04 INTERMEDIATE

Policy-as-Code engine (OPA)

Open Policy Agent ruleset enforcing AWS security compliance via custom Rego policies mapped to NIST controls.

Overview

Custom OPA policy bundle enforcing compliance across AWS infrastructure at plan time and runtime. Every Rego rule traces directly to one or more NIST 800-53 controls, creating an auditable, version-controlled policy layer.

Implementation

Coverage includes encryption enforcement (SC-28), least-privilege access controls (AC-6), mandatory resource tagging (CM-8), network segmentation (SC-7), and MFA enforcement (IA-5). Each violation outputs a structured finding with control ID, resource ARN, severity, and remediation guidance.
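A Rego policy in this style for the SC-28 check, written here as an added illustration rather than the project's own ruleset; the input shape (an s3_buckets list with name, arn and sse_algorithm fields) and the HIGH severity value are assumptions, not taken from the project.

```rego
package compliance

import rego.v1

# Assumed shape of aws_state.json for this example (constructed, not the
# project's real state file):
#
# {
#   "s3_buckets": [
#     {"name": "prod-data", "arn": "arn:aws:s3:::prod-data", "sse_algorithm": null},
#     {"name": "logs",      "arn": "arn:aws:s3:::logs",      "sse_algorithm": "aws:kms"}
#   ]
# }

# Server-side encryption algorithms accepted under SC-28.
allowed_sse := {"AES256", "aws:kms"}

# SC-28 (Protection of Information at Rest): every bucket must declare an
# approved SSE algorithm. A missing or null sse_algorithm is treated as
# unencrypted, so the rule fails closed when the state is incomplete.
deny contains finding if {
	some bucket in input.s3_buckets
	not bucket.sse_algorithm in allowed_sse
	finding := {
		"resource": bucket.arn,
		"control": "SC-28",
		"severity": "HIGH", # assumed severity level
		"reason": "Server-side encryption not enabled",
		"remediation": "Enable AES-256 or aws:kms encryption",
	}
}

# Buckets that satisfy the control, reported by name for the PASS lines.
pass contains bucket.name if {
	some bucket in input.s3_buckets
	bucket.sse_algorithm in allowed_sse
}

# One-line tally matching the summary format shown in the terminal output.
summary := sprintf("Result: %d DENY, %d PASS", [count(deny), count(pass)])
```

Evaluating `data.compliance` against the constructed input above yields one finding for prod-data, one pass for logs, and the summary string "Result: 1 DENY, 1 PASS".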

Terminal output
policy-as-code-engine-opa.py
$ opa eval -d policies/ -i aws_state.json "data.compliance"

DENY s3-prod-data
  control: SC-28
  reason: Server-side encryption not enabled
  resource: arn:aws:s3:::prod-data
  remediation: Enable AES-256 or aws:kms encryption
PASS iam-readonly-policy [AC-6]
PASS vpc-flow-logs-enabled [SC-7]
PASS mfa-enforced [IA-5]

Result: 1 DENY, 3 PASS
Stack
OPA/Rego, AWS API, NIST 800-53, Python
Source code

Full implementation, tests, and documentation available on GitHub.

View on GitHub ↗