Policies

Policies are SQL-based detective controls built into CloudQuery Platform. You define criteria for your cloud infrastructure, and CloudQuery continuously evaluates whether your existing resources meet those criteria.

Unlike IaC scanners that catch misconfigurations at deployment time, CloudQuery Policies operate at runtime. They detect issues in resources that already exist, including ones created through the console, by third-party tools, or by IaC that has since drifted.

Policies Dashboard

The Policies page displays a summary of your policy health:

  • Total active violations across all enabled policies
  • High severity violations from policies marked high or critical
  • Violations this week from evaluations in the last 7 days
  • Violations by domain chart showing the distribution across your policy domains
  • Violations over time chart tracking trends across evaluation periods

CloudQuery Platform Policies dashboard showing policy groups and violation counts

Creating a Policy

Policy creation is a 3-step wizard: details, rule logic, and alerting.

Step 1: Details

  1. Go to Policies in the sidebar and click Create Policy.
  2. Enter a Policy name.
  3. Select a Domain. This categorizes the policy’s purpose:
    • Compliance
    • FinOps
    • Governance
    • Operations
    • Security
  4. Select a Severity: critical, high, medium, or low.
  5. Optionally add a Description to explain what this policy checks and why.
  6. Optionally assign the policy to one or more Policy Groups for organizing related policies together.

Step 2: Rule Logic

Define the SQL query that the policy evaluates. You can either:

  • Use a saved query: select from previously saved queries, searchable by name, SQL content, or tags
  • Write a new query: opens the SQL Console where you write and test your query. The platform validates the query with a dry run before allowing you to proceed.

The SQL editor provides table and column autocomplete. Each row returned by the query is one violation.

Step 3: Alerting

Optionally select one or more notification destinations (Slack, webhooks) to receive alerts when violations are detected. You can also create a new notification destination directly from this step.

Click Save new policy to create the policy.

Writing Policies in SQL

Policy rules are ClickHouse SQL queries against CloudQuery’s normalized tables. These are the same tables that cover EC2 instances, RDS databases, EBS volumes, and everything else you have synced. You don’t need to learn Rego, OPA, or a vendor-specific policy language.

Example: Find Untagged Expensive EC2 Instances

```sql
SELECT
    instance_id,
    instance_type,
    region,
    JSONExtractString(tags, 'Environment') AS env,
    JSONExtractString(tags, 'CostCenter') AS cost_center
FROM aws_ec2_instances
WHERE JSONExtractString(tags, 'CostCenter') = ''
  AND JSONExtractString(state, 'Name') = 'running'
  AND instance_type LIKE '%xlarge'
```

Example: Find Unencrypted RDS Instances

```sql
SELECT
    db_instance_identifier,
    engine,
    region,
    db_instance_status,
    JSONExtractString(tags, 'Team') AS team
FROM aws_rds_instances
WHERE storage_encrypted = false
  AND db_instance_status = 'available'
```

Example: Find Unattached EBS Volumes

```sql
SELECT
    volume_id,
    volume_type,
    size,
    region,
    create_time,
    JSONExtractString(tags, 'CostCenter') AS cost_center
FROM aws_ec2_ebs_volumes
WHERE length(attachments) = 0
```
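A further example, added here and not taken from the CloudQuery docs, covers the "exposed ports" security use case and shows how to keep one violation per resource when a JSON array column has to be expanded: expanding inbound rules with arrayJoin would otherwise report a security group once per matching rule. It assumes a table aws_ec2_security_groups with account_id, group_id, group_name, vpc_id and region columns plus a String JSON column ip_permissions laid out like the AWS API (FromPort, ToPort, IpProtocol, IpRanges[].CidrIp); check the column names against your own schema in the SQL Console before saving the policy.

```sql
-- Added example (not CloudQuery's own): security groups that allow SSH (port 22)
-- inbound from the whole IPv4 internet. Table and column names are assumptions.
WITH perms AS (
    SELECT
        account_id,
        group_id,
        group_name,
        vpc_id,
        region,
        -- one intermediate row per inbound rule in the group
        arrayJoin(JSONExtractArrayRaw(ip_permissions)) AS perm
    FROM aws_ec2_security_groups
)
SELECT
    group_id,
    any(account_id) AS account_id,
    any(group_name) AS group_name,
    any(vpc_id)     AS vpc_id,
    any(region)     AS region,
    -- list the offending rules as "protocol:from_port" for the alert payload
    groupUniqArray(
        JSONExtractString(perm, 'IpProtocol') || ':' ||
        toString(JSONExtractInt(perm, 'FromPort'))
    ) AS open_rules
FROM perms
WHERE
    -- the rule covers port 22, or is an all-traffic rule (protocol "-1")
    (JSONExtractString(perm, 'IpProtocol') = '-1'
     OR (JSONExtractInt(perm, 'FromPort') <= 22
         AND JSONExtractInt(perm, 'ToPort') >= 22))
    -- and at least one of its IPv4 ranges is 0.0.0.0/0
    AND arrayExists(
        r -> JSONExtractString(r, 'CidrIp') = '0.0.0.0/0',
        JSONExtractArrayRaw(perm, 'IpRanges'))
-- collapse back to one row, i.e. one violation, per security group
GROUP BY group_id
```

The GROUP BY is what keeps the violation count honest: a group with three matching rules is still a single finding, and open_rules carries the rule details into the notification.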

Managing Policies

Editing a Policy

Open a policy from the policies list and click Edit. You can update the name, domain, severity, description, query, policy groups, and notification destinations. In edit mode, you can jump directly to any step in the wizard. Changes take effect on the next evaluation cycle.

Pausing and Resuming

Policies can be set to active or paused. A paused policy stops evaluating resources until you resume it. Use the action menu on the policy detail page to change status.

Deleting a Policy

Use the action menu on the policy detail page to delete a policy. This removes the policy and its violation history.

Policy Groups

Bundle related policies into Policy Groups to organize by compliance standard (CIS, SOC 2, HIPAA) or by team responsibility. Each group has a name and description, and policies can belong to multiple groups. Policy groups provide an aggregate view of violation counts by severity across all policies in the group.

To create a group, go to the Policies page and click Create policy group. You can also assign policies to groups during policy creation.

Policy groups can also be managed programmatically via the Platform API Reference (policies section).

Notifications and Actions

When a policy violation is detected, you can notify your team and trigger downstream actions:

  • Send alerts to Slack (native integration) or any HTTP endpoint via webhook notification destinations
  • Use webhooks to trigger downstream systems like Jira, PagerDuty, Lambda (via API Gateway), or custom workflows
  • View all violations in a unified dashboard

CloudQuery Platform policy alerting configuration with Slack and webhook options

Tracking Violations over Time

The policy detail page includes a violations-over-time chart. Use it to measure the impact of new policies, track remediation progress, and catch regressions. The dashboard also shows trends across evaluation periods, broken down by domain.

Policy violations also appear as findings in Insights, where you can triage them by severity, filter by resource type or account, and track remediation.

Use Cases

  • FinOps: idle resources, oversize VMs, missing cost tags
  • Security: public buckets, unencrypted volumes, exposed ports
  • Compliance: region restrictions, tag hygiene, audit trails
  • Governance: naming conventions, tagging standards, organizational policies
  • Operations: old AMIs, unsupported instance types, lifecycle policies

Video Walkthrough

Watch how to create a CloudQuery Policy from scratch, from writing the SQL query to configuring alerts and reviewing violations.

Programmatic access

Policies and policy groups can be managed via the Platform API. See the Platform API Reference (policies section) for endpoint details.

Next Steps

  • Alerts - Get notified when policies detect violations
  • Reports - Generate compliance reports from policy results
  • Asset Inventory - Browse resources affected by policy violations
  • Query Examples - Security and compliance query examples