explaingit

josephtui767-cloud/mii

Analysis updated 2026-05-18

Stars · 4 | Language · Python | Audience · ops devops | Complexity · 4/5 | License · MIT | Setup · moderate

TLDR

An open-source platform that discovers, maps, and risk-scores machine identities (IAM roles, CI/CD tokens, OIDC federations) across AWS, with blast-path simulation and AI-generated fix plans.

Mindmap

mindmap
  root((MII))
    Discovery
      IAM roles
      OIDC federations
      CI/CD tokens
    Analysis
      Trust graph
      Risk scoring 0 to 100
      Blast path simulation
    Reporting
      Trust debt A to F
      Compliance checks
      PDF and Excel export
    Tech stack
      FastAPI backend
      React frontend
      PostgreSQL
      Terraform


What do people build with it?

USE CASE 1

Discover every IAM role and CI/CD token in your AWS account and see which ones are overprivileged.

USE CASE 2

Simulate what an attacker could access if a specific machine identity were compromised.

USE CASE 3

Generate an A-F trust debt score and get a prioritized list of unnecessary permissions to remove.

USE CASE 4

Export compliance evidence for 8 automated policy checks to share with auditors.

What is it built with?

Python, FastAPI, React, TypeScript, PostgreSQL, Terraform, Docker, OpenAI

How does it compare?

                    josephtui767-cloud/mii   adeliox/klein-head-swap   ats4321/ragit
Stars               4                        4                         4
Language            Python                   Python                    Python
Setup difficulty    moderate                 moderate                  moderate
Complexity          4/5                      3/5                       2/5
Audience            ops devops               designer                  developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate | Time to first run · 30 min

Requires Docker and AWS credentials; a single docker-compose command starts the full stack.

Use freely for any purpose including commercial projects, as long as you keep the copyright and license notice.

In plain English

MII (Machine Identity Intelligence) is an open-source security platform that helps organizations track and assess the risk of machine identities in AWS. Machine identities are the non-human accounts that give automated systems permission to access cloud resources: IAM roles, CI/CD pipeline tokens, and OIDC federations. These identities can outnumber human accounts by 80 to 1, yet most teams have no central place to see them all.

The platform automatically discovers every IAM role, OIDC federation, and CI/CD identity in your AWS account and in connected GitLab or GitHub pipelines. It then builds a map of how those identities trust each other, revealing hidden paths an attacker could walk if they compromised one account. Every identity gets a risk score from 0 to 100 based on six factors: whether it has admin access, whether it touches production, how far its trust extends, whether it crosses accounts, how old it is, and whether it has been used recently.

A feature called Blast Path Simulation lets you ask what happens if a given identity is compromised, then traces the full chain of accounts and permissions an attacker could reach from it. A Trust Debt score, graded A through F, quantifies how much unnecessary trust has built up so you know what to clean up first. Eight automated compliance checks run against standard policies and produce pass or fail results with evidence you can export for audits.

An optional AI layer connects to OpenAI. It can explain in plain English why an identity is risky and generates step-by-step fix plans with exact AWS CLI commands and Terraform code. This feature requires an API key; the platform works fully without it.

To run it locally you need Docker. A docker-compose command and a database migration are all it takes to get started, and the frontend appears at port 3000. A separate guide covers deploying to AWS with EC2, S3, and CloudFront. The tool is read-only and never modifies your AWS account. It is released under the MIT license.
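To make the trust-graph, blast-path and risk-score ideas above concrete, here is an added Python illustration. It is not MII's own code, and the factor weights, the 0-to-100 scaling, the A-to-F thresholds and the four sample identities (with constructed account ids) are all assumptions chosen for the example; the project's real scoring model may weight its six factors differently. The graph edge direction is "identity X may assume role Y", which in practice is derived from each role's trust policy.

```python
"""Toy machine-identity trust graph: blast-path reachability plus a
six-factor risk score and an account-level trust-debt grade.

Added example only; weights, thresholds and sample data are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One machine identity (IAM role, OIDC federation or CI token)."""
    name: str
    account: str                  # AWS account id (constructed sample values)
    admin: bool = False           # attached policy grants admin-level actions
    production: bool = False      # identity touches production resources
    age_days: int = 0             # days since the identity was created
    days_since_use: int = 0       # days since last observed use
    can_assume: set = field(default_factory=set)  # roles this identity may assume


# Assumed weights for the six factors named in the description; they sum to 100.
WEIGHTS = {"admin": 30, "production": 20, "reach": 20,
           "cross_account": 15, "age": 10, "stale": 5}


def blast_path(graph, start):
    """Breadth-first walk over assume-role edges from one compromised identity.

    Returns {reached_name: [start, ..., reached_name]}; the start is excluded.
    Edges to names outside the scanned graph are skipped.
    """
    paths = {}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph[path[-1]].can_assume):
            if nxt == start or nxt in paths or nxt not in graph:
                continue
            paths[nxt] = path + [nxt]
            queue.append(paths[nxt])
    return paths


def risk_score(graph, name):
    """0-100 score: each factor is normalised to 0..1 and weighted (assumption)."""
    ident = graph[name]
    reached = [graph[n] for n in blast_path(graph, name)]
    factors = {
        "admin": 1.0 if ident.admin else 0.0,
        "production": 1.0 if ident.production else 0.0,
        "reach": min(len(reached), 5) / 5,           # trust extent, capped at 5 hops
        "cross_account": 1.0 if any(r.account != ident.account for r in reached) else 0.0,
        "age": min(ident.age_days, 730) / 730,       # older than two years counts as max
        "stale": 1.0 if ident.days_since_use > 90 else 0.0,
    }
    return round(sum(WEIGHTS[f] * v for f, v in factors.items()))


def trust_debt_grade(graph, threshold=50):
    """Letter grade from the share of identities at or above the risk threshold (assumed cut-offs)."""
    scores = [risk_score(graph, n) for n in graph]
    share = sum(s >= threshold for s in scores) / len(scores)
    for grade, ceiling in (("A", 0.10), ("B", 0.25), ("C", 0.40), ("D", 0.60)):
        if share < ceiling:
            return grade
    return "F"


def sample_graph():
    """Constructed sample: a CI OIDC identity that chains into a cross-account admin role."""
    ids = [
        Identity("ci-deploy-oidc", "111111111111", age_days=30, days_since_use=1,
                 can_assume={"deploy-role"}),
        Identity("deploy-role", "111111111111", production=True, age_days=400,
                 days_since_use=2, can_assume={"prod-admin-role"}),
        Identity("prod-admin-role", "222222222222", admin=True, production=True,
                 age_days=800, days_since_use=200),
        Identity("legacy-backup-role", "111111111111", age_days=900, days_since_use=400),
    ]
    return {i.name: i for i in ids}


if __name__ == "__main__":
    g = sample_graph()
    for target, path in blast_path(g, "ci-deploy-oidc").items():
        print("reachable:", " -> ".join(path))
    for n in g:
        print(f"{n:20s} risk={risk_score(g, n)}")
    print("trust debt grade:", trust_debt_grade(g))
```

The blast path from the CI identity shows the pattern the description warns about: a low-risk-looking federated identity that, through one intermediate role, lands on a cross-account admin role. The intermediate role's cross-account and production factors are what lift its score, and the stale legacy role with no trust edges is the kind of entry a trust-debt cleanup would remove first.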

Copy-paste prompts

Prompt 1
How do I run MII locally with Docker and connect it to my AWS account to start discovering IAM roles?
Prompt 2
What AWS IAM permissions does MII need to scan my account, and how do I create a read-only role for it?
Prompt 3
How does MII's blast path simulation work, and how do I interpret the attack chain it shows for a compromised OIDC federation?
Prompt 4
How do I enable the AI remediation feature in MII and what does a generated Terraform fix plan look like?
Prompt 5
What is trust debt in MII and what actions does it recommend to improve a failing grade?

Frequently asked questions

What is mii?

An open-source platform that discovers, maps, and risk-scores machine identities (IAM roles, CI/CD tokens, OIDC federations) across AWS, with blast-path simulation and AI-generated fix plans.

What language is mii written in?

Mainly Python. The stack also includes FastAPI and React.

What license does mii use?

Use freely for any purpose including commercial projects, as long as you keep the copyright and license notice.

How hard is mii to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is mii for?

Mainly ops and devops teams.


Verify against the repo before relying on details.