Skip to content

Cloud entitlement map (PoLP / IAM)

Why use CCE

Over-permissioned IAM policies are a top cloud security risk. Manual policy reviews miss call sites buried in shared libraries, and Terraform alone does not tell you which API actions application code actually invokes.

CCE builds a code-derived entitlement map — every cloud SDK call site with provider, service, and operation — so you can right-size IAM to least privilege (PoLP).

What CCE extracts

JSON field Meaning for this use case
provider Cloud vendor (AWS, GCP, AZURE, OCI, …)
resource Service name (s3, storage, compute, …)
operation API action (GetObject, ListBuckets, …)
file / line Exact call site for policy or code review
method / signature Fully qualified method for automation

CLI wiring

Uses the built-in mapper (pkg/resourcemapper/definition/definition.yaml). Omit -mapper-file.

# Local checkout → cloud-only JSON entitlement map
cce -folder ./payments-api \
    -language AUTO \
    -filter cloud \
    -format json \
    -output entitlement-map.json

# Private GitHub repo
export GITHUB_TOKEN=ghp_xxx
cce -repo acme/payments-api -ref main \
    -language AUTO \
    -filter cloud \
    -format json \
    -output -

Container equivalent:

docker run --rm -v "$(pwd):/work/src:ro" ghcr.io/stackgenhq/cce:latest \
  -folder /work/src -language AUTO -filter cloud -format json -output -

How to read the JSON output

  • summary.by_provider — entitlement counts per cloud (dashboard input).
  • entitlements[] — one row per mapped call site; use for IAM policy generation or LLM-assisted rewrites.
  • -filter cloud — drops rows with empty provider or resource (unmapped calls).

Example row:

{
  "provider": "AWS",
  "resource": "s3",
  "operation": "GetObject",
  "file": "internal/storage/s3.go",
  "line": 87,
  "method": "github.com/aws/aws-sdk-go-v2/service/s3.GetObject"
}

CI/CD snippet

- name: Cloud entitlement scan
  run: |
    cce -folder . -language AUTO -filter cloud -format json -output entitlement-map.json
    # optional: diff against baseline or fail on new entitlements

Published lens

This use case uses the built-in mapper (omit -mapper-file). No lens YAML is published under releases; the catalog marks it as built-in only.

Known limitations

Proof status: Verified (Go, Java, Python, JS + AWS sample repos) — see KNOWN_LIMITATIONS.md (cloud-entitlements) and docs/proof.

Limitation Impact
IAM effective permissions Not computed—only code invocations are listed.
Internal SDK facades May hide real cloud APIs unless wrappers are in the lens.
Polyglot repositories Require one scan per -language (GO, JAVA, PYTHON, JAVASCRIPT).

Platform limits (CGO, languages, static analysis, mapper precedence, filters): KNOWN_LIMITATIONS.md.