Analysis updated 2026-05-18
Discover every IAM role and CI/CD token in your AWS account and see which ones are overprivileged.
Simulate what an attacker could access if a specific machine identity were compromised.
Generate an A-F trust debt score and get a prioritized list of unnecessary permissions to remove.
Export compliance evidence for 8 automated policy checks to share with auditors.
| | josephtui767-cloud/mii | adeliox/klein-head-swap | ats4321/ragit |
|---|---|---|---|
| Stars | 4 | 4 | 4 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 4/5 | 3/5 | 2/5 |
| Audience | ops/devops | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Docker and AWS credentials; a docker-compose command starts the full stack.
MII (Machine Identity Intelligence) is an open-source security platform that helps organizations track and assess the risk of machine identities in AWS. Machine identities include IAM roles, CI/CD pipeline tokens, and OIDC federations: the non-human accounts that give automated systems permission to access cloud resources. These identities can outnumber human accounts by 80 to 1, yet most teams have no central place to see them all.

The platform automatically discovers every IAM role, OIDC federation, and CI/CD identity in your AWS account and in connected GitLab or GitHub pipelines. It then builds a map of how those identities trust each other, revealing hidden paths an attacker could walk if they compromised one account. Every identity gets a risk score from 0 to 100 based on six factors: whether it has admin access, whether it touches production, how far its trust extends, whether it crosses accounts, how old it is, and whether it has been used recently.

A feature called Blast Path Simulation lets you ask what happens if a given identity is compromised and then traces the full chain of accounts and permissions an attacker could reach. A Trust Debt score, graded A through F, quantifies how much unnecessary trust has built up so you know what to clean up first. Eight automated compliance checks run against standard policies and produce pass or fail results with evidence you can export for audits.

An optional AI layer connects to OpenAI and can explain in plain English why an identity is risky; it also generates step-by-step fix plans with exact AWS CLI commands and Terraform code. This feature requires an API key; the platform works fully without it.

To run it locally you need Docker. A docker-compose command and a database migration are all it takes to get started, and the frontend appears at port 3000. A separate guide covers deploying to AWS with EC2, S3, and CloudFront. The tool is read-only and never modifies your AWS account. It is released under the MIT license.
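The trust map and Blast Path Simulation described above, as an added example that is not MII's own code: it builds a who-can-assume-whom graph from IAM role trust policies and walks it from a compromised identity to list every role reachable by chained AssumeRole. The account IDs, role names, OIDC provider ARN and policies are constructed, and the expansion of account-root principals to every role in that account is a simplifying assumption of this example.

```python
from collections import deque
# Constructed sample: one trust policy (AssumeRolePolicyDocument) per role. The
# account IDs, role names and OIDC provider ARN are placeholders, not real data.
OIDC = "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"
CI, READER = "arn:aws:iam::111111111111:role/ci-deploy", "arn:aws:iam::111111111111:role/app-reader"
ADMIN, ARCHIVER = "arn:aws:iam::222222222222:role/prod-admin", "arn:aws:iam::222222222222:role/log-archiver"

def allow(action, principal):
    return {"Statement": [{"Effect": "Allow", "Action": action, "Principal": principal}]}

TRUST_POLICIES = {
    CI: allow("sts:AssumeRoleWithWebIdentity", {"Federated": OIDC}),
    READER: allow("sts:AssumeRole", {"AWS": CI}),
    ADMIN: allow("sts:AssumeRole", {"AWS": [READER]}),
    ARCHIVER: allow("sts:AssumeRole", {"AWS": "arn:aws:iam::222222222222:root"}),
}

def account_of(arn):
    # Account ID is the 5th colon-separated field of an ARN; "" for non-ARNs such as "*".
    return arn.split(":")[4] if arn.count(":") >= 5 else ""

def build_trust_graph(policies):
    """Edges: trusted principal -> roles it may assume. An account-root principal is
    expanded (assumption) to every role in that account, since any identity there
    can be granted sts:AssumeRole on the target by its own identity policy."""
    graph = {}
    for role_arn, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            for kind in ("AWS", "Federated"):
                values = principal.get(kind, [])
                for p in ([values] if isinstance(values, str) else values):
                    sources = [r for r in policies if account_of(r) == account_of(p)] if p.endswith(":root") else [p]
                    for src in sources:
                        graph.setdefault(src, set()).add(role_arn)
    return graph

def blast_path(graph, compromised):
    """BFS from a compromised identity: {reachable role: assume-role chain to it}."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for role in sorted(graph.get(current, ())):
            if role not in paths:
                paths[role] = paths[current] + [role]
                queue.append(role)
    del paths[compromised]
    return paths
```

A chain whose first and last ARN sit in different accounts is a cross-account path, which is one of the six risk factors the platform scores.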
An open-source platform that discovers, maps, and risk-scores machine identities (IAM roles, CI/CD tokens, OIDC federations) across AWS, with blast-path simulation and AI-generated fix plans.
Mainly Python. The stack also includes FastAPI and React.
Use freely for any purpose including commercial projects, as long as you keep the copyright and license notice.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly ops/devops.
Verify against the repo before relying on details.