> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ubiquex.io/llms.txt
> Use this file to discover all available pages before exploring further.

# policy

> The policy block defines governance rules that are checked against declared resources.

The `policy` block defines a governance rule that is checked against the resources in a stack. Policies are evaluated during plan- and scan-style checks (see [`ubx scan`](/v1/cli/scan)) to enforce organizational standards before changes are applied.

## Syntax

```xcl theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
policy name {
  description = "…"
  severity    = "error"

  rule {
    resource  = "aws.s3.Bucket"
    condition = <boolean expression>
  }
}
```

The label is a bare identifier, quotes optional. A quoted label may contain spaces.

## Fields

| Field         | Description                                                                                        |
| ------------- | -------------------------------------------------------------------------------------------------- |
| `description` | Optional. A human-readable explanation of the policy.                                              |
| `severity`    | `"error"` or `"warn"`. An `error` fails the check; a `warn` reports the violation without failing. |
| `rule { }`    | One or more rule blocks. See [rule](#rule-blocks).                                                 |

## Rule blocks

| Field       | Description                                                     |
| ----------- | --------------------------------------------------------------- |
| `resource`  | The resource type the rule applies to, e.g. `"aws.s3.Bucket"`.  |
| `condition` | A boolean expression that must hold for every matched resource. |

<Note>
  Inside `condition`, bare identifiers resolve against the matched resource's attributes — for example, `acl` refers to the matched bucket's `acl` attribute.
</Note>

## Example

```xcl theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
policy no_public_buckets {
  description = "S3 buckets must not be public"
  severity    = "error"

  rule {
    resource  = "aws.s3.Bucket"
    condition = acl != "public-read"
  }
}
```

## How policies are used

Policies are evaluated during plan- and scan-style checks. Every matched resource is tested against each rule's `condition`; a failing rule reports its policy according to the declared `severity`.
