Define fine-grained governance policies for AI agents using AWS IAM-inspired syntax
What are Sekuire Policies? Policies define what actions AI agents can perform, on which resources, and under what conditions. They use a familiar JSON structure inspired by AWS IAM policies.
Policies are assigned to workspaces, allowing different teams to have different governance rules within the same organization.
Policies are evaluated in real-time as agents attempt actions. Denied actions are blocked immediately and logged for audit.
A Sekuire policy consists of the following top-level fields:
{
"Version": "2024-12-02",
"Description": "Human-readable description of this policy",
"Statement": [
{
"Sid": "StatementID",
"Effect": "Allow | Deny",
"Action": "action | [actions]",
"Resource": "resource | [resources]",
"Condition": {}
}
],
"ResourceLimits": {},
"RequireApproval": {},
"AuditLog": {}
}Format: YYYY-MM-DD
Current version: 2024-12-02
Array of policy statements defining what is allowed or denied. Each statement contains:
Allow or DenySet limits on agent resource usage: execution time, tokens, cost, memory, concurrent requests, API calls, and storage.
Specify actions that require human approval before execution. Includes approver role, timeout, and notification channels.
Configure audit logging: retention period, what to include, and PII redaction settings.
Actions follow the format: resource:action[:subaction]
file:Readfile:Writefile:Deletefile:Listfile:*db:Selectdb:Insertdb:Updatedb:Deletedb:Schemadb:*api:Getapi:Postapi:Putapi:Deleteapi:*tool:bash:executetool:git:committool:docker:runtool:*agent:Callagent:Delegateagent:Subscribeagent:*data:ReadPIIdata:ReadFinancialdata:ReadHealthdata:*Wildcards: Use * to match all actions in a category (e.g., file:*) or all actions (*)
Resources use URI-like format: protocol://path/*
file://workspace/*All files in the workspace directory
file://workspace/tmp/*Only files in the temporary directory
https://api.example.com/*All endpoints on api.example.com
db://production/*All tables in the production database
db://analytics/usersOnly the users table in analytics database
*All resources (use with caution)
Conditions allow you to add contextual restrictions to policy statements.
StringEqualsMatch exact string values
"Condition": {
"StringEquals": {
"context.environment": "production"
}
}StringLikeMatch strings with wildcards
"Condition": {
"StringLike": {
"resource.path": "/api/v*/users/*"
}
}IpAddressMatch source IP address or CIDR range
"Condition": {
"IpAddress": {
"source.ip": ["10.0.0.0/8", "172.16.0.0/12"]
}
}NumericLessThanNumeric comparison
"Condition": {
"NumericLessThan": {
"context.cost": 100.00
}
}BoolBoolean condition check
"Condition": {
"Bool": {
"encryption.enabled": true
}
}DateLessThanDate/time comparison
"Condition": {
"DateLessThan": {
"time.current": "2024-12-31T23:59:59Z"
}
}Start with one of our pre-built templates and customize as needed.
Permissive policy for development environments with read/write access and moderate limits
{
"Version": "2024-12-02",
"Description": "Permissive policy for development environments",
"Statement": [
{
"Sid": "AllowAllRead",
"Effect": "Allow",
"Action": [
"file:Read",
"file:List",
"api:Get",
"db:Select"
],
"Resource": "*"
},
{
"Sid": "AllowSafeWrites",
"Effect": "Allow",
"Action": [
"file:Write",
"api:Post"
],
"Resource": [
"file://workspace/tmp/*",
"https://api.staging.example.com/*"
]
}
],
"ResourceLimits": {
"MaxExecutionTime": "600s",
"MaxTokens": 50000,
"MaxCostPerHour": "$10.00",
"MaxMemory": "8GB"
},
"AuditLog": {
"Required": true,
"RetentionDays": 30,
"Include": [
"all_actions",
"outcomes"
]
}
}Restricted policy for production with read-only access, approval requirements, and strict limits
{
"Version": "2024-12-02",
"Description": "Restricted policy for production environments",
"Statement": [
{
"Sid": "AllowReadOnly",
"Effect": "Allow",
"Action": [
"file:Read",
"api:Get",
"db:Select"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"source.ip": [
"10.0.0.0/8",
"172.16.0.0/12"
]
}
}
},
{
"Sid": "DenyDestructive",
"Effect": "Deny",
"Action": [
"file:Delete",
"db:Delete",
"db:Schema"
],
"Resource": "*"
}
],
"ResourceLimits": {
"MaxExecutionTime": "300s",
"MaxTokens": 10000,
"MaxCostPerHour": "$5.00",
"MaxMemory": "4GB",
"MaxConcurrentRequests": 5
},
"RequireApproval": {
"Actions": [
"db:Update",
"db:Insert",
"file:Write",
"api:Post",
"api:Put"
],
"ApproverRole": "admin",
"TimeoutSeconds": 1800
},
"AuditLog": {
"Required": true,
"RetentionDays": 90,
"Include": [
"all_actions",
"resources",
"outcomes",
"timestamps",
"context"
],
"RedactPII": true
}
}Healthcare-focused policy with encryption requirements, 7-year audit retention, and strict approval workflows
{
"Version": "2024-12-02",
"Description": "HIPAA-compliant policy for healthcare data",
"Statement": [
{
"Sid": "AllowEncryptedHealthData",
"Effect": "Allow",
"Action": [
"data:ReadHealth"
],
"Resource": "db://healthcare/*",
"Condition": {
"Bool": {
"encryption.enabled": true
},
"StringEquals": {
"data.classification": "PHI"
}
}
},
{
"Sid": "DenyUnencryptedAccess",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"Bool": {
"encryption.enabled": false
}
}
}
],
"ResourceLimits": {
"MaxExecutionTime": "120s",
"MaxMemory": "2GB"
},
"RequireApproval": {
"Actions": [
"data:ReadHealth",
"data:WriteHealth"
],
"ApproverRole": "admin",
"TimeoutSeconds": 3600
},
"AuditLog": {
"Required": true,
"RetentionDays": 2555,
"Include": [
"all_actions",
"resources",
"outcomes",
"timestamps",
"context"
],
"RedactPII": false
}
}Test your policy syntax in real-time. Paste your policy JSON below to validate it.
Edit the policy JSON below to validate in real-time
Grant only the minimum permissions needed for agents to perform their tasks. Start restrictive and expand as needed.
Explicitly deny access to sensitive operations like deletions, schema changes, or access to production databases.
Use the RequireApproval field for actions that modify critical data or systems.
Always set ResourceLimits to prevent runaway costs and resource exhaustion.
Avoid "Action": "*", "Resource": "*", "Effect": "Allow" in production environments. This grants unlimited access.
Always keep audit logs enabled for compliance and security incident investigation.