Sentinel
Policy as code framework for HashiCorp Enterprise Products.
What is Sentinel
Sentinel is an embeddable policy as code framework to enable fine-grained, logic-based policy decisions that can be extended to source external information to make decisions.
Policy as code
Treat policy like an application — version control, pull-request review, and automated tests. Use real programming constructs to determine policy decisions beyond the limited constraints of typical ACL systems.
Fine-grained, condition-based policy
Reject actions on any available input rather than coarse-grained read, write, and admin policies. Make policy decisions based on the condition of other values.
Embedded
Sentinel is embedded to enable policy enforcement in the data path to actively reject violating behavior instead of passively detecting.
Multiple enforcement levels
Advisory, soft-mandatory, and hard-mandatory levels allow policy writers to warn on or reject offending behavior.
External information
Source external information to make holistic policy decisions. For example, Terraform cannot execute while Consul health checks are failing.
Multi-cloud compatible
Ensure infrastructure changes are within business and regulatory policy on every infrastructure provider.
Sentinel across our Product Suite
How Sentinel integrates into HashiCorp Enterprise Products
Policy as Code in Terraform Enterprise
- Policies are enforced in Terraform Enterprise between the plan and apply steps of a run.
- Policies validate information in the Terraform plan, state, and configuration.
- Do not allow resources to be provisioned without tags
- Only provision staging resources in us-west and production resources in us-east
- Do not allow AWS security groups to have egress set to 0.0.0.0
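The first and third Terraform examples above, written as a Sentinel policy (an added illustration, not HashiCorp's own sample code); it assumes the `tfplan` import as exposed to Terraform Enterprise policies, root-module resources only, and the AWS provider's `tags`, `egress` and `cidr_blocks` attribute names, with "egress set to 0.0.0.0" read as the `0.0.0.0/0` CIDR.

```sentinel
import "tfplan"

# Rule 1: every aws_instance in the plan must carry at least one tag.
# r.applied is the attribute map the resource will have after apply;
# `else 0` covers an instance with no tags attribute at all, and
# `else {}` covers a plan that contains no aws_instance resources.
instances_tagged = rule {
    all tfplan.resources.aws_instance else {} as _, instances {
        all instances as _, r {
            (length(r.applied.tags) else 0) > 0
        }
    }
}

# Rule 2: no aws_security_group may allow egress to the whole internet.
# Each egress block is a map; its cidr_blocks list must not contain
# the open CIDR (assumed value 0.0.0.0/0, see lead-in).
no_open_egress = rule {
    all tfplan.resources.aws_security_group else {} as _, groups {
        all groups as _, r {
            all r.applied.egress else [] as eg {
                not ("0.0.0.0/0" in (eg.cidr_blocks else []))
            }
        }
    }
}

# main is the rule Terraform Enterprise evaluates between plan and apply;
# the enforcement level (advisory, soft- or hard-mandatory) decides
# whether a false result warns or blocks the run.
main = rule {
    instances_tagged and no_open_egress
}
```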
Policy as Code in Vault Enterprise
- Policies are enforced in front of all Vault APIs.
- Policies extend Vault's ACL system with fine-grained logic.
- Ensure that modification of critical data can only be performed by authorized sysops with valid MFA
- Require LDAP logins to come from internal IP space and successfully pass a Ping MFA check
- In response to a breach, apply a rule to all endpoints that rejects any token generated more than four hours ago
Policy as Code in Nomad Enterprise
- Policies are enforced before accepting new jobs or updating existing jobs.
- Policies extend Nomad's ACL system with fine-grained logic.
- Policies can enforce that only trusted artifacts or applications are allowed to run.
- Only allow Docker workloads
- Limit jobs to only 5 GB of memory resources
Policy as Code in Consul Enterprise
- Policies are enforced in front of Consul's K/V and services APIs.
- Policies extend Consul's ACL system with fine-grained logic.
- Key/value must be in proper format (such as integer, text, etc.).
- Consul keys can only be updated during business hours
Policy as code is the next phase of infrastructure automation
Infrastructure as Code was the first phase, which enables codification and automation for the four main components of infrastructure — provision, secure, connect, and run. Infrastructure as Code empowers more users to create and manage infrastructure; however, that comes with risks as less experienced users could make significant mistakes that impact business operations.
Policy as Code limits exposure by codifying business and regulatory policies to ensure infrastructure changes are safe. Together, Infrastructure as Code and Policy as Code empower users to safely and quickly provision, secure, connect, and run any infrastructure for any application.