
Introducing CloudQuery Platform Policies

Today we're launching CloudQuery Policies. If you manage a complex cloud environment, you can now get alerted when resources violate the exact standards you want to enforce - and get the context you need to actually do something about it.

The Day 2 Problem

There is a major implementation gap in cloud infrastructure policy, driven by messy estates spread across many providers. Finding existing infrastructure that doesn't meet the standards you care about is hard.
You can implement rules in a provider-specific tool like AWS Config, but that only covers some of your environments. You can use CSPMs or FinOps tools, but their policies are domain specific and hard to customize. You can use blocking policies that evaluate IaC, but those ignore the infrastructure that already exists today and the console changes that will be made tomorrow.
Whatever you choose, the reality of your existing infrastructure means you already have security, cost, and overall governance misconfigurations in your cloud. Even when you can identify those issues, the findings are siloed and each one requires manual investigation once it has been triggered.
Stitching it all together into a coherent governance posture is a full-time job for governance, platform, and cloud infrastructure teams.
We built CloudQuery Policies to fix this.

What Are CloudQuery Policies?

Policies are SQL-based detective controls built into the CloudQuery Platform. You define criteria for your cloud infrastructure, and CloudQuery continuously evaluates whether your existing resources meet those criteria.
Unlike IaC scanners that catch misconfigurations at deployment time, CloudQuery Policies operate at runtime - detecting issues in resources that already exist, including the ones created through the console, by third-party tools, or by IaC that's since drifted.

Policies in SQL

You shouldn't need to learn Rego, OPA, or a vendor's proprietary policy language to express "find me untagged EC2 instances running expensive instance types." CloudQuery Policies are ClickHouse SQL queries against CloudQuery's normalized tables - the same tables that cover EC2 instances, RDS databases, EBS volumes, and everything else you've synced.
Here's a policy that flags running xlarge-class instances missing a cost center tag:
SELECT instance_id, instance_type, region,
       JSONExtractString(tags, 'Environment') AS env,
       JSONExtractString(tags, 'CostCenter') AS cost_center
FROM aws_ec2_instances
WHERE JSONExtractString(tags, 'CostCenter') = ''
  AND JSONExtractString(state, 'Name') = 'running'
  AND instance_type LIKE '%xlarge'
With CloudQuery Policies, you can identify security issues, like unencrypted RDS databases:
SELECT db_instance_identifier, engine, region,
       db_instance_status, JSONExtractString(tags, 'Team') AS team
FROM aws_rds_instances
WHERE storage_encrypted = false
  AND db_instance_status = 'available'
Or find wasteful unattached EBS volumes still accruing charges:
SELECT volume_id, volume_type, size, region,
       create_time, JSONExtractString(tags, 'CostCenter') AS cost_center
FROM aws_ec2_ebs_volumes
WHERE length(attachments) = 0
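The queries above report a volume the moment it is detached and treat a missing CostCenter key and an empty one the same way. As an added example (not code from the CloudQuery post), the same unattached-volume check with an age threshold and explicit tag handling; it assumes `account_id` is present on the table and that `tags` is a JSON string, as the page's `JSONExtractString` calls imply:

```sql
-- Added example, not from the original post.
-- Assumptions: aws_ec2_ebs_volumes has an account_id column and tags is a JSON string.
SELECT
    account_id,
    region,
    volume_id,
    volume_type,
    size AS size_gib,
    -- Age lets the policy ignore volumes in normal churn (e.g. mid-migration)
    dateDiff('day', create_time, now()) AS age_days,
    -- Tag keys are case-sensitive; distinguish "key missing" from "key empty"
    multiIf(
        JSONHas(tags, 'CostCenter'),  JSONExtractString(tags, 'CostCenter'),
        JSONHas(tags, 'cost_center'), JSONExtractString(tags, 'cost_center'),
        'UNTAGGED'
    ) AS cost_center,
    if(JSONHas(tags, 'Owner'), JSONExtractString(tags, 'Owner'), 'UNKNOWN') AS owner
FROM aws_ec2_ebs_volumes
WHERE length(attachments) = 0
  AND dateDiff('day', create_time, now()) > 30
ORDER BY size_gib DESC, age_days DESC
```

Raising the 30-day threshold or the tag-key list tunes how noisy the resulting alerts are without changing the underlying finding.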

Take Action

CloudQuery Policies support notifications to any webhook or to Slack natively, so that you can notify the relevant team to react and respond: create a Jira ticket, add an issue in Linear, or draft an email.
The real unlock for Policies comes from CloudQuery's broad support for cloud infrastructure sources. When a resource is flagged for violating a policy, CloudQuery surfaces insights about that resource: for example, which resources are related? Who is the owner of those resources? How much do they cost?

Why CloudQuery Policies

Most policy tools make you choose: learn a new language, lock into one cloud, or settle for alerts that tell you something's wrong without telling you enough to fix it. CloudQuery Policies give you runtime detection across every provider you use, written in SQL you already know, with the full infrastructure context to act the moment a violation surfaces.

See It in Action

The CloudQuery Platform Policies walkthrough video shows how to create a new CloudQuery Policy from scratch, from writing the SQL query to configuring alerts and reviewing violations.
CloudQuery Policies are available now in the CloudQuery Platform. To get started, start a trial today.