We're excited to launch the TrustFix blog. This is where we'll share our research on OIDC security, AWS IAM misconfigurations, and the evolving landscape of non-human identity (NHI) security.
Why We Built TrustFix
GitHub Actions OIDC federation with AWS is one of the most powerful, and most misconfigured, authentication patterns in modern DevOps. A trust policy that omits the sub condition does not merely open a role to your own organization: any GitHub Actions workflow in any repository on GitHub can request a token from the same issuer and assume the production role.
We built TrustFix to detect these misconfigurations automatically and generate Terraform fix PRs using AI.
What We'll Cover
Here's what you can expect from this blog:
Security Research
Deep dives into real-world IAM misconfigurations we've observed across thousands of AWS accounts. We'll break down the attack vectors, explain why they happen, and show you how to fix them.
Technical Guides
Step-by-step tutorials on securing your GitHub Actions workflows, writing least-privilege IAM policies, and implementing OIDC federation correctly.
```hcl
# Example: a properly configured OIDC trust policy.
# Both conditions matter: aud pins the audience the token was minted for,
# sub pins the exact repository and branch that may assume the role.
resource "aws_iam_role" "github_actions" {
  name = "github-actions-deploy"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          "token.actions.githubusercontent.com:sub" = "repo:your-org/your-repo:ref:refs/heads/main"
        }
      }
    }]
  })
}
```
Product Updates
New features, detection capabilities, and integrations as we continue building the most comprehensive NHI security platform.
The 13 Finding Types
TrustFix currently detects 13 distinct types of IAM misconfigurations across four categories: GitHub Actions OIDC trust policies, overprivileged CI/CD roles, AI agent identities, and cross-account / static-credential patterns.
| # | Finding Type | Severity | Description |
|---|---|---|---|
| 1 | Missing Sub Condition | CRITICAL | No sub claim condition on the OIDC trust policy — any repo in any GitHub org can assume the role |
| 2 | Overly Broad Trust | CRITICAL | StringLike with wildcards (repo:*:*, repo:myorg/*) in the sub condition matches unintended repositories |
| 3 | Missing Audience Condition | HIGH | No aud claim condition in the trust policy: the only remaining audience check is the OIDC provider's client ID list, so a token minted for any client ID on that list is accepted |
| 4 | Fork PR Risk | HIGH | Workflow grants id-token: write on the pull_request trigger — a fork PR can mint an OIDC token and assume the role |
| 5 | Wildcard Environment | HIGH | environment:* wildcard in the sub claim bypasses GitHub Environment protection rules and required reviewers |
| 6 | Expired OIDC Provider | MEDIUM | Stale OIDC provider thumbprint, or provider deleted entirely — role trusts an obsolete certificate |
| 7 | Overprivileged CI/CD Role | HIGH | Role grants permissions broader than what the attached workflows actually use (measured against 90 days of CloudTrail activity) |
| 8 | Admin Access in CI/CD | CRITICAL | AdministratorAccess or equivalent Action: "*" / Resource: "*" attached to a CI/CD role |
| 9 | AI Agent Overprivileged | CRITICAL | LLM or AI agent role granted broad bedrock:*, s3:*, or secretsmanager:* permissions — prompt injection becomes data exfiltration |
| 10 | AI Agent Missing Scope | HIGH | AI agent trust policy missing scope/tool-restriction conditions — the agent can assume authority beyond its task surface |
| 11 | Cross-Account Trust: Missing ExternalId | HIGH | Cross-account sts:AssumeRole trust lacks the sts:ExternalId condition — classic AWS confused-deputy vulnerability |
| 12 | Cross-Account Trust: Wildcard Principal | CRITICAL | Trust policy allows Principal: "*" or arn:aws:iam::*:root — any AWS account on Earth can assume the role |
| 13 | GitHub Static Credentials | HIGH | GitHub Actions workflow uses long-lived AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets instead of OIDC federation |
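As an added example (not TrustFix's code), here is a small Python checker for the subset of these findings that can be decided from a role's trust policy alone: 1, 2, 3, 11 and 12. It takes the JSON of an assume_role_policy, normalises the places where IAM accepts either a string or a list, and returns one finding per problem tagged with the table's number. The sample policies, the account IDs and the function names are constructed for this example; the "fixed" sample is the trust policy from the Terraform example above rendered as JSON.

```python
"""Trust-policy checks for finding types 1, 2, 3, 11 and 12 from the table above.
Added example, not TrustFix's code: it inspects one role's assume_role_policy JSON and
leaves out findings that need workflow files, CloudTrail or attached permission policies."""
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC_HOST + ":sub"
AUD_KEY = GITHUB_OIDC_HOST + ":aud"


def _as_list(value):
    """IAM accepts a bare string or a list in most positions; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principals(statement, kind):
    """Values under Principal[kind] ('AWS' or 'Federated'); Principal may be the bare string '*'."""
    principal = statement.get("Principal")
    return _as_list(principal.get(kind)) if isinstance(principal, dict) else []


def _condition_values(condition, key):
    """(operator, value) pairs bound to one condition key; IAM keys are case-insensitive."""
    found = []
    for operator, pairs in (condition or {}).items():
        for cond_key, values in pairs.items():
            if cond_key.lower() == key.lower():
                found.extend((operator, v) for v in _as_list(values))
    return found


def _sub_too_broad(operator, value):
    """Finding 2: a StringLike sub whose owner/repo segment holds a wildcard.
    'repo:org/repo:ref:refs/heads/*' stays pinned to one repo and is not flagged;
    'repo:*:*', 'repo:myorg/*' and a bare '*' are. StringEquals treats '*' literally."""
    if not operator.endswith("StringLike"):
        return False
    parts = value.split(":", 2)  # 'repo' : 'owner/name' : remainder
    if len(parts) < 2 or parts[0] != "repo":
        return True
    return any(ch in parts[1] for ch in "*?")


def check_trust_policy(policy_json, account_id=None):
    """One finding dict per problem, tagged with the table's finding number.
    account_id is the role's own account; without it the ExternalId check (11) is skipped."""
    findings = []
    for idx, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions, cond = _as_list(st.get("Action")), st.get("Condition", {})
        def add(num, severity, detail):
            findings.append({"id": num, "severity": severity, "statement": idx, "detail": detail})
        if "sts:AssumeRoleWithWebIdentity" in actions and any(
                GITHUB_OIDC_HOST in arn for arn in _principals(st, "Federated")):
            subs = _condition_values(cond, SUB_KEY)
            if not subs:
                add(1, "CRITICAL", "no sub condition: any repository on GitHub can assume this role")
            for op, val in subs:
                if _sub_too_broad(op, val):
                    add(2, "CRITICAL", f"{op} sub pattern {val!r} matches other repositories")
            if not _condition_values(cond, AUD_KEY):
                add(3, "HIGH", "no aud condition: only the provider's client ID list limits the audience")
        if "sts:AssumeRole" in actions:
            aws = _principals(st, "AWS")
            if st.get("Principal") == "*" or "*" in aws or "arn:aws:iam::*:root" in aws:
                add(12, "CRITICAL", "wildcard principal: any AWS account can assume this role")
            elif account_id and not _condition_values(cond, "sts:ExternalId"):
                # arn:partition:iam::ACCOUNT:... -> the account ID is the fifth colon-separated field
                foreign = [a for a in aws if a.count(":") >= 5 and a.split(":")[4] != account_id]
                if foreign:
                    add(11, "HIGH", f"cross-account trust of {foreign} without sts:ExternalId")
    return findings


GITHUB_PROVIDER = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST
# Constructed sample: three of the table's anti-patterns in one trust policy (placeholder account IDs).
VULNERABLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": GITHUB_PROVIDER},  # findings 2 and 3
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringLike": {SUB_KEY: "repo:myorg/*"}}},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},  # finding 12
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},  # finding 11
     "Action": "sts:AssumeRole"},
]})

# The trust policy from the Terraform example above, as JSON; no findings expected.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": GITHUB_PROVIDER},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                    SUB_KEY: "repo:your-org/your-repo:ref:refs/heads/main"}}},
]})

if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        for f in check_trust_policy(policy, account_id="123456789012"):
            print(name, f["id"], f["severity"], f["detail"])
```

Two design choices are worth spelling out. The StringLike check only flags a wildcard in the owner/repo segment of the sub claim: `repo:your-org/your-repo:ref:refs/heads/*` still pins the role to one repository, so it is left to finding 5 (environment wildcard) and to your branch policy rather than reported as finding 2. The ExternalId check needs the role's own account ID to tell a same-account trust from a third-party one, which is why it only runs when `account_id` is passed. Findings 4, 5 and 13 need the workflow YAML, 7 needs CloudTrail, and 8 to 10 need the role's attached permission policies, none of which a trust policy alone can answer.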
Tip: Request access to scan your AWS accounts at trustfix.dev — TrustFix is invitation-only while we onboard our first customers.
Stay Updated
Subscribe to our newsletter to get new posts delivered to your inbox. We publish 2-3 times per month, always focused on actionable security research.
