RightScale Policy Management allows you to automate governance across your multi-cloud environment to increase agility and efficiency while managing security and risk in your organization. The capability is purpose-built around an intelligent policy engine that lets you enforce rules and best practices to help you achieve business outcomes such as saving time, reducing cost, increasing utilization, and rightsizing your cloud environment.

Key Capabilities

  • Built-in Policies for Cost, Security, Operational, and Compliance use cases
  • Dry run policies and then configure them to take approved actions on any API-backed cloud, service, and resource
  • Automate policies across your entire cloud landscape (multiple accounts)
  • Maintain policy-as-code using the built-in policy template language to write your own policies
  • Policies can enforce rules on any cloud or any service with an API
  • Automate your policies using the fully-featured Policies API and documentation
Introduction to RightScale Policy Automation

Policy Use Cases

RightScale developed a wide variety of built-in policies that provide high value with minimal effort on Day 1. You can simply select the policy you are interested in, customize it, and apply it to individual accounts or across multiple accounts to achieve your business outcomes. Find the complete list here.

In addition to the following examples, the policy engine supports writing custom policies, so customers can meet custom requirements and are not limited by what RightScale provides out of the box.


Cost

Increase cost visibility and management in your multi-cloud world and take appropriate actions to run an efficient infrastructure.

  • Identify where you are wasting spend and realize immediate savings
  • Collaborate to reduce future cloud costs
  • Use tagging as a foundation for ongoing cost management
  • Automate waste prevention


Security

Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.

  • Secure public storage buckets
  • Take control of your security groups
  • Monitor and secure IAM access


Operational

Save valuable human time and investment by automating everyday IT operations. Running an automated and efficient cloud infrastructure frees up expensive resources for high-ROI projects such as scaling, growth, and delivering value faster than anyone else.

  • Reduce waste by putting instances on a schedule
  • Set up automatic key rotation to avoid downtime


Compliance

Enterprises typically have multiple compliance requirements but struggle to automate them, which leads to downtime as well as resource waste. Having a strong compliance strategy, along with the ability to automate it quickly, provides peace of mind and avoids business interruption.

  • Ensure a comprehensive tagging strategy
  • Write custom policies for HIPAA, GDPR, PCI, and more

Policy Actions

Policy Engine leverages our multi-cloud orchestration platform written in Cloud Workflow Language that allows managing entire applications running on the cloud. These actions may include adding an approval prior to executing a set of automated actions.


  • Start/Stop instances
  • Change (downsize) instances
  • Add/Remove Tags
  • Add/Terminate/Delete resources (e.g., unattached volumes, old snapshots)
  • Migrate between storage classes
  • Slack and Email Notifications
  • Running Operational Runlists
  • Scaling Server Arrays
  • Retrieving and analyzing metrics data
  • Sending requests to external applications

Basic Concepts


Policy Template

An open source policy definition, written in the powerful Policy Template Language, that defines the blueprint of a policy. It specifies input parameters, conditions, and actions the policy will take when it is triggered. You can use built-in policy templates from RightScale as is or customize the source code to create your own custom policy. A Policy Template can be published to the Catalog to make it visible to the entire organization.

Applied Policy

A running policy that has been applied from a policy template. It inherits all the properties of the policy template. One policy template can be applied as many times as needed with different input parameters. For example, you could apply a policy that looks for unattached volumes to development accounts and production accounts with different parameters and resolution actions. In development accounts, you could configure the applied policy to automatically delete unattached volumes after 3 days, while in the production accounts, you could simply send an email alert.


Incident

When the conditions of the applied policy are met, an incident is created. It contains all the information about why the policy was triggered and the current status. One applied policy can have more than 1 incident. Incidents can be in one of the following states:

  • active - one or more conditions were found to be true during the policy check (this state is called triggered in the API)
  • resolved - the conditions that created this incident no longer exist, or the resolve_incident function was called
  • terminated - the applied policy was terminated while the incident was active

Incidents that are not actionable (they are terminated or resolved with no pending actions) are archived after 30 days and available only via the API.

