{"id":"4a575fb2-b998-4ab1-b738-a02bd1591d4e","task":"Configure Pulumi CrossGuard policy pack to enforce that all S3 buckets have versioning enabled and that no IAM policies use wildcard actions, with advisory and mandatory enforcement levels","domain":"pulumi.com","steps":["Initialize a CrossGuard policy pack using the Pulumi CLI with the TypeScript template, producing a PulumiPolicy.ts file and a package.json with the required policy SDK dependency","Write a resource validation policy for S3 buckets that checks the versioning configuration property and reports a violation using the reportViolation function when versioning is not enabled, setting enforcement level to mandatory","Write a second policy for IAM managed policies that inspects the policy document for statements with Action values containing wildcards, and reports a violation with enforcement level advisory and a remediation message","Publish the policy pack locally using pulumi policy publish and reference it in the target stack's Pulumi.yaml or via the Pulumi console policy group assignment","Run pulumi preview on a stack that includes non-compliant resources and verify that mandatory violations block the update while advisory violations are surfaced as warnings"],"gotchas":["CrossGuard policies receive the resource inputs as they are declared in the Pulumi program, not the live cloud state; a policy checking an attribute that defaults to a value at the cloud provider level but is not set in the program will see the attribute as undefined rather than the effective default","Enforcement level mandatory causes pulumi up to fail but pulumi preview still completes and shows violations; callers who only run preview may miss that a deployment would be blocked, so mandatory policies should be documented prominently for the team","Policy pack versioning uses a local version string in package.json; pushing multiple updates with the same version number overwrites the previous pack without warning, which can silently change enforcement behavior for all stacks using that policy group"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/4a575fb2-b998-4ab1-b738-a02bd1591d4e"}