{"id":8461,"date":"2026-02-03T05:46:26","date_gmt":"2026-02-03T05:46:26","guid":{"rendered":"https:\/\/gurukulgalaxy.com\/blog\/?p=8461"},"modified":"2026-03-01T05:27:57","modified_gmt":"2026-03-01T05:27:57","slug":"top-10-cloud-policy-as-code-tools-features-pros-cons-comparison","status":"publish","type":"post","link":"http:\/\/gurukulgalaxy.com\/blog\/top-10-cloud-policy-as-code-tools-features-pros-cons-comparison\/","title":{"rendered":"Top 10 Cloud Policy as Code Tools: Features, Pros, Cons &amp; Comparison"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"559\" src=\"https:\/\/gurukulgalaxy.com\/blog\/wp-content\/uploads\/2026\/02\/969.jpg\" alt=\"\" class=\"wp-image-8477\" srcset=\"http:\/\/gurukulgalaxy.com\/blog\/wp-content\/uploads\/2026\/02\/969.jpg 1024w, http:\/\/gurukulgalaxy.com\/blog\/wp-content\/uploads\/2026\/02\/969-300x164.jpg 300w, http:\/\/gurukulgalaxy.com\/blog\/wp-content\/uploads\/2026\/02\/969-768x419.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Introduction\"><\/span>Introduction<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Cloud Policy as Code (PaC)<\/strong>&nbsp;is the practice of defining, managing, and enforcing infrastructure and security rules using machine-readable definition files. Just as Infrastructure as Code (IaC) allows you to provision servers with a script, Policy as Code allows you to write &#8220;guardrails&#8221; in code to ensure those servers are encrypted, tagged, and private by default. 
These tools act as automated gatekeepers that evaluate your configurations against a set of logic-based rules before any resource is deployed or while it is running in production.<\/p>\n\n\n\n<p>The importance of PaC tools cannot be overstated. According to industry reports, over 95% of cloud security failures are the result of customer misconfigurations. By codifying policies, organizations can achieve &#8220;Shift-Left&#8221; security, catching errors in the CI\/CD pipeline rather than discovering them after a breach. Real-world use cases include preventing the deployment of public S3 buckets, enforcing cost-control limits on expensive GPU instances, and ensuring that all Kubernetes clusters follow CIS Benchmarks automatically. When evaluating these tools, users should look for a clear policy language (like Rego or YAML), deep integration with popular IaC frameworks (Terraform, Pulumi), and the ability to provide developer-friendly feedback loops.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p><strong>Best for:<\/strong>&nbsp;DevSecOps engineers, platform teams, and compliance officers in mid-to-large enterprises. It is essential for organizations in highly regulated sectors\u2014such as finance, healthcare, and government\u2014where manual audits are insufficient to maintain continuous compliance across thousands of cloud resources.<\/p>\n\n\n\n<p><strong>Not ideal for:<\/strong>&nbsp;Small startups with very simple, single-cloud environments where the overhead of learning a policy language might outweigh the risks. 
