Policy
Policies let you override DriftWise's default risk scoring for specific patterns. Use them to escalate risks that matter to your org or suppress known-safe patterns.
How Policies Work
A policy is a list of rules. Each rule matches a risk flag pattern and overrides its severity:
Flag: "public-ingress-0.0.0.0" → Default severity: medium
Policy rule: flag_pattern "public-*" → Override to: critical
Result: "public-ingress-0.0.0.0" reported as critical
Rules are evaluated in order — the first matching rule wins.
Viewing the Current Policy
```bash
curl "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/policy" \
  -H "x-api-key: $DRIFTWISE_API_KEY"
```

```json
{
  "version": 3,
  "rules": [
    {
      "id": "escalate-public",
      "flag_pattern": "public-*",
      "resource_pattern": "",
      "severity": "critical",
      "reason": "All public-facing changes require security review"
    },
    {
      "id": "ignore-tags",
      "flag_pattern": "tag-*",
      "resource_pattern": "aws_autoscaling_group*",
      "severity": "ignore",
      "reason": "ASG tag drift is expected from scaling events"
    }
  ],
  "updated_at": "2026-04-10T15:30:00Z"
}
```
Setting a Policy
Policies are replaced as a whole — send the complete rule set:
```bash
curl -X PUT "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/policy" \
  -H "x-api-key: $DRIFTWISE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "rules": [
      {
        "id": "escalate-public",
        "flag_pattern": "public-*",
        "severity": "critical",
        "reason": "Security review required for public changes"
      },
      {
        "id": "ignore-asg-tags",
        "flag_pattern": "tag-*",
        "resource_pattern": "aws_autoscaling_group*",
        "severity": "ignore",
        "reason": "Expected drift from ASG scaling"
      }
    ]
  }'
```
The version field auto-increments on each save.
Rule Fields
| Field | Type | Required | Description |
|---|---|---|---|
| id | string | yes | Unique identifier within the policy |
| flag_pattern | string | yes | Glob pattern matching risk flag IDs |
| resource_pattern | string | no | Glob pattern matching resource types. Empty = all resources |
| severity | string | yes | Override severity: critical, high, medium, low, or ignore |
| reason | string | yes | Why this override exists (max 200 chars) |
Pattern Syntax
Both flag_pattern and resource_pattern support glob matching:
| Pattern | Matches |
|---|---|
| `public-*` | Any flag starting with public- |
| `*-encryption` | Any flag ending with -encryption |
| `*wildcard*` | Any flag containing wildcard |
| `exact-flag-id` | Only this exact flag |
| `aws_s3_*` | Any S3 resource type |
Severity Levels
| Level | Effect |
|---|---|
| critical | Escalate — highest priority, blocks deployment in strict mode |
| high | Escalate — requires attention |
| medium | Default for most security-relevant flags |
| low | Downgrade — acknowledged but not urgent |
| ignore | Suppress — flag still detected but hidden from reports |
Limits
- Maximum 50 rules per policy
- Rule IDs must be unique within the policy
- Patterns must match `[a-zA-Z0-9_*-]`
- Reason field max 200 characters
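To see how a policy resolves a flag's severity, and to check a rule set against the limits above before sending it with PUT, here is an added example (not DriftWise's own code) that implements the documented semantics: `*` is the only wildcard, rules are tried in order, the first match wins, and an empty `resource_pattern` matches every resource. The sample rules are constructed from the policy shown earlier on this page.

```python
import re

SEVERITIES = {"critical", "high", "medium", "low", "ignore"}
PATTERN_CHARS = re.compile(r"^[a-zA-Z0-9_*-]+$")  # allowed pattern alphabet

def glob_to_regex(pattern):
    # Only '*' is a wildcard; every other character is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def validate_policy(rules):
    """Return the documented-limit violations for a rule set (empty list if valid)."""
    problems = []
    if len(rules) > 50:
        problems.append("more than 50 rules")
    seen = set()
    for r in rules:
        if r["id"] in seen:
            problems.append(f"duplicate id {r['id']}")
        seen.add(r["id"])
        for key in ("flag_pattern", "resource_pattern"):
            pat = r.get(key, "")
            if pat and not PATTERN_CHARS.match(pat):
                problems.append(f"{r['id']}: {key} contains characters outside [a-zA-Z0-9_*-]")
        if r["severity"] not in SEVERITIES:
            problems.append(f"{r['id']}: unknown severity {r['severity']}")
        if len(r.get("reason", "")) > 200:
            problems.append(f"{r['id']}: reason exceeds 200 characters")
    return problems

def effective_severity(rules, flag_id, resource_type, default):
    """First matching rule wins; returns (severity, rule id) or (default, None)."""
    for r in rules:
        if not glob_to_regex(r["flag_pattern"]).match(flag_id):
            continue
        rp = r.get("resource_pattern", "")          # empty means all resources
        if rp and not glob_to_regex(rp).match(resource_type):
            continue
        return r["severity"], r["id"]
    return default, None

# Constructed sample: the two rules from the GET response above.
POLICY_RULES = [
    {"id": "escalate-public", "flag_pattern": "public-*", "resource_pattern": "",
     "severity": "critical", "reason": "All public-facing changes require security review"},
    {"id": "ignore-tags", "flag_pattern": "tag-*", "resource_pattern": "aws_autoscaling_group*",
     "severity": "ignore", "reason": "ASG tag drift is expected from scaling events"},
]
```

Because the first match wins, an `ignore` rule placed above a broader `critical` rule silently suppresses the flags both match; keep escalations ahead of suppressions when their patterns overlap.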
Examples
Escalate all IAM changes to critical:
```json
{
  "id": "iam-critical",
  "flag_pattern": "iam-*",
  "severity": "critical",
  "reason": "IAM changes require security team approval"
}
```
Ignore encryption flags on dev resources:
```json
{
  "id": "dev-encryption-ok",
  "flag_pattern": "*-encryption",
  "resource_pattern": "aws_*",
  "severity": "ignore",
  "reason": "Dev environment does not require encryption"
}
```
Escalate public access on S3 only:
```json
{
  "id": "s3-public",
  "flag_pattern": "public-*",
  "resource_pattern": "aws_s3_bucket*",
  "severity": "critical",
  "reason": "Public S3 buckets are a data leak risk"
}
```