Policies

Write policies. Enforce everywhere.

Define your team's best practices for security, cost, compliance, and operations - and get alerted when they're violated.

Read the docs
CloudQuery Policies - Enforce your cloud standards

Why policies fail today

Fragmented Tooling

Policies scattered across CSPM, FinOps, and GRC tools. No single source of truth.

Rigid Engines

Most policy engines are vendor-specific or inflexible. Locked into rigid rule formats.

Limited Reach

Can't codify org-specific logic across providers, IaC, and console configurations.

Your cloud is littered with issues.

CloudQuery Policies secure and optimize your cloud.

Example alert shown on the page: AWS Cost Explorer, now: Monthly bill: $17k more than last month

Custom rules. Cloud-wide reach.

Write policies in SQL, and apply them everywhere.

Define detective policies using SQL

Query across all cloud accounts, providers, and tools

Evaluate live infrastructure - not just IaC or static scans

Tag, label, cost, or config-based rules

policy: untagged-expensive-ec2.sql
-- Running EC2 instances of an xlarge-class size that carry no CostCenter tag.
-- tags is a JSONB column; ->> extracts a key as text and yields NULL when the
-- tag is absent (or when the instance has no tags at all).
-- The CloudQuery AWS plugin stores the instance state as JSON, so the state
-- name is read with state->>'Name' rather than compared as a plain string.
SELECT account_id, instance_id, instance_type, region,
       tags->>'Environment' AS env,
       tags->>'CostCenter'  AS cost_center
FROM aws_ec2_instances
WHERE tags->>'CostCenter' IS NULL
  AND state->>'Name' = 'running'
  AND instance_type LIKE '%xlarge'   -- m5.4xlarge, r6g.12xlarge, ... (the pattern 'x%large' would only match the x-family)
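The policy above filters on plain columns. Most security rules on the page, such as "Security groups with 0.0.0.0/0 ingress" listed under Security below, need the AWS rule set unnested from JSON first. The following is an added example, not code from the CloudQuery page or from the CloudQuery project, showing that policy in the same SQL style and going one step further than the page by also catching IPv6 (::/0) and by ranking management ports. It assumes the aws_ec2_security_groups table of CloudQuery's AWS plugin in PostgreSQL, with ip_permissions stored as a JSONB array of AWS IpPermission objects; verify the column names against the plugin version you run.

```sql
-- Added example, not from the CloudQuery page. Policy: security groups that
-- allow ingress from anywhere (0.0.0.0/0 or ::/0).
-- Assumption: CloudQuery's AWS plugin stores aws_ec2_security_groups.ip_permissions
-- as a JSONB array of AWS IpPermission objects, i.e.
--   [{"IpProtocol":"tcp","FromPort":22,"ToPort":22,
--     "IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}, ...]
-- Verify column names against the plugin version you run.
WITH rules AS (
  -- one row per (security group, permission entry, IPv4 range)
  SELECT sg.account_id, sg.region, sg.vpc_id, sg.group_id, sg.group_name,
         perm->>'IpProtocol'      AS protocol,
         (perm->>'FromPort')::int AS from_port,   -- NULL when IpProtocol = '-1' (all traffic)
         (perm->>'ToPort')::int   AS to_port,
         r4->>'CidrIp'            AS cidr
  FROM aws_ec2_security_groups sg
  CROSS JOIN LATERAL jsonb_array_elements(sg.ip_permissions) AS perm
  -- guard against a missing key or a JSON null, which would make jsonb_array_elements fail
  CROSS JOIN LATERAL jsonb_array_elements(
    CASE WHEN jsonb_typeof(perm->'IpRanges') = 'array' THEN perm->'IpRanges' ELSE '[]'::jsonb END
  ) AS r4
  UNION ALL
  -- the same for IPv6 ranges; one rule can carry both kinds, so they are unnested separately
  SELECT sg.account_id, sg.region, sg.vpc_id, sg.group_id, sg.group_name,
         perm->>'IpProtocol',
         (perm->>'FromPort')::int,
         (perm->>'ToPort')::int,
         r6->>'CidrIpv6'
  FROM aws_ec2_security_groups sg
  CROSS JOIN LATERAL jsonb_array_elements(sg.ip_permissions) AS perm
  CROSS JOIN LATERAL jsonb_array_elements(
    CASE WHEN jsonb_typeof(perm->'Ipv6Ranges') = 'array' THEN perm->'Ipv6Ranges' ELSE '[]'::jsonb END
  ) AS r6
)
SELECT account_id, region, vpc_id, group_id, group_name,
       protocol, from_port, to_port, cidr,
       -- severity: "all traffic" or a management port open to the world is critical;
       -- any other world-reachable port is high and needs a human to confirm intent
       CASE
         WHEN protocol = '-1' OR from_port IS NULL   THEN 'critical'
         WHEN from_port <= 22   AND to_port >= 22    THEN 'critical'  -- SSH inside the port range
         WHEN from_port <= 3389 AND to_port >= 3389  THEN 'critical'  -- RDP inside the port range
         ELSE 'high'
       END AS severity
FROM rules
WHERE cidr IN ('0.0.0.0/0', '::/0')
ORDER BY severity, account_id, region, group_id;
```

The port-range comparisons matter: a rule for ports 0-65535 exposes SSH just as much as a rule for port 22 alone, and a simple `from_port = 22` check would miss it. World-open 80/443 on a public load balancer's group is often intentional, which is why those rows come back as high rather than critical; exclude them with a tag-based allow-list in the WHERE clause once the exceptions are documented.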

Detect violations. Act fast.

Get notified the moment something drifts from your standards.

webhook-payload.json (alert payload)
{
  "policy": "untagged-expensive-ec2",
  "severity": "high",
  "violations": 12,
  "action": "notify",
  "destination": "slack:#cloud-alerts",
  "resources": [
    "i-0abc123def456",
    "i-0xyz789ghi012"
  ]
}

1. Violations show up instantly in a unified view

2. Alert via Slack, Jira, or custom Webhooks

3. Trigger downstream actions (Lambda, ticketing, approval workflows)

Turn standards into reality

Bundle related policies into Policy Groups to enforce compliance standards like CIS, SOC 2, or your own organizational baselines.

CIS Benchmarks

Enforce CIS benchmarks across AWS, Azure, and GCP with a single policy group.

142 policies
23 violations

FinOps Standards

Combine cost tagging, idle resource detection, and rightsizing policies into one FinOps standard.

38 policies
7 violations

Organization Baseline

Bundle region restrictions, encryption requirements, and access controls into an org-wide baseline.

56 policies
12 violations

Measure your progress

Track how your violation count changes over time. See the impact of new policies, measure remediation progress, and catch regressions before they become incidents.

Violations over time (chart: Total and Critical violations per month, Jan to Dec, y-axis 0 to 200)

87% reduction in violations

95% of critical violations resolved

24 remaining violations

Policies with violations (7)

untagged-ec2-instances: 8 (high)
public-s3-buckets: 3 (critical)
unencrypted-ebs-volumes: 5 (high)
overprivileged-iam-roles: 2 (critical)
unused-elastic-ips: 4 (medium)
missing-cloudtrail-logging: 1 (high)
default-vpc-in-use: 1 (medium)

One language. Any domain.

Govern more than just security.

FinOps

Idle resources, oversized VMs, missing cost tags

Untagged EC2 instances over $100/month

EBS volumes without attachments

Security

Public buckets, unencrypted volumes, exposed ports

S3 buckets with public ACLs

Security groups with 0.0.0.0/0 ingress

Compliance

Region restrictions, tag hygiene, audit trails

Resources outside approved regions

Missing required compliance tags

Operations

Old AMIs, unsupported instance types, lifecycle policies

EC2 instances using deprecated AMIs

Lambda functions on old runtimes
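The Organization Baseline policy group, the "Policies with violations" summary and the "Violations over time" trend above are all expressible in the same SQL as the individual policies. The following is an added example, not code from the CloudQuery page or from the CloudQuery project, showing one way to do it in PostgreSQL: member policies are unioned into one view with a common shape, the view is summarised per policy, and each run's counts are snapshotted so regressions show up as a positive delta. Table and column names (aws_ec2_ebs_volumes.encrypted, aws_ec2_vpcs.is_default, aws_ec2_eips.association_id, aws_ec2_instances.region, plus account_id on each) are assumptions about CloudQuery's AWS plugin schema; the view name, the violation_history table, the policy names and the region allow-list are hypothetical.

```sql
-- Added example, not from the CloudQuery page. An "organization baseline"
-- policy group as one view, a per-policy summary, and a history table that
-- turns the summary into a trend. Assumed CloudQuery AWS plugin columns:
-- aws_ec2_ebs_volumes.encrypted, aws_ec2_vpcs.is_default,
-- aws_ec2_eips.association_id, aws_ec2_instances.region (plus account_id on each).
-- The view, the violation_history table, the policy names and the region
-- allow-list are hypothetical and chosen for illustration.

-- 1. Policy group: every member policy returns the same shape
--    (policy, severity, account_id, region, resource_id), so they can be unioned.
CREATE OR REPLACE VIEW org_baseline_violations AS
  SELECT 'unencrypted-ebs-volumes' AS policy, 'high' AS severity,
         account_id, region, volume_id AS resource_id
  FROM aws_ec2_ebs_volumes
  WHERE NOT encrypted
  UNION ALL
  SELECT 'default-vpc-in-use', 'medium', account_id, region, vpc_id
  FROM aws_ec2_vpcs
  WHERE is_default
  UNION ALL
  SELECT 'unused-elastic-ips', 'medium', account_id, region, allocation_id
  FROM aws_ec2_eips
  WHERE association_id IS NULL
  UNION ALL
  SELECT 'resources-outside-approved-regions', 'high', account_id, region, instance_id
  FROM aws_ec2_instances
  WHERE region NOT IN ('us-east-1', 'eu-west-1');   -- hypothetical allow-list

-- 2. Unified view for the dashboard: violations per policy, worst severity first.
SELECT policy, severity, COUNT(*) AS violations
FROM org_baseline_violations
GROUP BY policy, severity
ORDER BY CASE severity WHEN 'critical' THEN 0 WHEN 'high' THEN 1
                       WHEN 'medium'   THEN 2 ELSE 3 END,
         violations DESC;

-- 3. Trend: snapshot the counts after every sync. Policies with zero
--    violations are recorded explicitly; otherwise a policy that was fully
--    remediated simply disappears and the trend cannot show the drop to 0.
CREATE TABLE IF NOT EXISTS violation_history (
  snapshot_at timestamptz NOT NULL DEFAULT now(),
  policy      text        NOT NULL,
  severity    text        NOT NULL,
  violations  integer     NOT NULL,
  PRIMARY KEY (snapshot_at, policy)
);

INSERT INTO violation_history (policy, severity, violations)
SELECT p.policy, p.severity, COUNT(v.resource_id)
FROM (VALUES ('unencrypted-ebs-volumes',            'high'),
             ('default-vpc-in-use',                 'medium'),
             ('unused-elastic-ips',                 'medium'),
             ('resources-outside-approved-regions', 'high')) AS p(policy, severity)
LEFT JOIN org_baseline_violations v ON v.policy = p.policy
GROUP BY p.policy, p.severity;

-- 4. Regression check: compare the two most recent snapshots per policy.
--    A positive delta means new violations since the previous sync.
WITH ranked AS (
  SELECT policy, severity, violations, snapshot_at,
         ROW_NUMBER() OVER (PARTITION BY policy ORDER BY snapshot_at DESC) AS rn
  FROM violation_history
)
SELECT cur.policy, cur.severity,
       prev.violations                               AS previous,
       cur.violations                                AS latest,
       cur.violations - COALESCE(prev.violations, 0) AS delta
FROM ranked cur
LEFT JOIN ranked prev ON prev.policy = cur.policy AND prev.rn = 2
WHERE cur.rn = 1
ORDER BY delta DESC, cur.policy;
```

Run steps 3 and 4 from the same scheduler that runs the sync, after the sync completes, so every snapshot reflects one consistent inventory. On the first run there is no previous snapshot, so delta equals the full count; from the second run on, any policy with a positive delta is a candidate for the alert path described above.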

Ready to enforce your cloud standards?

Define your first policy in minutes and start enforcing cloud standards at scale.