Skip to content

Multi-Cloud Governance

One PolicyMesh deployment. AWS, GCP, Azure, and Kubernetes all evaluated against the same CEL rules at the same time.


Prerequisites

  • CloudSlash installed and initialized
  • Credentials configured for each provider you want to govern
  • Provider plugins installed:
cs plugin install aws
cs plugin install gcp
cs plugin install azure

Write Governance Policies

Create a policy file at ~/.cloudslash/policies/governance/rules.yaml:

rules:
  - id: require-env-tag
    condition: "!('env' in tags)"
    action: warn
    message: "Missing 'env' tag: SOC2 compliance requires environment tagging"
    enforcement_mode: shadow
    target_kinds:
      - "ec2:instance"
      - "compute:instance"
      - "compute:vm"

  - id: require-owner-tag
    condition: "!('owner' in tags)"
    action: warn
    message: "Missing 'owner' tag: no cost attribution possible"
    enforcement_mode: shadow

  - id: block-expensive-resources
    condition: "cost > 500.0"
    action: block
    message: "Resources over $500/mo require VP approval before remediation"
    enforcement_mode: enforcing

  - id: ban-gp2-volumes
    condition: "kind == 'ebs:volume' && resource.VolumeType == 'gp2'"
    action: warn
    message: "gp3 is 20% cheaper with decoupled IOPS: migrate immediately"
    enforcement_mode: enforcing

  - id: block-public-endpoints
    condition: "kind == 's3:bucket' && resource.public_access == true"
    action: block
    message: "Public S3 bucket detected: data exposure risk"
    enforcement_mode: enforcing

Validate Before Deploying

# Check YAML syntax and CEL compilation
cs policy validate rules.yaml

# Lint for common mistakes
cs policy lint rules.yaml

# Dry-run against the last scan snapshot
cs policy test rules.yaml

The test command evaluates every rule against all resources from the latest scan. It shows how many nodes would be blocked, warned, or passed.

Multi-Cloud Scan

Run a Unified

cs scan --rules ~/.cloudslash/policies/governance/rules.yaml

CloudSlash scans all configured providers in a single pipeline. The output includes policy violations grouped by provider:

Policy Violations:
  AWS (us-east-1): 12 violations (3 block, 9 warn)
  GCP (us-central1): 4 violations (1 block, 3 warn)
  Azure (eastus): 7 violations (2 block, 5 warn)

Web Dashboard

Visualize in the

cs daemon --rules ~/.cloudslash/policies/governance/rules.yaml

Navigate to the PolicyMesh tab to see:

  • All loaded rules with their trigger counts
  • Which resources matched each rule
  • Enforcement mode indicators (shadow vs enforcing)
  • One-click toggle between shadow and enforcing

Enforcing

Graduate from Shadow to

Start with all rules in shadow mode to observe their impact without blocking anything. Once you verify a rule is correct:

  • Web UI: Click the toggle switch next to the rule in PolicyMesh
  • API: curl -X POST http://localhost:8080/api/v1/policies/toggle -d '{"rule_id": "require-env-tag"}'
  • Config: Change enforcement_mode: enforcing in the YAML file (hot-reloaded automatically)

Generate Compliance Reports

cs report --format=html --output=governance-report.html

The report includes policy compliance summaries, violation counts per provider, and trend data showing compliance improvement over time.


Hot-Reload

Policy files in ~/.cloudslash/policies/ are watched with fsnotify. When you edit a YAML file, the daemon automatically recompiles all rules without restart. Invalid syntax is rejected without corrupting the running ruleset.


What's Next