04
INTERMEDIATE
Policy-as-Code engine (OPA)
Open Policy Agent ruleset enforcing AWS security compliance via custom Rego policies mapped to NIST controls.
Overview
Custom OPA policy bundle enforcing compliance across AWS infrastructure at plan time and runtime. Every Rego rule traces directly to one or more NIST 800-53 controls, creating an auditable, version-controlled policy layer.
Implementation
Coverage includes encryption enforcement (SC-28), least-privilege access controls (AC-6), mandatory resource tagging (CM-8), network segmentation (SC-7), and MFA enforcement (IA-5). Each violation outputs a structured finding with control ID, resource ARN, severity, and remediation guidance.
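As an added illustration of the rule-to-control mapping described above (not the project's own policy bundle), the following Rego package shows three of the listed checks (SC-28 encryption at rest, AC-6 least privilege, CM-8 mandatory tagging), each emitting the structured finding the page describes. The package name `compliance` matches the page's `data.compliance` query; the input document layout (`input.s3_buckets`, `input.iam_policies`), the severity labels and the required tag names are assumptions made for this example.

```rego
# Added example, not the project's bundle. Package name follows the page's
# "data.compliance" query; the input shape below is an assumption.
package compliance

import rego.v1

# Assumed (constructed) input layout, one entry per AWS resource:
#   input.s3_buckets[_]   = {"name", "arn", "encryption": {"sse_algorithm"}, "tags": {...}}
#   input.iam_policies[_] = {"name", "arn", "document": {"Statement": [...]}}

allowed_sse := {"AES256", "aws:kms"}
required_tags := {"Owner", "Environment", "DataClassification"}  # assumed tag set

# ---- SC-28: protection of information at rest ------------------------------

bucket_encrypted(bucket) if bucket.encryption.sse_algorithm in allowed_sse

deny contains finding if {
	some bucket in input.s3_buckets
	not bucket_encrypted(bucket)  # also fires when no encryption block exists
	finding := {
		"control": "SC-28",
		"resource": bucket.arn,
		"severity": "HIGH",
		"reason": "Server-side encryption not enabled",
		"remediation": "Enable AES-256 or aws:kms encryption",
	}
}

pass contains finding if {
	some bucket in input.s3_buckets
	bucket_encrypted(bucket)
	finding := {"control": "SC-28", "resource": bucket.arn}
}

# ---- AC-6: least privilege -------------------------------------------------

# IAM Action/Resource may be a string or an array; treat "*" in either as a wildcard.
has_star(value) if value == "*"
has_star(value) if {
	is_array(value)
	some item in value
	item == "*"
}

policy_overly_broad(policy) if {
	some stmt in policy.document.Statement
	stmt.Effect == "Allow"
	has_star(stmt.Action)
	has_star(stmt.Resource)
}

deny contains finding if {
	some policy in input.iam_policies
	policy_overly_broad(policy)
	finding := {
		"control": "AC-6",
		"resource": policy.arn,
		"severity": "HIGH",
		"reason": "Allow statement grants Action \"*\" on Resource \"*\"",
		"remediation": "Scope Action and Resource to the specific API calls and ARNs required",
	}
}

pass contains finding if {
	some policy in input.iam_policies
	not policy_overly_broad(policy)
	finding := {"control": "AC-6", "resource": policy.arn}
}

# ---- CM-8: component inventory (mandatory tags) ----------------------------

# Set of required tag keys absent from the resource (missing "tags" object counts as all absent).
missing_tags(resource) := {t |
	tags := object.get(resource, "tags", {})
	some t in required_tags
	not tags[t]
}

deny contains finding if {
	some bucket in input.s3_buckets
	missing := missing_tags(bucket)
	count(missing) > 0
	finding := {
		"control": "CM-8",
		"resource": bucket.arn,
		"severity": "MEDIUM",
		"reason": sprintf("Missing required tags: %v", [concat(", ", sort(missing))]),
		"remediation": "Apply the required tags to the resource",
	}
}

pass contains finding if {
	some bucket in input.s3_buckets
	count(missing_tags(bucket)) == 0
	finding := {"control": "CM-8", "resource": bucket.arn}
}

# Roll-up consumed by the caller; non-empty "deny" fails the evaluation.
summary := {
	"deny": count(deny),
	"pass": count(pass),
	"compliant": count(deny) == 0,
}
```

With this file under `policies/`, the page's `opa eval -d policies/ -i aws_state.json "data.compliance"` returns the `deny`, `pass` and `summary` documents as JSON; an unencrypted bucket produces exactly one SC-28 finding because `bucket_encrypted` is undefined (and therefore `not` succeeds) whether the `encryption` block is absent or names an algorithm outside `allowed_sse`.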
Terminal output
$ opa eval -d policies/ -i aws_state.json "data.compliance"
DENY s3-prod-data
control: SC-28
reason: Server-side encryption not enabled
resource: arn:aws:s3:::prod-data
remediation: Enable AES-256 or aws:kms encryption
PASS iam-readonly-policy [AC-6]
PASS vpc-flow-logs-enabled [SC-7]
PASS mfa-enforced [IA-5]
Result: 1 DENY, 3 PASS
Stack
OPA/Rego · AWS API · NIST 800-53 · Python
Source code
Source repository in the works — check back soon.