What It Does
- Detect ClickOps — find resources created via the console that bypassed IaC and change control
- Define least-privilege IAM policies — generate tight policies from what roles have actually done
- Respond to AccessDenied errors — surface blocked events and draft the exact policy additions needed
- Validate break-glass access — compare what someone actually did in a session against their stated justification
Open Source
The core ingestor Lambda and CLI are open source. Deploy to your own account and query with standard AWS credentials.
Hosted Version
trailtool.io adds features that go beyond what the open source CLI provides:
- Web UI — browse people, sessions, roles, services, and resources without touching a terminal
- REST API — integrate TrailTool data into your own tooling and dashboards
- MCP server — connect Claude Code or any MCP-compatible agent directly to your CloudTrail data
- Multi-account & multi-org support — manage producers across accounts from one place
- Magic link auth — no IAM credentials needed for teammates browsing the UI
Get Early Access
The hosted version is in early development. Leave your email and we'll reach out when it's ready.
Questions? info@engseclabs.com