Organizations that do not yet use Infrastructure as Code (IaC) will also find these tools difficult to implement, as they are designed to plug into automated workflows.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Top_10_Cloud_Policy_as_Code_Tools\"><\/span>Top 10 Cloud Policy as Code Tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_%E2%80%94_Open_Policy_Agent_OPA\"><\/span>1 \u2014 Open Policy Agent (OPA)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Open Policy Agent is the industry standard for general-purpose policy enforcement. It is a CNCF-graduated project that uses a specialized declarative language called&nbsp;<strong>Rego<\/strong>&nbsp;to define policies across the entire cloud-native stack.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>General-purpose engine that works for Kubernetes, Terraform, APIs, and microservices.<\/li>\n\n\n\n<li>Uses\u00a0<strong>Rego<\/strong>, a powerful and expressive language for complex logic.<\/li>\n\n\n\n<li>Decouples policy decision-making from application and infrastructure logic.<\/li>\n\n\n\n<li>Integrated with Kubernetes via\u00a0<strong>Gatekeeper<\/strong>\u00a0for admission control.<\/li>\n\n\n\n<li>High-performance evaluation with a lightweight footprint.<\/li>\n\n\n\n<li>Extensible ecosystem with hundreds of community-contributed policies.<\/li>\n\n\n\n<li>Supports unit testing for policies to ensure correctness.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Total vendor neutrality and massive community support.<\/li>\n\n\n\n<li>Can be used as a single source of truth for policy across different clouds and tools.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul 
class=\"wp-block-list\">\n<li><strong>Rego<\/strong>\u00a0has a steep learning curve and can be difficult for beginners to master.<\/li>\n\n\n\n<li>Managing OPA at scale across multiple clusters requires additional tooling like Styra.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Supports SSO, detailed audit logs of every decision, and is SOC 2 compliant.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Exceptional documentation; huge community on Slack and GitHub; enterprise support available via Styra.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_%E2%80%94_HashiCorp_Sentinel\"><\/span>2 \u2014 HashiCorp Sentinel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Sentinel is a proprietary policy-as-code framework integrated into the HashiCorp enterprise stack. It is designed specifically to work with Terraform, Vault, and Nomad.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Deep integration with Terraform Cloud and Terraform Enterprise.<\/li>\n\n\n\n<li>Supports multiple enforcement levels: Advisory, Soft Mandatory, and Hard Mandatory.<\/li>\n\n\n\n<li>Policies can access information not available in standard IaC files, such as historical data.<\/li>\n\n\n\n<li>Integrated testing framework to simulate policy outcomes.<\/li>\n\n\n\n<li>Built-in functions for common cloud governance tasks.<\/li>\n\n\n\n<li>Role-based access control for policy management.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Native integration with the HashiCorp ecosystem provides a seamless &#8220;plan-policy-apply&#8221; workflow.<\/li>\n\n\n\n<li>Enforcement levels allow for &#8220;grace periods&#8221; where developers are warned before being blocked.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Proprietary and locked into the 
HashiCorp ecosystem; requires a paid license for most features.<\/li>\n\n\n\n<li>Uses its own language, which is distinct from Rego or standard programming languages.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0High-grade audit trails, SSO integration, and ISO\/SOC 2 compliant.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0World-class enterprise support; extensive HashiCorp Learn documentation; smaller community than OPA.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_%E2%80%94_Kyverno\"><\/span>3 \u2014 Kyverno<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Kyverno is a Kubernetes-native policy engine that allows users to manage policies without learning a new language. Policies are written entirely in&nbsp;<strong>YAML<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Kubernetes-native design: policies are managed as standard K8s resources.<\/li>\n\n\n\n<li>No new domain-specific language (DSL) is required for DevOps teams.<\/li>\n\n\n\n<li>Can\u00a0<strong>validate, mutate, and generate<\/strong>\u00a0Kubernetes resources.