What is the difference between Policies and Policy Sets?

A policy encapsulates a specific rule which should be true of the scanned project. For example, a common policy is that s3 buckets should not be world readable to reduce the possibility of unauthorized access to their contents.

A policy set is a collection of policies which together define what is considered “acceptable security” for your projects. Policy sets are often aligned to one or more compliance standards, such as the CIS Benchmark or PCI DSS, as well as organization-specfic policies. They provide a convenient way to manage policies and associate them with projects according to the needs of the project and the risks it will face in production.