Open-source MII tool aims to inventory and assess machine identities in AWS and CI/CD

MII: Machine Identity Intelligence — discover and risk-score IAM roles, OIDC federations, and CI/CD tokens across AWS

Released an open-source tool for a problem I kept hitting: no visibility into machine identities. CyberArk's 2025 report found machine identities outnumber humans 82:1. Every IAM role, every OIDC federation from CI/CD to AWS, every service account — they pile up with no one monitoring them. MII connects to your AWS account (read-only) and: Discovers every IAM role and trust relationship Maps them into a directed trust graph Scores each one 0-100 (admin permissions, cross-account trust, staleness, etc.) Simulates blast paths — "if this identity is compromised, what's the damage?" Measures trust debt — unnecessary permissions accumulated over time Generates remediation plans with specific AWS CLI commands Also supports GitLab CI/CD identity discovery (finds OIDC federations to AWS). Docker Compose for local dev, Terraform for AWS deployment (EC2 + CloudFront). MIT licensed: https://github.com/josephtui767-cloud/MII Happy to answer questions about the architecture or methodology.

2 hours ago

How Machine Identities The Invisible Attack Surface: Why Machine Identities Are Cloud Security's Biggest Blind Spot

And how I built an open-source platform to solve it. The Problem No One Is Talking About Here's a number that should concern every CISO: 82 to 1. That's the ratio of machine identities to human identities in modern cloud environments, according to CyberArk's 2025 Machine Identity Security Report. For every developer, engineer, or admin in your organization, there are 82 IAM roles, service accounts, CI/CD tokens, and OIDC federations operating silently in the background. These machine identities are now the #1 attack vector for cloud breaches. Not phishing. Not credential stuffing. Machine identities. Yet most security teams have zero centralized visibility into them. Why This Matters to Your Organization Let me paint a picture that exists in almost every AWS environment I've assessed: Scenario: A GitLab CI/CD pipeline has an OIDC federation to AWS. The trusted IAM role has AdministratorAccess attached. There's no branch restriction on the trust policy. Impact: Any developer with merge request access to that GitLab project can become a full AWS administrator. One compromised pipeline — one malicious merge request — and your entire cloud account is owned. This isn't theoretical. This exact pattern exists in production environments right now. And no one knows it's there because: IAM roles accumulate over years with no cleanup Trust policies are set once and never audited Cross-account relationships are invisible without deep manual investigation Compliance teams can't answer basic questions like "How many identities have admin access?" Security debt grows silently — permissions granted but never revoked The machines running your infrastructure have more power than the humans managing them. And unlike human accounts, machine identities have no MFA, no access reviews, and no one watching them. What's Missing From the Market I looked at existing tools. Here's what I found: What Exists What's Missing IAM analyzers that list permissions No trust chain visualization — who can assume whom? Static risk scores No attack simulation — what's the real-world impact? Human identity governance Machine identities ignored entirely Point-in-time audits No continuous monitoring or trend tracking AWS-only or single-platform tools No unified view across AWS + CI/CD pipelines No tool answered the fundamental question: "If this machine identity is compromised, what's the blast radius?" That's when I decided to build one. Introducing MII: Machine Identity Intelligence MII is an open-source platform purpose-built for machine identity security. It discovers, maps, risk-scores, and provides AI-powered remediation for every machine identity across your AWS accounts and CI/CD pipelines. What It Does 1. Discovery & Inventory Connects to your AWS accounts (read-only) and automatically discovers every IAM role, trust policy, attached permission, and OIDC federation. Supports AWS Organizations for enterprises with 100+ accounts. 2. Trust Graph Visualization Builds a directed graph of all trust relationships. You can finally see — visually — who can assume whom, which CI/CD pipelines can become AWS admins, and where cross-account trust creates hidden attack paths. 3. Risk Scoring (0–100) Every identity is scored using six weighted factors: Admin permissions (+35) Production access (+25) Trust relationship count (+20) Cross-account trust (+20) Staleness / age (+15) Unused status (+10) No exceptions. Every machine identity gets a score. 