Policies

Write policies. Enforce everywhere.

Define your team's best practices for security, cost, compliance, and operations - and get alerted when they're violated.

CloudQuery Policies - Enforce your cloud standards

Why policies fail today

Fragmented Tooling

Policies scattered across CSPM, FinOps, and GRC tools. No single source of truth.

Rigid Engines

Most policy engines are vendor-specific or inflexible. Locked into rigid rule formats.

Limited Reach

Can't codify org-specific logic across providers, IaC, and console configurations.

Your cloud is littered with issues.

CloudQuery Policies secure and optimize your cloud.

AWS Cost Explorer

now

Monthly bill: $17k more than last month

Custom rules. Cloud-wide reach.

Write policies in SQL. Apply them everywhere.

Define detective policies using SQL

Query across all cloud accounts, providers, and tools

Evaluate live infrastructure - not just IaC or static scans

Tag, label, cost, or config-based rules

policy: untagged-expensive-ec2.sql
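-- Running EC2 instances with no CostCenter tag whose type starts with 'x' and ends in 'large'
SELECT instance_id, instance_type, region,
       tags->>'Environment' AS env,
       tags->>'CostCenter' AS cost_center
FROM aws_ec2_instances
WHERE tags->>'CostCenter' IS NULL   -- CostCenter tag is missing
  AND state = 'running'
  AND instance_type LIKE 'x%large';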

Detect violations. Act fast.

Get notified the moment something drifts from your standards.

webhook-payload.json
Alert
{
  "policy": "untagged-expensive-ec2",
  "severity": "high",
  "violations": 12,
  "action": "notify",
  "destination": "slack:#cloud-alerts",
  "resources": [
    "i-0abc123def456",
    "i-0xyz789ghi012"
  ]
}

1. Violations show up instantly in a unified view

2. Alert via Slack, Jira, or custom Webhooks

3. Trigger downstream actions (Lambda, ticketing, approval workflows)

One language. Any domain.

Govern more than just security.

FinOps

Idle resources, oversized VMs, missing cost tags

Untagged EC2 instances over $100/month

EBS volumes without attachments

Security

Public buckets, unencrypted volumes, exposed ports

S3 buckets with public ACLs

Security groups with 0.0.0.0/0 ingress

Compliance

Region restrictions, tag hygiene, audit trails

Resources outside approved regions

Missing required compliance tags

Operations

Old AMIs, unsupported instance types, lifecycle policies

EC2 instances using deprecated AMIs

Lambda functions on old runtimes

Ready to enforce your cloud standards?

Define your first policy in minutes and start enforcing cloud standards at scale.

