Skip to content

Cloud entitlement map (PoLP / IAM)

Full workflow

Complete guide (limitations, CI, published lens): cloud-entitlements

Why use CCE

Over-permissioned IAM policies are a top cloud security risk. Manual policy reviews miss call sites buried in shared libraries, and Terraform alone does not tell you which API actions application code actually invokes.

CCE builds a code-derived entitlement map — every cloud SDK call site with provider, service, and operation — so you can right-size IAM to least privilege (PoLP).

Example command

cce -folder . -language AUTO -filter cloud -format json -output entitlements.json

Analysis recipe

This use case is registered as recipe cloud-entitlements — run with:

cce run -folder . -language AUTO -recipes cloud-entitlements -output cloud-entitlements.json