
Machine identity security category

Machine identity security for AWS and Kubernetes.

Discover machine identities, map trust paths, surface real escalation risk, and roll out authorization changes with explainable audit trails.

AWS + Kubernetes · Identity graph · Deterministic findings · Repo exposure scanner · Policy simulation · Audit-ready

Identrail Console / prod-main

Reachable trust paths:
  • k8s:payments/api (ServiceAccount) -> arn:aws:iam::prod:role/orders-runner (IAM Role) -> arn:aws:iam::prod:role/platform-admin (IAM Role)  [highlighted escalation path]
  • k8s:shared/maintenance-job (ServiceAccount) -> arn:aws:iam::prod:role/security-audit (IAM Role)

Findings queue:
  • FND-1028 (critical): Wildcard trust into platform-admin. Path: k8s:payments/api -> orders-runner -> platform-admin
  • FND-1037 (high): Ownerless role with active assumption. Path: k8s:shared/maintenance-job -> security-audit

Remediation summary: Restrict `sts:AssumeRole` trust on `platform-admin` to `orders-worker` namespace and enforce service account owner tags.

Credibility: Open source · AWS + Kubernetes focused · API-first · Deterministic findings · Explainable policy decisions · Audit-ready evidence

Product Overview

What Identrail does

Focused machine identity security for AWS and Kubernetes, with coverage scoped to high-impact workflows.

Discover machine identities

Continuously inventory AWS roles, federated principals, and Kubernetes service accounts into one normalized identity catalog.

Map trust relationships

Model who can assume what, where federation links exist, and how workload-to-role inheritance creates reachable privilege paths.

Surface high-signal findings

Prioritize admin-equivalent access, wildcard trust, ownerless identities, and escalation-prone paths with deterministic evidence.

Scan repository history

Run history-aware scans for leaked credentials and insecure patterns while keeping raw secret values out of persistence.

Simulate authorization safely

Compare candidate and enforced policies before rollout, inspect decision traces, and catch denial or over-allow regressions early.

Export evidence and decisions

Ship findings, traces, and audit events into existing workflows with stable schemas built for security and compliance reviews.

Showcase 01

Identity graph and trust mapping

Identrail turns fragmented machine identity relationships into an operator-readable graph with path-level blast-radius context.

  • Trust edges across AWS IAM roles, OIDC providers, and Kubernetes workloads
  • Reachable privilege paths with explicit path-length and escalation tags
  • Environment-aware context for production, staging, and shared platform boundaries
Graph view (AWS: PROD | Kubernetes: PROD-CLUSTER-A): escalation path detected. Nodes shown:
  • k8s:payments/api
  • role/orders-runner
  • role/platform-admin
  • kms/customer-key
  • k8s:shared/sync
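The trust mapping described in this showcase, and the wildcard-trust remediation shown in the console mock above, can be reduced to a small graph problem: derive directed edges from each role's trust policy (Kubernetes service account to role via OIDC federation, role to role via `sts:AssumeRole`), tag a hop as wildcard when the statement does not name its principal, and search for paths that end in an admin-equivalent role. The following is an added example written for this page, not Identrail code or its API; the issuer, ARNs, service accounts and trust policies are constructed, and the "after" policy pins `platform-admin` to a single constructed principal to show the path disappearing.

```python
"""Trust-path reachability over IAM trust policies and Kubernetes service
accounts. Added example in the spirit of the graph above; it is not Identrail
code, and every ARN, issuer and policy document below is constructed."""
from collections import deque
import fnmatch

OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"  # constructed issuer
SERVICE_ACCOUNTS = ["k8s:payments/api", "k8s:shared/maintenance-job"]
ADMIN_EQUIVALENT = {"arn:aws:iam::prod:role/platform-admin"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _sub_claim(sa_id):
    # "k8s:<namespace>/<name>" -> the sub claim EKS puts in the workload's OIDC token
    ns, name = sa_id.removeprefix("k8s:").split("/")
    return f"system:serviceaccount:{ns}:{name}"


def trust_edges(roles):
    """Derive (source, role, tag) edges from each role's trust policy.
    Sources are service accounts (OIDC federation) or other roles; a hop is
    tagged 'wildcard' when the trust statement does not name its principal."""
    edges = set()
    for role_arn, policy in roles.items():
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal", {})
            cond = st.get("Condition", {})
            if "Federated" in principal:
                # IRSA: only a Condition on the sub claim pins the role to a workload.
                subs = _as_list(cond.get("StringEquals", {}).get(f"{OIDC}:sub")
                                or cond.get("StringLike", {}).get(f"{OIDC}:sub")
                                or "*")
                for sa in SERVICE_ACCOUNTS:
                    for pat in subs:
                        if fnmatch.fnmatchcase(_sub_claim(sa), pat):
                            edges.add((sa, role_arn, "wildcard" if "*" in pat else "scoped"))
            for p in _as_list(principal.get("AWS", [])):
                if p == "*":  # any principal may call sts:AssumeRole on this role
                    edges.update((other, role_arn, "wildcard") for other in roles if other != role_arn)
                else:
                    edges.add((p, role_arn, "scoped"))
    return sorted(edges)


def reachable_paths(edges, sources, targets):
    """Breadth-first search from each source to the first admin-equivalent
    role reached, recording path length and whether any hop was wildcard."""
    adj = {}
    for src, dst, tag in edges:
        adj.setdefault(src, []).append((dst, tag))
    paths = []
    for s in sources:
        seen, queue = {s}, deque([(s, [s], [])])
        while queue:
            node, path, tags = queue.popleft()
            if node in targets:
                paths.append({"path": path, "length": len(path) - 1,
                              "escalation": "wildcard" if "wildcard" in tags else "scoped"})
                continue
            for dst, tag in adj.get(node, []):
                if dst not in seen:
                    seen.add(dst)
                    queue.append((dst, path + [dst], tags + [tag]))
    return paths


def irsa_trust(sub_pattern, operator="StringEquals"):
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                           "Principal": {"Federated": f"arn:aws:iam::prod:oidc-provider/{OIDC}"},
                           "Condition": {operator: {f"{OIDC}:sub": sub_pattern}}}]}


def role_trust(principals):
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": principals}}]}


# Constructed roles mirroring the mock console: platform-admin trusts "*" (FND-1028).
ROLES_BEFORE = {
    "arn:aws:iam::prod:role/orders-runner": irsa_trust("system:serviceaccount:payments:api"),
    "arn:aws:iam::prod:role/security-audit": irsa_trust("system:serviceaccount:shared:maintenance-job"),
    "arn:aws:iam::prod:role/platform-admin": role_trust("*"),
}
# Remediated: trust pinned to one named principal (constructed) instead of "*".
ROLES_AFTER = dict(ROLES_BEFORE)
ROLES_AFTER["arn:aws:iam::prod:role/platform-admin"] = role_trust(
    ["arn:aws:iam::prod:role/break-glass-admin"])


def escalation_findings(roles):
    return reachable_paths(trust_edges(roles), SERVICE_ACCOUNTS, ADMIN_EQUIVALENT)


if __name__ == "__main__":
    for label, roles in (("before", ROLES_BEFORE), ("after", ROLES_AFTER)):
        print(label, escalation_findings(roles))
```

With the wildcard trust in place both service accounts reach `platform-admin` in two hops, because a `"Principal": {"AWS": "*"}` statement lets every other role in the account assume it; the finding on the page names only the payments path, but the search shows the blast radius is every workload with any role. Once the trust statement names a principal, no workload-rooted path to the admin role remains.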

Showcase 02

Findings and remediation evidence

The findings queue favors signal over volume and explains each decision so teams can triage and remediate with confidence.

  • Admin-equivalent, wildcard-trust, stale, and ownerless identity findings
  • Deterministic rationale with impacted principal, source, and privilege path
  • Actionable remediation guidance tied to exact trust or permission changes

Open findings queue (3 high signal)

ID       | Category / Principal                                  | Severity
FND-2014 | Wildcard trust: arn:aws:iam::prod:role/platform-admin | critical
FND-2032 | Ownerless identity: k8s:shared/legacy-sync            | high
FND-2051 | Escalation path: k8s:payments/api                     | high

Showcase 03

Repository exposure scanner

Repository history scanning extends machine identity risk visibility without turning Identrail into a generic secrets product.

  • History-aware Git scan jobs with repo and commit-level references
  • Redacted and hashed evidence handling, raw secret values never persisted
  • Exposure findings correlated with identity posture and remediation workflows

Repository scan job (read-only mode)

  • RSC-812 (critical): AWS access key pattern in commit history. commit: `e5a8711`, evidence: `sha256:9f8b4f9e... (redacted)`
  • RSC-827 (high): Hardcoded kubeconfig token in shell script. commit: `84a13ce`, evidence: `sha256:1b3ce9bd... (redacted)`
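The evidence-handling rule in this showcase (hash the matched value, persist only the digest and a redacted prefix, never the secret) is easy to get wrong in a scanner that formats its own findings. The following added example, written for this page and not taken from Identrail, scans a constructed commit history for the two categories shown in the mock job, correlates repeated hits by digest so one leaked value seen in several commits becomes one exposure, and checks that no raw value survives in the persisted findings. The AWS key is the documented example value `AKIAIOSFODNN7EXAMPLE`; the kubeconfig token, commit ids and paths are constructed.

```python
"""History-aware repository scan that records only redacted, hashed evidence.
Added example illustrating the scanner described above; not Identrail code.
The commit history below is constructed and the AWS key is the documented
example value AKIAIOSFODNN7EXAMPLE, not a live credential."""
import hashlib
import re

# Constructed history: every blob reachable from any commit, as (commit, path, content).
# The key is added in a1f2c3d, copied in b7e8d9f and removed in c4d5e6a, but
# history still carries both earlier blobs.
COMMITS = [
    ("a1f2c3d", "config/prod.env",
     "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n"),
    ("b7e8d9f", "scripts/legacy-deploy.sh",
     "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"),
    ("c4d5e6a", "config/prod.env", "AWS_REGION=us-east-1\n"),
    ("d8f9a0b", "scripts/deploy.sh",
     "#!/bin/sh\nkubectl --server=https://cluster.example "
     "--token=k8s-token-CONSTRUCTED-0123456789abcdef get pods\n"),
]

# Detection patterns: group 1 is the sensitive value, which is hashed and never stored.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "kubeconfig_bearer_token": re.compile(r"--token[= ]([A-Za-z0-9._-]{20,})"),
}


def redact(secret):
    """Evidence handle: full digest for correlation, short prefix for display."""
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return digest, f"sha256:{digest[:8]}... (redacted)"


def scan_history(commits):
    findings = []
    for commit, path, content in commits:
        for lineno, line in enumerate(content.splitlines(), 1):
            for category, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    digest, evidence = redact(m.group(1))
                    findings.append({"category": category, "commit": commit,
                                     "path": path, "line": lineno,
                                     "evidence": evidence, "evidence_sha256": digest})
    return findings


def correlate(findings):
    """Group hits by digest so one leaked value seen in several commits becomes
    one exposure with a first-seen commit and an occurrence count."""
    exposures = {}
    for f in findings:
        e = exposures.setdefault(f["evidence_sha256"], {
            "category": f["category"], "evidence": f["evidence"],
            "first_seen": f["commit"], "occurrences": 0, "paths": set()})
        e["occurrences"] += 1
        e["paths"].add(f["path"])
    return list(exposures.values())


def leaks_raw_value(findings, commits):
    """Sanity check: no matched value may appear anywhere in persisted findings."""
    serialized = repr(findings)
    for _, _, content in commits:
        for rx in PATTERNS.values():
            for m in rx.finditer(content):
                if m.group(1) in serialized:
                    return True
    return False


if __name__ == "__main__":
    found = scan_history(COMMITS)
    for exp in correlate(found):
        print(exp["category"], exp["first_seen"], exp["evidence"], exp["occurrences"])
    print("raw value persisted:", leaks_raw_value(found, COMMITS))
```

Keeping the full digest alongside the display prefix is what makes the later correlation step possible without ever re-reading the secret: two commits that carry the same key produce the same digest, so the exposure is reported once with a first-seen commit and a count rather than as unrelated hits.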

Showcase 04

Policy simulation and auditability

Run authorization simulations before enforcement and review explainable decision traces alongside the audit event stream.

  • Candidate versus enforced policy comparison before rollout
  • Stage-by-stage decision traces with final allow or deny state
  • Audit event feed for operator review, governance, and incident timelines

Decision trace
  • principal.resolve: pass
  • resource.match: pass
  • policy.evaluate: deny
  • guardrail.check: pass
Final state: deny due to candidate policy condition mismatch on workload owner tag.

Rollout comparison
  • Enforced policy (allow): `payments-api` -> `orders-runner` when namespace is `payments` or `jobs`.
  • Candidate policy (review): Adds owner-tag guardrail and restricts assumption from shared namespace workloads.

Audit stream (append-only)
  • 2026-04-11T01:42:03Z  pass     policy.operator@identrail -> simulation.run
  • 2026-04-11T01:43:18Z  warning  platform.security -> candidate.compare
  • 2026-04-11T01:44:55Z  pass     change-approval-bot -> enforcement.defer
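The simulation flow in this showcase has two parts: each request is run through fixed stages that each leave a trace entry, and the same requests are run through both the enforced and the candidate policy so every changed decision is surfaced before rollout. The following added example, written for this page and not Identrail code, models the four stages named in the decision trace and reproduces the page's scenario: an enforced policy that allows `payments/api` to assume `orders-runner` from the `payments` or `jobs` namespace, and a candidate that adds an owner-tag requirement and blocks assumption from the `shared` namespace. Catalog, policies and requests are constructed.

```python
"""Policy simulation with stage-by-stage decision traces and a candidate
versus enforced comparison. Added example illustrating the showcase above; not
Identrail code. Principals, policies and requests are constructed."""

# Known machine identities (constructed catalog).
CATALOG = {"k8s:payments/api", "k8s:shared/sync"}
ORDERS_RUNNER = "arn:aws:iam::prod:role/orders-runner"

ENFORCED = {
    "name": "enforced",
    "rules": [
        {"principal": "k8s:payments/api", "resource": ORDERS_RUNNER,
         "namespaces": ["payments", "jobs"], "owner_tag_required": False},
        {"principal": "k8s:shared/sync", "resource": ORDERS_RUNNER,
         "namespaces": ["shared"], "owner_tag_required": False},
    ],
    "guardrails": {"deny_namespaces": []},
}

# Candidate: same grants, plus an owner-tag condition and a guardrail that
# blocks assumption from the shared namespace.
CANDIDATE = {
    "name": "candidate",
    "rules": [dict(r, owner_tag_required=True) for r in ENFORCED["rules"]],
    "guardrails": {"deny_namespaces": ["shared"]},
}


def evaluate(policy, request):
    """Run one request through the four stages and return decision + trace."""
    trace = []
    ctx = request["context"]
    if request["principal"] not in CATALOG:
        trace.append(("principal.resolve", "fail"))
        return {"decision": "deny", "trace": trace, "reason": "unknown principal"}
    trace.append(("principal.resolve", "pass"))

    rules = [r for r in policy["rules"]
             if r["principal"] == request["principal"] and r["resource"] == request["resource"]]
    if not rules:
        trace.append(("resource.match", "fail"))
        return {"decision": "deny", "trace": trace, "reason": "no rule grants this resource"}
    trace.append(("resource.match", "pass"))

    reason = None
    for rule in rules:  # first rule whose conditions hold grants the request
        if ctx.get("namespace") not in rule["namespaces"]:
            reason = "namespace not permitted"
        elif rule["owner_tag_required"] and not ctx.get("owner"):
            reason = "owner tag missing"
        else:
            reason = None
            break
    trace.append(("policy.evaluate", "deny" if reason else "allow"))

    # Guardrails are evaluated even after a deny so every trace is complete.
    guard_reason = None
    if ctx.get("namespace") in policy["guardrails"]["deny_namespaces"]:
        guard_reason = f"namespace {ctx.get('namespace')} blocked by guardrail"
    trace.append(("guardrail.check", "fail" if guard_reason else "pass"))

    decision = "allow" if reason is None and guard_reason is None else "deny"
    return {"decision": decision, "trace": trace, "reason": reason or guard_reason}


def compare(enforced, candidate, requests):
    """Classify each request by how the candidate changes the enforced decision."""
    results = []
    for req in requests:
        e, c = evaluate(enforced, req), evaluate(candidate, req)
        if e["decision"] == "allow" and c["decision"] == "deny":
            kind = "denial_regression"
        elif e["decision"] == "deny" and c["decision"] == "allow":
            kind = "over_allow"
        else:
            kind = "unchanged"
        results.append({"request": req, "kind": kind, "enforced": e["decision"],
                        "candidate": c["decision"], "trace": c["trace"], "reason": c["reason"]})
    return results


# Constructed requests: tagged and untagged payments workloads, and a shared workload.
REQUESTS = [
    {"principal": "k8s:payments/api", "resource": ORDERS_RUNNER,
     "context": {"namespace": "payments", "owner": "team-payments"}},
    {"principal": "k8s:payments/api", "resource": ORDERS_RUNNER,
     "context": {"namespace": "payments"}},
    {"principal": "k8s:shared/sync", "resource": ORDERS_RUNNER,
     "context": {"namespace": "shared", "owner": "team-platform"}},
]

if __name__ == "__main__":
    for r in compare(ENFORCED, CANDIDATE, REQUESTS):
        print(r["kind"], r["enforced"], "->", r["candidate"], r["trace"], r["reason"])
```

The untagged payments request reproduces the trace on the page exactly: resolve and match pass, evaluate denies on the missing owner tag, the guardrail stage still passes, final state deny. Both denials here are intended tightenings, which is the point of running the comparison: the operator sees every decision the candidate flips, confirms the ones the change set out to make, and catches any that it did not.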

Why It Matters

Machine identity risk is a trust-path problem, not a posture score problem.

Identrail is designed around where non-human identity incidents actually originate in AWS and Kubernetes environments.

Overprivileged machine identities

Workload principals frequently keep grants far beyond operational intent.

Broad trust relationships

Wildcard trust and open assumption paths make lateral movement practical.

Escalation across AWS and Kubernetes

Identity paths can bridge control planes and bypass team boundaries.

Stale and ownerless identities

Dormant principals survive service turnover and become quiet attack paths.

Leaked secrets and insecure repo patterns

Repository history can expose credentials and unsafe identity handling.

Built For Production

Operational controls for teams running real infrastructure.

Designed for auditable operation, scoped access, and deterministic workflows across security and platform teams.

Security and operations controls (production posture)
  • OIDC or strong API-key authentication models
  • Scoped access controls and least-privilege operation paths
  • Decision audit logging with exportable evidence records
  • Read-only scanner identities by default
  • Deterministic scans with explainable evidence outputs
  • Stable /v1 API contract for integrations
  • Deployment support for Docker, Kubernetes, Helm, and Terraform
  • Structured controls for policy rollout and simulation gating

Deployment paths

Docker

compose-based local and controlled environment rollout

Kubernetes

cluster-native deployment for worker and API services

Helm

versioned chart values for repeatable operations

Terraform

infrastructure-managed provisioning and drift review

Developer and Operator Workflow

Evaluate with real commands, not screenshots.

Run local deployment, trigger scans, query findings, and execute repository scan jobs through the same API and CLI flow used in operations.


Local Deployment

```bash
# Create a local environment file from the shipped example
cp deploy/docker/.env.example deploy/docker/.env

# Build the images and start the stack in the background
docker compose -f deploy/docker/docker-compose.yml \
  --env-file deploy/docker/.env \
  up -d --build

# Confirm the API is answering on its health endpoint
curl -sS http://localhost:8080/healthz
```

Evaluate Identrail

Explore the platform where machine identity risk is mapped, explained, and operationalized.

Start with docs, inspect the codebase, and deploy into AWS and Kubernetes environments with deterministic evidence and policy-safe controls.