diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ca86467..53e6ba8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -112,14 +112,20 @@ jobs: if: steps.plan.outcome == 'failure' run: exit 1 - - name: Snyk scan + - name: Setup snyk uses: snyk/actions/setup@master + + - name: IaC Test run: snyk iac test env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Report infrastructure costs + - name: setup infracost uses: infracost/actions/setup@v2 + + - name: Report on IaC Costs + env: + INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} run: | infracost breakdown --path=. \ --format=json \ @@ -134,8 +140,6 @@ jobs: --compare-to=infracost-base.json \ --format=json \ --out-file=infracost.json - with: - api-key: ${{ secrets.INFRACOST_API_KEY }} - name: 'Sentinel Test' uses: hashicorp/sentinel-github-actions@master @@ -147,8 +151,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Terraform Apply if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: terraform apply -auto-approve diff --git a/policy/policy.policy b/policy/policy.policy new file mode 100644 index 0000000..3053b4f --- /dev/null +++ b/policy/policy.policy 
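Review bot: The new `Setup snyk` step in the first hunk keeps `uses: snyk/actions/setup@master`, and the `Sentinel Test` step in the second hunk uses `hashicorp/sentinel-github-actions@master`, so both execute whatever is on a mutable branch at job time, in a job that now also receives `SNYK_TOKEN`, `INFRACOST_API_KEY` and `GITHUB_TOKEN`. Pin each action to a full-length commit SHA with the version as a trailing comment, e.g. `uses: snyk/actions/setup@<full-commit-sha> # <release-tag>` (placeholders), and consider the same for the floating `@v2` on `infracost/actions/setup`, since a moved ref silently changes the code that runs with those secrets. The step names mix forms (`Setup snyk`, `setup infracost`, `IaC Test`, `Report on IaC Costs`); one convention such as `Setup Snyk` / `Setup Infracost` would read consistently. The enclosing job starts before the first hunk, and the third hunk is whitespace only.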
@@ -0,0 +1,47 @@
+import "strings"
+
+limitTotalDiff = rule {
+ float(breakdown.totalMonthlyCost) < 1500
+}
+
+awsInstances = filter breakdown.projects[0].breakdown.resources as _, resource {
+ strings.split(resource.name, ".")[0] is "aws_instance"
+}
+
+limitInstanceCost = rule {
+ all awsInstances as _, instance {
+ float(instance.hourlyCost) <= 2.00
+ }
+}
+
+instanceBaseCost = func(instance) {
+ cost = 0.0
+ for instance.costComponents as cc {
+ cost += float(cc.hourlyCost)
+ }
+ return cost
+}
+
+instanceIOPSCost = func(instance) {
+ cost = 0.0
+ for instance.subresources as sr {
+ for sr.costComponents as cc {
+ if cc.name == "Provisioned IOPS" {
+ cost += float(cc.hourlyCost)
+ }
+ }
+ }
+ return cost
+}
+
+limitInstanceIOPSCost = rule {
+ all awsInstances as _, instance {
+ instanceIOPSCost(instance) <= instanceBaseCost(instance)
+ }
+}
+
+main = rule {
+ limitTotalDiff and
+ limitInstanceCost and
+ limitInstanceIOPSCost
+}
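Review bot: `limitTotalDiff` reads `breakdown.totalMonthlyCost`, the absolute monthly total, while its name and the workflow's `infracost diff --compare-to=infracost-base.json` output suggest the intended input is the cost change; if the policy is meant to cap the delta it should read the diff total that Infracost's diff output carries separately, and if the absolute total is intended the rule should be renamed, e.g. `limitTotalMonthlyCost = rule {`. `awsInstances` only inspects `breakdown.projects[0]`, so further projects in a multi-project breakdown go unchecked and an empty `projects` list fails the index before `main` is evaluated — I can't tell from here whether the workflow only ever produces one project. `float(cc.hourlyCost)` in `instanceBaseCost` and `instanceIOPSCost` assumes every cost component has a numeric `hourlyCost`; usage-based components may carry a null there (TODO confirm against the Infracost JSON), and guarding with `if cc.hourlyCost is not null {` would keep one such component from erroring the whole policy. The file has no comments; a short header describing the expected `breakdown` input and the 1500 monthly / 2.00 hourly thresholds would help whoever tunes these numbers.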