Cloud entitlement map (PoLP / IAM)
Why use CCE
Over-permissioned IAM policies are a top cloud security risk. Manual policy reviews miss call sites buried in shared libraries, and Terraform alone does not tell you which API actions application code actually invokes.
CCE builds a code-derived entitlement map — every cloud SDK call site with provider, service, and operation — so you can right-size IAM to least privilege (PoLP).
What CCE extracts
| JSON field | Meaning for this use case |
|---|---|
provider |
Cloud vendor (AWS, GCP, AZURE, OCI, …) |
resource |
Service name (s3, storage, compute, …) |
operation |
API action (GetObject, ListBuckets, …) |
file / line |
Exact call site for policy or code review |
method / signature |
Fully qualified method for automation |
CLI wiring
Uses the built-in mapper (pkg/resourcemapper/definition/definition.yaml). Omit -mapper-file.
# Local checkout → cloud-only JSON entitlement map
cce -folder ./payments-api \
-language AUTO \
-filter cloud \
-format json \
-output entitlement-map.json
# Private GitHub repo
export GITHUB_TOKEN=ghp_xxx
cce -repo acme/payments-api -ref main \
-language AUTO \
-filter cloud \
-format json \
-output -
Container equivalent:
docker run --rm -v "$(pwd):/work/src:ro" ghcr.io/stackgenhq/cce:latest \
-folder /work/src -language AUTO -filter cloud -format json -output -
How to read the JSON output
summary.by_provider— entitlement counts per cloud (dashboard input).entitlements[]— one row per mapped call site; use for IAM policy generation or LLM-assisted rewrites.-filter cloud— drops rows with emptyproviderorresource(unmapped calls).
Example row:
{
"provider": "AWS",
"resource": "s3",
"operation": "GetObject",
"file": "internal/storage/s3.go",
"line": 87,
"method": "github.com/aws/aws-sdk-go-v2/service/s3.GetObject"
}
CI/CD snippet
- name: Cloud entitlement scan
run: |
cce -folder . -language AUTO -filter cloud -format json -output entitlement-map.json
# optional: diff against baseline or fail on new entitlements
Published lens
This use case uses the built-in mapper (omit -mapper-file). No lens YAML is published under releases; the catalog marks it as built-in only.
- Catalog: https://releases.stackgen.com/cce/lenses/index.json —
"cloud-entitlements": { "builtin": true }
Known limitations
Proof status: Verified (Go, Java, Python, JS + AWS sample repos) — see KNOWN_LIMITATIONS.md (cloud-entitlements) and docs/proof.
| Limitation | Impact |
|---|---|
| IAM effective permissions | Not computed—only code invocations are listed. |
| Internal SDK facades | May hide real cloud APIs unless wrappers are in the lens. |
| Polyglot repositories | Require one scan per -language (GO, JAVA, PYTHON, JAVASCRIPT). |
Platform limits (CGO, languages, static analysis, mapper precedence, filters): KNOWN_LIMITATIONS.md.
Related
- Multiple operations (e.g. S3 read + write in one function): Entitlements & IAM guide
- Lens reference (built-in):
cloud-entitlements.yaml - Pipeline overview:
modernization_use_cases.md