
Add cloud identity containment evidence gates#1470

Open
jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/containment-cloud-identity-imds-1467

Conversation

jddark62 commented Jun 6, 2026


Summary

Closes #1467.

This updates containment with evidence gates for cloud-managed identity containment, metadata-service isolation, API throttling decisions, volatile-evidence preservation, and post-containment integrity before reconnection.

What Changed

  • Add CONT-CLOUD-01 through CONT-CLOUD-06 checks for destructive containment before volatile evidence, network-only SaaS/cloud token containment, missing IMDS/metadata blast-radius evidence, hard-block-only API exfiltration response, missing reconnection integrity checks, and missing Not Evaluable evidence states.
  • Add decision rules for Critical/High/Medium/Not Evaluable containment risk when cloud sessions, refresh tokens, OAuth grants, service-account keys, metadata-derived credentials, or rollback integrity evidence are missing.
  • Add cloud/SaaS identity containment strategies for refresh-token revocation, OAuth grant revocation, PIM/JIT role deactivation, service-account key rotation, and tenant-wide sign-out.
  • Add metadata-service containment guidance for AWS IMDSv2, Google Cloud metadata, and Azure IMDS / managed identity scenarios.
  • Add API exfiltration containment guidance that distinguishes hard blocking from throttling, scoped key revocation, quota reduction, and observation-preserving controls.
  • Extend validation and output sections with cloud identity / metadata containment and reconnection integrity matrices.
  • Add six YAML fixtures covering power-off-before-evidence, SaaS token network-only containment, AWS IMDS gaps, API throttling, reconnect-without-integrity, and a complete containment package.

Validation

  • git diff --check
  • Parsed all 6 YAML fixtures successfully
  • Markdown fence balance check
  • Marker/content scan for CONT-CLOUD, IMDS, metadata, refresh-token revocation, reconnection integrity, and 1.0.2
  • Live official reference checks returned HTTP 200 for AWS IMDSv2, AWS metadata credential guidance, Microsoft Entra sign-in session revocation, Google Cloud metadata, and Azure IMDS
  • Privacy scan for local paths, personal email, and workspace identifiers

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1467
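As an added illustration (not code from this PR or from the UnitOneAI repository), the following evaluator shows how the six CONT-CLOUD gates and the Critical/High/Medium/Not Evaluable levels listed in the description could be applied to a parsed containment fixture. The fixture field names, the mapping from each evidence gap to a level, and the three sample packages are assumptions constructed for this example; the samples mirror scenarios the PR names (reconnect-without-integrity, power-off-before-evidence, a complete package) but do not reproduce its files.

```python
"""Evidence-gate evaluator for cloud identity containment packages.

Added illustration, not the project's own checker: the CONT-CLOUD-01..06
check IDs and the Critical/High/Medium/Not Evaluable levels follow the PR
description; the fixture field names below and the mapping from each gap
to a level are assumptions chosen for this example.
"""
from dataclasses import dataclass

LEVEL_RANK = {"Not Evaluable": 1, "Medium": 2, "High": 3, "Critical": 4}

# Evidence sections a complete package is expected to carry (assumed names).
SECTIONS = ("volatile_evidence", "identity_containment", "metadata_service",
            "api_exfiltration_response", "reconnection")


@dataclass
class Finding:
    check_id: str
    level: str
    reason: str


def evaluate(pkg: dict) -> list:
    """Run the six CONT-CLOUD gates over one parsed fixture (a dict as loaded from YAML)."""
    findings = []
    absent = [s for s in SECTIONS if pkg.get(s) is None]

    # CONT-CLOUD-01: destructive containment (power-off, instance termination)
    # before volatile evidence (memory, process list, live sessions) was preserved.
    destructive = [a for a in pkg.get("containment_actions", []) if a.get("destructive")]
    vol = pkg.get("volatile_evidence")
    if destructive and vol is None:
        findings.append(Finding("CONT-CLOUD-01", "Not Evaluable",
                                "destructive action taken but no volatile-evidence record"))
    elif destructive and not vol.get("captured_before_containment"):
        findings.append(Finding("CONT-CLOUD-01", "Critical",
                                "destructive action ran before volatile evidence capture"))

    # CONT-CLOUD-02: SaaS/cloud token containment that is network-only.
    # A network block leaves refresh tokens, OAuth grants and keys valid.
    ident = pkg.get("identity_containment")
    if ident is None:
        findings.append(Finding("CONT-CLOUD-02", "Not Evaluable", "no identity containment record"))
    else:
        revocations = ("refresh_tokens_revoked", "oauth_grants_revoked",
                       "service_account_keys_rotated", "pim_roles_deactivated", "tenant_signout")
        if not any(ident.get(k) for k in revocations):
            findings.append(Finding("CONT-CLOUD-02", "Critical",
                                    "only network containment; cloud sessions remain usable"))

    # CONT-CLOUD-03: metadata-service (IMDS) credential blast radius not assessed.
    meta = pkg.get("metadata_service")
    if meta is None:
        findings.append(Finding("CONT-CLOUD-03", "Not Evaluable", "no metadata-service record"))
    elif meta.get("credentials_reachable") and not meta.get("blast_radius_assessed"):
        findings.append(Finding("CONT-CLOUD-03", "High",
                                "IMDS credentials reachable but derived-credential scope unknown"))

    # CONT-CLOUD-04: API exfiltration answered with a hard block only, losing the
    # observation that throttling, quota reduction or scoped revocation preserves.
    api = pkg.get("api_exfiltration_response")
    if api is None:
        findings.append(Finding("CONT-CLOUD-04", "Not Evaluable", "no API exfiltration response record"))
    elif api.get("hard_block") and not any(api.get(k) for k in ("throttled", "scoped_key_revoked", "quota_reduced")):
        findings.append(Finding("CONT-CLOUD-04", "Medium",
                                "hard block only; no throttling or scoped revocation recorded"))

    # CONT-CLOUD-05: reconnected to the network without an integrity check.
    rc = pkg.get("reconnection")
    if rc is None:
        findings.append(Finding("CONT-CLOUD-05", "Not Evaluable", "no reconnection record"))
    elif rc.get("reconnected") and not rc.get("integrity_verified"):
        findings.append(Finding("CONT-CLOUD-05", "High",
                                "host reconnected before post-containment integrity verification"))

    # CONT-CLOUD-06: absent evidence must be declared "Not Evaluable" explicitly,
    # not silently omitted, so a reviewer can tell "unknown" from "clean".
    declared = set(pkg.get("not_evaluable", []))
    undeclared = [s for s in absent if s not in declared]
    if undeclared:
        findings.append(Finding("CONT-CLOUD-06", "Medium",
                                "missing sections not declared Not Evaluable: " + ", ".join(undeclared)))
    return findings


def overall_risk(findings) -> str:
    """Highest level across findings; 'Pass' when every gate is satisfied."""
    if not findings:
        return "Pass"
    return max(findings, key=lambda f: LEVEL_RANK[f.level]).level


# Constructed sample packages (assumed shapes; not the PR's fixture files).
RECONNECT_WITHOUT_INTEGRITY = {
    "containment_actions": [{"action": "security-group-isolate", "destructive": False}],
    "volatile_evidence": {"captured_before_containment": True},
    "identity_containment": {"refresh_tokens_revoked": True, "pim_roles_deactivated": True},
    "metadata_service": {"credentials_reachable": True, "blast_radius_assessed": True},
    "api_exfiltration_response": {"hard_block": False, "throttled": True, "scoped_key_revoked": True},
    "reconnection": {"reconnected": True, "integrity_verified": False},
}
COMPLETE_PACKAGE = dict(RECONNECT_WITHOUT_INTEGRITY,
                        reconnection={"reconnected": True, "integrity_verified": True})
POWER_OFF_BEFORE_EVIDENCE = {
    "containment_actions": [{"action": "instance-stop", "destructive": True}],
    "volatile_evidence": {"captured_before_containment": False},
    "identity_containment": {"network_block_only": True},
    "api_exfiltration_response": {"hard_block": True},
    "reconnection": {"reconnected": False},
    "not_evaluable": ["metadata_service"],   # gap declared, so CONT-CLOUD-06 is satisfied
}

if __name__ == "__main__":
    for name, pkg in (("reconnect", RECONNECT_WITHOUT_INTEGRITY),
                      ("complete", COMPLETE_PACKAGE),
                      ("power-off", POWER_OFF_BEFORE_EVIDENCE)):
        found = evaluate(pkg)
        print(name, overall_risk(found), [(f.check_id, f.level) for f in found])
```

The design point worth noting is the separate CONT-CLOUD-06 gate: a package that simply omits a section is scored against the gates it does carry, but the omission itself is flagged unless the package declares that section Not Evaluable. Without that rule a fixture with no identity-containment record at all would look cleaner than one that honestly reports a network-only block.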



Development

Successfully merging this pull request may close these issues.

[REVIEW] containment: add Cloud-Managed Identity revocation and 'Metadata-Service' isolation gates