Verified steps

Initialize a CrossGuard policy pack using the Pulumi CLI with the TypeScript template, producing a PulumiPolicy.ts file and a package.json with the required policy SDK dependency
Write a resource validation policy for S3 buckets that checks the versioning configuration property and reports a violation using the reportViolation function when versioning is not enabled, setting enforcement level to mandatory
Write a second policy for IAM managed policies that inspects the policy document for statements with Action values containing wildcards, and reports a violation with enforcement level advisory and a remediation message
Publish the policy pack locally using pulumi policy publish and reference it in the target stack's Pulumi.yaml or via the Pulumi console policy group assignment
Run pulumi preview on a stack that includes non-compliant resources and verify that mandatory violations block the update while advisory violations are surfaced as warnings

Known gotchas

CrossGuard policies receive the resource inputs as they are declared in the Pulumi program, not the live cloud state; a policy checking an attribute that defaults to a value at the cloud provider level but is not set in the program will see the attribute as undefined rather than the effective default
Enforcement level mandatory causes pulumi up to fail but pulumi preview still completes and shows violations; callers who only run preview may miss that a deployment would be blocked, so mandatory policies should be documented prominently for the team
Policy pack versioning uses a local version string in package.json; pushing multiple updates with the same version number overwrites the previous pack without warning, which can silently change enforcement behavior for all stacks using that policy group

pulumi.com/docs/iac/using-pulumi/crossguard · 6 steps · unrated

Implement a Pulumi component resource in TypeScript that encapsulates an S3 bucket, bucket policy, and CloudFront distribution as a reusable abstraction

pulumi.com · 5 steps · unrated

Scope and enforce Amazon Bedrock Guardrails on non-Bedrock LLM traffic via ApplyGuardrail API

docs.aws.amazon.com/bedrock · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Configure Pulumi CrossGuard policy pack to enforce that all S3 buckets have versioning enabled and that no IAM policies use wildcard actions, with advisory and mandatory enforcement levels

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes