New compliance packs for CIS, NIST, and PCI DSS. Achieving compliance with industry standards such as CIS, NIST, or PCI DSS is a foundational step for every organization. Yet for many teams, it's often a manual, months-long process that involves interpreting controls, authoring custom policies, and validating configurations across multiple clouds. These challenges often slow progress toward a known and secure cloud state. Pulumi is changing that. To simplify this journey, Pulumi launched a new suite of pre-built compliance policy packs for CIS Controls v8.1, NIST SP 800-53 Rev. 5, and PCI DSS v4.0. These packs are your accelerator for the "Get Clean" journey, allowing you to enforce critical security and compliance baselines across your cloud infrastructure in minutes, not months. More than just detection: the complete governance lifecycle. Traditional security tools are reactive, scanning for problems after resources have been deployed. With Pulumi, these new compliance packs are the engine for an end-to-end governance lifecycle that integrates directly into your cloud operations. * Audit for Full Coverage: Run these packs in audit mode to scan your entire cloud estate, including resources managed by Pulumi and those created through other means. This gives you an instant, comprehensive view of your current compliance posture. * Triage and Remediate: When a pack finds a violation, the finding appears in the new Policy Findings hub. From there, your team can triage, assign, and track the issue through its entire lifecycle. And with its new AI-powered capabilities, you can assign the issue to Pulumi Neo to automatically generate a pull request with the fix. * Prevent Non-Compliance: Once your environment is clean, you use these same packs as preventative guardrails. By running them during pulumi up, you block non-compliant resources before they are ever created, ensuring you "Stay Clean." This tri-modal capability - Audit, Remediate, and Prevent - is uniquely powerful, allowing you to fix existing issues while stopping new ones from being introduced. New and expanded compliance packs. Its new policy packs provide extensive, out-of-the-box coverage for some of the most widely adopted security frameworks. They are authored and maintained by Pulumi experts and join its existing library to provide a comprehensive toolkit for cloud governance. Benefits of pre-built packs. * Accelerate Compliance: Implement comprehensive governance controls in minutes without authoring hundreds of policies from scratch. * Leverage Expert Knowledge: Packs are authored and maintained by Pulumi, incorporating deep expertise in cloud and the nuances of each framework. * Codify Controls for Audits: Demonstrate to auditors that specific compliance controls are consistently enforced through code, providing a clear evidence trail. * Reduce Risk Proactively: Catch common security risks and compliance violations before deployment, drastically reducing your organization's exposure. Get started today. These policy packs are available now and are the perfect way to begin your governance journey with Pulumi. To get started, head to the Policies page in your Pulumi Cloud organization and click on the All tab to find these new packs. Add them to an Audit Policy Group and run a scan. Within minutes, you'll see a complete picture of your compliance posture in the Policy Findings hub, ready for triage and remediation. Need a compliance pack for a standard that isn't listed here? Please let Pulumi know by raising a request on its GitHub repository. Try pulumi policies. New to Pulumi? Start your governance journey today. For complete documentation, visit its Policies documentation.

Announcing the next generation of Pulumi Policies: ai-accelerated governance for the cloud. The era of AI-accelerated development has created a paradox: the faster developers move, the bigger the governance challenge becomes. For years, security and platform teams have worked to "shift left," but the tools available have been incomplete. Most focus on detection, which is necessary but not sufficient. They identify thousands of policy violations across an organization's infrastructure but leave teams with an overwhelming backlog and no scalable way to remediate it. This creates a persistent gap between finding a problem and fixing it. The result is an impossible choice between development velocity and organizational control, forcing leadership to slow down innovation to manage risk. Pulumi is thrilled to announce the next generation of Pulumi Policies, a comprehensive governance solution that moves beyond detection to deliver AI-powered remediation at scale. Pulumi is introducing a new lifecycle to secure your cloud: first, Get Clean by using AI to fix your existing policy violations. Second, Stay Clean by using policy as a universal guardrail that makes AI-driven development not just fast, but fundamentally safe. These are not strictly sequential steps; you can begin enforcing "Stay Clean" policies for all new infrastructure while you simultaneously work on the "Get Clean" process for your existing footprint. Part 1: Get Clean - From thousands of issues to a compliant state. The first step to a secure cloud is tackling the mountain of existing misconfigurations spread across your environments. First, gain complete visibility with the new Policy Findings Hub. To fix your issues, you first need to see them clearly. Pulumi has introduced a powerful Policy Findings Hub designed to give every stakeholder the exact view they need. * The Overview Tab: A high-level dashboard with compliance scores for leadership to track trends and measure your organization's posture. * The Compliance Tab: A control-centric view for auditors and infosec teams, grouping findings by policy (e.g., CIS, NIST) to simplify evidence gathering and prove compliance. * The Issues Tab: A collaborative workspace for platform and development teams to triage, assign, prioritize, and track the remediation of every policy issue. This hub is powered by its flexible audit capabilities. With Audit Scans for IaC Stacks, you can get an instant compliance baseline on all your existing Pulumi-managed infrastructure without blocking developers or