Policy Types & Categories

Policy Types

A Policy Type defines a specific policy that may be configured for resources. For example, AWS > S3 > Bucket > Approved.

Each policy type targets a set of Resource Types.

The policy type AWS > S3 > Bucket > Approved targets a resource type of AWS > S3 > Bucket, thus every instance of AWS > S3 > Bucket will have an AWS > S3 > Bucket > Approved policy. Each of these instances may have its own policy setting, and will have its own policy value.

Valid values for a policy type are defined through its JSON schema.

The policy type AWS > S3 > Bucket > Approved has a specific enumerated list of valid values: `Skip`, `Check: Approved`, `Enforce: Delete unapproved if new & empty`.

Policy types are defined in a type hierarchy.

The Approved policy type is actually a child of the AWS > S3 > Bucket resource type, and it has child policies of its own, such as Regions, whose full path is AWS > S3 > Bucket > Approved > Regions.

Policy types are defined in Mods.

Policy Categories

Guardrails may include hundreds or thousands of policy types covering similar concepts (e.g. Approved, Data Protection) across various services (e.g. AWS, Azure). The policy type hierarchy provides grouping of policies, but in a structured, service-oriented manner. Policy Categories provide an alternate, vendor-agnostic categorization of policy types.

The policy category Turbot > Approved includes many Approved-style policies, including AWS > S3 > Bucket > Approved.

Policy categories are typically used for reporting, providing useful aggregation and filtering of data.
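The following is an added illustration, not Guardrails code or its API: a small Python model of how a policy type's path, target resource type, schema enum and category fit together, with settings validated against the enum and then rolled up by category across vendors. Only the S3 names and values come from this page; the Azure entry, its enum, the resource names and all function names are assumptions.

```python
from collections import Counter

# Constructed catalogue. Only the S3 entry's names and values come from the page;
# the Azure entry and its enum are assumed for illustration.
POLICY_TYPES = {
    "AWS > S3 > Bucket > Approved": {
        "targets": "AWS > S3 > Bucket",
        "category": "Turbot > Approved",
        "schema": {"enum": ["Skip", "Check: Approved",
                            "Enforce: Delete unapproved if new & empty"]},
    },
    "Azure > Storage > Storage Account > Approved": {
        "targets": "Azure > Storage > Storage Account",
        "category": "Turbot > Approved",
        "schema": {"enum": ["Skip", "Check: Approved"]},
    },
}

def parent(path):
    """Parent in the type hierarchy: '... > Approved > Regions' -> '... > Approved'."""
    head, sep, _ = path.rpartition(" > ")
    return head if sep else None

def validate(policy_type, value):
    """Reject a setting whose value is outside the policy type's schema enum."""
    allowed = POLICY_TYPES[policy_type]["schema"]["enum"]
    if value not in allowed:
        raise ValueError(f"{value!r} is not valid for {policy_type}")
    return value

def category_report(settings):
    """Count validated settings per (category, value), independent of vendor."""
    report = Counter()
    for resource_type, name, policy_type, value in settings:
        spec = POLICY_TYPES[policy_type]
        if spec["targets"] != resource_type:  # a policy type only applies to its targets
            raise ValueError(f"{policy_type} does not target {resource_type} ({name})")
        report[(spec["category"], validate(policy_type, value))] += 1
    return dict(report)

# Constructed sample: one setting per resource instance.
SAMPLE = [
    ("AWS > S3 > Bucket", "logs-bucket", "AWS > S3 > Bucket > Approved", "Check: Approved"),
    ("AWS > S3 > Bucket", "scratch-bucket", "AWS > S3 > Bucket > Approved", "Skip"),
    ("Azure > Storage > Storage Account", "acct1",
     "Azure > Storage > Storage Account > Approved", "Check: Approved"),
]

if __name__ == "__main__":
    for key, count in category_report(SAMPLE).items():
        print(key, count)
```

A misspelled or unsupported value is rejected before it reaches the report, and the roll-up groups the AWS and Azure settings under the single Turbot > Approved category.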

Example - Policy Types and Categories