Policy as Code: Automate Cloud Security Governance with Sentinel

Make policies perform like an application with version control and automated tests with a Policy as Code framework.

Rhonda O'Connor
November 5, 2020

Confidential Client



Many enterprise companies perform regulatory compliance assessments manually, with one or many assessors. This client aimed to streamline the entire process and more quickly understand where and how the organization needed to focus by reducing the effort of preparing, collecting, and managing this data, and by assessing and understanding it through automation. An embeddable Policy as Code framework would also remove the burden of proof from the project and product teams and allow them to accelerate delivery across the enterprise.


The client and Trility team identified the NIST 800-53 technical controls to automate, monitor, and manage, using HashiCorp Sentinel as the Policy as Code solution for the client's AWS cloud security frameworks.

Due to limitations with Terraform Enterprise, a centralized data store to house all implementation and execution events was not feasible. Trility recommended and implemented a process that captures and logs events after each test into the existing auditing tool, where developers can query them using a Terraform Enterprise API.

Infrastructure as Code automates the four main components of infrastructure (provision, secure, connect, and run) and empowers more users to create and manage infrastructure. This increases risk, as less experienced users could make significant mistakes that impact business operations. Sentinel's Policy as Code limits that exposure by codifying business and regulatory policies to ensure infrastructure changes are safe before they are applied. Used together, Infrastructure as Code and Policy as Code enable users to safely and quickly provision, secure, connect, and run any infrastructure for any application.


Using HashiCorp Sentinel, Trility created and mapped a library of policies to the NIST controls and also developed three tiers of compliance using Terraform Enterprise.

Policies were organized by tier, and each tier has its own automated tests, delivery pipeline, and test harness for the corresponding Terraform Enterprise workspace, providing immediate pass/fail results on every run.

Policy as Code compliance controls are baked into the software-defined cloud infrastructure as the default behavior for all implementations and allow for rapid testing and verification.
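The shape of one such policy, as an added illustration rather than any of the policies Trility built for this client: a Sentinel policy that evaluates the Terraform plan a workspace produces and fails the run when an AWS EBS volume or RDS instance is being created or updated without encryption at rest. The mapping to NIST 800-53 SC-28 (Protection of Information at Rest), the resource and attribute names (standard AWS provider attributes), and the hard-mandatory enforcement level are assumptions for this example; in practice the policy is checked by `sentinel test` with a mocked plan before it is attached to a workspace.

```sentinel
# Example policy, not one of the client's policies.
# Assumed control mapping: NIST 800-53 SC-28 (Protection of Information at Rest)
# Assumed enforcement level (set in sentinel.hcl): hard-mandatory
import "tfplan/v2" as tfplan

# Resource types in scope and the boolean attribute each must set to true
encrypted_attrs = {
  "aws_ebs_volume":  "encrypted",
  "aws_db_instance": "storage_encrypted",
}

# Only managed resources that this plan will create or update are evaluated;
# resources being destroyed or left untouched are not the plan's responsibility.
relevant = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type in keys(encrypted_attrs) and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A resource passes only if its encryption flag is explicitly true.
# An unset attribute is undefined in Sentinel, so "else false" treats
# "not configured" the same as "disabled" rather than silently passing it.
violations = filter relevant as _, rc {
  (rc.change.after[encrypted_attrs[rc.type]] else false) is not true
}

# Name each failing resource address in the run output so the team
# sees exactly what to fix instead of a bare pass/fail.
for violations as address, _ {
  print("SC-28 violation: " + address + " must enable encryption at rest")
}

# The run fails if any in-scope resource violates the control.
main = rule {
  length(violations) is 0
}
```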


  • Teams can rapidly test and verify against controls with this Policy as Code solution
  • Compliance controls are baked into the software-defined cloud infrastructure as the default behavior for all implementations
  • Reduced cost of acquisition, cost of ownership, and technical debt
  • Seamless handoff with training and documentation, which included videos and READMEs
  • Met schedule and budget requirements
  • Increased scalability and security with reusable patterns and code snippets for creating additional policies

Validate Cloud Security from the Start

Trility helps clients securely leverage the benefits of moving business to the cloud with agnostic solutions that save time and validate compliance through reusable patterns. A Policy as Code solution enables your teams to move fast yet still keep your information secure. If you are interested in learning more, Trility can help.