny' default behavior in both AWS and Azure.

1. **Architect a Multi-Account/Multi-Cloud Governance Framework**: Design a centralized policy repository with a pipeline that bundles, tests, and deploys policies to multiple OPA instances (e.g., via Gatekeeper for Kubernetes) and generates equivalent AWS SCPs and Azure Policy definitions.
2. **Implement Policy-as-Code in GitOps Workflows**: Integrate policy validation into the PR/MR process for IaC templates (Terraform, CloudFormation, Bicep), failing builds on violations.
3. **Master Rego for Complex Scenarios**: Write advanced Rego for dynamic policy decisions based on external data sources (e.g., pulling user group membership from a CMDB) or graph-based resource relationship checks.
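An added example (not code from the page) of the validation described in the second stage above: a Rego lint for an AWS IAM policy document, with OPA `test_` rules as unit tests. It assumes OPA 0.59 or later for `import rego.v1`, a hypothetical package name `iam.lint`, and the policy document passed as `input`; the two policy documents inside the tests are constructed samples, the second in the shape of the Beginner project's bucket policy.

```rego
package iam.lint

import rego.v1
# IAM lets Statement, Action, NotAction and Resource be a single value or a
# list; normalise to a list so every rule below handles one shape.
as_list(x) := x if is_array(x)
as_list(x) := [x] if not is_array(x)

sid(s) := object.get(s, "Sid", "<no Sid>")

has_wildcard(values) if {
	some v in as_list(values)
	v == "*"
}

deny contains msg if {
	some s in as_list(input.Statement)
	s.Effect == "Allow"
	has_wildcard(s.Action)
	msg := sprintf("statement %s: Allow with Action \"*\"", [sid(s)])
}

deny contains msg if {
	some s in as_list(input.Statement)
	s.Effect == "Allow"
	has_wildcard(s.Resource)
	msg := sprintf("statement %s: Allow with Resource \"*\"", [sid(s)])
}

# NotAction under Allow grants every action except the listed ones: a wildcard in disguise.
deny contains msg if {
	some s in as_list(input.Statement)
	s.Effect == "Allow"
	s.NotAction
	msg := sprintf("statement %s: Allow with NotAction grants all other actions", [sid(s)])
}

# Unit tests, run with `opa test .`: the wildcard policy is flagged twice; the
# bucket-scoped policy (the Beginner project's shape) produces no findings.
test_wildcard_policy_is_denied if {
	count(deny) == 2 with input as {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
}

test_scoped_s3_policy_passes if {
	count(deny) == 0 with input as {"Statement": [{
		"Sid": "LogsRW", "Effect": "Allow",
		"Action": ["s3:GetObject", "s3:PutObject"],
		"Resource": "arn:aws:s3:::company-logs-prod/*"
	}]}
}
```

To lint a real document, evaluate it with `opa eval -i policy.json -d lint.rego 'data.iam.lint.deny'`; an empty set means no finding.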

Practice Projects

Beginner
Project

AWS S3 Bucket Lockdown Policy

Scenario

You need to create an IAM policy that allows a specific IAM role to perform read/write actions ONLY on a designated S3 bucket named 'company-logs-prod', while explicitly denying all other bucket access and all non-S3 services.

How to Execute
1. Create the JSON policy document with explicit `Allow` statements for `s3:GetObject`, `s3:PutObject` on `arn:aws:s3:::company-logs-prod/*`.
2. Add a `Deny` statement with `NotResource` set to `arn:aws:s3:::company-logs-prod` and `NotAction` including all S3 actions to block access elsewhere.
3. Use the AWS Policy Simulator to test the policy against various API calls.
4. Attach the policy to a test IAM role and attempt to list buckets or access a different bucket to verify the deny effect.
Intermediate
Project

OPA Gatekeeper Constraint for Kubernetes Pod Security

Scenario

Implement a policy in an OPA-enabled Kubernetes cluster that prevents any Pod from running as root or using the host network namespace, enforcing Pod Security Standards.

How to Execute
1. Write a Rego policy in a `ConstraintTemplate` resource that defines the parameters (e.g., `allowedRunAsUser: [0]`) and logic to deny violations.
2. Create a `Constraint` resource that applies the template to all namespaces except `kube-system`.
3. Test the policy by attempting to apply a Deployment YAML that violates the rule (e.g., `runAsUser: 0`).
4. Integrate the template/constraint into your GitOps repo (e.g., with Flux/ArgoCD) and observe the admission webhook blocking the deployment.
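The `rego` body of the `ConstraintTemplate` target for this project, written as an added example rather than code from the page or from the Gatekeeper library. It assumes Gatekeeper's legacy (v0) Rego syntax, hard-codes the root UID and `hostNetwork` rules instead of reading them from `input.parameters`, and uses a hypothetical package name `k8sbaselinepods`.

```rego
package k8sbaselinepods

# Gatekeeper hands the admitted object to the policy as input.review.object.
# Bare Pods carry the spec directly; Deployments, StatefulSets, DaemonSets and
# Jobs wrap it in spec.template.spec, so both shapes are checked.
pod_spec = spec {
	input.review.object.kind == "Pod"
	spec := input.review.object.spec
}
pod_spec = spec {
	input.review.object.kind != "Pod"
	spec := input.review.object.spec.template.spec
}

# Init containers can run as root too, so they are checked alongside containers.
containers[c] {
	c := pod_spec.containers[_]
}
containers[c] {
	c := pod_spec.initContainers[_]
}

# A container's own runAsUser wins; otherwise it inherits the pod-level value.
effective_uid(c) = uid {
	uid := c.securityContext.runAsUser
}
effective_uid(c) = uid {
	not c.securityContext.runAsUser
	uid := pod_spec.securityContext.runAsUser
}

violation[{"msg": msg}] {
	pod_spec.hostNetwork == true
	msg := "hostNetwork: true is not permitted"
}

violation[{"msg": msg}] {
	c := containers[_]
	effective_uid(c) == 0
	msg := sprintf("container %v runs as root (runAsUser: 0)", [c.name])
}

# No UID anywhere and no runAsNonRoot guard: the image default decides, which
# may be root, so one of the two must be set explicitly.
violation[{"msg": msg}] {
	c := containers[_]
	not effective_uid(c)
	not c.securityContext.runAsNonRoot == true
	not pod_spec.securityContext.runAsNonRoot == true
	msg := sprintf("container %v sets neither runAsUser nor runAsNonRoot", [c.name])
}
```

The Deployment from step 3 is caught through the `spec.template.spec` branch, so the webhook rejects it before any Pod is created.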
Advanced
Project

Centralized Cross-Cloud Policy Pipeline

Scenario

Design and implement a single source of truth for organizational security policies (e.g., 'all storage must be encrypted') that automatically generates and deploys enforcement rules to AWS (via SCPs), Azure (via Azure Policy), and Kubernetes (via OPA Gatekeeper).

How to Execute
1. Author core policy logic in OPA/Rego, structured as a library of reusable rules.
2. Create a CI/CD pipeline (e.g., GitHub Actions, GitLab CI) that uses tooling like `conftest` to test policies against sample IaC.
3. In the same pipeline, use a policy generator (e.g., `regula`, custom scripts, or AWS/Azure SDKs) to translate the Rego rules into AWS SCP JSON and Azure Policy JSON.
4. Deploy the generated SCPs to AWS Organizations using Terraform or AWS CloudFormation and the Azure Policies using Terraform's `azurerm_policy_definition`.
5. Enforce the same Rego policy in Kubernetes clusters via Gatekeeper.

Tools & Frameworks

Policy Engines & Languages

Open Policy Agent (OPA)
Rego Language
AWS Identity and Access Management (IAM) & Organizations SCPs
Azure Role-Based Access Control (RBAC) & Azure Policy

OPA is the general-purpose engine; Rego is its query language. AWS IAM/SCP and Azure RBAC/Policy are native cloud-specific implementations. Use OPA for cross-cutting, abstract policy logic, and native tools for cloud-specific enforcement points.

Development & Testing Tools

conftest
OPA Playground
AWS Policy Simulator
Azure Policy Evaluation Results

`conftest` tests policy against structured config files. OPA Playground is for rapid Rego prototyping. The AWS/Azure simulators are essential for verifying policy effects in their respective environments before deployment.

Integration & Deployment Frameworks

OPA Gatekeeper (Kubernetes)
AWS Lambda Authorizers
Terraform (aws_iam_policy, azurerm_policy_definition)

Gatekeeper integrates OPA as a Kubernetes admission webhook. Lambda Authorizers use OPA/Rego for custom API Gateway authorization. Terraform is used to deploy the generated policy artifacts across clouds as infrastructure.

Interview Questions

Answer Strategy

The answer must demonstrate knowledge of AWS Organizations and Service Control Policies (SCPs). The candidate should explain creating an SCP that denies the `s3:PutBucketAcl` and `s3:PutBucketPolicy` actions when the resource is an S3 bucket and the condition is for a public ACL or public policy. They must mention attaching this SCP at the OU or Root level. A strong answer will also mention supplementary controls like AWS Config rules or CloudFormation hooks for defense-in-depth.

Answer Strategy

This tests systematic problem-solving with Rego. The candidate should outline: 1) Replicating the failure in the OPA Playground or REPL with the exact input. 2) Using `print()` statements or `trace()` in Rego to inspect intermediate values. 3) Writing unit tests with `test_` functions to isolate the failing logic. 4) Checking for common pitfalls like incorrect variable binding, `default` rule overrides, or short-circuiting in boolean logic.
