Fetching latest headlines…
[Open Source] Built a tool to discover and risk-score all IAM roles + OIDC trust relationships across AWS accounts
NORTH AMERICA
🇺🇸 United StatesJune 29, 2026

[Open Source] Built a tool to discover and risk-score all IAM roles + OIDC trust relationships across AWS accounts

0 views0 likes0 comments
Originally published byDev.to

If you're running multiple AWS accounts, you probably have hundreds of IAM roles with trust policies you've never audited. I built MII to solve this.

What it does:

Scans all IAM roles across your AWS accounts (read-only, uses IAMReadOnlyAccess)
Parses trust policies to find OIDC federations, cross-account trust, wildcard principals
Builds a graph of "who can assume whom"
Scores every role based on risk factors (admin access + OIDC = critical)
Simulates attack paths through the trust chain
Supports AWS Organizations for auto-discovering all accounts
Findings it catches:

OIDC role with AdministratorAccess (any CI/CD pipeline = full admin)
Cross-account trust without ExternalId (confused deputy)
Wildcard principals in trust policies (any AWS identity worldwide can assume)
Unused roles with active trust policies (dormant backdoors)
Self-hosted, MIT licensed, Docker Compose to get started in 5 minutes.

https://github.com/josephtui767-cloud/MII

Comments (0)

Sign in to join the discussion

Be the first to comment!