# Cloud Policy
Cloud policies define security requirements for applications running in cloud environments like AWS, GCP, and Azure. These policies ensure proper IAM configuration and restrict access to authorized accounts, regions, and identities.
## Overview
Cloud policies are evaluated when Environment.IsCloud() returns true (EKS, GKE, AKS, Lambda, Cloud Run, Azure Functions).
```go
type CloudPolicy struct {
    RequireIAM bool         // Require cloud IAM to be configured
    AWS        *AWSPolicy   // AWS-specific requirements
    GCP        *GCPPolicy   // GCP-specific requirements
    Azure      *AzurePolicy // Azure-specific requirements
}
```
## Common Field: RequireIAM
Requires cloud-native IAM to be configured before allowing credential access:
This ensures workloads are using:
- AWS: IRSA (IAM Roles for Service Accounts) or instance roles
- GCP: Workload Identity or service account keys
- Azure: Workload Identity or managed identity
Tip
Always set require_iam: true in production. Environment variable credentials are a security risk in cloud environments.
## AWS Policy
### Fields
```go
type AWSPolicy struct {
    RequireIRSA       bool     // Require IRSA specifically
    AllowedRoleARNs   []string // Whitelist of IAM role ARNs
    AllowedAccountIDs []string // Whitelist of AWS account IDs
    AllowedRegions    []string // Whitelist of AWS regions
    RequireIMDSv2     bool     // Require IMDSv2 for EC2
}
```
### RequireIRSA
Requires IAM Roles for Service Accounts (IRSA) in EKS:
IRSA provides:
- Pod-level IAM permissions (not node-level)
- No long-lived credentials
- Automatic credential rotation
### AllowedRoleARNs
Restricts to specific IAM roles. Supports wildcards:
```json
{
  "cloud": {
    "aws": {
      "allowed_role_arns": [
        "arn:aws:iam::123456789012:role/my-app-prod",
        "arn:aws:iam::123456789012:role/my-app-*"
      ]
    }
  }
}
```
### AllowedAccountIDs
Restricts to specific AWS accounts:
### AllowedRegions
Restricts to specific AWS regions:
### RequireIMDSv2
Requires IMDSv2 (Instance Metadata Service v2) on EC2:
IMDSv2 protects against SSRF attacks that could steal instance credentials.
### Complete AWS Example
```json
{
  "cloud": {
    "require_iam": true,
    "aws": {
      "require_irsa": true,
      "require_imdsv2": true,
      "allowed_account_ids": ["123456789012"],
      "allowed_role_arns": [
        "arn:aws:iam::123456789012:role/production-*"
      ],
      "allowed_regions": ["us-east-1", "us-west-2"]
    }
  }
}
```
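The following evaluator is an added illustration, not VaultGuard's own code: it checks a detected AWS identity against the AllowedRoleARNs wildcards described above and the complete policy just shown, reporting which field rejected it. The AWSIdentity type and the single-'*' wildcard semantics are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AWSIdentity is a constructed view of the detected identity (hypothetical, not a VaultGuard type).
type AWSPolicy struct {
	RequireIRSA, RequireIMDSv2                        bool
	AllowedRoleARNs, AllowedAccountIDs, AllowedRegions []string
}
type AWSIdentity struct {
	RoleARN, AccountID, Region string
	ViaIRSA, IMDSv2            bool // IRSA web-identity token used; IMDS reached with a session token
}

// matchGlob: one '*' matches any run of characters (assumed meaning of "Supports wildcards").
func matchGlob(pattern, s string) bool {
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == s // no wildcard: the entry must match the whole ARN
	}
	return len(s) >= len(pattern)-1 && strings.HasPrefix(s, pattern[:i]) && strings.HasSuffix(s, pattern[i+1:])
}
// allowed applies wildcards only where glob is set; an empty list leaves that dimension unrestricted.
func allowed(list []string, v string, glob bool) bool {
	for _, pat := range list {
		if pat == v || (glob && matchGlob(pat, v)) {
			return true
		}
	}
	return len(list) == 0
}

// Evaluate returns nil when every restriction holds; each rejection names the policy field responsible.
func (p AWSPolicy) Evaluate(id AWSIdentity) error {
	switch {
	case p.RequireIRSA && !id.ViaIRSA:
		return fmt.Errorf("require_irsa: credentials were not obtained via IRSA")
	case p.RequireIMDSv2 && !id.IMDSv2:
		return fmt.Errorf("require_imdsv2: instance metadata was not accessed with IMDSv2")
	case !allowed(p.AllowedAccountIDs, id.AccountID, false):
		return fmt.Errorf("allowed_account_ids: account %q is not allowed", id.AccountID)
	case !allowed(p.AllowedRegions, id.Region, false):
		return fmt.Errorf("allowed_regions: region %q is not allowed", id.Region)
	case !allowed(p.AllowedRoleARNs, id.RoleARN, true):
		return fmt.Errorf("allowed_role_arns: role %q matches no allowed entry", id.RoleARN)
	}
	return nil
}
```

Note that an omitted allow-list is treated as "no restriction", so a policy that only sets require_irsa still admits any account and region.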
## GCP Policy
### Fields
```go
type GCPPolicy struct {
    RequireWorkloadIdentity bool     // Require GKE Workload Identity
    AllowedServiceAccounts  []string // Whitelist of service accounts
    AllowedProjects         []string // Whitelist of GCP projects
    AllowedRegions          []string // Whitelist of GCP regions
}
```
### RequireWorkloadIdentity
Requires Workload Identity in GKE:
Workload Identity provides:
- Kubernetes service account to GCP service account mapping
- No service account key files
- Automatic credential management
### AllowedServiceAccounts
Restricts to specific GCP service accounts:
```json
{
  "cloud": {
    "gcp": {
      "allowed_service_accounts": [
        "my-app@my-project.iam.gserviceaccount.com",
        "other-app@my-project.iam.gserviceaccount.com"
      ]
    }
  }
}
```
### AllowedProjects
Restricts to specific GCP projects:
### AllowedRegions
Restricts to specific GCP regions:
### Complete GCP Example
```json
{
  "cloud": {
    "require_iam": true,
    "gcp": {
      "require_workload_identity": true,
      "allowed_projects": ["my-prod-project"],
      "allowed_service_accounts": [
        "my-app@my-prod-project.iam.gserviceaccount.com"
      ],
      "allowed_regions": ["us-central1", "us-east1"]
    }
  }
}
```
## Azure Policy
### Fields
```go
type AzurePolicy struct {
    RequireWorkloadIdentity bool     // Require AKS Workload Identity
    AllowedClientIDs        []string // Whitelist of Azure AD client IDs
    AllowedTenantIDs        []string // Whitelist of Azure AD tenant IDs
    AllowedSubscriptions    []string // Whitelist of Azure subscriptions
    AllowedRegions          []string // Whitelist of Azure regions
}
```
### RequireWorkloadIdentity
Requires Workload Identity in AKS:
### AllowedClientIDs
Restricts to specific Azure AD application client IDs:
### AllowedTenantIDs
Restricts to specific Azure AD tenants:
### AllowedSubscriptions
Restricts to specific Azure subscriptions:
### AllowedRegions
Restricts to specific Azure regions:
### Complete Azure Example
```json
{
  "cloud": {
    "require_iam": true,
    "azure": {
      "require_workload_identity": true,
      "allowed_tenant_ids": ["87654321-4321-4321-4321-210987654321"],
      "allowed_subscriptions": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
      "allowed_regions": ["eastus", "westus2"]
    }
  }
}
```
## Multi-Cloud Policy
You can define requirements for all cloud providers in a single policy:
```json
{
  "cloud": {
    "require_iam": true,
    "aws": {
      "require_irsa": true,
      "allowed_account_ids": ["123456789012"]
    },
    "gcp": {
      "require_workload_identity": true,
      "allowed_projects": ["my-prod-project"]
    },
    "azure": {
      "require_workload_identity": true,
      "allowed_tenant_ids": ["87654321-4321-4321-4321-210987654321"]
    }
  }
}
```
VaultGuard applies the appropriate section based on the detected environment.
## Default Providers
| Environment | Default Provider |
|---|---|
| EKS | AWS Secrets Manager (aws-sm) |
| Lambda | AWS Secrets Manager (aws-sm) |
| GKE | GCP Secret Manager (gcp-sm) |
| Cloud Run | GCP Secret Manager (gcp-sm) |
| AKS | Azure Key Vault (azure-kv) |
Override with provider_map:
## Next Steps
- Kubernetes Policy - Additional K8s requirements
- Enterprise Policies - Lock cloud settings organization-wide
- Example Configs - Ready-to-use policy files