2026-02-04 · Authensor

SafeClaw Policy Recipe: Infrastructure Agent

This policy is for AI agents managing cloud infrastructure — running Terraform, kubectl, AWS CLI, or similar tools. Every infrastructure mutation requires human approval. Read-only commands (plan, describe, get) are allowed. Direct production access, destructive operations, and credential file reads are blocked. Install SafeClaw with npx @authensor/safeclaw and paste this into safeclaw.config.yaml.

Use Case

An infrastructure agent assists DevOps engineers with cloud operations: planning Terraform changes, inspecting Kubernetes pod status, describing AWS resources, and generating infrastructure-as-code. The agent may be powered by Claude Code, an AutoGen executor, or a custom LangChain tool chain. The risks are severe — an unrestricted infrastructure agent could destroy production resources, modify security groups, delete databases, exfiltrate cloud credentials, or deploy untested changes. This policy enforces a strict approve-before-mutate pattern where all write operations require human sign-off through the SafeClaw dashboard.

The Policy

# safeclaw.config.yaml — Infrastructure Agent
# For: DevOps agents, Terraform/kubectl automation, cloud management
# Install: npx @authensor/safeclaw

version: "1.0"
agent: infra-agent
defaultAction: deny

rules:
  # --- FILE READ RULES ---

  # Block reading cloud credentials
  - id: deny-read-aws-creds
    action: file_read
    target: "~/.aws/credentials"
    decision: deny
    description: "Block reading AWS credential file"

  # Block reading GCP keys
  - id: deny-read-gcp-keys
    action: file_read
    target: "*/service-account*.json"
    decision: deny
    description: "Block reading GCP service account key files"

  # Block reading kubeconfig with production contexts
  - id: deny-read-kubeconfig
    action: file_read
    target: "~/.kube/config"
    decision: deny
    description: "Block direct kubeconfig access — use RBAC"

  # Block reading SSH keys
  - id: deny-read-ssh
    action: file_read
    target: "~/.ssh/**"
    decision: deny
    description: "Block reading SSH private keys"

  # Allow reading Terraform files
  - id: allow-read-terraform
    action: file_read
    target: "./infra/**/*.tf"
    decision: allow
    description: "Allow reading Terraform configuration files"

  # Allow reading Terraform variables
  - id: allow-read-tfvars
    action: file_read
    target: "./infra/**/*.tfvars"
    decision: allow
    description: "Allow reading Terraform variable files"

  # Allow reading Kubernetes manifests
  - id: allow-read-k8s
    action: file_read
    target: "./k8s/**/*.{yaml,yml}"
    decision: allow
    description: "Allow reading Kubernetes manifest files"

  # Allow reading Helm charts
  - id: allow-read-helm
    action: file_read
    target: "./helm/**"
    decision: allow
    description: "Allow reading Helm chart files"

  # Allow reading documentation
  - id: allow-read-docs
    action: file_read
    target: "./docs/**"
    decision: allow
    description: "Allow reading infrastructure documentation"

  # --- FILE WRITE RULES ---

  # Gate writing Terraform files (agent may generate IaC)
  - id: gate-write-terraform
    action: file_write
    target: "./infra/**/*.tf"
    decision: require_approval
    description: "Require approval to modify Terraform config"

  # Gate writing Kubernetes manifests
  - id: gate-write-k8s
    action: file_write
    target: "./k8s/**/*.{yaml,yml}"
    decision: require_approval
    description: "Require approval to modify Kubernetes manifests"

  # Allow writing plan output files
  - id: allow-write-plans
    action: file_write
    target: "./output/plans/**"
    decision: allow
    description: "Allow writing terraform plan output for review"

  # Allow writing logs
  - id: allow-write-logs
    action: file_write
    target: "./logs/**"
    decision: allow
    description: "Allow writing operation logs"

  # --- SHELL EXEC RULES ---

  # Gate destructive Terraform commands
  - id: gate-terraform-apply
    action: shell_exec
    target: "terraform apply*"
    decision: require_approval
    description: "Require human approval for terraform apply"

  # Gate terraform destroy
  - id: gate-terraform-destroy
    action: shell_exec
    target: "terraform destroy*"
    decision: require_approval
    description: "Require human approval for terraform destroy"

  # Allow terraform plan (read-only)
  - id: allow-terraform-plan
    action: shell_exec
    target: "terraform plan*"
    decision: allow
    description: "Allow terraform plan — read-only operation"

  # Allow terraform init
  - id: allow-terraform-init
    action: shell_exec
    target: "terraform init*"
    decision: allow
    description: "Allow terraform init for provider setup"

  # Allow terraform validate
  - id: allow-terraform-validate
    action: shell_exec
    target: "terraform validate*"
    decision: allow
    description: "Allow terraform validate — syntax checking"

  # Allow terraform fmt
  - id: allow-terraform-fmt
    action: shell_exec
    target: "terraform fmt*"
    decision: allow
    description: "Allow terraform fmt — code formatting"

  # Gate kubectl apply/delete/patch (mutations)
  - id: gate-kubectl-apply
    action: shell_exec
    target: "kubectl apply*"
    decision: require_approval
    description: "Require approval for kubectl apply"

  # Gate kubectl delete
  - id: gate-kubectl-delete
    action: shell_exec
    target: "kubectl delete*"
    decision: require_approval
    description: "Require approval for kubectl delete"

  # Allow kubectl get (read-only)
  - id: allow-kubectl-get
    action: shell_exec
    target: "kubectl get*"
    decision: allow
    description: "Allow kubectl get — read-only inspection"

  # Allow kubectl describe
  - id: allow-kubectl-describe
    action: shell_exec
    target: "kubectl describe*"
    decision: allow
    description: "Allow kubectl describe — read-only inspection"

  # Allow kubectl logs
  - id: allow-kubectl-logs
    action: shell_exec
    target: "kubectl logs*"
    decision: allow
    description: "Allow kubectl logs — read-only log viewing"

  # Gate AWS CLI write operations
  - id: gate-aws-mutate
    action: shell_exec
    target: "aws --region"
    decision: require_approval
    description: "Require approval for AWS CLI operations with region"

  # Allow AWS describe/list/get commands
  - id: allow-aws-describe
    action: shell_exec
    target: "aws describe"
    decision: allow
    description: "Allow AWS describe commands — read-only"

  # Allow AWS list commands
  - id: allow-aws-list
    action: shell_exec
    target: "aws list"
    decision: allow
    description: "Allow AWS list commands — read-only"

  # Block sudo
  - id: deny-sudo
    action: shell_exec
    target: "sudo *"
    decision: deny
    description: "Block all sudo commands"

  # Block SSH into production servers
  - id: deny-ssh
    action: shell_exec
    target: "ssh *"
    decision: deny
    description: "Block direct SSH access to servers"

  # --- NETWORK RULES ---

  # Allow cloud provider APIs
  - id: allow-aws-api
    action: network
    target: "https://*.amazonaws.com/*"
    decision: allow
    description: "Allow AWS API calls"

  # Allow Terraform registry
  - id: allow-terraform-registry
    action: network
    target: "https://registry.terraform.io/*"
    decision: allow
    description: "Allow Terraform provider/module registry"

  # Block all other network access
  - id: deny-network-default
    action: network
    target: "*"
    decision: deny
    description: "Block all other outbound network requests"

What This Policy Allows

Reading Terraform configuration and variable files under ./infra, Kubernetes manifests under ./k8s, Helm charts under ./helm, and documentation under ./docs. Writing plan output to ./output/plans and operation logs to ./logs. Running terraform plan, init, validate, and fmt; kubectl get, describe, and logs; and AWS describe and list commands. Outbound requests to AWS APIs and the Terraform registry.

What This Policy Blocks

Reading the AWS credential file, GCP service account key files, the kubeconfig file, and anything under ~/.ssh. Any sudo command and any ssh command. All outbound network requests not explicitly allowed. Because defaultAction is deny, any action that matches no rule is blocked as well.

What Requires Approval

Writing Terraform files or Kubernetes manifests. Running terraform apply or terraform destroy, kubectl apply or kubectl delete, and AWS CLI operations that specify a region.

Customization Guide

  1. Add your cloud provider. If you use GCP or Azure instead of AWS, replace the AWS-specific shell rules with equivalents for the gcloud or az CLI. Add network allow rules for https://*.googleapis.com/* or https://management.azure.com/*.
  2. Restrict to specific Kubernetes namespaces. Add conditions to the kubectl rules to limit operations to specific namespaces. For example, allow kubectl get pods -n staging but gate kubectl get pods -n production.
  3. Allow Helm operations. If your workflow uses Helm, add allow rules for helm template, helm lint, and helm status (read-only), and require_approval rules for helm install, helm upgrade, and helm delete (mutations).

Example Session

1. ALLOW — Agent runs terraform plan:

{
  "actionType": "shell_exec",
  "target": "terraform plan -out=./output/plans/plan-20260213.tfplan",
  "agentId": "infra-agent",
  "decision": "ALLOW",
  "rule": "allow-terraform-plan",
  "evaluationTime": "0.3ms"
}

2. REQUIRE_APPROVAL — Agent attempts terraform apply:

{
  "actionType": "shell_exec",
  "target": "terraform apply ./output/plans/plan-20260213.tfplan",
  "agentId": "infra-agent",
  "decision": "REQUIRE_APPROVAL",
  "rule": "gate-terraform-apply",
  "evaluationTime": "0.2ms"
}

3. ALLOW — Agent inspects pod status:

{
  "actionType": "shell_exec",
  "target": "kubectl get pods -n staging",
  "agentId": "infra-agent",
  "decision": "ALLOW",
  "rule": "allow-kubectl-get",
  "evaluationTime": "0.3ms"
}

4. DENY — Agent attempts to read AWS credentials:

{
  "actionType": "file_read",
  "target": "~/.aws/credentials",
  "agentId": "infra-agent",
  "decision": "DENY",
  "rule": "deny-read-aws-creds",
  "evaluationTime": "0.2ms"
}

5. DENY — Agent attempts SSH to production:

{
  "actionType": "shell_exec",
  "target": "ssh ubuntu@prod-server-01.example.com",
  "agentId": "infra-agent",
  "decision": "DENY",
  "rule": "deny-ssh",
  "evaluationTime": "0.2ms"
}
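To make the policy above and the session decisions concrete, here is an added illustrative evaluator (not SafeClaw's engine; the page does not describe its matching internals). It assumes first-match-in-file-order semantics, shell-style globs for target, and defaultAction as the fallback; the RULES list is a constructed subset of the recipe.

```python
"""Illustrative evaluator for the rule shape used in this recipe.

Added example, not SafeClaw's own engine. It assumes first-match-in-file-order
semantics, shell-style globs for `target`, and `defaultAction` as the fallback
when no rule matches; the page does not state these details.
"""
import os
from fnmatch import fnmatchcase

DEFAULT_ACTION = "deny"

# Constructed subset of the recipe's rules, kept in file order.
RULES = [
    {"id": "deny-read-aws-creds", "action": "file_read",
     "target": "~/.aws/credentials", "decision": "deny"},
    {"id": "allow-read-terraform", "action": "file_read",
     "target": "./infra/**/*.tf", "decision": "allow"},
    {"id": "gate-terraform-apply", "action": "shell_exec",
     "target": "terraform apply*", "decision": "require_approval"},
    {"id": "allow-terraform-plan", "action": "shell_exec",
     "target": "terraform plan*", "decision": "allow"},
    {"id": "deny-ssh", "action": "shell_exec",
     "target": "ssh *", "decision": "deny"},
]


def matches(pattern: str, target: str) -> bool:
    """Glob match. `~` is expanded on both sides so a path the agent has
    already expanded still hits a `~/...` rule; `**/` collapses to `*`
    because fnmatch's `*` already crosses `/`."""
    pattern = os.path.expanduser(pattern).replace("**/", "*")
    return fnmatchcase(os.path.expanduser(target), pattern)


def evaluate(action: str, target: str) -> dict:
    """Return a decision record in the shape of the page's example session."""
    for rule in RULES:
        if rule["action"] == action and matches(rule["target"], target):
            return {"actionType": action, "target": target,
                    "decision": rule["decision"].upper(), "rule": rule["id"]}
    # Nothing matched: fall back to defaultAction, which is what makes the
    # recipe fail closed for commands nobody wrote a rule for (e.g. helm).
    return {"actionType": action, "target": target,
            "decision": DEFAULT_ACTION.upper(), "rule": None}
```

Note that a file_read of ./infra/prod/main.tfvars falls through to the default deny here because only the *.tf rule is in the constructed subset; glob precision, not rule intent, decides the outcome.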

All decisions are recorded in SafeClaw's tamper-proof audit trail (SHA-256 hash chain). This is especially important for infrastructure operations where you need a complete record of what the agent attempted and what was approved. SafeClaw evaluates each rule in sub-millisecond time, has zero third-party dependencies, and is verified across 446 tests in TypeScript strict mode. The control plane sees only action metadata, never your cloud credentials or infrastructure details.
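As an added illustration of what a SHA-256 hash chain buys an audit trail (this is not SafeClaw's own log format, which the page does not describe), the following constructs a chain from records mirroring the example session and shows that a rewritten or dropped decision is detected on verification.

```python
"""Hash-chained audit trail for policy decisions. Added example, not SafeClaw's
own log format: it assumes each entry stores SHA-256(previous hash || canonical
JSON of the record), so editing, reordering or dropping any record invalidates
every entry after it."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # anchor for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so re-serialising the
    # same record always yields the same bytes and therefore the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain: list, record: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return chain

def verify(chain: list) -> Optional[int]:
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def build_session_chain() -> list:
    """Constructed records mirroring the page's example session."""
    chain: list = []
    for target, decision, rule in [
        ("terraform plan -out=./output/plans/plan-20260213.tfplan", "ALLOW", "allow-terraform-plan"),
        ("terraform apply ./output/plans/plan-20260213.tfplan", "REQUIRE_APPROVAL", "gate-terraform-apply"),
        ("ssh ubuntu@prod-server-01.example.com", "DENY", "deny-ssh"),
    ]:
        append(chain, {"actionType": "shell_exec", "agentId": "infra-agent",
                       "target": target, "decision": decision, "rule": rule})
    return chain

def tampered(chain: list, index: int, decision: str) -> list:
    """Copy with one decision rewritten in place and hashes left untouched."""
    bad = copy.deepcopy(chain)
    bad[index]["record"]["decision"] = decision
    return bad
```

A chain only proves integrity relative to its latest hash: whoever can rewrite the whole file can recompute every hash, so the head hash should be periodically recorded somewhere the agent host cannot write (the control plane, a ticket, or a signed timestamp).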

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw