Simple OPA Rego Policy - Opa-rego Typing CST Test
Simple OPA Rego Policy — Opa-rego Code
A simple Rego policy to deny creation of public S3 buckets in AWS.
# opa/demo/deny_public_s3.rego
package s3

import rego.v1

# Fail closed: deny unless one of the allow rules below matches. With
# `default allow = true` the policy could never deny anything, because a
# default only applies when no rule body succeeds.
default allow := false

# Resources other than S3 buckets are out of scope for this policy.
allow if {
	input.resource_type != "aws_s3_bucket"
}

# S3 buckets pass only when their ACL is not one of the public canned ACLs.
# If input.acl is absent, both comparisons are undefined and the bucket is denied.
allow if {
	input.resource_type == "aws_s3_bucket"
	input.acl != "public-read"
	input.acl != "public-read-write"
}

Opa-rego Language Guide
Open Policy Agent (OPA) is an open-source, general-purpose policy engine that allows you to define, enforce, and manage policies across cloud-native environments, applications, and infrastructure using its high-level declarative language, Rego.
Primary Use Cases
- Kubernetes admission control policies (via Gatekeeper)
- API authorization and access control
- CI/CD pipeline enforcement
- Cloud infrastructure policy compliance
- Auditing and governance across distributed systems
Notable Features
- Centralized policy engine for multiple services
- Declarative policy language (Rego) for complex rules
- REST API and SDK for real-time policy evaluation
- Integration with Kubernetes via admission controllers
- Supports auditing, logging, and metrics
Origin & Creator
Created by Styra Inc., OPA was developed to provide a unified policy framework for cloud-native environments and to enforce policies declaratively across services and infrastructure.
Industrial Note
OPA is particularly useful for DevSecOps, cloud governance, Kubernetes admission control, and API authorization, allowing teams to enforce policies consistently and avoid security or compliance drift.
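Unit tests for the deny_public_s3.rego policy at the top of this page, added here as an example rather than taken from the page or the OPA project; they assume the package name s3, the input fields resource_type and acl used by the policy, and OPA 0.59 or later for the rego.v1 import. Run `opa test` on the directory holding both files; the deny tests fail against any version of the policy whose default is `allow = true`, since a true default is never overridden by a rule body that fails.

```rego
# opa/demo/deny_public_s3_test.rego (added example; file name is assumed)
package s3_test

import rego.v1

# The policy under test lives in package s3.
import data.s3

# Constructed inputs in the shape the policy expects.
private_bucket := {"resource_type": "aws_s3_bucket", "acl": "private"}
public_read_bucket := {"resource_type": "aws_s3_bucket", "acl": "public-read"}
public_rw_bucket := {"resource_type": "aws_s3_bucket", "acl": "public-read-write"}
bucket_without_acl := {"resource_type": "aws_s3_bucket"}
non_bucket := {"resource_type": "aws_instance", "acl": "public-read"}

test_private_bucket_allowed if {
	s3.allow with input as private_bucket
}

test_public_read_denied if {
	not s3.allow with input as public_read_bucket
}

test_public_read_write_denied if {
	not s3.allow with input as public_rw_bucket
}

# A missing acl field leaves both != comparisons undefined, so the bucket
# rule does not match and the request is denied (fail closed).
test_missing_acl_denied if {
	not s3.allow with input as bucket_without_acl
}

# The policy only constrains S3 buckets; other resource types pass through.
test_non_bucket_allowed if {
	s3.allow with input as non_bucket
}
```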