IaC ↔ application alignment (PoLP++)
Full workflow
Complete guide (limitations, CI, published lens): iac-alignment
Why use CCE
Terraform and IAM policies often grant more than application code uses — or miss actions code actually calls. Drift between declared infrastructure permissions and observed SDK usage creates audit findings and blast-radius risk.
CCE produces the application-side entitlement map; diff that JSON against parsed IaC/IAM output in your pipeline.
Example command
cce -folder . -language AUTO -filter cloud -format json -output scan.json