Hacker News: alexsmolen

Show HN: TrailTool – open-source CLI for querying CloudTrail data with AI agents

alexsmolen — Tue, 24 Mar 2026 18:59:40 +0000

I've been working on AWS security for years and querying CloudTrail has always been a huge pain - getting data about like "what did this role actually use in the last 30 days?" means either writing custom queries and result parsing code or getting vague data from built-in tools like Access Analyzer.

TrailTool's core idea is to pre-aggregate CloudTrail events at ingest time into entity relationships — People, Sessions, Roles, Services, Resources — so queries are DynamoDB reads rather than log scans. The CLI talks directly to your DynamoDB tables using standard AWS credentials, no API layer needed.

The four workflows in the post (ClickOps detection, least-privilege policy generation, AccessDenied remediation, break-glass validation) all came from things I was actually doing manually. The session transcripts are real Claude Code runs using the tool.

Wondering if this feels useful to folks, or if there are other CloudTrail questions that could be pre-computed this way to accomplish common tasks.

Comments URL: https://news.ycombinator.com/item?id=47507510

Points: 2

# Comments: 0

New comment by alexsmolen in "Ask HN: What are you working on? (February 2026)"

alexsmolen — Mon, 09 Feb 2026 22:49:04 +0000

I'm working on TrailTool, which aggregates CloudTrail for analysis in both UI and AI contexts. I've always found it tough to tie together CloudTrail logs into meaningful narratives useful not only for security investigations but also "role engineering" (i.e. reducing privileges on human-operated IAM roles). The idea is to make this info available via MCP for agent workflows as well, so you can get high quality, low latency, manageable context size CloudTrail data.

If you want to kick the tires, you an deploy a CloudFormation stack to a Sandbox AWS account - see https://trailtool.io/install.html

New comment by alexsmolen in "Company as Code"

alexsmolen — Thu, 05 Feb 2026 16:45:23 +0000

In my research I haven’t come across the prior art you suggest exists. The trust centers you linked aren’t fungible with what I’m building with GraphGRC. The idea is to make all your security docs just a GitHub repo with structured markdown that permits useful automation (e.g. generating linked internal site, validating all docs have been “reviewed” annually by checking metadata, change control via PR, etc.)

There are plenty of GRC products out there and are popular for good reasons, but I don’t think any of them are Git/Markdown/developer-first.

New comment by alexsmolen in "Company as Code"

alexsmolen — Thu, 05 Feb 2026 16:07:30 +0000

I love this idea despite the real world operational challenges - most people with governance responsibilities in organizations don't want to code, and code is often too precise to model messy social/organizational context without constant tweaking, tending, and exception management.

I'm an advocate for bringing software culture to GRC, or as it's sometimes called “GRC Engineering”. While there are plenty of products to automate evidence generation for auditors, the underlying policies and documents that they prescribe are usually still old-school Word/PDF-style boilerplate junk.

I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.) Docs are Markdown with YAML frontmatter metadata, interlinks generated automatically, site is published via GitHub actions.

The code is at https://github.com/engseclabs/graphgrc, and you can see an example published site here https://graphgrc.engseclabs.com.

Would love to know if others find it useful or have built similar systems.

What Should I Work on Next? A Framework for High-Impact Security Work

alexsmolen — Wed, 12 Nov 2025 18:56:51 +0000

Article URL: https://engseclabs.com/blog/what-should-i-work-on-next/

Comments URL: https://news.ycombinator.com/item?id=45904358

Points: 2

# Comments: 0

Backyard Apt: A Raccoon Story

alexsmolen — Wed, 12 Nov 2025 18:54:46 +0000

Article URL: https://engseclabs.com/blog/raccoon-diaries/

Comments URL: https://news.ycombinator.com/item?id=45904306

Points: 3

# Comments: 1

Refocusing Vendor Security on Risk Reduction

alexsmolen — Wed, 01 Oct 2025 17:39:53 +0000

Article URL: https://engseclabs.com/blog/refocusing-vendor-security-on-risk-reduction/

Comments URL: https://news.ycombinator.com/item?id=45440616

Points: 3

# Comments: 1

Small language model for secrets detection

alexsmolen — Mon, 23 Jun 2025 00:53:33 +0000

Article URL: https://www.wiz.io/blog/small-language-model-for-secrets-detection-in-code

Comments URL: https://news.ycombinator.com/item?id=44351556

Points: 3

# Comments: 0

Securing GitHub Organizations

alexsmolen — Sat, 15 Jan 2022 04:51:55 +0000

Article URL: https://alsmola.medium.com/securing-github-organizations-9c33c850638

Comments URL: https://news.ycombinator.com/item?id=29943669

Points: 3

# Comments: 0

New comment by alexsmolen in "Building Webhooks into Your Application: Guidelines and Best Practices (2020)"

alexsmolen — Tue, 09 Mar 2021 21:53:34 +0000

This is a pretty good article about preventing SSRF including DNS rebinding-based attacks in Go https://www.agwa.name/blog/post/preventing_server_side_reque...

