Multi-Cloud Governance¶
One PolicyMesh deployment. AWS, GCP, Azure, and Kubernetes all evaluated against the same CEL rules at the same time.
Prerequisites¶
- CloudSlash installed and initialized
- Credentials configured for each provider you want to govern
- Provider plugins installed:
Write Governance Policies¶
Create a policy file at ~/.cloudslash/policies/governance/rules.yaml:
rules:
- id: require-env-tag
condition: "!('env' in tags)"
action: warn
message: "Missing 'env' tag: SOC2 compliance requires environment tagging"
enforcement_mode: shadow
target_kinds:
- "ec2:instance"
- "compute:instance"
- "compute:vm"
- id: require-owner-tag
condition: "!('owner' in tags)"
action: warn
message: "Missing 'owner' tag: no cost attribution possible"
enforcement_mode: shadow
- id: block-expensive-resources
condition: "cost > 500.0"
action: block
message: "Resources over $500/mo require VP approval before remediation"
enforcement_mode: enforcing
- id: ban-gp2-volumes
condition: "kind == 'ebs:volume' && resource.VolumeType == 'gp2'"
action: warn
message: "gp3 is 20% cheaper with decoupled IOPS: migrate immediately"
enforcement_mode: enforcing
- id: block-public-endpoints
condition: "kind == 's3:bucket' && resource.public_access == true"
action: block
message: "Public S3 bucket detected: data exposure risk"
enforcement_mode: enforcing
Validate Before Deploying¶
# Check YAML syntax and CEL compilation
cs policy validate rules.yaml
# Lint for common mistakes
cs policy lint rules.yaml
# Dry-run against the last scan snapshot
cs policy test rules.yaml
The test command evaluates every rule against all resources from the latest scan. It shows how many nodes would be blocked, warned, or passed.
Multi-Cloud Scan¶
Run a Unified
CloudSlash scans all configured providers in a single pipeline. The output includes policy violations grouped by provider:
Policy Violations:
AWS (us-east-1): 12 violations (3 block, 9 warn)
GCP (us-central1): 4 violations (1 block, 3 warn)
Azure (eastus): 7 violations (2 block, 5 warn)
Web Dashboard¶
Visualize in the
Navigate to the PolicyMesh tab to see:
- All loaded rules with their trigger counts
- Which resources matched each rule
- Enforcement mode indicators (shadow vs enforcing)
- One-click toggle between shadow and enforcing
Enforcing¶
Graduate from Shadow to
Start with all rules in shadow mode to observe their impact without blocking anything. Once you verify a rule is correct:
- Web UI: Click the toggle switch next to the rule in PolicyMesh
- API:
curl -X POST http://localhost:8080/api/v1/policies/toggle -d '{"rule_id": "require-env-tag"}' - Config: Change
enforcement_mode: enforcingin the YAML file (hot-reloaded automatically)
Generate Compliance Reports¶
The report includes policy compliance summaries, violation counts per provider, and trend data showing compliance improvement over time.
Hot-Reload¶
Policy files in ~/.cloudslash/policies/ are watched with fsnotify. When you edit a YAML file, the daemon automatically recompiles all rules without restart. Invalid syntax is rejected without corrupting the running ruleset.
What's Next¶
- CI/CD Integration: Enforce policies in pull request pipelines
- Compliance & Audit: Generate SOC2/CIS evidence
- CEL Policy Reference: Full CEL variable reference and advanced patterns