Sentinel resources/data created outside TFCB


I am working to implement Sentinel in our infrastructure.
We need to apply some policies to check resources created outside TFCE, or to get parameters that do not appear in the tfplan/tfconfig/tfrun/tfstate files.
For example: we need to verify that if the AMI's owner is "self", then it is mandatory to have a preserver tag. In the TF data I only have the "ami_id" passed to create the EC2 from an internal module, so to check that I will need to dynamically get all AMI IDs for the account and test the value.
Or, in another example: no ingress from a SG outside the principal AWS account.

Any suggestions?

Thank you
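The second check in the post above (no security-group ingress from outside the principal account) can be expressed from plan data alone, so here is one way to write it. This is an added example, not code from the original post or from HashiCorp; it uses the tfplan/v2 import, and it assumes the AWS provider's cross-account reference form `ACCOUNT_ID/sg-xxxxxxxx` (a bare `sg-xxxxxxxx` is treated as in-account). The account ID in the `allowed_accounts` parameter is a placeholder. The AMI-owner check from the post is not covered here because the plan does not carry the AMI owner.

```sentinel
# Added example (not from the original post): fail the run when an
# aws_security_group inline ingress block or an ingress
# aws_security_group_rule references a source security group that lives in an
# AWS account outside the allowed list.
import "tfplan/v2" as tfplan
import "strings"

# Assumption: the principal account(s). Replace the placeholder or set it as a
# policy-set parameter.
param allowed_accounts default ["111111111111"]

# Managed resources of the given type that this plan creates or updates.
changed = func(type) {
	return filter tfplan.resource_changes as _, rc {
		rc.type is type and
		rc.mode is "managed" and
		(rc.change.actions contains "create" or
			rc.change.actions contains "update")
	}
}

# True when a security-group reference of the form "ACCOUNT_ID/sg-..." names
# an account that is not in allowed_accounts. Null, empty and bare "sg-..."
# references are treated as in-account.
foreign_ref = func(ref) {
	if ref is null {
		return false
	}
	if not (ref contains "/") {
		return false
	}
	return strings.split(ref, "/")[0] not in allowed_accounts
}

# aws_security_group resources whose inline ingress blocks reference a
# foreign security group. Unknown (computed) values are absent from `after`,
# hence the `else []` defaults.
inline_violations = filter changed("aws_security_group") as _, sg {
	any (sg.change.after.ingress else []) as block {
		any (block.security_groups else []) as ref {
			foreign_ref(ref else "")
		}
	}
}

# Standalone aws_security_group_rule resources of type "ingress" whose
# source_security_group_id points at a foreign security group.
rule_violations = filter changed("aws_security_group_rule") as _, r {
	r.change.after.type is "ingress" and
	foreign_ref(r.change.after.source_security_group_id else "")
}

# Report each offending resource address in the run log.
for inline_violations as address, _ {
	print("Cross-account ingress reference in inline rule of", address)
}
for rule_violations as address, _ {
	print("Cross-account ingress reference in", address)
}

main = rule {
	length(inline_violations) is 0 and
	length(rule_violations) is 0
}
```

Attach it to the workspaces in question with a hard-mandatory enforcement level if cross-account ingress must never be applied; as written it only inspects resources being created or updated, so existing groups that already reference a foreign account are not flagged until they change.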