Researchers Unveil CloudFix Framework for Automated Repair of Cloud Access Policies
In a recent preprint posted to arXiv (ID 2512.09957), a team of computer scientists introduced CloudFix, an automated system that repairs cloud access control policies by integrating formal verification techniques with large language models (LLMs). The framework was evaluated on a collection of 282 real‑world AWS policies and demonstrated higher repair accuracy than a baseline approach.
Background
Modern cloud environments rely on extensive access control policies to protect sensitive data across thousands of users. Administrators typically author and update these policies manually, a process that is both time‑consuming and prone to human error, potentially exposing organizations to security breaches.
Prior Approaches
Existing automated solutions have largely depended on symbolic analysis to debug and fix policy errors, but their applicability has been limited in large‑scale cloud settings. While LLMs have shown promise in automated program repair, their suitability for correcting cloud access control policies had not been explored before this work.
Methodology
CloudFix operates in three stages. First, a formal methods‑based fault localization component pinpoints faulty statements within a given policy. Next, an LLM generates candidate repairs for the identified faults. Finally, each candidate is validated using satisfiability modulo theories (SMT) solvers to ensure compliance with the specified allow and deny request sets.
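To make the three stages concrete, here is an added toy version of the pipeline in Python; it is not CloudFix's own code and does not use the paper's dataset. It assumes a simplified IAM semantics (explicit Deny wins, then Allow, otherwise implicit Deny; Condition, Principal and NotAction/NotResource are ignored), replaces the formal fault localizer with a heuristic that blames the statements matching each misclassified request, and replaces the SMT check with exhaustive evaluation over the finite allow and deny request sets. The policy, request sets and the two "LLM candidates" are all constructed for the example.

```python
"""Toy CloudFix-style pipeline: localize faulty statements, then validate
candidate repairs against allow/deny request sets before accepting one.
Simplified IAM semantics (assumption): explicit Deny wins, then Allow, else
implicit Deny; Condition, Principal, NotAction/NotResource are ignored."""
import copy
import fnmatch


def _matches(patterns, value):
    """IAM-style wildcard match ('*' any run, '?' one char), case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def statement_matches(stmt, action, resource):
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)


def evaluate(policy, action, resource):
    """Decide one (action, resource) request under the simplified semantics."""
    decision = "Deny"                       # implicit deny unless something allows
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                   # explicit deny always wins
        decision = "Allow"
    return decision


def validate(policy, allow_set, deny_set):
    """Stage 3 stand-in: list every request whose decision disagrees with the
    specification. An empty list means the candidate satisfies both sets."""
    violations = []
    for action, resource in allow_set:
        if evaluate(policy, action, resource) != "Allow":
            violations.append(("expected Allow", action, resource))
    for action, resource in deny_set:
        if evaluate(policy, action, resource) != "Deny":
            violations.append(("expected Deny", action, resource))
    return violations


def localize_faults(policy, allow_set, deny_set):
    """Stage 1 stand-in (heuristic, not the paper's formal method): map each
    violated request to the statement indices most likely responsible."""
    stmts = policy["Statement"]
    blame = {}
    for kind, action, resource in validate(policy, allow_set, deny_set):
        matched = [i for i, s in enumerate(stmts) if statement_matches(s, action, resource)]
        if kind == "expected Deny":
            # something granted it: the matching Allow statements are at fault
            culprits = [i for i in matched if stmts[i]["Effect"] == "Allow"]
        else:
            # either an explicit Deny shadows it, or nothing covers it; then blame
            # Allow statements that match the action but not the resource
            culprits = [i for i in matched if stmts[i]["Effect"] == "Deny"] or [
                i for i, s in enumerate(stmts)
                if s["Effect"] == "Allow" and _matches(s["Action"], action)]
        blame[(action, resource)] = culprits
    return blame


def select_repair(candidates, allow_set, deny_set):
    """Return the first candidate that passes validation, or None."""
    for cand in candidates:
        if not validate(cand, allow_set, deny_set):
            return cand
    return None


def with_resource(policy, index, resource):
    """Copy `policy` with statement `index` rewritten to cover `resource`."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"][index]["Resource"] = resource
    return fixed


# Constructed sample (not from the paper's dataset): the app should read its own
# log bucket, but the Resource has a typo ('app-log' instead of 'app-logs').
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-log/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
}
ALLOW_SET = [("s3:GetObject", "arn:aws:s3:::app-logs/2024/01/app.log"),
             ("s3:GetObject", "arn:aws:s3:::app-logs/2024/02/app.log")]
DENY_SET = [("s3:DeleteObject", "arn:aws:s3:::app-logs/2024/01/app.log"),
            ("s3:GetObject", "arn:aws:s3:::customer-pii/export.csv"),
            ("s3:PutObject", "arn:aws:s3:::app-logs/2024/01/app.log")]

# Two constructed candidates standing in for LLM output: an over-broad fix that
# satisfies the allow set but leaks customer data, and the intended narrow fix.
CANDIDATE_BROAD = with_resource(ORIGINAL_POLICY, 0, "*")
CANDIDATE_NARROW = with_resource(ORIGINAL_POLICY, 0, "arn:aws:s3:::app-logs/*")


def run_pipeline():
    """Localize, then pick the first candidate that survives validation."""
    faults = localize_faults(ORIGINAL_POLICY, ALLOW_SET, DENY_SET)
    chosen = select_repair([CANDIDATE_BROAD, CANDIDATE_NARROW], ALLOW_SET, DENY_SET)
    return faults, chosen


if __name__ == "__main__":
    faults, chosen = run_pipeline()
    print("faulty statements:", faults)
    print("accepted repair resource:", chosen["Statement"][0]["Resource"])
```

The point the validation stage makes is visible in the two candidates: the over-broad `"*"` repair satisfies every request in the allow set, so a repair loop that only checked "does it now work?" would accept it, while the deny set catches the leaked read of `customer-pii` and forces the narrower fix. On real policies the request sets are not enumerable, which is why the paper uses SMT solvers over a symbolic encoding rather than the brute-force loop shown here.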
Dataset and Evaluation
The authors compiled a dataset comprising 282 authentic AWS access control policies sourced from public forum posts. To simulate realistic usage, they augmented each policy with synthetically generated request sets that reflect common access scenarios. Experiments examined the framework’s performance across varying request set sizes.
Results
Across all test conditions, CloudFix achieved a measurable improvement in repair accuracy compared with the baseline implementation. The gains were consistent regardless of the number of requests used to define the policy specification.
Implications
By successfully applying LLMs to the domain of cloud policy repair, the study highlights a new avenue for reducing manual effort and minimizing the security risks associated with misconfigured access controls. Because every LLM-generated fix must pass the SMT-based validation step, candidate repairs are accepted only when they satisfy the specified allow and deny request sets, rather than on trust.
Availability
The research team has made the CloudFix tool and the accompanying AWS policy dataset publicly accessible, encouraging further experimentation and adoption by the security community.
This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.