Skip to main content
IntentLang
← All examples

NetworkEgressPolicy

examples/NetworkEgressPolicy.intent

NetworkEgressPolicy.intent
1# NetworkEgressPolicy.intent
2# Domain: infrastructure policy. Which outbound connections a workload may open,
3# expressed as intent rather than buried in firewall rules. Deny by default; never
4# allow unencrypted egress to the public internet. The policy runs as a decision.
5
6mission NetworkEgressPolicy
7use product
8
9title "Decide whether a workload may open an outbound connection"
10for PlatformSecurity
11
12goal
13 Allow only egress that is to an approved destination and encrypted in transit,
14 and deny everything else.
15
16why
17 Unrestricted egress is how data exfiltrates and how compromised workloads phone
18 home. The safe default is to deny and to require a reason to allow.
19
20requires
21 DestinationCatalog
22 EncryptionStandard
23
24input
25 destinationApproved: Flag
26 encrypted: Flag
27 destinationIsPublic: Flag
28
29output
30 decision: EgressDecision
31
32guarantee approved, encrypted egress is allowed
33 because blocking sanctioned traffic breaks the workloads the policy protects
34 verify allowlist egress test
35
36guarantee unapproved destinations are denied by default
37 because an implicit allow is an open door nobody chose to open
38 verify deny by default test
39
40never
41 allow unencrypted egress to the public internet
42 allow egress to a destination not in the catalog
43
44never allow unencrypted egress to the public internet
45 because plaintext over the open internet exposes data to anyone on the path
46 verify encryption in transit test
47
48never allow egress to a destination not in the catalog
49 because an uncatalogued endpoint has no owner and no justification on record
50 verify allowlist egress test
51
52# Deny-by-default egress policy as a decision. `intent run` / `intent test`.
53decision AllowEgress
54 inputs
55 destinationApproved
56 encrypted
57 destinationIsPublic
58 rule publicPlaintext
59 when destinationIsPublic == true and encrypted == false
60 return Deny
61 rule unapproved
62 when destinationApproved == false
63 return Deny
64 rule approvedEncrypted
65 when destinationApproved == true and encrypted == true
66 return Allow
67 default
68 return Deny
69
70target
71 Tests
72
73test AllowEgress
74 case approved encrypted egress is allowed
75 given destinationApproved true, encrypted true, destinationIsPublic false
76 expect Allow
77 case unapproved destination is denied
78 given destinationApproved false, encrypted true, destinationIsPublic false
79 expect Deny
80 case unencrypted public egress is denied
81 given destinationApproved true, encrypted false, destinationIsPublic true
82 expect Deny
83 case approved but unencrypted falls through to deny
84 given destinationApproved true, encrypted false, destinationIsPublic false
85 expect Deny
Draft syntax. This file is illustrative and does not run yet.