
Policies

Policies turn operational intent into enforceable rules. A policy defines who can operate a resource, when actions are allowed, how rotation works, and what evidence is retained.

Define

Write repeatable access and lifecycle requirements.

Bind

Attach policy to a scope or resource boundary.

Enforce

Apply controls to access, verification, rotation, and sessions.

Review

Use logs, drift, posture, and ledger integrity to explain changes.

Policies become operational when bound to scopes or resources. Scope bindings let teams govern whole operational boundaries; resource bindings let teams handle a specific high-risk target with sharper control.

Bindings deserve review whenever resources move between ownership boundaries, account ownership changes, or a policy starts producing drift, failed verification, or unexpected access outcomes.

Common controls include rotation cadence, verification requirements, reveal restrictions, retrieval eligibility, SSH key posture, connect eligibility, session timeouts, recording requirements, clipboard/file-transfer decisions, and administrative review.

Policies are also the place where operational intent becomes repeatable: who can act, which resource or account is in scope, whether a reason is required, and what evidence should exist after the workflow.

{
  "verify_enabled": true,
  "verify_interval_days": 7,
  "rotate_enabled": true,
  "rotate_interval_days": 30,
  "secret_reveal_allowed": false,
  "secret_retrieval_allowed": false,
  "allow_password_auth": true,
  "allow_key_auth": true,
  "key_rotation_enabled": true,
  "discover_unknown_keys": true,
  "session": {
    "launchAllowed": true,
    "recordingRequired": true,
    "sessionTimeoutSeconds": 3600,
    "idleTimeoutSeconds": 900
  }
}

This shape is intentionally readable. Security teams can review it, engineers can automate it, and auditors can understand which controls were expected for a resource.
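One way to make the "engineers can automate it" part concrete is a pre-merge check that a policy document in this shape is well-formed and that its control values raise no posture questions before it is bound. The following is an added example written for this page, not Anchor's own validator; the type table, the consistency rules and the wording of the warnings are assumptions, and the sample document is the one shown above, embedded as constructed input so the check runs offline.

```python
import json

# Constructed sample: the policy document shown on the page, as JSON text.
SAMPLE_POLICY_JSON = """{
  "verify_enabled": true,
  "verify_interval_days": 7,
  "rotate_enabled": true,
  "rotate_interval_days": 30,
  "secret_reveal_allowed": false,
  "secret_retrieval_allowed": false,
  "allow_password_auth": true,
  "allow_key_auth": true,
  "key_rotation_enabled": true,
  "discover_unknown_keys": true,
  "session": {
    "launchAllowed": true,
    "recordingRequired": true,
    "sessionTimeoutSeconds": 3600,
    "idleTimeoutSeconds": 900
  }
}"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

# Expected type of every control in the shape (assumed for this example).
# Types are compared exactly because bool is a subclass of int in Python.
TOP_LEVEL_TYPES = {
    "verify_enabled": bool, "verify_interval_days": int,
    "rotate_enabled": bool, "rotate_interval_days": int,
    "secret_reveal_allowed": bool, "secret_retrieval_allowed": bool,
    "allow_password_auth": bool, "allow_key_auth": bool,
    "key_rotation_enabled": bool, "discover_unknown_keys": bool,
}
SESSION_TYPES = {
    "launchAllowed": bool, "recordingRequired": bool,
    "sessionTimeoutSeconds": int, "idleTimeoutSeconds": int,
}


def _check_shape(section, expected, prefix, findings):
    """Report missing keys, wrong types and unknown keys for one object."""
    for key, typ in expected.items():
        if key not in section:
            findings.append(("error", f"{prefix}{key}: missing"))
        elif type(section[key]) is not typ:
            findings.append(("error", f"{prefix}{key}: expected {typ.__name__}, "
                                      f"got {type(section[key]).__name__}"))
    for key in section:
        if key not in expected:
            findings.append(("warning", f"{prefix}{key}: unknown control, not checked"))


def validate_policy(doc):
    """Validate a policy given as JSON text or an already-parsed dict.

    Returns a list of (severity, message) tuples; an empty list means the
    document is well-formed and raises no posture questions."""
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError as exc:
            return [("error", f"invalid JSON: {exc.msg} at line {exc.lineno}")]
    if not isinstance(doc, dict):
        return [("error", "policy must be a JSON object")]

    findings = []
    top = {k: v for k, v in doc.items() if k != "session"}
    _check_shape(top, TOP_LEVEL_TYPES, "", findings)
    session = doc.get("session")
    if not isinstance(session, dict):
        findings.append(("error", "session: missing or not an object"))
    else:
        _check_shape(session, SESSION_TYPES, "session.", findings)
    if any(sev == "error" for sev, _ in findings):
        return findings  # do not reason about posture on a malformed document

    # Consistency checks: combinations that cannot work as written.
    if doc["verify_enabled"] and doc["verify_interval_days"] <= 0:
        findings.append(("error", "verify_interval_days: must be positive when verify_enabled"))
    if doc["rotate_enabled"] and doc["rotate_interval_days"] <= 0:
        findings.append(("error", "rotate_interval_days: must be positive when rotate_enabled"))
    if session["sessionTimeoutSeconds"] <= 0:
        findings.append(("error", "session.sessionTimeoutSeconds: must be positive"))
    if session["idleTimeoutSeconds"] > session["sessionTimeoutSeconds"]:
        findings.append(("error", "session.idleTimeoutSeconds: exceeds session.sessionTimeoutSeconds"))
    if not (doc["allow_password_auth"] or doc["allow_key_auth"]):
        findings.append(("error", "no authentication method allowed; the resource cannot be operated"))

    # Posture questions a reviewer would want answered before approving.
    if doc["secret_reveal_allowed"]:
        findings.append(("warning", "secret_reveal_allowed: true; confirm the resource needs interactive reveal"))
    if doc["secret_retrieval_allowed"]:
        findings.append(("warning", "secret_retrieval_allowed: true; confirm programmatic retrieval is required"))
    if doc["allow_key_auth"] and not doc["key_rotation_enabled"]:
        findings.append(("warning", "key_rotation_enabled: false while key auth is allowed"))
    if session["launchAllowed"] and not session["recordingRequired"]:
        findings.append(("warning", "session.recordingRequired: false; sessions will leave no recording"))
    return findings


if __name__ == "__main__":
    for severity, message in validate_policy(SAMPLE_POLICY_JSON) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Errors stop the check before posture rules run, so a malformed document never produces a misleading "clean" posture report; warnings are review questions, not automatic rejections, and a team can decide which ones block a change.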

The strongest policy systems explain where a control came from. Anchor’s effective-policy model shows which policy applies to a resource, while resolved behavior explains individual control values, sources, reasons, warnings, and overrides.

That matters during operations. If access is blocked, a session is denied, rotation is overdue, or verification fails, the team should be able to understand the control path without reverse-engineering a ticket trail.
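The Define, Bind, Enforce, Review loop above and the effective-policy explanation it ends in can be shown together as a small resolver: a scope binding supplies the baseline, a resource binding overrides individual controls, and every effective value carries its source, reason, superseded values and any warning about a loosened control, so a denied action can be explained from the control path. This is an added example written for this page, not Anchor's effective-policy implementation; the binding names, the resource policy, the control direction tables and the action-to-control mapping are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample bindings. The scope policy uses the shape from the page;
# the resource policy is a partial override for one high-risk target.
# The names "prod-scope" and "db-prod-01" are invented for this example.
SCOPE_POLICY = {
    "verify_enabled": True, "verify_interval_days": 7,
    "rotate_enabled": True, "rotate_interval_days": 30,
    "secret_reveal_allowed": False, "secret_retrieval_allowed": False,
    "allow_password_auth": True, "allow_key_auth": True,
    "key_rotation_enabled": True, "discover_unknown_keys": True,
    "session": {"launchAllowed": True, "recordingRequired": True,
                "sessionTimeoutSeconds": 3600, "idleTimeoutSeconds": 900},
}
RESOURCE_POLICY = {
    "allow_password_auth": False,   # key-only on this target
    "rotate_interval_days": 45,     # looser than the scope: should draw a warning
    "session": {"recordingRequired": True, "sessionTimeoutSeconds": 1800},
}
# (name, kind, policy) in precedence order, lowest first: resource beats scope.
SAMPLE_BINDINGS = [("prod-scope", "scope", SCOPE_POLICY),
                   ("db-prod-01", "resource", RESOURCE_POLICY)]

# Direction in which each control gets looser (an assumption of this example),
# used to flag overrides that weaken the inherited posture.
LOOSER_WHEN_HIGHER = {"verify_interval_days", "rotate_interval_days",
                      "session.sessionTimeoutSeconds", "session.idleTimeoutSeconds"}
LOOSER_WHEN_TRUE = {"secret_reveal_allowed", "secret_retrieval_allowed",
                    "allow_password_auth", "session.launchAllowed"}
LOOSER_WHEN_FALSE = {"verify_enabled", "rotate_enabled", "key_rotation_enabled",
                     "discover_unknown_keys", "session.recordingRequired"}


@dataclass
class ResolvedControl:
    value: object
    source: str                                     # binding that supplied the value
    reason: str
    overrides: list = field(default_factory=list)   # (binding, value) pairs superseded
    warnings: list = field(default_factory=list)


def flatten(policy, prefix=""):
    """Flatten the nested shape to dotted keys, e.g. "session.launchAllowed"."""
    flat = {}
    for key, value in policy.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def is_looser(control, new, old):
    """True when replacing old with new weakens the control."""
    if control in LOOSER_WHEN_HIGHER:
        return new > old
    if control in LOOSER_WHEN_TRUE:
        return bool(new) and not old
    if control in LOOSER_WHEN_FALSE:
        return bool(old) and not new
    return False


def resolve_effective(bindings):
    """Merge bindings control by control, keeping provenance for each value."""
    resolved = {}
    for name, kind, policy in bindings:
        for control, value in flatten(policy).items():
            prev = resolved.get(control)
            if prev is None:
                resolved[control] = ResolvedControl(value, name, f"set by {kind} binding {name}")
            elif prev.value == value:
                prev.reason += f"; restated by {kind} binding {name}"
            else:
                current = ResolvedControl(
                    value, name, f"{kind} binding {name} overrides {prev.source}",
                    overrides=prev.overrides + [(prev.source, prev.value)],
                    warnings=list(prev.warnings))
                if is_looser(control, value, prev.value):
                    current.warnings.append(
                        f"{name} loosens {control} from {prev.value!r} to {value!r}")
                resolved[control] = current
    return resolved


# Which control gates which operational action (assumed for this example).
ACTION_GATES = {
    "reveal": "secret_reveal_allowed",
    "retrieve": "secret_retrieval_allowed",
    "password_login": "allow_password_auth",
    "launch_session": "session.launchAllowed",
}


def explain_action(resolved, action):
    """Say whether an action is allowed and which binding decided it."""
    control = ACTION_GATES[action]
    rc = resolved[control]
    return {"action": action, "allowed": rc.value is True, "control": control,
            "source": rc.source, "reason": rc.reason, "warnings": rc.warnings}


if __name__ == "__main__":
    effective = resolve_effective(SAMPLE_BINDINGS)
    for control, rc in sorted(effective.items()):
        print(f"{control:32} {rc.value!r:6} from {rc.source}  ({rc.reason})")
    print(explain_action(effective, "password_login"))
```

With the sample bindings, a password login to db-prod-01 is denied and the explanation names the resource binding, not the scope, as the deciding source; the rotation override from 30 to 45 days is carried as a warning on the effective control, which is exactly the kind of binding change the earlier review guidance says deserves a second look.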

Policy changes are security-relevant changes. Review ledger and log activity after updating a policy that affects privileged resources.