CloudFix: Automated Policy Repair for Cloud Access Control Policies Using Large Language Models

TL;DR

CloudFix tackles the manual burden of maintaining cloud IAM policies by marrying formal-method fault localization with LLM-driven repairs, verified via SMT. Using a dataset of 282 real-world AWS IAM policies, the authors show that fault-localization-guided prompting substantially improves repair accuracy over a Baseline and enables generalization to unseen requests. The work introduces a novel integration of Quacky SMT encoding, fault localization, and LLM reasoning, and releases both the CloudFix tool and the policy repair dataset. This approach reduces manual effort and provides scalable policy repair as cloud environments evolve.

Abstract

Access control policies are vital for securing modern cloud computing, where organizations must manage access to sensitive data across thousands of users in distributed system settings. Cloud administrators typically write and update policies manually, which can be an error-prone and time-consuming process and can potentially lead to security vulnerabilities. Existing approaches based on symbolic analysis have demonstrated success in automated debugging and repairing access control policies; however, their generalizability is limited in the context of cloud-based access control. Conversely, Large Language Models (LLMs) have been utilized for automated program repair; however, their applicability to repairing cloud access control policies remains unexplored. In this work, we introduce CloudFix, the first automated policy repair framework for cloud access control that combines formal methods with LLMs. Given an access control policy and a specification of allowed and denied access requests, CloudFix employs Formal Methods-based Fault Localization to identify faulty statements in the policy and leverages LLMs to generate potential repairs, which are then verified using SMT solvers. To evaluate CloudFix, we curated a dataset of 282 real-world AWS access control policies extracted from forum posts and augmented them with synthetically generated request sets based on real scenarios. Our experimental results show that CloudFix improves repair accuracy over a Baseline implementation across varying request sizes. Our work is the first to leverage LLMs for policy repair, showcasing the effectiveness of LLMs for access control and enabling efficient and automated repair of cloud access control policies. We make our tool Cloudfix and AWS dataset publicly available.

Figures (7)

• Figure 1: Manual Policy Repair Process. Stage 1 shows an administrator authoring a policy while a user generates access requests. In Stage 2, a cloud evaluation engine validates these requests, correctly allowing one (s3:GetObject) but implicitly denying another (ec2:RunInstances) because no statement permits it. In Stage 3, the administrator manually interprets this feedback, adding a new Allow statement to the policy to fix the issue, and resubmits it for validation.
• Figure 2: This flowchart details the architecture of the CloudFix framework.
• Figure 3: An example of a structured input provided to the LLM for a fault-localization-guided repair. The prompt is composed of three parts: the original faulty POLICY, the set of REQUESTS, and the FAULT LOCALIZATION report. The report explicitly maps failed requests to the policy statements responsible for the errors, categorizing them into three types of failures: "denied but explicitly allowed", "allowed but implicitly denied", or "allowed but explicitly denied".
• Figure 4: Average repair accuracy of the Baseline and Fault Localization (FL) approaches against the initial faulty policies across varying request set sizes.
• Figure 5: An overall repair accuracy of four different LLMs using the FL-guided prompting strategy with a request size of 30.