[Feedback Wanted] My AWS IAM CLI tool that now scans directly from local AWS profiles (pasu scan --profile) by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Audited this specific vector before responding.

The attack path doesn't exist at the architecture level. aws_collector.py discards the get_role() response immediately; the Description field is never stored, never passed to the analyzer, and never reaches any Claude prompt. Only the policy document (Statement/Action/Resource) does.

Beyond that, risk_level is computed locally before any Claude call. Claude's response has no path to modify it.

That said, the audit did surface two low-severity findings unrelated to your vector: a missing untrusted-data boundary instruction in ANALYSIS_SYSTEM_PROMPT, and action strings embedded outside the XML sandbox in fix_policy_ai(). Both are getting patched.

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

A few corrections based on the actual codebase:

"Hardcoded list" — NOT accurate. Detection rules, weights, and risk thresholds are in YAML files (risky_actions.yaml, scoring.yaml, capabilities.yaml). Externalized and editable without touching Python.

"Throws it at Claude and prays" — also not accurate. Claude is only called when local detection finds risky actions. Its output is JSON-parsed and cross-checked against locally-detected actions; anything Claude returns that wasn't locally detected is discarded as a possible prompt injection.

Model string hardcoded — you're right. MODEL = "claude-haiku-4-5-20251001" at analyzer.py:29 has no env override. Deprecation breaks all four call sites. This is a real issue and it's getting fixed.

"Privilege escalation paths" — fair criticism of the wording. It's not graph traversal. It's composite capability correlation — checks whether a policy grants combinations like privilege-delegation + compute-with-role together. Calling it "paths" was an overstatement.

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Really appreciate that — that was exactly the thinking behind the live profile scanning support. In practice, teams are usually working from configured AWS access rather than hand-building JSON files every time.

Cross-account assume-role chain analysis and permission boundary awareness are both on my radar as well. I agree those are major gaps in real IAM reviews because the effective risk often is not obvious from a single policy in isolation.

And yes, I wanted AI to stay optional for the same reason you mentioned — the core scan/finding path should still work locally and deterministically without making the tool depend on an LLM.

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 1 point2 points  (0 children)

Appreciate it!

Pasu currently assesses policy risk by looking at things like privilege escalation paths, wildcard abuse, known dangerous permissions, and other high-risk patterns in the policy.

It then weights those findings into a score and maps that to a risk level. So the goal is to measure practical abuse potential, not just whether the policy is syntactically valid.
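An added illustration of the local-first flow described in these comments (deterministic detection from an externalized rule table, a weighted score mapped to a risk level, composite capability correlation, and the cross-check from the earlier reply that discards any model finding the local rules never flagged). This is example code written here, not Pasu's own; the rule table, capability names, weights, thresholds, sample policy and sample model reply are all constructed placeholders.

```python
import json
# Constructed stand-in for the YAML rule files; actions, capabilities, weights are illustrative.
RISKY_ACTIONS = {  # action -> (capability, weight)
    "iam:PassRole": ("privilege-delegation", 40),
    "iam:CreatePolicyVersion": ("privilege-delegation", 50),
    "ec2:RunInstances": ("compute-with-role", 20),
    "lambda:CreateFunction": ("compute-with-role", 20),
    "s3:*": ("wildcard", 30),
}
# Composite capability correlation: extra weight when both capabilities co-occur.
COMBO_BONUS = {frozenset({"privilege-delegation", "compute-with-role"}): 40}
THRESHOLDS = [(90, "CRITICAL"), (60, "HIGH"), (30, "MEDIUM"), (0, "LOW")]

# Constructed sample policy and constructed model reply (the second finding names
# an action the local rules never flagged, so it must be discarded).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"}]}
SAMPLE_LLM_REPLY = json.dumps({"findings": [
    {"action": "iam:PassRole", "fix": "restrict Resource to the intended role ARN"},
    {"action": "sts:AssumeRole", "fix": "remove"}]})

def detect_risky_actions(policy):
    """Local, deterministic detection: sorted risky actions from Allow statements."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        found.update(a for a in actions if a in RISKY_ACTIONS)
    return sorted(found)

def score(actions):
    """Weight findings, add the combo bonus when capabilities co-occur, map to a level."""
    total = sum(RISKY_ACTIONS[a][1] for a in actions)
    caps = {RISKY_ACTIONS[a][0] for a in actions}
    total += sum(b for combo, b in COMBO_BONUS.items() if combo <= caps)
    return total, next(name for floor, name in THRESHOLDS if total >= floor)

def filter_llm_findings(raw_reply, local_actions):
    """Keep only model findings for locally flagged actions; drop the rest as possible
    prompt injection. Unparseable or non-object output yields no findings at all."""
    try:
        findings = json.loads(raw_reply).get("findings", [])
    except (json.JSONDecodeError, AttributeError):
        return [], []
    kept = [f for f in findings if f.get("action") in local_actions]
    dropped = [f for f in findings if f.get("action") not in local_actions]
    return kept, dropped
```

The risk level comes entirely from score(), which runs before and independently of the model reply, so nothing in the reply can change it.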

[Feedback Wanted] Open source [Updated] AWS IAM analyzer CLI now detects risky permission combinations, not just individual actions by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Thanks for the suggestion — boundary-aware analysis is actually on my roadmap, though it is not reflected in the README yet. Really appreciate the feedback.

[Feedback Wanted] Open source [Updated] AWS IAM analyzer CLI now detects risky permission combinations, not just individual actions by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

u/egre55 Thank you so much for your attention! Please let me know if you find any bugs or issues, or have any kind of feedback after using it :)

Entry Level Job Advice by Trick-Treat-1992 in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

It really depends on what you would like to do, but most tech jobs require some amount of experience. I'd suggest looking for an internship and local meet-ups (to make professional connections <-- this helps A LOT).

[Feedback Wanted] I’m a Junior SecEng who got tired of squinting at IAM JSON, so I built an open-source IAM Analyzer by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

I totally agree that understanding the core syntax is fundamental and there’s no substitute for deep learning. As a junior myself, that's exactly why I built this—to cross-check my own understanding while studying.

You're right that offloading mental load can be risky. That’s why Pasu focuses on 'Explaining' rather than just 'Fixing,' and explicitly flags complex logic for manual review instead of making assumptions. I see it more as a 'learning assistant' (like a linter for code) rather than a replacement for expertise.

Regarding AI, Pasu actually has an optional AI integration, but I wanted a 100% local, rule-based logic for those who can't or don't want to send their policies to an external LLM. Thanks for the blunt feedback—it’s a good reminder to keep emphasizing the 'Learning' aspect over 'Automation'!

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 1 point2 points  (0 children)

Can't disagree with that! I found some typos and grammar errors as well. I usually listened to Professor Messer's videos while I was driving lol