4. Blast Path Simulation Select any identity and simulate full compromise. MII traces every reachable identity and resource through the trust graph, producing a step-by-step attack narrative with severity assessment. This is how you answer: "What happens if our CI/CD pipeline is compromised?" 5. Trust Debt Measurement A concept I developed specifically for this domain. Like technical debt measures accumulated code shortcuts, Trust Debt measures accumulated unnecessary permissions and overprivileged trust relationships. Graded A through F. Tracked over time. Broken down by category: Admin access on CI/CD roles OIDC federations without branch restrictions Unused trust relationships Stale identities with active trust 6. Compliance Checks 8 automated policy checks aligned to IAM security best practices: No unrestricted admin access Least privilege principle OIDC branch restrictions Cross-account ExternalId requirement No wildcard trust policies MFA for production access Identity lifecycle management No stale identities Each check produces pass/fail evidence with specific failing identities — ready for audit. 7. AI-Powered Remediation Integrated with OpenAI (or any compatible provider including Azure OpenAI and local Ollama). For any risky identity, get: Plain English explanation of why it's dangerous Step-by-step remediation plan Specific AWS CLI commands to fix it Terraform code for infrastructure-as-code teams 8. Report Export Every view exports to PDF, Markdown, or Excel. Built for the reality that security findings need to travel — to management, to audit, to engineering teams. The Architecture Built with production readiness in mind: Backend: FastAPI (Python 3.11) + SQLAlchemy + NetworkX for graph operations Frontend: React 18 + TypeScript + React Flow for graph visualization + Tailwind CSS Database: PostgreSQL 15 Infrastructure: Terraform (AWS EC2 + S3 + CloudFront) AI: Any OpenAI-compatible API (including free local inference via Ollama) CI/CD: GitHub Actions (GitLab CI/CD also supported) The platform is entirely read-only — it never mutates your AWS resources or stores credentials. Only identity metadata and relationship data. Who This Is For Security Engineers: Stop manually spelunking through IAM consoles. Get prioritized findings with copy-paste remediation commands. Simulate attack paths before they're exploited. Security Leaders / CISOs: Executive dashboard with quantified risk metrics. Compliance scores for board reporting. Track improvement trends over sprint cycles. Platform / DevOps Teams: Understand which CI/CD roles are overprivileged. Get Terraform snippets to fix trust policies. Identify and remove unused service roles. Compliance & Audit: Automated policy checks with exportable evidence. Identity ownership tracking. Stale identity identification for access reviews. Why Open Source? Machine identity security shouldn't be a luxury that only enterprises with six-figure tooling budgets can afford. Every organization running AWS with CI/CD pipelines has this problem. The attack surface is there whether you can see it or not. By making MII open-source: Security teams can deploy it today with docker-compose up The methodology is transparent and auditable The community can extend it (GitHub collector, Azure support, etc.) No vendor lock-in, no per-seat pricing, no sales calls Getting Started git clone https://github.com/josephtui767-cloud/MII.git cd MII cp .env.example .env # Set your AWS account ID and credentials docker-compose up --build Five minutes to deployment. Your first discovery scan reveals what's been invisible. What's Next This is version 1. The roadmap includes: GitHub Actions identity collector Azure AD / Entra ID support Slack/Teams notifications for new critical findings Scheduled scanning with drift detection Terraform module in the Terraform Registry SBOM-style export for identity inventories Contributions welcome. The codebase is designed to be extended — adding a new collector or compliance check is straightforward. The Takeaway Machine identities are the largest, fastest-growing, and least-monitored attack surface in cloud environments. They outnumber humans 82:1 and they're the path attackers use to move laterally through your infrastructure. You can't secure what you can't see. MII makes them visible. GitHub: https://github.com/josephtui767-cloud/MII If you're dealing with IAM sprawl, trust policy complexity, or CI/CD security questions — I'd love to hear about your challenges. Drop a comment or reach out directly. CloudSecurity #IAM #DevSecOps #OpenSource #MachineIdentity #CyberSecurity #AWS #CICD #TrustGraph #SecurityEngineering

2 hours ago