We're excited to launch the TrustFix blog. This is where we'll share our research on OIDC security, AWS IAM misconfigurations, and the evolving landscape of non-human identity (NHI) security.
Why We Built TrustFix
GitHub Actions OIDC federation with AWS is one of the most powerful — and most misconfigured — authentication patterns in modern DevOps. A single missing `sub` (subject) condition in an IAM trust policy can allow any repository in your GitHub organization to assume a production role.
We built TrustFix to detect these misconfigurations automatically and generate Terraform fix PRs using AI.
What We'll Cover
Here's what you can expect from this blog:
Security Research
Deep dives into real-world IAM misconfigurations we've observed across thousands of AWS accounts. We'll break down the attack vectors, explain why they happen, and show you how to fix them.
Technical Guides
Step-by-step tutorials on securing your GitHub Actions workflows, writing least-privilege IAM policies, and implementing OIDC federation correctly.
```hcl
# Example: A properly configured OIDC trust policy
resource "aws_iam_role" "github_actions" {
  name = "github-actions-deploy"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          # Only tokens minted for STS as the audience are accepted
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # Only the main branch of one specific repository can assume this role
          "token.actions.githubusercontent.com:sub" = "repo:your-org/your-repo:ref:refs/heads/main"
        }
      }
    }]
  })
}
```
Product Updates
New features, detection capabilities, and integrations as we continue building the most comprehensive NHI security platform.
The 10 Finding Types
TrustFix currently detects 10 distinct types of IAM misconfigurations:
| Finding Type | Severity | Description |
|---|---|---|
| Missing Sub Condition | CRITICAL | No repository restriction on OIDC trust |
| Overly Broad Trust | CRITICAL | Wildcard patterns in trust policy |
| Fork/PR Risk | HIGH | Workflows from forks can assume role |
| Missing Audience | MEDIUM | No aud claim verification |
| Expired OIDC Provider | CRITICAL | Stale or unknown OIDC provider |
| Admin OIDC Role | CRITICAL | Admin-level role with OIDC trust |
| Overprivileged Role | HIGH | Excessive permissions attached |
| Wildcard Environment | MEDIUM | No environment restriction |
| AI Agent Overprivileged | CRITICAL | AI/ML role with broad permissions |
| AI Agent Missing Scope | HIGH | AI role without scope conditions |
Tip: You can scan your AWS accounts for free at trustfix.dev. Detection is free forever — no credit card required.
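To make the first four finding types in the table concrete, here is a small checker for a GitHub OIDC trust policy document. It is an added example written for this post, not TrustFix's own detection code; the sample policy, the `github_trust_policy` helper and the check heuristics are constructed for illustration and assume the standard `token.actions.githubusercontent.com` provider and the `aud`/`sub` condition keys shown in the Terraform example above.

```python
import json

GH_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = GH_ISSUER + ":sub"
AUD_KEY = GH_ISSUER + ":aud"


def github_trust_policy(condition):
    """Build a trust-policy document for the GitHub OIDC provider with the given Condition block."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GH_ISSUER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })

# Constructed weak sample: every repo in the org, any ref or PR, and no aud check.
WEAK_POLICY = github_trust_policy({"StringLike": {SUB_KEY: "repo:your-org/*"}})


def _claims(condition):
    # Flatten {operator: {key: value-or-list}} into {key: (operator, [values])}.
    return {key: (op, vals if isinstance(vals, list) else [vals])
            for op, keys in condition.items() for key, vals in keys.items()}


def check_trust_policy(policy_json):
    """Return the finding types (names from the table above) raised by a trust policy."""
    findings = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or GH_ISSUER not in str(federated):
            continue  # only GitHub OIDC statements are in scope here
        claims = _claims(stmt.get("Condition", {}))
        if SUB_KEY not in claims:
            findings.add("Missing Sub Condition")  # any GitHub repo could assume the role
        else:
            operator, values = claims[SUB_KEY]
            globbing = "StringLike" in operator  # '*' is only a wildcard for *Like operators
            for value in values:
                parts = value.split(":", 2)  # "repo" : "org/name" : ref / environment / pull_request
                repo = parts[1] if len(parts) > 1 else "*"
                rest = parts[2] if len(parts) > 2 else "*"
                if globbing and ("*" in parts[0] or "*" in repo):
                    findings.add("Overly Broad Trust")  # wildcard in the org/repo part
                if "pull_request" in rest or (globbing and rest == "*"):
                    findings.add("Fork/PR Risk")  # pull_request subjects also match
        if AUD_KEY not in claims:
            findings.add("Missing Audience")  # a token minted for another audience is accepted
    return sorted(findings)
```

Run `check_trust_policy` over the `assume_role_policy` JSON of each role that trusts the GitHub provider; an empty list means none of these four checks fired.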
Stay Updated
Subscribe to our newsletter to get new posts delivered to your inbox. We publish 2-3 times per month, always focused on actionable security research.