Key Policy Constructs

There are several key concepts in Policies that will help you better understand RightScale policies and write your own custom policies.



An event, action or schedule that activates a policy execution to check for the condition (e.g. Every 15 minutes).


Rules that are evaluated when a policy is activated (e.g. ensure instances always have required tags).


Remediation that a policy takes when the conditions are met. Defined as escalation in the policy templates. These actions could be fully automated or can be set to get an approval prior to executing the automated actions, e.g. approve deleting all the unattached volumes detected by the policy and send email notification.


Defines the actions to be taken when a policy violation is resolved. Defined as resolution in the policy template. These actions could be fully automated or can be set to get an approval prior to executing the automated actions, e.g. approve closing a JIRA ticket as part of the resolution.

Feature Overview


Catalog

The Catalog is the central place for viewing published templates available in your organization that can be applied to individual or multiple accounts. Users with the policy_publisher role can choose to un-publish policy templates that they do not wish to make available to other users in the organization.



Dashboard

The Dashboard provides a summary view of what is happening in the account. It shows important information on Applied Policies and Incidents to give you complete insights to take actions.


Applied Policies

This view shows all applied policies running in the account. Using the Account selector drop-down at the top of the page, you can switch between different accounts to see the applied policies in each account. You can choose to view complete details on the policy or take actions like terminating the policy or applying a similar one.


Apply Similar Policy

This action makes it seamless to quickly apply a similar policy in a different account or to tweak the input parameters for a new policy. Just click the actions menu and hit Apply Similar, and the system will try to pre-fill input parameters from the original policy.



Incidents

Similar to the Applied Policies page, this view shows all incidents generated by policies over time. You can see complete details on the Incident along with resources, actions, approvals and/or resolutions.



Templates

This view is for policy designers so they can upload Policy Templates for testing before publishing them to the Organization for wider use. To publish a policy template, you will need the special organization-level role policy_publisher.


Policy Publishing Flow

The diagram below outlines how the policy engine works. Typically a policy developer will develop policy templates and test them by uploading them to the Templates page. Once the policy template is ready to be published, a policy_publisher can choose to publish it to the Catalog, making it available to everyone in the organization.




Access control

RightScale policy management comes with granular access control to provide more flexibility based on the user type. You can grant users these roles using Governance.

| Page | Features | Roles that can use the feature |
|---|---|---|
| Catalog | View Catalog | policy_publisher, policy_designer, policy_manager |
| Catalog | Publish a Policy Template | policy_publisher |
| Catalog | Un-publish a Policy Template | policy_publisher |
| Catalog | Delete custom Policy Template | policy_publisher |
| Dashboard | View Dashboard | policy_designer, policy_manager, policy_viewer |
| Applied Policies | View Applied Policies | policy_designer, policy_manager, policy_viewer |
| Applied Policies | Terminate a policy | policy_designer, policy_manager |
| Applied Policies | Apply a similar policy | policy_designer, policy_manager |
| Incidents | View Incidents | policy_designer, policy_manager, policy_viewer |
| Incidents | Approve or Deny an Action | policy_approver |
| Templates | View Templates | policy_publisher, policy_designer |
| Templates | Upload a custom policy | policy_designer |
| Templates | Apply a policy | policy_designer |
| Templates | Delete a custom policy template | policy_designer |
| Templates | Publish a Policy Template | policy_publisher |

How to grant policy roles?

Role-based access control is centrally managed by our Governance module. You can grant any role to the desired user from there. You will need the enterprise_manager or admin role to access Governance.


Additional Role Requirement

The policy roles above only grant users access to policy management; they do not automatically grant the access required to run policies, including taking actions (read or write). Depending on the policy and action, each policy requires additional roles, as outlined on the policy list page.

Writing your own Policy

We built the policy engine with the very important goal of keeping it open source, so users can either customize RightScale built-in policies or write their own based on their custom requirements.

Get started with writing your custom policies using the Policy Template Language.

API Documentation

Policy management has extensive APIs that are publicly available to customers.

Policy API Doc