Tutorials DevOps & Cloud Architect Mastery

Compliance as Code: Policy engines (OPA) and Audit logs

On this page

Compliance as Code

In an enterprise, you can't just trust that developers will secure things. You must enforce it. Compliance as Code means policies are written in code and enforced automatically by the platform.

1. Open Policy Agent (OPA)

OPA allows you to write policies in a language called **Rego**. For example: "No one can create a public S3 bucket" or "All VMS must have a 'Cost-Center' tag." If a developer tries to break these rules via Terraform, the CI/CD pipeline blocks the deployment automatically.

2. Audit Logs & Forensic Evidence

Cloud providers log every single API call (e.g., Azure Activity Log, AWS CloudTrail). If a resource is deleted, these logs show exactly who did it, from what IP, and at what time. This is mandatory for SOC2 and HIPAA compliance.

4. Interview Mastery

Q: "What is the difference between 'Audit' and 'Enforce' policy modes?"

Architect Answer: "**Audit** mode allows the resource to be created but flags it as 'Non-compliant' in a report. This is good for existing projects. **Enforce** (or Deny) mode actually blocks the creation of the resource. A mature organization starts with Audit to find existing holes, fixes them, and then switches to Enforce to prevent new holes from being created."

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

DevOps & Cloud Architect Mastery
Course syllabus
1. Containerization with Docker
2. Orchestration with Kubernetes (K8s)
3. CI/CD Pipelines
4. Infrastructure as Code (IaC)
5. Cloud Platforms Deep Dive (Azure/AWS)
6. Serverless & Scaling
7. Security & Reliability (DevSecOps)
8. FAANG Cloud Architect Interview
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details