Policy as Code: OPA & Sentinel in IaC Quiz

Strengthen your understanding of Policy as Code practices in Infrastructure as Code by exploring how OPA and Sentinel manage compliance, governance, and resource control. This quiz covers syntax, policy evaluation, and integration concepts crucial for secure and automated IaC workflows.

  1. OPA Policy Structure

    Which statement most accurately describes the structure of a typical OPA policy used in Infrastructure as Code scenarios?

    1. It consists of rules written in a declarative language that evaluate input data to allow or deny actions.
    2. It enforces rules using regular expressions only, without a formal syntax.
    3. It requires policies to be embedded directly into infrastructure templates as plain text comments.
    4. It uses imperative functions with conditional loops to control resource creation.

    Explanation: OPA policies are composed of declarative rules that examine input data and determine whether actions should be allowed or denied. The policies are typically separate from the infrastructure templates and use Rego, a policy language, rather than being written as plain comments or imperative code. Using loops or regular expressions alone does not make a complete or accurate OPA policy structure.

  2. Sentinel Policy Decision Outcomes

    In the context of Policy as Code for Infrastructure as Code, what is the primary result returned by a Sentinel policy evaluation?

    1. A set of cloud credentials for authorized users.
    2. A YAML file that lists all compliant resources.
    3. A sorted list of all resources generated by the plan.
    4. A boolean indicating pass or fail, with optional custom messages for feedback.

    Explanation: When Sentinel policies are evaluated, the main outcome is whether the input passes or fails the defined policy, often with the ability to provide messages for explanation. The system does not generate YAML files of compliant resources, distribute credentials, or simply sort resources. The focus is on compliance assessment, not infrastructure output generation.

  3. OPA vs Sentinel: Policy Language Differences

    What distinguishes the policy language used by OPA from the policy language used by Sentinel in Infrastructure as Code frameworks?

    1. OPA utilizes embedded Python scripts, whereas Sentinel uses only JSON schemas.
    2. OPA uses Rego, a high-level declarative language, while Sentinel employs its own domain-specific language.
    3. OPA and Sentinel both use SQL queries as their core language.
    4. OPA requires YAML syntax exclusively, while Sentinel can use JavaScript.

    Explanation: OPA relies on Rego, a dedicated declarative language crafted for policy definitions, while Sentinel has its own specific language designed for policy logic. OPA does not use Python scripts or YAML files as its primary syntax, and Sentinel does not use JavaScript or JSON schemas for writing policies. Neither uses SQL as its primary language.

  4. Policy as Code Enforcement Points

    At which stage do Policy as Code engines like OPA and Sentinel typically evaluate policies during the Infrastructure as Code deployment lifecycle?

    1. During the planning or pre-apply phase before infrastructure changes are actually made.
    2. When writing initial code but not during execution.
    3. Only after resources have already been provisioned in the environment.
    4. Directly on the operating system after deployment finishes.

    Explanation: Policy engines like OPA and Sentinel are designed to intervene during the planning or pre-apply phase, evaluating potential changes before they affect the environment. This proactive approach helps catch violations early, rather than reacting after deployment. They are not applied just when writing code or limited to post-deployment checks on the operating system.

  5. Benefits of Policy as Code in IaC

    Which of the following is a primary benefit of implementing Policy as Code with tools like OPA and Sentinel in Infrastructure as Code environments?

    1. Accelerating the execution speed of each virtual machine by default.
    2. Automated enforcement of compliance and security standards across all infrastructure changes.
    3. Eliminating the need for source code version control systems.
    4. Reducing the cost of cloud provider storage directly.

    Explanation: The main advantage of Policy as Code is that it automates the enforcement of required standards, greatly improving governance and reducing manual review. Using Policy as Code does not replace source code version control, nor does it inherently affect storage costs or virtual machine performance. Its value is in automated, consistent compliance and security.