iac-compliance-review
Install: claude install-skill NeuralMedic-DE/claude-skills
# IaC compliance review (Terraform, verified)
Review a Terraform plan for security/compliance gaps and EU data residency, and
**prove it** — findings come from a script that parses the real plan JSON and
maps each to a control, not from eyeballing HCL.
## Core principle
**Compliance is checked, not claimed.** The loop is: review the plan → triage
findings by severity → fix the HCL → re-plan → re-review, until the gate is
green at your blocking severities.
**Be honest about scope (this is the rule that keeps the skill correct):** this
is **static plan review**. It sees declared configuration, not runtime state,
drift, data flows, or anything outside the encoded policies and the providers
covered. Control "mapping" indicates **relevance, not certified conformance**.
It is not a substitute for a CSPM tool, a penetration test, or a formal
ISO 27001 / SOC 2 audit. Never report "ISO 27001 / SOC 2 / GDPR compliant" from
a green run — report "0 blocking findings against the encoded policy catalog."
→ `references/01-scope-and-control-mapping.md`
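The review → triage → gate loop above, as an added example that is not the skill's own script: it parses a constructed `terraform show -json` plan, applies a small encoded policy catalog, flags an EU data residency gap from the provider's region, and gates on blocking severity. The plan sample, policy ids and control references are assumptions made for illustration, and only a literal (`constant_value`) provider region is handled.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the keys the checks read.
SAMPLE_PLAN = json.dumps({
    "configuration": {"provider_config": {"aws": {"expressions": {"region": {"constant_value": "us-east-1"}}}}},
    "resource_changes": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance", "change": {"actions": ["create"],
            "after": {"storage_encrypted": False, "publicly_accessible": True}}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["create"],
            "after": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {"actions": ["delete"], "after": None}},
    ],
})
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-central-2",
              "eu-north-1", "eu-south-1", "eu-south-2"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Encoded policy catalog (illustrative): (resource type, predicate over the planned "after" state,
# severity, policy id, related control). Control references mark relevance, not certified conformance.
CATALOG = [
    ("aws_db_instance", lambda a: a.get("storage_encrypted") is False,
     "high", "rds-storage-encrypted", "ISO 27001 A.8.24 / SOC 2 CC6.1"),
    ("aws_db_instance", lambda a: a.get("publicly_accessible") is True,
     "critical", "rds-not-public", "ISO 27001 A.8.20 / SOC 2 CC6.6"),
    ("aws_security_group", lambda a: any("0.0.0.0/0" in (r.get("cidr_blocks") or [])
                                          for r in (a.get("ingress") or [])),
     "high", "sg-no-world-ingress", "ISO 27001 A.8.20 / SOC 2 CC6.6"),
]

def review_plan(plan_json, eu_regions=EU_REGIONS):
    # Parse the plan JSON and return one finding per (resource, violated policy).
    plan = json.loads(plan_json)
    findings = []
    region = (plan.get("configuration", {}).get("provider_config", {}).get("aws", {})
              .get("expressions", {}).get("region", {}).get("constant_value"))  # literal region only
    if region and region not in eu_regions:  # EU data residency: provider region outside the EU
        findings.append({"address": "provider.aws", "severity": "high",
                         "policy": "eu-data-residency", "control": "GDPR Art. 44"})
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # destroyed (or wholly unknown) resource: nothing declared to review
            continue
        for rtype, pred, sev, policy, control in CATALOG:
            if rc["type"] == rtype and pred(after):
                findings.append({"address": rc["address"], "severity": sev,
                                 "policy": policy, "control": control})
    return findings

def gate_passes(findings, block_at="high"):
    # Green only when no finding sits at or above the blocking severity.
    return not any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[block_at] for f in findings)
```

Running `review_plan(SAMPLE_PLAN)` yields four findings (residency, unencrypted storage, public RDS, world-open SSH) and `gate_passes` reports red at the default `high` threshold; the deleted bucket is skipped because it has no post-apply state to check.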
## When to use vs. not
- Use for: a security/compliance review of Terraform; auditing cloud config for
public exposure, encryption, IAM least-privilege, logging; checking EU data
residency; mapping findings to ISO 27001 / SOC 2 / GDPR; gating Terraform in
CI.
- Not for: runtime/posture scanning of a live account (use a CSPM/CNAPP),
penetration testing, certifying an audit, or non-Terraform IaC the policy
catalog doesn't cover (