re-deploying thousands of stacks. This is combined with discovery scans of your cloud accounts to give you a single, unified view of every resource, whether managed by Pulumi or not. The solution to remediation at scale: ai-powered fixes with Pulumi Neo. Visibility creates a new problem: an overwhelming backlog. Manually fixing thousands of issues is an impossible task. This is where Pulumi Neo provides a powerful solution. Pulumi Neo, its AI platform engineer, is now integrated directly into the Policy Findings hub to automate the most difficult part of the process: the fix itself. From the Issues tab, your teams can now select a group of policy issues, assign them to Neo, and trigger a remediation flow. * Analyze the non-compliant resources and the policies they are violating. * Understand the required configuration to make them compliant. * Generate a pull request with the exact code changes needed to fix the issues. Most powerfully, for an unmanaged resource discovered via a cloud scan, Neo will generate the code to import the resource into a Pulumi stack and apply the fix. This "Import and Fix" workflow transforms unmanaged infrastructure into governed, compliant code, turning a task that could take a developer hours into a simple review-and-merge process. Your teams can finally burn down their issue backlog and achieve a state of continuous compliance. Part 2: Stay Clean - The universal guardrail for humans and AI. Once you begin cleaning your environment, the next challenge is to stay clean. As AI accelerates infrastructure creation, you need robust guardrails to ensure it doesn't also accelerate the creation of security risks. The answer is Policy as Real Code. Pulumi Policies uses general-purpose languages like TypeScript and Python to create sophisticated guardrails that govern every change. To help you establish these controls immediately, Pulumi is launching a new suite of pre-built compliance packs authored and maintained by Pulumi experts. | Framework | AWS | Azure | Google Cloud | | CIS Controls v8.1 | | | NIST SP 800-53 Rev. 5 | / | / | | PCI DSS v4.0 | / | / | | HITRUST CSF v11.5 | | | Pulumi Best Practices | | These policies act as a universal guardrail for your entire organization by blocking non-compliant changes during pulumi up, before they are ever created. Learn more about its compliance packs. And now, you can even use Neo to author new policies. You can ask Neo in plain English to "create a policy that prevents overly permissive IAM roles," and it will generate the code for you. This creates a powerful, dynamic governance system where AI can help you build the very rules that then govern its own actions. If you then ask Neo to create an admin role, the deployment will be blocked by the policy it just helped write. This is how Pulumi make AI safe to go fast. A new era of collaboration. This "Get Clean, Stay Clean" lifecycle transforms how teams work together: * Platform Teams lead prevention by building real-code guardrails, proving their value with measurable compliance scores. * Security Teams drive the "Get Clean" process with continuous, non-blocking audit scans and use the Findings hub to manage compliance without slowing development. Governance that accelerates you. The age of AI-driven development demands AI-powered governance. With this new generation of Pulumi Policies, Pulumi is providing the essential infrastructure for platform engineering teams to not just survive, but thrive. You can finally build preventative guardrails that developers love, secure your cloud at scale, and transform governance from a blocker into a business accelerator. Learn more about Pulumi Insights & Governance capabilities. This powerful new experience is available today. Navigate to the Policies and Policy Findings tab in Pulumi Cloud to explore your new governance capabilities and meet the future of platform engineering.

Pulumi ESC: Open Approvals. Many teams live with the fear that a production environment might be accidentally opened, exposing credentials or sensitive systems before anyone even notices. Pulumi is excited to announce a new feature for Pulumi ESC: Open approvals. A governance capability that lets organizations require review and sign-off before an environment is opened (i.e. activated or exposed). Expanding on its mission to enforce compliance and security without slowing teams down. You may recall that earlier this year Pulumi introduced Approvals for updates, which allows teams to require review and sign-off before applying modifications to environment configurations. Pulumi is now extending Pulumi ESC auditing and governance capabilities to enable Just in time (JIT) access control. Many organizations require more robust guardrails around when an environment becomes active or accessible. Open Approvals introduces a gate before environment activation, enforcing that every environment open is intentional, reviewed, and governed. Open Approvals introduces a gate before environment activation, enforcing that every environment open is intentional, reviewed, and governed. How it works. When configuring Approvals gates for your environments under Settings | Approval Rulesets, you can now gate Open actions in addition to Updates. From this very same UI, you can define the approvals requirements: * Number of required reviewers * Specific teams or individuals allowed to approve * Whether self-approval is permitted Once a ruleset is defined, all open operations in the corresponding environment will require to be approved before proceeding. To create an open request, users need to specify the approval duration, how long they need access after opening the environment, and a description explaining why access is needed. Approvals can be later review and approved from the Approvals tab. A request access can also be created from the CLI via the newly introdcued env open-request command. Closing notes. Open approvals expands on Pulumi ESC support for compliance and governance capability while Pulumi stay true to its goal: empower teams to move fast while staying secure and compliant: no matter where or how changes happen. Pulumi is excited about what's ahead and look forward to building it together with your feedback.