
Modify your policy

Now, imagine you decide to improve your security posture by adding a new rule about Terraform and public cloud configuration.

In the Styra DAS, navigate back to the same policy file as earlier: your system name >> policy >> aws >> ec2 >> rules.rego.

Add the following rule to your policy to prohibit overly-permissive IAM settings on AWS.

enforce[decision] {
    data.global.systemtypes["terraform:1.0"].library.provider.aws.iam.restricted_policy.v1.restricted_iam_policy[message]

    decision := {
        "allowed": false,
        "message": message
    }
}

Before you publish and start enforcing your new policy, you want to know what impact it will have. The Validate button shows how many past decisions would change under your new policy:

When you click on the Validate button, the following results are displayed:

  • Results explaining that your policy will still reject the first sample Terraform plan.

  • Now, it will also reject the second sample Terraform plan that was previously allowed.

  • Click the green icon, and DAS replays that decision under your new policy, showing you the new result and which rules contributed to it.

This kind of visibility helps you predict whether your organization is operationally ready for tighter Terraform controls.
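To make the replay idea concrete, here is an added, standalone Python example (not Styra DAS code, and not the library's implementation of restricted_iam_policy). It re-evaluates a set of recorded Terraform plans under the old and the new rule set and reports which decisions flip, which is what the Validate button does for you. The IAM check is a simplified stand-in that flags Allow statements granting Action "*" on Resource "*" (an assumption about what the library rule looks for), the EC2 public-IP rule is a hypothetical pre-existing rule, and the three plans are constructed in the shape of `terraform show -json`, trimmed to the fields used.

```python
"""Replay past Terraform-plan decisions under a stricter rule set.

Added example, not Styra DAS code. It mirrors what the Validate button does:
re-evaluate recorded decisions under the new policy and report which ones flip.
The IAM check is a simplified stand-in for the library rule restricted_iam_policy
(assumption: it flags Allow statements with Action "*" on Resource "*"), and the
EC2 check is a hypothetical pre-existing rule; neither is the library's code.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

Plan = Dict[str, Any]
Rule = Callable[[Plan], List[str]]


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _planned_resources(plan: Plan, rtype: str):
    """Yield (address, after-state) for resources of one type in a plan JSON."""
    for change in plan.get("resource_changes", []):
        if change.get("type") == rtype:
            yield change["address"], (change.get("change") or {}).get("after") or {}


def ec2_public_ip_violations(plan: Plan) -> List[str]:
    """Hypothetical pre-existing rule: EC2 instances must not request a public IP."""
    return [f"{addr}: instance requests a public IP"
            for addr, after in _planned_resources(plan, "aws_instance")
            if after.get("associate_public_ip_address") is True]


def iam_policy_violations(plan: Plan) -> List[str]:
    """Stand-in for restricted_iam_policy: deny Allow of Action "*" on Resource "*"."""
    messages = []
    for addr, after in _planned_resources(plan, "aws_iam_policy"):
        doc = after.get("policy")
        if isinstance(doc, str):  # Terraform stores the document as a JSON string
            try:
                doc = json.loads(doc)
            except ValueError:
                messages.append(f"{addr}: policy document is not valid JSON")
                continue
        for stmt in _as_list((doc or {}).get("Statement")):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                messages.append(f"{addr}: IAM policy allows every action on every resource")
    return messages


def decide(plan: Plan, rules: List[Rule]) -> Dict[str, Any]:
    """Combine rules the way enforce[decision] does: any message denies the plan."""
    messages = [m for rule in rules for m in rule(plan)]
    return {"allowed": not messages, "messages": messages}


def validate_impact(plans: Dict[str, Plan], old_rules: List[Rule],
                    new_rules: List[Rule]) -> List[Tuple[str, bool, bool, List[str]]]:
    """Replay each recorded plan under both rule sets; return the decisions that flip."""
    flipped = []
    for name, plan in plans.items():
        before = decide(plan, old_rules)["allowed"]
        after = decide(plan, new_rules)
        if before != after["allowed"]:
            flipped.append((name, before, after["allowed"], after["messages"]))
    return flipped


# Constructed policy documents and plans (trimmed `terraform show -json` shape).
ADMIN_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

SAMPLE_PLANS: Dict[str, Plan] = {
    "plan-1": {"resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"after": {"associate_public_ip_address": True}}},
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "change": {"after": {"policy": ADMIN_DOC}}}]},
    "plan-2": {"resource_changes": [
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"after": {"associate_public_ip_address": False}}},
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "change": {"after": {"policy": ADMIN_DOC}}}]},
    "plan-3": {"resource_changes": [
        {"address": "aws_iam_policy.reader", "type": "aws_iam_policy",
         "change": {"after": {"policy": SCOPED_DOC}}}]},
}
OLD_RULES: List[Rule] = [ec2_public_ip_violations]
NEW_RULES: List[Rule] = OLD_RULES + [iam_policy_violations]

if __name__ == "__main__":
    for name, before, after, msgs in validate_impact(SAMPLE_PLANS, OLD_RULES, NEW_RULES):
        print(f"{name}: allowed={before} -> allowed={after}; {'; '.join(msgs)}")
```

Run as a script, it reports only plan-2 flipping from allowed to denied, with the IAM message as the contributing rule; plan-1 was already denied by the public-IP rule and stays denied, and plan-3's scoped policy passes both rule sets. Swapping the constructed dictionaries for real decision-log exports gives the same before-and-after count that the Validate view presents.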