Is your AWS trust policy a confused-deputy risk?
Paste a role trust policy (AssumeRolePolicyDocument) or a resource policy JSON for
an instant, spec-cited static analysis: wildcard principals, whole-account-root trust, missing sts:ExternalId on cross-account trust, missing aws:SourceArn/aws:SourceAccount on service principals, wildcard actions, NotPrincipal footguns, and federated OIDC/SAML
trust.
Analyzed in your browser, never uploaded. A pasted policy routinely contains your real AWS account IDs and role ARNs. It is parsed and graded entirely client-side — no network calls, no AWS credentials, nothing fetched. Findings reference structural facts (a statement's position, a principal's kind) and never echo the account ID/ARN values. A saved permalink stores the derived findings only — never the pasted JSON.