
Scaling Cost and Compliance with Policy as Code

Stacklet

CHALLENGE

Stacklet serves organizations with massive cloud footprints. Their clients need tighter control over cloud spend and stronger compliance without dedicating large teams to writing and maintaining policy logic.

The company needed the ability to generate comprehensive, out-of-the-box Policy as Code (PaC) for AWS and Azure using Cloud Custodian (c7n), an open-source Python rules engine for cloud policy management. In practice, several constraints made that difficult to scale:

  • Inconsistent requirements – Compliance frameworks speak different languages. Some operate at a strategic level (control objectives), others at a tactical level (benchmarks that define specific resource checks). The same control appears in multiple frameworks with different wording, making it hard to map requirements to policies systematically.
  • Tool coverage gaps – Cloud Custodian didn't support all the Azure and Entra ID resources referenced in key frameworks. Writing policies for unsupported resources meant choosing between incomplete coverage or custom development.
  • Manual verification bottleneck – Testing hundreds of policies required manual setup and teardown in sensitive cloud accounts. Every iteration carried risk and delay, making it impractical to verify behavior at scale.

Figure: The GRC (Governance, Risk, Compliance) taxonomy.


Implementation Details

Six Feet Up built a system that transforms vague compliance requirements into verified, production-ready policies that can evolve with changing frameworks and cloud platforms.

Structured Governance Model

The first step was treating frameworks as structured data rather than flat documents. Using Python, Django, and SQLite, Six Feet Up designed a governance, risk, and compliance model that:

  • Captures strategic control objectives, such as “avoid unnecessary public exposure of data.”
  • Links existing tactical benchmarks, mainly from the Center for Internet Security (CIS), to those objectives using cross-framework mappings that show how they are tested on specific AWS and Azure services.

Once frameworks were expressed in this model, many control objectives that looked unique mapped to the same benchmarks. Overlap across frameworks became explicit and reusable, instead of being buried in documents.

Crosswalk from Benchmarks to Policies

Six Feet Up then built a crosswalk application that maps many control objectives to a single benchmark. Each benchmark is implemented as a Cloud Custodian policy in YAML, allowing a single policy to satisfy benchmarks across multiple frameworks and clouds.

This crosswalk:

  • Makes relationships between frameworks, controls, benchmarks, and policies queryable.
  • Exposes which controls are currently enforced and which high-value benchmarks still lack policies.
  • Effectively creates a policy roadmap, showing Stacklet where to focus next for maximum impact.
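As an added illustration (not Stacklet's or Six Feet Up's code), here is a minimal in-memory version of the governance model and crosswalk described in the two sections above: controls from several frameworks map onto shared benchmarks, each benchmark onto at most one Cloud Custodian policy, and three queries surface the enforced controls, the policy roadmap, and benchmarks whose resource type Cloud Custodian does not yet support. Framework names, control and benchmark identifiers, policy names and the `azure.entra-user` resource type are constructed placeholders; the Django/SQLite model of the real system is not shown.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:          # strategic control objective, as worded by one framework
    framework: str
    id: str
    objective: str      # wording differs across frameworks for the same intent
@dataclass(frozen=True)
class Benchmark:        # tactical check, e.g. a CIS recommendation (ids constructed)
    id: str
    resource: str       # Cloud Custodian resource type the check is tested on

@dataclass
class Crosswalk:
    control_map: dict[Control, set[str]] = field(default_factory=dict)  # control -> benchmark ids
    benchmarks: dict[str, Benchmark] = field(default_factory=dict)
    policies: dict[str, str] = field(default_factory=dict)  # benchmark id -> c7n policy name
    supported: set[str] = field(default_factory=set)         # resource types c7n implements
    def enforced_controls(self) -> list[str]:  # every mapped benchmark has a policy
        return sorted(f"{c.framework}:{c.id}" for c, ids in self.control_map.items()
                      if ids and all(b in self.policies for b in ids))
    def policy_roadmap(self) -> list[str]:  # unpoliced benchmarks, most controls served first
        weight = Counter(b for ids in self.control_map.values() for b in ids)
        return sorted((b for b in self.benchmarks if b not in self.policies),
                      key=lambda b: (-weight[b], b))
    def unsupported_gaps(self) -> list[str]:  # benchmarks needing a c7n resource extension
        return sorted(b.id for b in self.benchmarks.values() if b.resource not in self.supported)

def build_sample() -> Crosswalk:  # constructed data; "azure.entra-user" is a placeholder type
    s3 = Benchmark("cis-aws-s3-public-access", "aws.s3")
    stor = Benchmark("cis-azure-storage-public-access", "azure.storage")
    trail = Benchmark("cis-aws-cloudtrail-enabled", "aws.cloudtrail")
    mfa = Benchmark("cis-entra-privileged-mfa", "azure.entra-user")
    return Crosswalk(
        control_map={  # two frameworks phrase the same public-exposure control differently
            Control("FrameworkA", "A.1", "avoid unnecessary public exposure of data"): {s3.id, stor.id},
            Control("FrameworkB", "B.7", "data stores must not be publicly reachable"): {s3.id, stor.id},
            Control("FrameworkA", "A.4", "record all management-plane API activity"): {trail.id},
            Control("FrameworkB", "B.2", "audit logging is enabled in every account"): {trail.id},
            Control("FrameworkB", "B.9", "privileged identities require MFA"): {mfa.id},
        },
        benchmarks={b.id: b for b in (s3, stor, trail, mfa)},
        policies={s3.id: "s3-block-public-access", stor.id: "storage-deny-public-access"},
        supported={"aws.s3", "azure.storage", "aws.cloudtrail"},
    )
```

Running the three queries on the sample shows that one policy per benchmark satisfies the public-exposure control in both frameworks, that the CloudTrail benchmark tops the roadmap because two controls depend on it, and that the MFA benchmark cannot be policed until Cloud Custodian gains the resource type.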

AI-Accelerated Policy Generation

With structured data in place, using AI became practical. Six Feet Up evaluated several large language models (LLMs), with most of the work done with Claude.

The team found that:

  • Feeding raw framework text into an LLM and asking for Cloud Custodian YAML produced inconsistent output.
  • Feeding a single structured benchmark from the model, with its context, produced better candidate policies that engineers could refine.

Engineers review the AI-generated YAML, make adjustments, and run it through automated tests against real infrastructure defined as code with Terraform. LLMs also suggest concrete interpretations for ambiguous requirements, which the team can accept, reject, or refine.

AI is treated as an accelerator, not as an authority. The guardrails come from the data model and the tests, which is what keeps the focus on cost and compliance outcomes.

Automated Verification and Extension

Policy definitions are only useful if they behave correctly in live environments, especially for rules that touch sensitive Azure and Entra ID resources.

To make verification repeatable, Six Feet Up designed a CI/CD workflow using infrastructure as code:

  • Define minimal, isolated test environments for AWS and Azure.
  • Include only the resources needed for a particular policy or a small group of policies.
  • Run Cloud Custodian against those environments, assert expected changes, and tear down.

Highly sensitive tests run in dedicated infrastructure isolated from production accounts. This lets Stacklet ship or update policies with confidence that each change has been exercised against realistic, contained cloud environments.
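An added example, not part of the original project, of the "assert expected changes" step in that loop: it reads the resources.json that `custodian run -s <dir>` writes for each policy, compares the matched resources with those the Terraform fixture deliberately created non-compliant, and flags any match that does not carry the fixture tag, which would mean the run reached beyond the contained environment. The fixture tag name, bucket names and the faked run output are constructed.

```python
import json
from pathlib import Path
from tempfile import mkdtemp

# Tag the Terraform fixture puts on every resource it creates (constructed name).
FIXTURE_TAG = {"Key": "c7n-test-fixture", "Value": "true"}

def matched_resources(output_dir: str, policy_name: str) -> list:
    """Resources a policy matched, read from Cloud Custodian's output layout
    (`custodian run -s <output_dir> ...` writes <output_dir>/<policy>/resources.json)."""
    path = Path(output_dir) / policy_name / "resources.json"
    return json.loads(path.read_text()) if path.exists() else []  # no match -> empty list

def verify_run(output_dir: str, policy_name: str, id_key: str, expected_ids) -> dict:
    """Findings for one policy run: fixture resources the policy missed, matches the
    fixture did not plan for, and matches without the fixture tag (containment breach)."""
    matched = matched_resources(output_dir, policy_name)
    ids = {r[id_key] for r in matched}
    expected = set(expected_ids)
    return {
        "missed": sorted(expected - ids),
        "unexpected": sorted(ids - expected),
        "outside_fixture": sorted(r[id_key] for r in matched
                                  if FIXTURE_TAG not in r.get("Tags", [])),
    }

def run_passed(findings: dict) -> bool:
    return not any(findings.values())

def write_sample_run(policy_name: str = "s3-block-public-access") -> str:
    """Constructed stand-in for a real `custodian run --dryrun` against the test
    account: fakes the resources.json a policy would emit and returns the output dir."""
    out = Path(mkdtemp())
    (out / policy_name).mkdir()
    fake_matches = [
        {"Name": "ci-fixture-public-bucket", "Tags": [FIXTURE_TAG]},
        {"Name": "prod-data-lake", "Tags": []},  # would show the run escaped containment
    ]
    (out / policy_name / "resources.json").write_text(json.dumps(fake_matches))
    return str(out)

if __name__ == "__main__":
    out_dir = write_sample_run()
    findings = verify_run(out_dir, "s3-block-public-access", "Name",
                          ["ci-fixture-public-bucket", "ci-fixture-acl-public-bucket"])
    print(findings, "PASS" if run_passed(findings) else "FAIL")
```

In CI the same check runs after a `--dryrun` pass and again after the real run, so a policy that matches too little, too much, or anything outside the fixture fails before it ships.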

As the crosswalk filled out, it exposed benchmarks that mapped to resources Cloud Custodian didn't yet support. The team used these gaps to drive focused extensions to Cloud Custodian, adding new resource types with tests and documentation, then wiring them back into the crosswalk and the testing loop.

Stacklet's Policy as Code capabilities grew in direct response to framework needs.


RESULTS

Policy development at Stacklet now runs as a repeatable, transparent system that grows cost and compliance coverage with Cloud Custodian across AWS and Azure. Controls that once required custom development now ship as part of the platform.

The governance model, crosswalk, and infrastructure as code tests give the team a single view of how frameworks, controls, benchmarks, and policies connect, and a safe way to validate behavior in realistic environments.

The system delivers:

  • Faster, more predictable policy development – Hours spent per policy continue to decrease as the system matures
  • Clearer visibility – Single view of coverage and gaps across frameworks and clouds
  • Safer verification – Repeatable policy testing in isolated, dedicated environments

Stacklet and Six Feet Up continue to evolve this system, adding framework coverage and extending Cloud Custodian's capabilities as new requirements emerge.
