Overview

Access control rules usually live in a PDF or Word document, not in the actual cloud configuration. Over time, the environment drifts away from what the policy says, and nobody notices until an audit or incident. For engineers, this means compliance gaps where the documented security controls no longer match what is actually configured in production, creating both security risk and audit findings.

Objective

I automate the weekly validation of your cloud environment against your written Access Control Policy by acting as your virtual compliance analyst. I bridge the gap between policy documents and reality by reading your Access Control Policy, extracting the controls that can be checked in your cloud, and running weekly assessments to look for deviations. I prepare compliance reports and create actionable tickets when issues are found, empowering teams to maintain continuous alignment between policy and practice.

Prompt

Weekly policy drift assessment
Hey Pleri, I have an internal Access Control Policy document that I would like you to check my cloud environment against on a weekly basis.

Setup:

I will upload my Access Control Policy PDF.

Review it and identify the key access control requirements that can be validated in my cloud environment.

Create a weekly task to run every Monday at 9:00 AM in my timezone to check my cloud for deviations from this policy.

When deviations are found:

Create 1 Jira ticket with the subject: "Pleri Policy Check - Access Control Policy deviations"

List all specific deviations from my policy document in the ticket, grouped by control

Send me a Slack DM with a high-level summary and a link to the Jira ticket

When no deviations are found:

Send me a Slack update confirming that my environment is compliant with my Access Control Policy

My Slack email is: [YOUR_SLACK_EMAIL].

I will now upload my Access Control Policy PDF.

Customization

  • Policy scope: I can focus on specific sections of the policy, or apply this to any policy that provides governance for your AWS, Azure or GCP clouds.
  • Control selection: I can call out which controls are actually testable in the cloud, and which are documentation or process only.
  • Schedule tuning: Change the schedule to match your governance rhythm, for example before CAB, or run daily in high-risk environments.
  • Jira ticket style: I can create separate tickets per control or per account if one big ticket doesn’t fit your workflow.
  • Slack routing: Instead of a DM, I can send updates to a channel such as #security-access-control and include the Jira link there.
  • Severity tagging: I can tag deviations as high, medium or low based on control type, for example root usage or no MFA as high.
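To make the "testable control" idea concrete, here is an added example (not Plerion or Pleri code) of the core of such a drift check: a handful of access control requirements expressed as checks over an IAM snapshot, deviations grouped by control, a severity rolled up per the tagging described above, and the text for a single ticket or a compliant summary. The snapshot format, the control identifiers and the severity assignments are assumptions constructed for the example; a real run would fill the same fields from the cloud provider's IAM data.

```python
"""Policy drift check: evaluate an IAM snapshot against testable Access
Control Policy controls, group deviations by control, and build either a
ticket body or a compliant summary.  Added example, not Plerion's code."""
from dataclasses import dataclass
from typing import Callable, Optional

TICKET_SUBJECT = "Pleri Policy Check - Access Control Policy deviations"

# Constructed IAM snapshot (assumption: one record per principal; the field
# names are invented for this example, not a provider's API schema).
SAMPLE_SNAPSHOT = [
    {"name": "root", "is_root": True, "human": True, "mfa_enabled": False,
     "active_access_keys": 1, "days_since_last_login": 3},
    {"name": "alice", "is_root": False, "human": True, "mfa_enabled": True,
     "active_access_keys": 1, "days_since_last_login": 5},
    {"name": "bob", "is_root": False, "human": True, "mfa_enabled": False,
     "active_access_keys": 2, "days_since_last_login": 120},
    {"name": "svc-deploy", "is_root": False, "human": False, "mfa_enabled": False,
     "active_access_keys": 1, "days_since_last_login": 1},
]


@dataclass(frozen=True)
class Control:
    """One requirement extracted from the policy that can be checked in the cloud."""
    control_id: str                         # section reference in the policy (assumed)
    title: str
    severity: str                           # high / medium / low
    check: Callable[[dict], Optional[str]]  # returns a deviation message or None


def root_has_access_key(p):
    if p["is_root"] and p["active_access_keys"] > 0:
        return f"{p['name']}: {p['active_access_keys']} active access key(s)"
    return None


def root_used_recently(p, window_days=30):
    if p["is_root"] and p["days_since_last_login"] <= window_days:
        return f"{p['name']}: signed in {p['days_since_last_login']} day(s) ago"
    return None


def human_without_mfa(p):
    if p["human"] and not p["mfa_enabled"]:
        return f"{p['name']}: MFA not enabled"
    return None


def stale_credentials(p, max_idle_days=90):
    if p["active_access_keys"] > 0 and p["days_since_last_login"] > max_idle_days:
        return f"{p['name']}: credentials idle for {p['days_since_last_login']} days"
    return None


# Assumed control set; root usage and missing MFA are tagged high as in the text.
CONTROLS = [
    Control("AC-3.1", "Root account has no access keys", "high", root_has_access_key),
    Control("AC-3.2", "Root account is not used for routine work", "high", root_used_recently),
    Control("AC-4.1", "MFA enforced for all human users", "high", human_without_mfa),
    Control("AC-5.2", "Idle credentials disabled after 90 days", "medium", stale_credentials),
]

_RANK = {"high": 0, "medium": 1, "low": 2}


def assess(snapshot, controls=CONTROLS):
    """Return {control_id: [deviation, ...]} containing only the controls that failed."""
    findings = {}
    for control in controls:
        hits = [m for m in (control.check(p) for p in snapshot) if m]
        if hits:
            findings[control.control_id] = hits
    return findings


def highest_severity(findings, controls=CONTROLS):
    """Worst severity among failed controls, or None when compliant."""
    by_id = {c.control_id: c for c in controls}
    severities = [by_id[cid].severity for cid in findings]
    return min(severities, key=_RANK.get) if severities else None


def render_report(findings, controls=CONTROLS):
    """Ticket body grouped by control (worst severity first), or a compliant summary."""
    if not findings:
        return "Environment is compliant with the Access Control Policy: 0 deviations."
    by_id = {c.control_id: c for c in controls}
    lines = [TICKET_SUBJECT, f"Overall severity: {highest_severity(findings, controls)}", ""]
    for cid in sorted(findings, key=lambda c: _RANK[by_id[c].severity]):
        c = by_id[cid]
        lines.append(f"[{c.severity.upper()}] {cid} {c.title} ({len(findings[cid])} deviation(s))")
        lines.extend(f"  - {m}" for m in findings[cid])
        lines.append("")
    return "\n".join(lines).rstrip()


if __name__ == "__main__":
    print(render_report(assess(SAMPLE_SNAPSHOT)))
```

Each control is a small pure function over one principal, which keeps the "is this testable in the cloud?" decision explicit: a requirement that cannot be expressed as such a check is a documentation or process control and stays out of the list. The same `assess` output can be split into one ticket per control or per account by grouping on the keys differently.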

Required inputs

I need the following prerequisites to execute this playbook:
  • Access Control Policy PDF uploaded to Pleri
  • Connected cloud accounts and IAM data in Plerion
  • Jira integration configured, including project and default assignee or triage queue
  • Slack integration configured, including your Slack email or target channel
  • Timezone information for the weekly task schedule

Workflow

Here’s what I do: