diff --git a/terraform/binary-auth.tf b/terraform/binary-auth.tf
index 3d90bed..7d74f00 100644
--- a/terraform/binary-auth.tf
+++ b/terraform/binary-auth.tf
@@ -79,8 +79,12 @@ resource "google_binary_authorization_policy" "default" {
   global_policy_evaluation_mode = "ENABLE"
 
   default_admission_rule {
-    evaluation_mode  = "ALWAYS_ALLOW"
+    evaluation_mode  = "REQUIRE_ATTESTATION"
     enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+
+    require_attestations_by = [
+      google_binary_authorization_attestor.deploy.name,
+    ]
   }
 
   depends_on = [google_project_service.binaryauthorization]
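Review bot: With the default rule now `REQUIRE_ATTESTATION` under `ENFORCED_BLOCK_AND_AUDIT_LOG`, every image the cluster pulls that has not been signed by the `deploy` attestor is rejected at admission, and nothing in this hunk exempts system, add-on or third-party images; whether the resource declares `admission_whitelist_patterns` for those above line 79 is not visible here, so please confirm before merging. Since the policy goes straight from `ALWAYS_ALLOW` to blocking, consider landing it first with `enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"` and reviewing the audit log for denials, then flipping to block once the signing pipeline covers all deployed images. Denied admissions and any break-glass deployments are logged but only useful if something alerts on them, so an alert on those log entries should accompany this change. A comment above `require_attestations_by` stating which images are expected to carry this attestation and where it is produced would help the next maintainer; the enclosing `google_binary_authorization_policy` resource starts before and ends after this hunk.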