🗂️ Navigation
📁 Infrastructure as Code
📋 Pulumi Crossguard
🔧 Pulumi AWS Guard

Pulumi AWS Guard

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more.

Visit Website →

Overview

Pulumi AWS Guard is a configurable library that you can use to enforce AWS best practices for your own Pulumi stacks or organization. It is part of Pulumi's Policy as Code offering, CrossGuard, and can be used to check for common issues like public S3 buckets, unencrypted resources, and overly permissive IAM policies. Policies can be set to 'advisory' to warn developers or 'mandatory' to block deployments.

✨ Key Features

  • Enforce AWS security best practices
  • Check for cost optimization opportunities
  • Ensure operational reliability
  • Configurable enforcement levels (advisory, mandatory, disabled)
  • Integrates directly into `pulumi up` and `pulumi preview`

🎯 Key Differentiators

  • Policy written in general-purpose languages (TypeScript)
  • Integrated into the Pulumi deployment lifecycle
  • Prevents misconfigurations before deployment ('shift-left')

Unique Value: Enforce AWS best practices using familiar programming languages, catching and preventing issues before they are deployed.

🎯 Use Cases (4)

Preventing public S3 buckets Ensuring EC2 instances don't have public IPs Enforcing encryption on EBS volumes and RDS instances Requiring logging for services like ELB and S3

✅ Best For

  • Enforcing security policies in CI/CD pipelines before deployment to AWS.

💡 Check With Vendor

Verify these considerations match your specific requirements:

  • Runtime security monitoring (it's a pre-deployment tool)
  • Policy enforcement for non-AWS clouds

🏆 Alternatives

Checkov Terrascan AWS Config

Unlike runtime tools like AWS Config, AWS Guard prevents misconfigurations from ever being deployed. Compared to other IaC scanners, it's natively integrated with the Pulumi workflow.

💻 Platforms

API

✅ Offline Mode Available

🔌 Integrations

Pulumi CLI Pulumi Cloud

💰 Pricing

Contact for pricing
Free Tier Available

Free tier: The policy pack itself is open-source and free. Enforcement across an organization via Pulumi Cloud may require a paid tier.

Visit Pulumi AWS Guard Website →

🔄 Similar Tools in Pulumi Crossguard

Pulumi Azure Compliance Policies

Enforces common security and compliance policies (PCI DSS, ISO 27001, CIS) for Azure....

Contact

Pulumi Open Policy Agent (OPA) Integration

Enforce security, compliance, and best practices using the Rego language....

Contact

Pulumi Snyk Integration

Integrates Snyk's container scanning capabilities directly into the Pulumi workflow....

Contact

Pulumi Vault Provider

Manage Vault resources like policies, secrets, and auth methods using Pulumi....

Contact

Pulumi Best Practices Pack

A pre-built policy pack from Pulumi that enforces foundational security and governance....

Contact

Pulumi HITRUST CSF Policy Pack

A pre-built policy pack to help enforce HITRUST compliance for AWS, Azure, and GCP....

Contact