<\/li>\n\n\n\n<li>Integrated with standard Kubernetes tools like\u00a0<code>kubectl<\/code>\u00a0and GitOps workflows.<\/li>\n\n\n\n<li>High-visibility reporting on non-compliant resources.<\/li>\n\n\n\n<li>Background scanning to detect drift in existing clusters.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Low barrier to entry for teams already comfortable with Kubernetes YAML.<\/li>\n\n\n\n<li>Unique ability to automatically\u00a0<em>generate<\/em>\u00a0resources (like default NetworkPolicies) when a namespace is created.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Strictly limited to Kubernetes; cannot be used for Terraform or cloud-level API 
policies.<\/li>\n\n\n\n<li>Less expressive than OPA\/Rego for extremely complex, nested logical checks.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Uses Kubernetes RBAC for security; supports audit logging and CIS compliance.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Very active CNCF project; excellent documentation and Slack community.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_%E2%80%94_Checkov_Prisma_Cloud\"><\/span>4 \u2014 Checkov (Prisma Cloud)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Checkov is an open-source static code analysis tool for Infrastructure as Code. It is a &#8220;developer-first&#8221; tool that scans IaC files for misconfigurations before they are even committed.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Supports Terraform, CloudFormation, Kubernetes, ARM Templates, and Serverless framework.<\/li>\n\n\n\n<li>Over 1,000 built-in policies based on compliance frameworks like HIPAA and PCI-DSS.<\/li>\n\n\n\n<li>Graph-based analysis to identify complex, multi-resource vulnerabilities.<\/li>\n\n\n\n<li>Integrated with VS Code and JetBrains IDEs for real-time feedback.<\/li>\n\n\n\n<li>Automated remediation suggestions for identified issues.<\/li>\n\n\n\n<li>Seamless integration with CI\/CD pipelines (GitHub Actions, Jenkins).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Incredibly easy to start; provides immediate value with pre-built policies.<\/li>\n\n\n\n<li>&#8220;Shift-Left&#8221; focus catches errors in the IDE before they ever reach the cloud.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Primarily a static analysis tool; does not enforce policies at runtime (unless using Prisma Cloud).<\/li>\n\n\n\n<li>Large number of rules can lead to &#8220;alert 
fatigue&#8221; without proper tuning.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0SOC 2 compliant; policies are mapped directly to compliance frameworks.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Strong backing by Palo Alto Networks; large open-source contributor base.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_%E2%80%94_Pulumi_CrossGuard\"><\/span>5 \u2014 Pulumi CrossGuard<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>CrossGuard is the policy-as-code framework for Pulumi. It allows you to write policies using general-purpose programming languages like TypeScript, Python, and Go.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Policies are written in the same languages developers use for their applications.<\/li>\n\n\n\n<li>Works across all Pulumi-supported cloud providers (AWS, Azure, GCP).<\/li>\n\n\n\n<li>Enforces policies during the\u00a0<code>pulumi preview<\/code>\u00a0and\u00a0<code>pulumi up<\/code>\u00a0stages.<\/li>\n\n\n\n<li>Includes a set of pre-built &#8220;Compliance-Ready&#8221; policies.<\/li>\n\n\n\n<li>Fine-grained control over which resources are targeted.<\/li>\n\n\n\n<li>Highly extensible through standard library imports.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Developers love it because they don&#8217;t have to learn a proprietary DSL or YAML syntax.<\/li>\n\n\n\n<li>Full power of a programming language allows for complex API lookups and external data integration.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Only works for infrastructure managed by Pulumi.<\/li>\n\n\n\n<li>The flexibility of a programming language can lead to overly complex policy code if not governed.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Integrated 
