Cloud entitlement map (PoLP / IAM)
Full workflow
Complete guide (limitations, CI, published lens): cloud-entitlements
Why use CCE
Over-permissioned IAM policies are a top cloud security risk. Manual policy reviews miss call sites buried in shared libraries, and Terraform alone does not tell you which API actions application code actually invokes.
CCE builds a code-derived entitlement map — every cloud SDK call site with provider, service, and operation — so you can right-size IAM to least privilege (PoLP).
Example command
cce -folder . -language AUTO -filter cloud -format json -output entitlements.json
Analysis recipe
This use case is registered as recipe cloud-entitlements — run with:
cce run -folder . -language AUTO -recipes cloud-entitlements -output cloud-entitlements.json