New comment by alexsmolen in "Building Webhooks into Your Application: Guidelines and Best Practices (2020)"

alexsmolen — Tue, 09 Mar 2021 19:45:15 +0000

Kind of wild that there's no mention of SSRF. A quick search shows it's a pretty frequent security issue in Webhooks: https://www.google.com/search?q=ssrf+webhook

Use AWS Glue to Make CloudTrail Parquet Partitions

alexsmolen — Tue, 07 Jul 2020 18:11:14 +0000

Article URL: https://medium.com/@alsmola/use-aws-glue-to-make-cloudtrail-parquet-partitions-c903470dc3e5

Comments URL: https://news.ycombinator.com/item?id=23762238

Points: 1

# Comments: 0

New comment by alexsmolen in "Ask HN: Any “Git diff”-like service but for when terms of conditions changes?"

alexsmolen — Mon, 18 Nov 2019 15:38:36 +0000

This is what https://tosback.org/ does, I believe.

Wag: A Go Web API Generator

alexsmolen — Wed, 28 Mar 2018 18:39:03 +0000

Article URL: https://medium.com/always-a-student/wag-a-go-web-api-generator-7eeb901de60b

Comments URL: https://news.ycombinator.com/item?id=16700486

Points: 6

# Comments: 0

Implementing the sudo access pattern for AWS IAM Users

alexsmolen — Mon, 05 Feb 2018 22:48:12 +0000

Article URL: https://medium.com/@alsmola/implementing-the-sudo-access-pattern-for-aws-iam-users-268307e28e19

Comments URL: https://news.ycombinator.com/item?id=16312958

Points: 1

# Comments: 0

Creating IAM resources and policies simply with terrafam

alexsmolen — Wed, 19 Jul 2017 18:37:33 +0000

Article URL: https://medium.com/@alsmola/iam-simply-with-terrafam-c436241c4054

Comments URL: https://news.ycombinator.com/item?id=14806713

Points: 6

# Comments: 0

New comment by alexsmolen in "Early Warning Detectors Using AWS Access Keys as Honeytokens"

alexsmolen — Wed, 30 Nov 2016 22:50:27 +0000

Yeah, I think it’s tricky to figure out how to place it somewhere that attackers would look but AWS tooling wouldn’t, by default, since otherwise they may be used in legitimate operation.

New comment by alexsmolen in "Secret Management with Vault"

alexsmolen — Fri, 28 Oct 2016 22:43:42 +0000

I recently helped build a secret store system for our infrastructure, and we decided to not use Vault.

A big reason was that Vault’s AWS authentication backend is not based on AWS infrastructure like IAM/KMS, but uses a somewhat backhanded method (https://www.vaultproject.io/docs/auth/aws-ec2.html) to establish verify an EC2 instance. We use ECS, and it doesn't play well with it - see https://github.com/hashicorp/vault/issues/1298

Instead, we would have had to fall back to the App ID method, which requires separate configuration, and is “Trust On First Use” so doesn’t offer as strong of security guarantees in my opinion.

Also, the only Hashicorp supported-backends are file (non-HA) and Consul.

If you're all-AWS, I'd recommend checking out Confidant/Knox (run as a separate service) or Credstash/Biscuit (run directly against AWS infra).

New comment by alexsmolen in "There are limits to 2FA"

alexsmolen — Mon, 01 Aug 2016 01:35:38 +0000

The problem is that SMS provides better recovery rates than TOTP/HOTP + backup codes, because people can go to their carrier and get a new device at the same number.

It's important to remember that availability is an important aspect of security. If you protect a user primarily concerned with mass-account takeover attacks from a low-probability threat (people intercepting their SMS channel) but introduce a high-probability threat (dropping their phone in the toilet and being locked out of their account forever) you may not have made a good security tradeoff.

18F caused a data breach using Slack

alexsmolen — Fri, 13 May 2016 18:00:58 +0000

Article URL: http://www.nextgov.com/cio-briefing/2016/05/watchdog-18f-caused-data-breach-using-slack/128288/?oref=nextgov_breaking_alert

Comments URL: https://news.ycombinator.com/item?id=11692038

Points: 18

# Comments: 0