Ensuring security, data privacy, and regulatory compliance of software systems at cloud scale is critical yet challenging. This talk presents a static dataflow analysis engine deployed at Amazon, outlining its compositional approach to scalability and the design choices that balance high precision with soundness, as it evolved from a code-review–time vulnerability detector to verifying encryption at rest for cloud storage services, and ultimately to mapping fine-grained dataflows across services for policy enforcement. We discuss practical considerations, including how static analysis results are aggregated and used for holistic system-level reasoning.