
Cloud governance has a timing problem.
Most organizations discover cloud misconfigurations after they happen, through CSPM dashboards, CNAPP alerts, or tickets that arrive long after the risky change is already live. By then, platform teams are stuck reacting instead of preventing.
The Nirmata Cloud Controller (NCC) changes that model by bringing preventive, policy-as-code governance directly to the cloud API layer, while still providing continuous compliance and visibility as environments evolve.
For platform engineers, Cloud Controller acts as a central control plane for governing cloud actions, cloud drift, and cloud posture, using the same Kyverno-style policies and reporting models they already trust in Kubernetes.
What Is the Nirmata Cloud Controller?
The Nirmata Cloud Controller is a preventive cloud governance platform that enforces policy-as-code on AWS API requests in real time while continuously scanning cloud environments for drift and compliance gaps.
Unlike traditional CSPM or CNAPP tools that detect issues after deployment, Cloud Controller can block non-compliant cloud changes before they are applied.
Stop Risky Cloud Changes The Moment They Happen
The defining capability of the Nirmata Cloud Controller is admission-style control for cloud APIs.
Instead of only scanning for issues later, Cloud Controller can intercept AWS API requests in real time, evaluate them against policy, and decide whether they should be allowed at all.
Cloud Admission Controller
CLI / SDK / Automation
|
v
Nirmata Cloud Admission Controller
|
Kyverno Policy Evaluation
|
Allow ✅ Deny ❌
|
v
AWS APIs
This applies to:
- AWS CLI commands
- Automation and pipelines
- Scripts and tooling
- Any direct API-driven cloud change
This is true preventive governance, not just visibility after the fact.
How the Cloud Controller Works
Cloud Controller consists of two complementary control paths:
1. Inline Enforcement (Admission Control)
- Intercepts AWS API calls
- Evaluates requests against selected Kyverno JSON policies
- Blocks or allows changes before AWS applies them
2. Continuous Scanning (Drift & Legacy Detection)
- Periodically scans existing cloud resources
- Evaluates real-world state (not just IaC)
- Produces standardized policy reports
Together, these cover both new changes and existing environments.
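The inline path described above, worked through as an added example (this is illustration code, not Nirmata's implementation): an intercepted API call is modelled as the operation name plus the parameters the AWS CLI or SDK would send, policies are picked by label, each selected policy's check runs over the parameters, and the call is allowed or denied before it reaches AWS. The `Policy` and `Decision` shapes, the `enforce` flag that models scan-only versus enforce mode, and the two sample policies are assumptions made for the example.

```python
"""Admission-style evaluation of an intercepted AWS API request.
Added example; the policy/decision shapes are assumptions, not Nirmata's API."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Policy:
    name: str
    actions: set                          # API operations this policy applies to
    check: Callable[[dict], bool]         # True when the request parameters comply
    message: str
    labels: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    violations: list


def select_policies(policies, selector):
    """Label-based selection: keep policies carrying every label in selector."""
    return [p for p in policies
            if all(p.labels.get(k) == v for k, v in selector.items())]


def admit(action, params, policies, enforce=True):
    """Evaluate one request. With enforce=False (scan-only / audit) violations
    are recorded but the call is still allowed, which is how a policy would be
    rolled out before switching it to enforce."""
    violations = [p.message for p in policies
                  if action in p.actions and not p.check(params)]
    return Decision(allowed=not violations or not enforce, violations=violations)


def no_ssh_from_internet(params):
    """Reject ec2:AuthorizeSecurityGroupIngress rules that open TCP/22
    (or all ports via protocol -1) to 0.0.0.0/0 or ::/0."""
    for perm in params.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        covers_22 = perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
        world = [r.get("CidrIp") for r in perm.get("IpRanges", [])] + \
                [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if covers_22 and ("0.0.0.0/0" in world or "::/0" in world):
            return False
    return True


def public_access_fully_blocked(params):
    """Require all four settings of s3 PutPublicAccessBlock to be true."""
    cfg = params.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"))


# Constructed policies for the example.
POLICIES = [
    Policy("deny-ssh-from-internet", {"ec2:AuthorizeSecurityGroupIngress"},
           no_ssh_from_internet,
           "security group ingress must not expose port 22 to the internet",
           labels={"env": "prod"}),
    Policy("require-s3-public-access-block", {"s3:PutPublicAccessBlock"},
           public_access_fully_blocked,
           "all four S3 public access block settings must be true",
           labels={"env": "prod"}),
]

# Constructed request, equivalent to:
#   aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 \
#       --protocol tcp --port 22 --cidr 0.0.0.0/0
SSH_OPEN = {"GroupId": "sg-0123456789abcdef0",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    prod = select_policies(POLICIES, {"env": "prod"})
    decision = admit("ec2:AuthorizeSecurityGroupIngress", SSH_OPEN, prod)
    print("allowed" if decision.allowed else "denied", decision.violations)
```

Running the block denies the world-open SSH rule; the same call with `enforce=False` is allowed but still records the violation, which is the behaviour a team wants while a policy is in scan-only mode.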
Continuous Compliance When Reality Drifts from IaC
Even the best IaC practices don’t capture everything.
Cloud environments drift due to:
- Console changes
- Emergency fixes
- Manual overrides
- Third-party automation
The Cloud Scanner addresses this gap.
Cloud Scanner Flow
Kubernetes Cluster
|
v
Cloud Scanner Pod
|
AWS Cloud Control API
|
v
Current Resource State
|
Kyverno JSON Policies
|
v
Policy Reports (CRDs)
Key Characteristics:
- Runs inside your Kubernetes cluster
- Uses the AWS Cloud Control API for consistent access across services
- Evaluates resources using Kyverno JSON policies
- Generates policy reports on a configurable schedule
This ensures governance stays accurate even as environments evolve.
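The scanner path, worked through as an added example (illustration code, not Nirmata's Cloud Scanner): resource descriptions in the shape the AWS Cloud Control API returns (`TypeName`, `Identifier`, and `Properties` as a JSON string) are parsed, evaluated against rules, and summarised as a document in the wgpolicyk8s.io/v1alpha2 PolicyReport format. The rule shape, the sample resources (one compliant bucket, one legacy bucket with no public access block at all, one security group with a console-added rule), and the mapping of a cloud resource onto the report's object reference (kind set to the Cloud Control type name, name to the identifier) are assumptions made for the example.

```python
"""Drift/legacy scan over Cloud Control API resource descriptions, producing a
PolicyReport-style summary. Added example; rule shape and resource-to-report
mapping are assumptions, not Nirmata's implementation."""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    policy: str
    name: str
    type_name: str                  # Cloud Control resource type the rule applies to
    check: Callable[[dict], bool]   # True when the resource's properties comply
    message: str


def bucket_public_access_blocked(props):
    cfg = props.get("PublicAccessBlockConfiguration") or {}
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"))


def sg_no_ssh_from_internet(props):
    # AWS::EC2::SecurityGroup exposes ingress as SecurityGroupIngress entries
    for ing in props.get("SecurityGroupIngress", []):
        if ing.get("IpProtocol") not in ("tcp", "-1"):
            continue
        covers_22 = ing.get("FromPort", 0) <= 22 <= ing.get("ToPort", 65535)
        world = ing.get("CidrIp") == "0.0.0.0/0" or ing.get("CidrIpv6") == "::/0"
        if covers_22 and world:
            return False
    return True


RULES = [
    Rule("require-s3-public-access-block", "block-all", "AWS::S3::Bucket",
         bucket_public_access_blocked,
         "bucket must block public ACLs and public policies"),
    Rule("deny-ssh-from-internet", "no-world-ssh", "AWS::EC2::SecurityGroup",
         sg_no_ssh_from_internet,
         "ingress must not expose port 22 to the internet"),
]

# Constructed sample of what `aws cloudcontrol get-resource` returns per
# resource. Properties is a JSON string in the real API, so it is parsed first.
RESOURCES = [
    {"TypeName": "AWS::S3::Bucket", "Identifier": "acme-logs",
     "Properties": json.dumps({"BucketName": "acme-logs",
                               "PublicAccessBlockConfiguration": {
                                   "BlockPublicAcls": True, "IgnorePublicAcls": True,
                                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})},
    # legacy bucket created before the policy existed: no block configuration at all
    {"TypeName": "AWS::S3::Bucket", "Identifier": "acme-legacy-www",
     "Properties": json.dumps({"BucketName": "acme-legacy-www"})},
    # drift: ingress rule added from the console after the IaC run
    {"TypeName": "AWS::EC2::SecurityGroup", "Identifier": "sg-0123456789abcdef0",
     "Properties": json.dumps({"GroupName": "bastion", "SecurityGroupIngress": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]})},
]


def scan(resources, rules, account_id):
    """Evaluate every resource against the rules for its type and return a
    ClusterPolicyReport-shaped dict (wgpolicyk8s.io/v1alpha2 result/summary keys)."""
    results = []
    for res in resources:
        props = json.loads(res["Properties"])
        for rule in rules:
            if rule.type_name != res["TypeName"]:
                continue
            passed = rule.check(props)
            results.append({
                "source": "cloud-scanner",
                "policy": rule.policy,
                "rule": rule.name,
                "result": "pass" if passed else "fail",
                "message": "" if passed else rule.message,
                # assumption: cloud resource mapped onto an object reference this way
                "resources": [{"kind": res["TypeName"], "name": res["Identifier"]}],
            })
    summary = {k: sum(1 for r in results if r["result"] == k)
               for k in ("pass", "fail", "warn", "error", "skip")}
    return {"apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "ClusterPolicyReport",
            "metadata": {"name": f"aws-{account_id}",
                         "labels": {"aws-account-id": account_id}},
            "summary": summary,
            "results": results}


def failing_resources(report):
    """Identifiers of every resource with a failed result, for dashboards/alerts."""
    return sorted(r["resources"][0]["name"]
                  for r in report["results"] if r["result"] == "fail")


if __name__ == "__main__":
    report = scan(RESOURCES, RULES, "111122223333")
    print(json.dumps(report["summary"]), failing_resources(report))
```

Because the scanner evaluates the live properties rather than the IaC that was supposed to create them, both the legacy bucket and the console-added ingress rule show up as failures even though neither change would have passed through a pipeline.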
Kyverno-Style Policies Extended Beyond Kubernetes
One of the biggest differentiators of the Nirmata Cloud Controller is consistency.
If you already use Kyverno for Kubernetes, you don’t need to:
- Learn a new policy model
- Manage a separate reporting system
- Fragment governance across tools
Cloud Controller intentionally mirrors the Kyverno experience:
- Policy-as-code enforcement
- Label-based policy selection
- Policy reports aligned with Kubernetes Policy WG formats
Unified Governance Model
Kyverno Policies
|
+-- Kubernetes Admission Control
|
+-- Cloud Admission Control (AWS APIs)
|
+-- Cloud Scanner (Drift & Legacy)
This makes cloud governance feel like a natural extension of Kubernetes governance, not a parallel system.
Built for Large AWS Organizations
Enterprises don’t operate in single AWS accounts, and Cloud Controller reflects that reality.
Using AWSOrgConfig, Cloud Controller can:
- Discover AWS Organizations recursively
- Traverse OUs and accounts
- Automatically create AWSAccountConfig resources
- Discover EKS clusters via ClusterConfig
Enterprise Discovery Model
This drastically reduces onboarding effort and enables governance to scale without manual configuration per account.
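The recursive discovery described above, as an added example (not Nirmata's AWSOrgConfig implementation): walk from each organization root through every OU, collect the active accounts with their OU path, and handle `NextToken` pagination the way the AWS Organizations API requires. The three list calls (`list_roots`, `list_organizational_units_for_parent`, `list_accounts_for_parent`) are the real boto3 `organizations` client methods; the `FakeOrganizations` class is a constructed stand-in with the same method names so the walk runs offline, and a live `boto3.client("organizations")` can be passed in its place.

```python
"""Recursive AWS Organizations traversal (roots -> OUs -> accounts).
Added example; FakeOrganizations is a constructed stand-in for the boto3 client."""


def _paginate(method, key, **kwargs):
    """Collect `key` from every page of a boto3-style call that uses NextToken."""
    items, token = [], None
    while True:
        resp = method(**kwargs, NextToken=token) if token else method(**kwargs)
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def discover_accounts(org, include_suspended=False):
    """Return [(account_id, name, ou_path)] for every account reachable from
    the organization's roots. Suspended accounts are skipped by default so
    per-account onboarding is not attempted against them."""
    found = []

    def walk(parent_id, path):
        for acct in _paginate(org.list_accounts_for_parent, "Accounts",
                              ParentId=parent_id):
            if acct["Status"] == "ACTIVE" or include_suspended:
                found.append((acct["Id"], acct["Name"], "/".join(path)))
        for ou in _paginate(org.list_organizational_units_for_parent,
                            "OrganizationalUnits", ParentId=parent_id):
            walk(ou["Id"], path + [ou["Name"]])

    for root in _paginate(org.list_roots, "Roots"):
        walk(root["Id"], [root["Name"]])
    return found


class FakeOrganizations:
    """Constructed organization: Root -> {Prod -> {Payments}, Sandbox}.
    Method names and response keys mirror boto3.client('organizations')."""
    ROOTS = [{"Id": "r-abcd", "Name": "Root"}]
    OUS = {"r-abcd": [{"Id": "ou-abcd-11111111", "Name": "Prod"},
                      {"Id": "ou-abcd-22222222", "Name": "Sandbox"}],
           "ou-abcd-11111111": [{"Id": "ou-abcd-33333333", "Name": "Payments"}]}
    ACCOUNTS = {
        "r-abcd": [{"Id": "111111111111", "Name": "management", "Status": "ACTIVE"}],
        "ou-abcd-11111111": [{"Id": "222222222222", "Name": "prod-shared", "Status": "ACTIVE"}],
        "ou-abcd-33333333": [{"Id": "333333333333", "Name": "prod-payments", "Status": "ACTIVE"}],
        "ou-abcd-22222222": [{"Id": "444444444444", "Name": "sandbox-a", "Status": "ACTIVE"},
                             {"Id": "555555555555", "Name": "sandbox-old", "Status": "SUSPENDED"}],
    }

    def list_roots(self, NextToken=None):
        return {"Roots": self.ROOTS}

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return {"OrganizationalUnits": self.OUS.get(ParentId, [])}

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        # page size 1 so the NextToken loop in _paginate is actually exercised
        items = self.ACCOUNTS.get(ParentId, [])
        i = int(NextToken or 0)
        page = {"Accounts": items[i:i + 1]}
        if i + 1 < len(items):
            page["NextToken"] = str(i + 1)
        return page


if __name__ == "__main__":
    for account_id, name, path in discover_accounts(FakeOrganizations()):
        print(account_id, name, path)
```

Each tuple the walk returns carries enough information (account ID plus OU path) to create a per-account configuration automatically and to select policies by OU, which is the step that removes the per-account manual setup.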
Standardized Policy Reporting for Platform Teams
Cloud Controller produces Kubernetes-native policy reports as CRDs.
These reports:
- Contain results of applying ValidatingPolicy and ImageVerificationPolicy
- Are generated per account or globally
- Follow open Kubernetes Policy WG formats
- Fit naturally into existing governance workflows
For platform engineers, this means:
- One reporting mental model
- Easier integration with dashboards and automation
- No translation between cloud and Kubernetes governance data
Unified Governance Across Pipelines, Clusters, and Cloud
Cloud Controller is a core part of the Nirmata Cloud Hub (NCH).
Instead of fragmented tools for:
- CI/CD pipelines
- Kubernetes clusters
- Cloud resources
Platform teams get a single hub for governance visibility across all three layers.
Unified Governance View
Pipelines ──┐
Clusters ──┼── Nirmata Cloud Hub
Cloud ──┘
This helps platform teams reason about risk holistically, not in isolated silos.
How is Cloud Controller Different from CSPM and CNAPP?
CSPM and CNAPP tools tell you what went wrong.
Cloud Controller helps ensure it never happens in the first place.
Key Differences
| Traditional CSPM / CNAPP | Nirmata Cloud Controller |
|---|---|
| Detect after deployment | Prevent at API boundary |
| Ticket and alert driven | Allow / deny enforcement |
| Separate policy models | Kyverno-native policies |
| Visibility-focused | Control + visibility |
| Account-by-account setup | Org-aware discovery |
Cloud Controller doesn’t replace visibility tools; it adds a control layer they fundamentally lack.
How to Get Started with Nirmata Cloud Controller
A typical onboarding flow looks like this:
- Deploy Cloud Controller into Kubernetes
- Configure AWS access and org discovery
- Define Kyverno JSON policies
- Start in scan-only mode
- Enable admission control selectively
- Expand coverage across accounts and services
This enables progressive adoption, reducing risk and friction.
From Reactive Cloud Governance to Preventive Platform Control
The Nirmata Cloud Controller represents a shift from reactive cloud governance to preventive platform control.
By combining:
- Admission-style enforcement at the cloud API boundary
- Continuous scanning for drift and legacy resources
- Kyverno-style policies and standardized reports
- Enterprise-grade AWS organization discovery
It gives platform engineers a practical way to govern cloud environments at scale, without slowing teams down.
Cloud governance doesn’t have to be a cleanup exercise anymore. With Nirmata Cloud Controller, it becomes a first-class platform capability.
