
A nifty trick I found for credential harvesting from EC2 instances
github.com
u/RoseSec_ — 15 hours ago

Is anyone generating SBOMs for their IaC repositories? Looking into the best way to accomplish this for compliance and curious if a tool that converts Terraform lockfiles to SPDX would be beneficial?

I just implemented Cloud Custodian across our environment with checks for unused IAM roles and users. What are your favorite use cases for the tool? Looking for cool ideas on how to use the tooling to increase security.