Cloud Workload Policies and Rules help organizations maintain security compliance, prevent misconfigurations, and reduce risks across cloud environments.
Cloud Workload Policies define organizational security objectives by combining detection logic with preventive actions across selected asset scopes. Policies can generate issues and proactively block misconfigurations before they reach runtime, ensuring workloads remain compliant with security requirements throughout the Software Development Life Cycle (SDLC). They leverage identified security risks and enforce controls at the right stages of development and operations, such as during CI pipelines or in runtime environments.
Cloud Workload Rules define the detection logic for misconfigurations and their applicable asset types, specifying the criteria and conditions used to identify security risks. These rules can be selected and enforced through Misconfiguration Policies within the designated policy asset scope.
Together, Policies define which risks must be addressed and what actions to take, while Rules specify how those risks are detected through precise logic and conditions.
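The policy/rule split described above, as a small executable model. This is an added illustration written for this page, not the product's own API or rule catalogue: the asset types, rule identifiers, policy names, stages (`ci`, `runtime`), actions (`issue`, `block`) and sample assets are all constructed here. It shows how a rule carries only detection logic for one asset type, while a policy chooses which rules to enforce, on which asset groups, at which stage, and whether to report an issue or block the change.

```python
"""Hypothetical model of Cloud Workload Policies and Rules (illustration only).

Rules hold the detection logic for one asset type. Policies select rules, an
asset scope, an enforcement stage and an action. evaluate() runs the policies
that apply to a given stage over a set of assets and returns the findings.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str   # e.g. "storage_bucket", "security_group" (constructed types)
    group: str        # asset group used for policy scoping
    config: dict


@dataclass(frozen=True)
class Rule:
    rule_id: str
    asset_type: str
    description: str
    check: Callable[[dict], bool]   # returns True when the config is misconfigured


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple        # Rule objects enforced by this policy
    scope: frozenset    # asset groups in scope; empty set means all assets
    stage: str          # "ci" or "runtime" (assumed stage names)
    action: str         # "issue" (report) or "block" (prevent)


@dataclass(frozen=True)
class Finding:
    policy: str
    rule_id: str
    asset: str
    action: str


def in_scope(policy: Policy, asset: Asset) -> bool:
    """A policy with an empty scope applies to every asset."""
    return not policy.scope or asset.group in policy.scope


def evaluate(policies, assets, stage: str):
    """Run each in-scope rule of each policy bound to this stage; collect findings."""
    findings = []
    for policy in policies:
        if policy.stage != stage:
            continue
        for asset in assets:
            if not in_scope(policy, asset):
                continue
            for rule in policy.rules:
                # A rule only fires on its own asset type and only when its check matches.
                if rule.asset_type == asset.asset_type and rule.check(asset.config):
                    findings.append(Finding(policy.name, rule.rule_id, asset.name, policy.action))
    return findings


def is_blocked(findings) -> bool:
    """A pipeline stage is blocked when any finding carries the 'block' action."""
    return any(f.action == "block" for f in findings)


# Constructed sample rules: generic misconfiguration checks, not the product's catalogue.
PUBLIC_BUCKET = Rule("R-PUBLIC-BUCKET", "storage_bucket", "bucket allows public access",
                     lambda c: c.get("public_access") is True)
OPEN_SSH = Rule("R-OPEN-SSH", "security_group", "port 22 open to 0.0.0.0/0",
                lambda c: any(r.get("port") == 22 and r.get("cidr") == "0.0.0.0/0"
                              for r in c.get("ingress", [])))

# Constructed sample policies: one blocks in CI for prod only, one reports at runtime everywhere.
POLICIES = (
    Policy("block-public-storage-ci", (PUBLIC_BUCKET,), frozenset({"prod"}), "ci", "block"),
    Policy("report-misconfig-runtime", (OPEN_SSH, PUBLIC_BUCKET), frozenset(), "runtime", "issue"),
)

# Constructed sample assets.
ASSETS = (
    Asset("logs-bucket", "storage_bucket", "prod", {"public_access": True}),
    Asset("scratch-bucket", "storage_bucket", "dev", {"public_access": True}),
    Asset("web-sg", "security_group", "prod", {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}),
)


if __name__ == "__main__":
    ci = evaluate(POLICIES, ASSETS, "ci")
    print("CI findings:", [(f.rule_id, f.asset) for f in ci], "blocked:", is_blocked(ci))
    rt = evaluate(POLICIES, ASSETS, "runtime")
    print("Runtime findings:", [(f.rule_id, f.asset) for f in rt])
```

Running it shows the scope and stage distinction: in CI only the prod bucket is flagged and the change is blocked, because the CI policy is scoped to `prod`; at runtime the unscoped policy reports all three misconfigurations as issues without blocking anything.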
Prerequisite
Users need View/Edit RBAC permissions (under → ) or the Instance Administrator role to view, edit, and modify Cloud Workload Policies.
Important
Users with SBAC granular scoping (in addition to the RBAC permissions required for Cloud Workload Policies) can only view Cloud Workload Policies when their access is scoped to any of the available options: All assets, No assets, or Select asset groups. For more information on granular scoping, see Manage user scope. When no SBAC restriction is applied, the user's access is determined solely by their RBAC permissions.