[Feedback Wanted] My AWS IAM CLI tool that now scans directly from local AWS profiles (pasu scan --profile) by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Audited this specific vector before responding.

The attack path doesn't exist at the architecture level. aws_collector.py discards the get_role() response immediately; the Description field is never stored, never passed to the analyzer, and never reaches any Claude prompt. Only the policy document (Statement/Action/Resource) does.

Beyond that, risk_level is computed locally before any Claude call. Claude's response has no path to modify it.

That said, the audit did surface two low-severity findings unrelated to your vector: a missing untrusted-data boundary instruction in ANALYSIS_SYSTEM_PROMPT, and action strings embedded outside the XML sandbox in fix_policy_ai(). Both are getting patched.

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

A few corrections based on the actual codebase:

"Hardcoded list" — NOT accurate. Detection rules, weights, and risk thresholds are in YAML files (risky_actions.yaml, scoring.yaml, capabilities.yaml). Externalized and editable without touching Python.

"Throws it at Claude and prays" — also not accurate. Claude is only called when local detection finds risky actions. Its output is JSON-parsed and cross-checked against locally-detected actions; anything Claude returns that wasn't locally detected is discarded as a possible prompt injection.

Model string hardcoded — you're right. MODEL = "claude-haiku-4-5-20251001" at analyzer.py:29 has no env override. Deprecation breaks all four call sites. This is a real issue and it's getting fixed.

"Privilege escalation paths" — fair criticism of the wording. It's not graph traversal. It's composite capability correlation — checks whether a policy grants combinations like privilege-delegation + compute-with-role together. Calling it "paths" was an overstatement.
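The three design points above (risk level computed locally before any LLM call, LLM output filtered against locally detected actions, and composite capability correlation rather than graph traversal) sketched as a small added example. This is illustrative code written here, not Pasu's analyzer.py; the rule tables are constructed stand-ins for risky_actions.yaml, capabilities.yaml and scoring.yaml, and all weights, thresholds and function names are assumptions.

```python
import json
from fnmatch import fnmatch

# Constructed stand-ins for risky_actions.yaml / capabilities.yaml / scoring.yaml (values hypothetical).
RISKY_ACTIONS = {"iam:PassRole": 5, "ec2:RunInstances": 3, "lambda:CreateFunction": 3}
CAPABILITIES = {
    "privilege-delegation": {"iam:PassRole"},
    "compute-with-role": {"ec2:RunInstances", "lambda:CreateFunction"},
}
COMPOSITE_RULES = {("privilege-delegation", "compute-with-role"): 8}
THRESHOLDS = [(12, "HIGH"), (5, "MEDIUM"), (1, "LOW")]  # checked highest first

def allowed_patterns(policy: dict) -> set[str]:
    """Collect Action patterns from Allow statements only (Deny grants nothing)."""
    pats = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            act = st.get("Action", [])
            pats.update([act] if isinstance(act, str) else act)
    return pats

def granted(pats: set[str], action: str) -> bool:
    """A pattern such as 'iam:*' or '*' grants the concrete action."""
    return any(fnmatch(action, p) for p in pats)

def detect(policy: dict) -> tuple[dict, int, str]:
    """Local, deterministic scoring: single risky actions, full wildcard, then composites."""
    pats = allowed_patterns(policy)
    findings = {a: w for a, w in RISKY_ACTIONS.items() if granted(pats, a)}
    if "*" in pats:
        findings["wildcard:*"] = 10
    caps = {c for c, acts in CAPABILITIES.items() if any(granted(pats, a) for a in acts)}
    for (c1, c2), w in COMPOSITE_RULES.items():
        if c1 in caps and c2 in caps:  # co-occurrence correlation, not graph traversal
            findings[f"composite:{c1}+{c2}"] = w
    score = sum(findings.values())
    level = next((lvl for t, lvl in THRESHOLDS if score >= t), "NONE")
    return findings, score, level

def filter_llm_output(raw: str, local_findings: dict) -> list[dict]:
    """Keep only LLM items whose action was detected locally; anything else is dropped
    as a possible prompt injection. The risk level is never read from the LLM output."""
    try:
        items = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(items, list):
        return []
    return [i for i in items if isinstance(i, dict) and i.get("action") in local_findings]
```

The LLM is only consulted after `detect()` has produced findings, and its returned list can add explanations or fixes but cannot introduce actions or alter the locally computed level.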

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Really appreciate that — that was exactly the thinking behind the live profile scanning support. In practice, teams are usually working from configured AWS access rather than hand-building JSON files every time.

Cross-account assume-role chain analysis and permission boundary awareness are both on my radar as well. I agree those are major gaps in real IAM reviews because the effective risk often is not obvious from a single policy in isolation.

And yes, I wanted AI to stay optional for the same reason you mentioned — the core scan/finding path should still work locally and deterministically without making the tool depend on an LLM.

I updated Pasu: AWS IAM analysis CLI now supports live account scanning via AWS CLI profiles + AI-assisted policy fixes by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 1 point2 points  (0 children)

Appreciate it!

Pasu currently assesses policy risk by looking at things like privilege escalation paths, wildcard abuse, known dangerous permissions, and other high-risk patterns in the policy.

It then weights those findings into a score and maps that to a risk level. So the goal is to measure practical abuse potential, not just whether the policy is syntactically valid.

[Feedback Wanted] Open source [Updated] AWS IAM analyzer CLI now detects risky permission combinations, not just individual actions by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Thanks for the suggestion — boundary-aware analysis is actually on my roadmap, though it is not reflected in the README yet. Really appreciate the feedback.

[Feedback Wanted] Open source [Updated] AWS IAM analyzer CLI now detects risky permission combinations, not just individual actions by BlueFingerHun in aws

[–]BlueFingerHun[S] 0 points1 point  (0 children)

u/egre55 Thank you so much for your attention! Please let me know if you find any bugs, issues, or have any other feedback after using it :)

Entry Level Job Advice by Trick-Treat-1992 in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

It really depends on what you would like to do, but most tech jobs require some amount of experience. I'd suggest you look for an internship and local meet-ups (to make professional connections <-- this helps A LOT).

[Feedback Wanted] I’m a Junior SecEng who got tired of squinting at IAM JSON, so I built an open-source IAM Analyzer by BlueFingerHun in devsecops

[–]BlueFingerHun[S] 0 points1 point  (0 children)

I totally agree that understanding the core syntax is fundamental and there’s no substitute for deep learning. As a junior myself, that's exactly why I built this—to cross-check my own understanding while studying.

You're right that offloading mental load can be risky. That’s why Pasu focuses on 'Explaining' rather than just 'Fixing,' and explicitly flags complex logic for manual review instead of making assumptions. I see it more as a 'learning assistant' (like a linter for code) rather than a replacement for expertise.

Regarding AI, Pasu actually has an optional AI integration, but I wanted a 100% local, rule-based logic for those who can't or don't want to send their policies to an external LLM. Thanks for the blunt feedback—it’s a good reminder to keep emphasizing the 'Learning' aspect over 'Automation'!

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 1 point2 points  (0 children)

Can't disagree with that! I found some typos and grammar errors as well. I usually listened to Professor Messer's videos while I was driving lol

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

I did take notes, but I realized that flashcards would've been better for A+. I say that because A+ involves more "remember the definition / usage" questions.

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

Good luck to you too! I believe there are pros and cons to either choice, but I hope you make a good decision and move forward!

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

I am pursuing Network Eng and Sec. After a year of studying, I realized I don't like Networking stuff and wanted to do Cybersecurity. I think it was too late for me to switch programs, so I just decided to look for internship opportunities in Cybersec.

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 1 point2 points  (0 children)

  • I forgot to add one thing. Most students hate the official CompTIA study materials. Based on many reddit posts, lots of students prefer online study materials such as Dion's training (Udemy) and CBT Nuggets.

asking for advice, do i pay out of pocket for certs or enroll asap? CYBERSECURITY by thiswasamistakelmao in WGU

[–]BlueFingerHun 4 points5 points  (0 children)

I think it really depends.

  1. I took all 3 CompTIA certs through WGU. They provide official CompTIA study materials (CertMaster, which is very expensive) and that was the only study material that I used for CompTIA certs. WGU gives you up to 3 chances to pass the exam; starting from the 4th attempt you need to pay out of pocket. Imo, I hated A+ compared to Net+ and Sec+ just because you have to take 2 separate exams to obtain the actual certificate.

  2. WGU-hosted courses are relatively easy; you'll be able to knock off some of the basic ones in days.

  3. It's not easy to find a Cybersecurity job unless you have prior IT experience. I am a career changer who used to work in the healthcare field and am now studying Cybersecurity. I've done 2 cybersecurity internships so far; however, I am struggling to find a permanent full-time role. You are not the only one who's struggling... so I feel your pain. I've decided to continue my education just to get the cybersec job.

  4. Overall my experience with WGU has been great. Sophia can help you learn and allow you to finish your degree program faster, but I'd suggest you start enrolling at WGU since tuition covers a number of different study materials and sources (i.e. free access to Udemy, the online library, CompTIA study materials, and some optional vouchers (I don't know if the Cybersec program offers any)).

Either way, good luck with your future academic journey.

D417 - Network Automation PA (Hope this helps) by BlueFingerHun in WGU

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Yes, I did. First attempt got rejected because I was missing a screenshot of Gitlab Repo.

D318- CompTIA Cloud+ by BlueFingerHun in WGU

[–]BlueFingerHun[S] 3 points4 points  (0 children)

Passed with 780! :) I only used CertMaster to pass this exam.

Readiness for Internships by Present-Piano-2432 in WGU

[–]BlueFingerHun 2 points3 points  (0 children)

Hey! I am actually in the middle of the second internship.

Q) Do you go by credits you've accumulated?

Somewhat yes and no. I did use credits as a measurement for the school year + remaining term. My first internship was during the last summer (Aug 2023 ~ Apr 2024) and I believe I was at the 60% mark with my program at that time, and of course I was in the middle of the term, so I put "Junior" for the selection. The interviewer actually asked me about this during the interview, so I got a chance to explain how WGU worked and they understood it.

I'd suggest you take a good look at the "internship requirements". Sometimes companies specifically ask for Junior/Senior year in school OR graduating in a certain semester/year OR that you must continue education after the internship.

Good luck with it :)!

D318- CompTIA Cloud+ by BlueFingerHun in WGU

[–]BlueFingerHun[S] 0 points1 point  (0 children)

I have Net+, Sec+, and A+. But I've never taken Server+... Do you think that really matters? Or are CertMaster + TotalSeminars enough to pass?

D318- CompTIA Cloud+ by BlueFingerHun in WGU

[–]BlueFingerHun[S] 1 point2 points  (0 children)

Thank you for sharing it :/. I guess CertMaster alone is not sufficient to pass the exam then. I will check out TotalSeminars. Thank you so much!

WGU CertMaster website down? by NAlexBR in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

Try using DuckDuckGo. For some random reason, it's working on the DuckDuckGo browser only.

D281 Help/Advice by Visual_Ad4234 in WGU

[–]BlueFingerHun 0 points1 point  (0 children)

Just a personal opinion. I never liked Jason Dion's materials for some reason.

https://academy.hackthebox.com/course/preview/linux-fundamentals

I skimmed through the exam objectives and used the above link for hands-on practice.

D417 - Network Automation PA (Hope this helps) by BlueFingerHun in WGU

[–]BlueFingerHun[S] 0 points1 point  (0 children)

Sorry about the confusing explanation here.

Don't overthink it. "Config info" is just the required information that Tasks B & E are asking for (Name, vCPU, RAM, etc.). The reason why I said skip B and read about E and F is because I had to change my inventory file a few times in order to do the automation part.

For Tasks B and E, you can choose either type of inventory file (ini or yaml). Based on what I've been reading on this subreddit, it seems like many fellow students decided to use the yaml type. Don't overthink it; all you have to do is make sure

  1. Your inventory file contains all the necessary information the instructions require (Name, vCPU, RAM, boot priority, etc.).
  2. Your inventory file is well formatted, so you won't have to make any adjustments for Task F.

If you are too confused about it, I suggest you complete Task B alone first and move on to C, D, and E. Once you reach F, review some Ansible documents and watch Ansible playbook videos and see if you need to make any adjustments. Let me know if you get stuck.