CloudFix: Automated Policy Repair for Cloud Access Control Policies Using Large Language Models

Access control policies are vital for securing modern cloud computing, where organizations must manage access to sensitive data across thousands of users in distributed system settings. Cloud administrators typically write and update policies manually, which can be an error-prone and time-consuming process and can potentially lead to security vulnerabilities. Existing approaches based on symbolic analysis have demonstrated success in automated debugging and repairing access control policies; however, their generalizability is limited in the context of cloud-based access control. Conversely, Large Language Models (LLMs) have been utilized for automated program repair; however, their applicability to repairing cloud access control policies remains unexplored. In this work, we introduce CloudFix, the first automated policy repair framework for cloud access control that combines formal methods with LLMs. Given an access control policy and a specification of allowed and denied access requests, CloudFix employs Formal Methods-based Fault Localization to identify faulty statements in the policy and leverages LLMs to generate potential repairs, which are then verified using SMT solvers. To evaluate CloudFix, we curated a dataset of 282 real-world AWS access control policies extracted from forum posts and augmented them with synthetically generated request sets based on real scenarios. Our experimental results show that CloudFix improves repair accuracy over a Baseline implementation across varying request sizes. Our work is the first to leverage LLMs for policy repair, showcasing the effectiveness of LLMs for access control and enabling efficient and automated repair of cloud access control policies. We make our tool Cloudfix and AWS dataset publicly available.

💡 Research Summary

The paper introduces CloudFix, the first automated repair framework for cloud access‑control policies that tightly integrates formal methods with large language models (LLMs). The target domain is Amazon Web Services (AWS) Identity and Access Management (IAM) policies, which are declarative JSON‑like documents consisting of statements that grant or deny access based on principal, action, resource, and optional conditions. Because policies are manually authored and frequently updated, errors such as over‑permissive Allow statements or missing permissions are common, leading to security gaps or service disruptions. Existing symbolic‑analysis tools can locate bugs but struggle to generalize across the rich feature set of cloud policies, while LLMs have shown promise in program repair but have not been applied to policy fixing.

CloudFix operates in four iterative stages: (1) Goal Validation, (2) Fault Localization, (3) Prompt Generation, and (4) Repair Synthesis. Goal Validation encodes the policy and a set of “must‑allow” and “must‑deny” requests into logical formulas using the Quacky encoder and checks them with an SMT solver (Z3). If any request is mis‑classified, the policy is deemed faulty. Fault Localization then examines each failing request to determine which statement(s) cause the error. Three fault categories are defined: (a) an explicit Allow that incorrectly permits a request that should be denied, (b) an explicit Deny that incorrectly blocks a request that should be allowed, and (c) an implicit denial (no matching Allow) for a request that should be allowed. By constructing minimal policies that contain a single statement and invoking the SMT solver, the algorithm maps each request to the responsible statement(s) and produces a detailed Fault Localization Report.

Prompt Generation converts the report, the original policy, and the request set into a natural‑language prompt for the LLM. Two prompt styles are explored: a baseline prompt that simply presents the faulty policy and the request specifications, and a Fault‑Localization‑guided prompt that additionally lists each failure, its type, and the responsible statement(s). The guided prompt supplies the LLM with precise “where‑to‑fix” information, which the authors hypothesize will improve repair quality.

The Repair Synthesizer queries a state‑of‑the‑art LLM (e.g., GPT‑4) with the generated prompt and receives a candidate repaired policy. This candidate is fed back to Goal Validation. If it satisfies all requests, the repair succeeds; otherwise, the candidate replaces the current policy only if it improves overall accuracy, and the loop repeats up to a configurable maximum number of iterations (I). The algorithm thus supports incremental, multi‑step repairs when a single LLM pass cannot resolve all issues.

To evaluate CloudFix, the authors curated a dataset of 282 real‑world AWS IAM policies harvested from public forums. For each policy they automatically generated synthetic request sets that reflect realistic usage scenarios, varying the number of requests (e.g., 10, 30, 50) to test scalability. Experiments compared the baseline prompt against the Fault‑Localization‑guided prompt. Results show that the guided approach yields a substantial increase in repair accuracy—on average 23 percentage points higher than the baseline—and especially excels on complex policies with many interdependent statements. Moreover, because every candidate policy is verified with an SMT solver, the final output is guaranteed to be semantically consistent with the request specification, mitigating the risk of LLM hallucinations.

Key contributions are: (1) the novel combination of formal fault localization with LLM‑driven synthesis for policy repair, (2) a concrete algorithm that iteratively refines policies while preserving formal guarantees, (3) empirical evidence that providing LLMs with precise fault reports dramatically improves repair outcomes, and (4) the release of a publicly available dataset of AWS IAM policies and request specifications for future research.

Limitations acknowledged by the authors include the dependence on the quality of the synthetic request set (which may not capture all real‑world nuances), the current focus on AWS IAM (requiring adaptation for other cloud providers), and the possibility of increased iteration counts when the LLM generates syntactically correct but semantically insufficient patches. Future work is suggested in extending the framework to multi‑cloud policy languages, tighter integration of LLM inference with SMT solving for real‑time feedback, and incorporating human‑in‑the‑loop verification to further boost trustworthiness.

In summary, CloudFix demonstrates that marrying formal verification techniques with modern generative AI can automate a traditionally manual, error‑prone task, offering a practical path toward more secure and maintainable cloud access‑control configurations.