with Pulumi Cloud\u2019s audit logs and identity management.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Good documentation; responsive Slack community; enterprise support for Pulumi customers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"6_%E2%80%94_AWS_Config\"><\/span>6 \u2014 AWS Config<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>AWS Config is a managed service that provides a detailed view of the configuration of AWS resources. It uses &#8220;Rules&#8221; to enforce desired configurations.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Fully managed by AWS; requires no infrastructure to run.<\/li>\n\n\n\n<li>Extensive library of AWS-managed rules (e.g., &#8220;S3-Bucket-Public-Read-Prohibited&#8221;).<\/li>\n\n\n\n<li>Support for Custom Rules written in AWS Lambda (using Python, Java, etc.).<\/li>\n\n\n\n<li>Continuous monitoring and automated remediation via AWS Systems Manager.<\/li>\n\n\n\n<li>Integrated with AWS Organizations for multi-account governance.<\/li>\n\n\n\n<li>Visual timeline of resource changes for forensic analysis.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>The easiest way to achieve baseline compliance for AWS-only environments.<\/li>\n\n\n\n<li>&#8220;Recording&#8221; feature provides an invaluable audit trail for compliance officers.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>AWS-specific; does not provide a unified view if you also use Azure or GCP.<\/li>\n\n\n\n<li>Costs can scale quickly if you have a high volume of resource changes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0HIPAA, PCI DSS, GDPR, ISO, and SOC compliant.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Standard AWS enterprise support; massive ecosystem of AWS 
partners.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"7_%E2%80%94_Azure_Policy\"><\/span>7 \u2014 Azure Policy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Built directly into the Azure Resource Manager (ARM).<\/li>\n\n\n\n<li>Enforces policies at the management group, subscription, and resource group levels.<\/li>\n\n\n\n<li>Supports &#8220;Deny&#8221; (block creation), &#8220;Audit&#8221; (log only), and &#8220;Modify&#8221; (fix during deployment).<\/li>\n\n\n\n<li>Integrated compliance dashboard for a high-level view of your posture.<\/li>\n\n\n\n<li>Support for &#8220;Guest Configuration&#8221; to audit settings inside VMs.<\/li>\n\n\n\n<li>Native integration with Azure DevOps and GitHub.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Zero extra cost for basic Azure resource governance.<\/li>\n\n\n\n<li>Powerful &#8220;remediation tasks&#8221; can fix thousands of non-compliant resources automatically.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Limited to the Microsoft Azure ecosystem.<\/li>\n\n\n\n<li>The JSON-based policy structure can be verbose and difficult to debug.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Deeply integrated with Microsoft Defender for Cloud; fully compliant with global standards.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Azure enterprise support; extensive Microsoft Learn documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"8_%E2%80%94_Google_Cloud_Policy_Controller\"><\/span>8 \u2014 Google Cloud Policy 
Controller<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Policy Controller is part of Google Cloud&#8217;s Anthos Config Management. It is built on the Open Policy Agent (OPA) Gatekeeper project.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Enforces fully programmable policies for your Google Cloud resources.<\/li>\n\n\n\n<li>Includes a library of pre-built &#8220;constraints&#8221; for common security needs.<\/li>\n\n\n\n<li>Audits resources in real-time to detect drift.<\/li>\n\n\n\n<li>Works across on-premises, hybrid, and multi-cloud Kubernetes clusters.<\/li>\n\n\n\n<li>Tight integration with the Google Cloud Console for monitoring.<\/li>\n\n\n\n<li>Allows for &#8220;dry-run&#8221; mode to test impact before enforcement.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Combines the power of OPA with the ease of a managed Google service.<\/li>\n\n\n\n<li>Ideal for organizations running Google Kubernetes Engine (GKE) or Anthos.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Requires Anthos, which can be an expensive entry point for some users.<\/li>\n\n\n\n<li>Primarily focused on Kubernetes and resources managed via Config Connector.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Google Cloud standard compliance (SOC, ISO, HIPAA).<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Managed by Google; inherits the large OPA community knowledge base.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"9_%E2%80%94_Conftest\"><\/span>9 \u2014 Conftest<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Conftest is a utility that helps you write tests against structured configuration data. 
