read-only aws lockdowns: audit-row without argv gate is a leak surface, not a boundary #54

Open
opened 2026-05-23 20:54:03 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-05T11:21:53Z - https://github.com/coilysiren/coily/issues/58

Proposal

Extend the coily ops aws argv gate to cover read-only sub-verbs against sensitive resource patterns (buckets, roles, regions, account boundaries). Today read-only aws verbs land an audit row but pass through without argv validation. The audit row documents the leak; it does not stop it.

Why

Surfaced 2026-05-05 while seeding coily-ops-aws-meta's anti-signal catalogue. The framing "read-only aws verbs do not need an audit row" is false (audit is the trail), but the inverse is also wrong: "audit row is sufficient for read-only verbs" treats the trail as the gate. It is not. Read-only invocations exfiltrate (s3 ls on a sensitive bucket), confirm threat-model state (sts get-caller-identity after an unauthorized role assumption), and enumerate (ec2 describe-*, iam list-*).

The boundary needs a pre-send deny on read-only patterns the operator did not intend to expose. iam scoping is wider than the runtime needs (lazy role reuse) and CloudTrail is post-hoc - neither is the layer that prevents the read from happening in the first place.

Mechanical scope

  • pkg/policy learns a read-only-pattern deny list for aws (sensitive bucket name globs, role-arn patterns, account boundaries).
  • Default-deny on the patterns; explicit allow via config or per-invocation flag.
  • Audit row continues to land for both denied and allowed reads; verb name distinguishes (ops.aws.read.denied vs ops.aws.read.allowed or similar).
  • Tests in cmd/coily/security_claims_test.go family pin the new claims so prose and runtime move together.
  • Doc update in SECURITY.md adding the read-only-deny claim.

Out of scope

  • Destructive-verb gate changes. That layer already has policy coverage; this issue is the read-side gap.
  • iam policy tightening on the AWS account itself. Different layer; the coily gate is the runtime narrowing of an iam surface that is already (correctly) wider than the runtime needs.
  • Cross-host shadow of the audit log. Tracked in #55.

Originating thread

coily-ops-aws-meta skill seeding, 2026-05-05. The skill's anti-signal catalogue (section 1) cites this issue once filed.
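A sketch of the pre-send gate described under "Mechanical scope", as an added example that is not coily's code: a deny-glob match over argv, an explicit allow from config or a per-invocation flag, and an audit verb returned for both outcomes. The type and function names, the use of Go's `path.Match` glob syntax, and the sample bucket names and account ID are assumptions; only the two verb names come from the issue.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ReadPolicy (hypothetical shape): Deny globs name sensitive resources, Allow holds explicit config allows.
type ReadPolicy struct{ Deny, Allow []string }

// Decision is the gate result plus the audit verb to record for it.
type Decision struct {
	Allowed       bool
	Verb, Matched string // Matched is the deny glob that fired, "" if none
}

// normalize maps an argv token to a resource name: "--flag=value" to value, "s3://bucket/key" to bucket.
func normalize(tok string) string {
	if _, v, ok := strings.Cut(tok, "="); ok && strings.HasPrefix(tok, "--") {
		tok = v
	}
	if strings.HasPrefix(tok, "s3://") {
		tok, _, _ = strings.Cut(strings.TrimPrefix(tok, "s3://"), "/")
	}
	return tok
}

func firstMatch(globs []string, tok string) string {
	for _, g := range globs {
		if ok, _ := path.Match(g, tok); ok {
			return g
		}
	}
	return ""
}

// Check runs before the aws call is sent; allowFlag is the per-invocation override.
func (p ReadPolicy) Check(argv []string, allowFlag bool) Decision {
	for _, raw := range argv {
		tok := normalize(raw)
		if hit := firstMatch(p.Deny, tok); hit != "" && !allowFlag && firstMatch(p.Allow, tok) == "" {
			return Decision{false, "ops.aws.read.denied", hit}
		}
	}
	return Decision{true, "ops.aws.read.allowed", ""}
}

func main() { // constructed sample invocation
	fmt.Println(ReadPolicy{Deny: []string{"prod-secrets-*"}}.Check([]string{"s3", "ls", "s3://prod-secrets-eu/keys/"}, false))
}
```

The caller writes the audit row from `Decision.Verb` in both branches, so a denied read still leaves a trail.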

coilysiren added P3 and removed P2 labels 2026-05-31 06:59:48 +00:00
Reference
coilyco-bridge/coily#54