The Multi-Cloud Zero Trust Policy Engine is a security architecture project designed to demonstrate how risk-based access control can be implemented across multiple cloud providers including AWS, Google Cloud Platform (GCP), and Microsoft Azure.
This system evaluates access requests using Zero Trust security principles, where no request is automatically trusted. Instead, contextual factors such as device trust, MFA status, geographic location, requested action, and resource sensitivity are evaluated to determine whether access should be allowed, challenged, or denied.
The policy engine is implemented using Python and FastAPI, while supporting infrastructure resources across AWS, GCP, and Azure are provisioned using Terraform Infrastructure as Code (IaC). The repository also includes a GitHub Actions CI/CD pipeline to validate project structure and enforce DevSecOps practices.
This project demonstrates how organizations can implement policy-driven security governance across multi-cloud environments, improving access control visibility and automated security decision-making.
The architecture integrates three major cloud platforms with a centralized policy evaluation API.
Access Request → Policy Engine API → Risk Evaluation → Decision (Allow / Challenge / Deny)
Cloud Services Integrated:
- AWS
  - SNS Alerting
  - DynamoDB decision storage
- Google Cloud Platform
  - Cloud Storage for policy artifacts
  - BigQuery for evaluation logging
- Microsoft Azure
  - Resource Group infrastructure
  - Storage Account for policy artifacts
  - Log Analytics workspace for monitoring
Access requests are evaluated based on multiple contextual signals:
- Multi-factor authentication status
- Device trust level
- Geographic location of access
- Requested resource sensitivity
- Privileged role access
- Cloud provider identity services
- Workload type (human or service account)
The policy engine assigns a risk score and produces one of the following decisions:
| Risk Score | Decision |
|---|---|
| 0–39 | Allow |
| 40–69 | Challenge |
| 70+ | Deny |
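The scoring flow described above (Access Request → Risk Evaluation → Decision) as a worked example. This is added illustration code, not the project's `app/main.py`: the signal weights, the allowed-country list and the `AccessRequest` fields are assumptions chosen to show the mechanism, while the 0–39 / 40–69 / 70+ thresholds are the ones in the table. Unknown signal values are scored as the worst case so that a malformed request fails closed rather than open.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """Contextual signals for one access request (field set is assumed)."""
    principal: str
    cloud: str                  # "aws" | "gcp" | "azure"
    action: str                 # provider action, e.g. "s3:DeleteObject"
    resource_sensitivity: str   # "low" | "medium" | "high"
    mfa_verified: bool
    device_trust: str           # "managed" | "unmanaged" | "unknown"
    country: str                # ISO 3166-1 alpha-2 of the source location
    privileged_role: bool
    workload_type: str          # "human" | "service"


# Hypothetical weights: assumed for this example, not the project's values.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 30}
DEVICE_WEIGHT = {"managed": 0, "unmanaged": 20, "unknown": 30}
ALLOWED_COUNTRIES = {"US", "CA", "GB"}       # assumed geo allow-list
MUTATING_PREFIXES = ("delete", "put", "update", "create", "set")
MFA_MISSING, GEO_ANOMALY, PRIVILEGED, MUTATING = 25, 20, 15, 10


def is_mutating(action: str) -> bool:
    """Treat the last path segment of the action name as the verb."""
    verb = re.split(r"[:/.]", action)[-1].lower()
    return verb.startswith(MUTATING_PREFIXES)


def risk_score(req: AccessRequest):
    """Return (score 0-100, reasons) for a request; unknown values score worst-case."""
    score, reasons = 0, []

    # MFA is only meaningful for human identities; service accounts are
    # scored on device/workload signals instead.
    if req.workload_type == "human" and not req.mfa_verified:
        score += MFA_MISSING
        reasons.append("mfa_missing")

    device = DEVICE_WEIGHT.get(req.device_trust, DEVICE_WEIGHT["unknown"])
    if device:
        score += device
        reasons.append(f"device_{req.device_trust}")

    sensitivity = SENSITIVITY_WEIGHT.get(req.resource_sensitivity, SENSITIVITY_WEIGHT["high"])
    if sensitivity:
        score += sensitivity
        reasons.append(f"sensitivity_{req.resource_sensitivity}")

    if req.country.upper() not in ALLOWED_COUNTRIES:
        score += GEO_ANOMALY
        reasons.append("geo_anomaly")

    if req.privileged_role:
        score += PRIVILEGED
        reasons.append("privileged_role")

    if is_mutating(req.action):
        score += MUTATING
        reasons.append("mutating_action")

    return min(score, 100), reasons


def decide(score: int) -> Decision:
    """Map a risk score onto the README's decision bands."""
    if score <= 39:
        return Decision.ALLOW
    if score <= 69:
        return Decision.CHALLENGE
    return Decision.DENY


def evaluate(req: AccessRequest) -> dict:
    """Full pipeline step: signals -> score -> decision, with an audit record."""
    score, reasons = risk_score(req)
    return {
        "principal": req.principal,
        "cloud": req.cloud,
        "action": req.action,
        "score": score,
        "reasons": reasons,
        "decision": decide(score),
    }


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    sample = AccessRequest("alice", "aws", "s3:GetObject", "low", True,
                           "managed", "US", False, "human")
    print(evaluate(sample))
```

The returned dictionary is the record a real engine would persist (the README names DynamoDB and BigQuery for that) so that every decision carries the reasons behind its score, which is what makes a Challenge or Deny reviewable after the fact.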
```
multi-cloud-zero-trust-policy-engine
│
├── app
│   ├── main.py
│   └── requirements.txt
│
├── terraform
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
│
├── .github
│   └── workflows
│       └── security-pipeline.yml
│
└── README.md
```
| Folder | Purpose |
|---|---|
| app | Python FastAPI Zero Trust policy engine |
| terraform | Infrastructure provisioning for AWS, GCP, and Azure |
| .github/workflows | DevSecOps CI/CD pipeline |
| README.md | Project documentation |
- Python
- FastAPI
- Terraform
- AWS SNS
- AWS DynamoDB
- Google Cloud Storage
- Google BigQuery
- Microsoft Azure Resource Manager
- Azure Log Analytics
- GitHub Actions
- DevSecOps CI/CD
Install dependencies:
```bash
pip install -r app/requirements.txt
```
CI/CD Pipeline
The project includes a GitHub Actions pipeline that runs automatically when code is pushed.
Pipeline capabilities include:
- Repository validation
- Infrastructure file checks
- DevSecOps workflow validation
- Automated security pipeline execution
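The repository-validation and infrastructure-file checks listed above, as an added example of what such a pipeline step can do. This is not the project's `security-pipeline.yml`; it is a stand-alone Python checker that takes the README's project structure as the required layout and verifies that each file is present and that the workflow file carries the `on:` and `jobs:` keys every GitHub Actions workflow needs. The sample repository it builds in a temporary directory is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Required layout, taken from the README's project structure.
REQUIRED_PATHS = (
    "app/main.py",
    "app/requirements.txt",
    "terraform/main.tf",
    "terraform/variables.tf",
    "terraform/outputs.tf",
    ".github/workflows/security-pipeline.yml",
    "README.md",
)
WORKFLOW = ".github/workflows/security-pipeline.yml"


def missing_paths(root) -> list:
    """Return the required files that are absent under root."""
    root = Path(root)
    return [p for p in REQUIRED_PATHS if not (root / p).is_file()]


def workflow_problems(root) -> list:
    """Minimal sanity check of the workflow file (string check, no YAML parser)."""
    wf = Path(root) / WORKFLOW
    if not wf.is_file():
        return []  # already reported by missing_paths
    text = wf.read_text()
    return [f"workflow lacks top-level '{key}'" for key in ("on:", "jobs:") if key not in text]


def validate_repository(root) -> dict:
    """Aggregate all checks; a pipeline step would exit non-zero when ok is False."""
    problems = [f"missing: {p}" for p in missing_paths(root)] + workflow_problems(root)
    return {"ok": not problems, "problems": problems}


def build_sample_repo(root) -> None:
    """Construct a placeholder repository matching REQUIRED_PATHS (demo data)."""
    for rel in REQUIRED_PATHS:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# placeholder\n")
    (Path(root) / WORKFLOW).write_text("name: security-pipeline\non: [push]\njobs:\n  validate:\n    runs-on: ubuntu-latest\n")


def run_demo() -> dict:
    """Validate a complete sample repo, then the same repo with a file removed."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        complete = validate_repository(tmp)
        (Path(tmp) / "terraform/variables.tf").unlink()
        broken = validate_repository(tmp)
    return {"complete": complete, "broken": broken}


if __name__ == "__main__":
    print(run_demo())
```

In a pipeline this would run before any Terraform plan or deployment step, so that a missing infrastructure file or a workflow that would never trigger is caught on the push itself rather than discovered later.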
Use Case
This project demonstrates how enterprises can build a centralized policy evaluation system for multi-cloud environments, ensuring access requests across AWS, Azure, and GCP are evaluated under consistent Zero Trust principles.
Potential applications include:
- Multi-cloud access governance
- Cloud identity security
- Risk-adaptive access control
- DevSecOps security automation
- Security monitoring platforms
Author
Oluwafemi Okunlola
Cloud Security Engineer | DevSecOps Engineer