It is a key part of the OPA ecosystem, often used in CI\/CD pipelines.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Uses\u00a0<strong>Rego<\/strong>\u00a0to test configuration files (Terraform, Dockerfiles, YAML).<\/li>\n\n\n\n<li>Extremely lightweight; designed to be run as a CLI tool.<\/li>\n\n\n\n<li>Can pull policy files from remote sources (OCI registries, Git).<\/li>\n\n\n\n<li>Excellent for &#8220;pre-flight&#8221; checks during development.<\/li>\n\n\n\n<li>Provides clear, colored output for pass\/fail results.<\/li>\n\n\n\n<li>Easy to integrate into existing Makefile or Bash scripts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>The fastest way to add OPA-based policy checks to a CI\/CD pipeline.<\/li>\n\n\n\n<li>Versatile\u2014if it&#8217;s a structured file (JSON\/YAML\/HCL), Conftest can test it.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>No native &#8220;runtime&#8221; enforcement; it is strictly a testing\/validation tool.<\/li>\n\n\n\n<li>Requires users to learn Rego, which is OPA&#8217;s core challenge.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Varies; it is an open-source tool with no central SOC 2.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Part of the OPA project; high-quality GitHub documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"10_%E2%80%94_Terrascan_by_Tenable\"><\/span>10 \u2014 Terrascan (by Tenable)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Terrascan is a powerful static code analyzer for Infrastructure as Code, focusing heavily on security and compliance benchmarks.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key features:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Scans Terraform, Kubernetes (JSON\/YAML), Helm, Kustomize, and 
Dockerfiles.<\/li>\n\n\n\n<li>Over 500 out-of-the-box policies based on CIS Benchmarks.<\/li>\n\n\n\n<li>Integration with Tenable Cloud Security for a full lifecycle view.<\/li>\n\n\n\n<li>Extensible through Rego (OPA) for custom policy creation.<\/li>\n\n\n\n<li>Admission controller support for Kubernetes.<\/li>\n\n\n\n<li>CI\/CD friendly with plugins for major orchestration tools.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Pros:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Exceptional focus on security benchmarks (CIS); very trusted by security teams.<\/li>\n\n\n\n<li>Supports a wide variety of IaC languages beyond just Terraform.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cons:<\/strong>\n<ul class=\"wp-block-list\">\n<li>UI for the open-source version is non-existent (it&#8217;s a CLI tool).<\/li>\n\n\n\n<li>The &#8220;Shift-Left&#8221; feedback loop isn&#8217;t as polished as Checkov&#8217;s IDE plugins.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Security &amp; compliance:<\/strong>\u00a0Backed by Tenable\u2019s extensive security expertise; SOC 2 and GDPR focused.<\/li>\n\n\n\n<li><strong>Support &amp; community:<\/strong>\u00a0Strong backing by Tenable; good documentation for open-source users.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Comparison_Table\"><\/span>Comparison Table<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><td>Tool Name<\/td><td>Best For<\/td><td>Platform(s) Supported<\/td><td>Standout Feature<\/td><td>Rating (Gartner\/TrueReview)<\/td><\/tr><\/thead><tbody><tr><td><strong>Open Policy Agent<\/strong><\/td><td>Multi-Cloud Governance<\/td><td>Kubernetes, Terraform, APIs<\/td><td>Rego Flexibility<\/td><td>4.8 \/ 5<\/td><\/tr><tr><td><strong>HashiCorp Sentinel<\/strong><\/td><td>Terraform Enterprise<\/td><td>HashiCorp Stack<\/td><td>Enforcement 
Levels<\/td><td>4.5 \/ 5<\/td><\/tr><tr><td><strong>Kyverno<\/strong><\/td><td>Kubernetes Teams<\/td><td>Kubernetes Only<\/td><td>YAML-Native Design<\/td><td>4.7 \/ 5<\/td><\/tr><tr><td><strong>Checkov<\/strong><\/td><td>Static IaC Scanning<\/td><td>Terraform, K8s, CloudFormation<\/td><td>1,000+ Pre-built Rules<\/td><td>4.6 \/ 5<\/td><\/tr><tr><td><strong>Pulumi CrossGuard<\/strong><\/td><td>Developers<\/td><td>Pulumi Supported Clouds<\/td><td>Policy in Python\/TS<\/td><td>4.4 \/ 5<\/td><\/tr><tr><td><strong>AWS Config<\/strong><\/td><td>AWS-only Shops<\/td><td>AWS<\/td><td>Automated Remediation<\/td><td>4.6 \/ 5<\/td><\/tr><tr><td><strong>Azure Policy<\/strong><\/td><td>Azure-only Shops<\/td><td>Azure<\/td><td>Built-in Remediation<\/td><td>4.5 \/ 5<\/td><\/tr><tr><td><strong>GCP Policy Controller<\/strong><\/td><td>Anthos \/ GKE Users<\/td><td>GCP, Anthos<\/td><td>Managed OPA\/Gatekeeper<\/td><td>4.4 \/ 5<\/td><\/tr><tr><td><strong>Conftest<\/strong><\/td><td>CI\/CD Testing<\/td><td>Any Structured Config<\/td><td>Lightweight CLI<\/td><td>4.3 \/ 5<\/td><\/tr><tr><td><strong>Terrascan<\/strong><\/td><td>Security Benchmarking<\/td><td>Multi-IaC, K8s<\/td><td>Deep CIS Benchmark Focus<\/td><td>4.5 \/ 5<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Evaluation_Scoring_of_Cloud_Policy_as_Code_Tools\"><\/span>Evaluation &amp; Scoring of Cloud Policy as Code Tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We evaluated these tools based on a weighted rubric to reflect the needs of modern DevSecOps teams.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><td>Category<\/td><td>Weight<\/td><td>Description<\/td><\/tr><\/thead><tbody><tr><td><strong>Core Features<\/strong><\/td><td>25%<\/td><td>Ability to block deployments, audit resources, and mutate\/fix 
configurations.<\/td><\/tr><tr><td><strong>Ease of Use<\/strong><\/td><td>15%<\/td><td>Complexity of the policy language and administrative overhead.<\/td><\/tr><tr><td><strong>Integrations<\/strong><\/td><td>15%<\/td><td>Support for CI\/CD, IDEs, and major cloud providers.<\/td><\/tr><tr><td><strong>Security &amp; Compliance<\/strong><\/td><td>10%<\/td><td>Mapping to frameworks (PCI, HIPAA) and internal tool security.<\/td><\/tr><tr><td><strong>Performance<\/strong><\/td><td>10%<\/td><td>Evaluation speed and scalability for high-volume environments.<\/td><\/tr><tr><td><strong>Support &amp; Community<\/strong><\/td><td>10%<\/td><td>Quality of documentation and availability of help.<\/td><\/tr><tr><td><strong>Price \/ Value<\/strong><\/td><td>15%<\/td><td>Free tier availability vs. enterprise licensing costs.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Which_Cloud_Policy_as_Code_Tool_Is_Right_for_You\"><\/span>Which Cloud Policy as Code Tool Is Right for You?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Choosing a tool depends on where you are in your cloud journey and what specific problems you are trying to solve.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Solo Users and Small Teams:<\/strong>\u00a0Start with\u00a0<strong>Checkov<\/strong>\u00a0or\u00a0<strong>Terrascan<\/strong>. These are free, open-source, and provide immediate value by scanning your code for obvious security holes before you deploy. You don&#8217;t need a complex server setup\u2014just a CLI run in your local environment.<\/li>\n\n\n\n<li><strong>Kubernetes-Only Environments:<\/strong>\u00a0If your entire world is Kubernetes,\u00a0<strong>Kyverno<\/strong>\u00a0is the clear winner. You won&#8217;t have to hire OPA specialists or learn Rego. 
You can manage everything using the same YAML skills your team already has.<\/li>\n\n\n\n<li><strong>Multi-Cloud Enterprises:<\/strong>\u00a0If you are managing AWS, Azure, and on-premises resources,\u00a0<strong>Open Policy Agent (OPA)<\/strong>\u00a0is the industry standard for a reason. It provides a unified language that can bridge every part of your infrastructure.<\/li>\n\n\n\n<li><strong>HashiCorp or Pulumi Shops:<\/strong>\u00a0If you have already committed heavily to a specific IaC vendor, stick with their native tools (<strong>Sentinel<\/strong>\u00a0or\u00a0<strong>CrossGuard<\/strong>). The integration benefits\u2014like checking policies against &#8220;Plan&#8221; data\u2014are worth the vendor lock-in.<\/li>\n\n\n\n<li><strong>Compliance-Heavy Industries:<\/strong>\u00a0Organizations that need deep auditing and a &#8220;record of everything&#8221; should lean toward cloud-native managed services like\u00a0<strong>AWS Config<\/strong>\u00a0or\u00a0<strong>Azure Policy<\/strong>. These tools are often preferred by auditors because they are built directly into the cloud fabric.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Frequently_Asked_Questions_FAQs\"><\/span>Frequently Asked Questions (FAQs)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>1. Is Policy as Code the same as Infrastructure as Code?<\/strong>&nbsp;No. Infrastructure as Code (IaC) defines&nbsp;<em>what<\/em>&nbsp;to build (e.g., a server). Policy as Code (PaC) defines&nbsp;<em>how<\/em>&nbsp;it should be built (e.g., that server must be encrypted and tagged). PaC sits on top of IaC to provide guardrails.<\/p>\n\n\n\n<p><strong>2. Does implementing PaC slow down developer velocity?<\/strong>&nbsp;Initially, it can. 
However, long-term velocity increases because security issues are caught automatically in seconds during the coding phase, rather than causing weeks of delay during a security review at the end of a project.<\/p>\n\n\n\n<p><strong>3. Do I need to learn a new programming language?<\/strong>&nbsp;It depends on the tool.&nbsp;<strong>OPA<\/strong>&nbsp;requires Rego, and&nbsp;<strong>Sentinel<\/strong>&nbsp;has its own language.&nbsp;<strong>Kyverno<\/strong>&nbsp;uses YAML, and&nbsp;<strong>Pulumi<\/strong>&nbsp;uses standard languages like Python.<\/p>\n\n\n\n<p><strong>4. Can these tools automatically fix security issues?<\/strong>&nbsp;Yes. Tools like&nbsp;<strong>Azure Policy<\/strong>,&nbsp;<strong>AWS Config<\/strong>, and&nbsp;<strong>Kyverno<\/strong>&nbsp;can &#8220;mutate&#8221; or &#8220;remediate&#8221; resources, automatically adding missing tags or turning on encryption if it was forgotten.<\/p>\n\n\n\n<p><strong>5. Is open-source OPA enough for an enterprise?<\/strong>&nbsp;OPA is robust, but for a large enterprise, you will likely need a &#8220;management plane&#8221; like&nbsp;<strong>Styra<\/strong>&nbsp;or&nbsp;<strong>Spacelift<\/strong>&nbsp;to handle policy distribution, versioning, and unified reporting across thousands of endpoints.<\/p>\n\n\n\n<p><strong>6. Can PaC help with cloud cost management?<\/strong>&nbsp;Absolutely. You can write policies that block the creation of &#8220;over-provisioned&#8221; instances (like a $20\/hour GPU instance for a test site) or require a &#8220;Termination Date&#8221; tag on all sandbox resources.<\/p>\n\n\n\n<p><strong>7. Is static analysis (scanning code) enough?<\/strong>&nbsp;No. Static analysis catches errors&nbsp;<em>before<\/em>&nbsp;deployment, but it cannot see &#8220;runtime&#8221; changes (drift) or manual changes made in the Cloud Console. A complete strategy requires both static scanning and runtime enforcement.<\/p>\n\n\n\n<p><strong>8. 
What are &#8220;CIS Benchmarks&#8221;?<\/strong>&nbsp;The Center for Internet Security (CIS) provides industry-standard security guidelines for various clouds and tools. Most PaC tools come with pre-built policies to enforce these benchmarks.<\/p>\n\n\n\n<p><strong>9. Can I use these tools with old, existing infrastructure?<\/strong>&nbsp;Yes. Most tools have an &#8220;Audit&#8221; or &#8220;Detection&#8221; mode that identifies existing non-compliant resources without breaking them, allowing you to fix them gradually.<\/p>\n\n\n\n<p><strong>10. How do I handle &#8220;exceptions&#8221; to a policy?<\/strong>&nbsp;Modern PaC tools allow you to &#8220;exempt&#8221; or &#8220;waive&#8221; specific resources from a policy for a set amount of time, ensuring that critical business operations aren&#8217;t blocked by a minor compliance rule.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Cloud Policy as Code is no longer a luxury\u2014it is a foundational requirement for any organization serious about operating in the cloud securely and at scale. By treating governance as a software engineering problem, teams can automate away the friction between security and development. Whether you choose the vendor-neutral power of&nbsp;<strong>Open Policy Agent<\/strong>, the simplicity of&nbsp;<strong>Kyverno<\/strong>, or the deep integration of&nbsp;<strong>Azure Policy<\/strong>, the most important step is to start codifying your guardrails today. 
The &#8220;best&#8221; tool is simply the one that your developers will actually use.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cloud Policy as Code (PaC)&nbsp;is the practice of defining, managing, and enforcing infrastructure and security rules using machine-readable definition&hellip;<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[5307,3086,4284,5313,1913],"class_list":["post-8461","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cloudgovernance","tag-cloudsecurity","tag-infrastructureascode","tag-policyascode","tag-devsecops"],"_links":{"self":[{"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/posts\/8461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/comments?post=8461"}],"version-history":[{"count":1,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/posts\/8461\/revisions"}],"predecessor-version":[{"id":8488,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/posts\/8461\/revisions\/8488"}],"wp:attachment":[{"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/media?parent=8461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/categories?post=8461"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gurukulgalaxy.com\/blog\/wp-json\/wp\/v2\/tags?post=8461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}