Built-in scenario

aws/sample_aws_alb_ec2_rds_plan.json

ALB / EC2 / RDS Demo

Analyzed sample_aws_alb_ec2_rds_plan.json with 19 normalized resources and 4 trust boundaries.

Analyze another plan

Active findings

4

Trust boundaries

4

Resources

19

Observations

1
High 0
Medium 3
Low 1

Analysis coverage

Audit trail for this run

Terraform resources 19
Unsupported 0
Enabled rules 83
Unresolved refs 0

Resource coverage

Provider resources considered
19
Normalized resources
19

No unsupported AWS resource types were encountered.

Rule coverage

Registered rules
83
Disabled rules
0
  • aws-public-alb-waf-missing1
  • aws-rds-cloudwatch-log-exports-missing1
  • aws-vpc-flow-logs-not-configured1
  • aws-private-data-transitive-exposure1

Findings

Severity bands

High

0

No high findings.

Medium

3

Public Application Load Balancer is not associated with a WAF Web ACL

aws-public-alb-waf-missing

aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.

Category
Tampering
Boundary
not-applicable
Resources
aws_lb.web
Evidence
  • target load balancer: address=aws_lb.web; type=aws_lb; arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456; load_balancer_type=application; public_exposure=true; load balancer is internet-facing and attached security groups allow internet ingress
  • waf association coverage: target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456; resolved_web_acl_association_count=0; modeled_web_acl_association_count=0

Sensitive data tier is transitively reachable from an internet-exposed path

aws-private-data-transitive-exposure

aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.

Category
Information Disclosure
Boundary
workload-to-data-store:aws_instance.app->aws_db_instance.app
Resources
aws_lb.web, aws_instance.app, aws_db_instance.app, aws_security_group.app
Evidence
  • network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
  • security group rules: aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)
  • subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
  • data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
  • boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

VPC Flow Logs are not configured for a modeled VPC

aws-vpc-flow-logs-not-configured

aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.

Category
Repudiation
Boundary
not-applicable
Resources
aws_vpc.main
Evidence
  • target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-web-001; cidr_block=10.20.0.0/16
  • flow log coverage: target_vpc_id=vpc-web-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

Low

1

RDS database does not export engine CloudWatch logs

aws-rds-cloudwatch-log-exports-missing

aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.

Category
Repudiation
Boundary
not-applicable
Resources
aws_db_instance.app
Evidence
  • target resource: address=aws_db_instance.app; type=aws_db_instance; identifier=db-web-001; engine=postgres
  • log export posture: enabled_cloudwatch_logs_exports=[]; expected_log_exports=['postgresql']; engine-family baseline log exports are absent

Observations

Controls and mitigating signals

RDS instance is private and storage encrypted

aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.

aws_db_instance.app

Trust boundaries

Crossings that drive the model

internet-to-service

internet -> aws_lb.web

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

public-subnet-to-private-subnet

aws_subnet.public_edge -> aws_subnet.private_app

The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

public-subnet-to-private-subnet

aws_subnet.public_edge -> aws_subnet.private_data

The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

workload-to-data-store

aws_instance.app -> aws_db_instance.app

Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "ALB / EC2 / RDS Demo",
  "analyzed_file": "sample_aws_alb_ec2_rds_plan.json",
  "analyzed_path": "sample_aws_alb_ec2_rds_plan.json",
  "summary": {
    "normalized_resources": 19,
    "unsupported_resources": 0,
    "trust_boundaries": 4,
    "active_findings": 4,
    "total_findings": 4,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 3,
      "low": 1
    }
  },
  "filtering": {
    "total_findings": 4,
    "active_findings": 4,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 19,
      "provider_resources": 19,
      "normalized_resources": 19,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 83,
      "enabled_rules": [
        "aws-public-compute-broad-ingress",
        "aws-lambda-public-invocation",
        "aws-load-balancer-http-public-listener",
        "aws-load-balancer-listener-tls-certificate-missing",
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown",
        "aws-public-alb-waf-missing",
        "aws-cloudfront-viewer-http-allowed",
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown",
        "aws-cloudfront-access-logging-not-configured",
        "aws-public-cloudfront-waf-missing",
        "aws-api-gateway-cors-permissive",
        "aws-public-api-gateway-waf-missing",
        "aws-api-gateway-public-route-authorization-none",
        "aws-api-gateway-stage-access-logs-missing",
        "aws-cloudtrail-multi-region-disabled",
        "aws-cloudtrail-log-file-validation-disabled",
        "aws-cloudtrail-management-events-disabled",
        "aws-cloudtrail-data-events-not-modeled",
        "aws-cloudtrail-insight-selectors-missing",
        "aws-guardduty-detector-disabled-or-missing",
        "aws-securityhub-account-missing",
        "aws-config-recorder-disabled-or-missing",
        "aws-config-delivery-channel-missing",
        "aws-access-analyzer-not-configured",
        "aws-macie-not-enabled-for-sensitive-storage",
        "aws-rds-storage-encryption-disabled",
        "aws-rds-public-endpoint-enabled",
        "aws-rds-backup-retention-insufficient",
        "aws-rds-deletion-protection-disabled",
        "aws-rds-customer-managed-kms-key-missing",
        "aws-rds-multi-az-disabled",
        "aws-rds-performance-insights-disabled",
        "aws-rds-cloudwatch-log-exports-missing",
        "aws-rds-iam-auth-disabled",
        "aws-s3-public-access",
        "aws-s3-customer-managed-encryption-missing",
        "aws-s3-versioning-disabled",
        "aws-s3-object-lock-retention-missing",
        "aws-s3-lifecycle-noncurrent-retention-insufficient",
        "aws-ecr-image-tag-mutability-enabled",
        "aws-ecr-customer-managed-encryption-missing",
        "aws-ecr-repository-scanning-disabled",
        "aws-workload-image-not-digest-pinned",
        "aws-workload-ecr-mutable-tag",
        "aws-workload-can-modify-image-repository",
        "aws-ecs-sensitive-environment-value-inline",
        "aws-ecs-secret-access-blast-radius",
        "aws-public-ecs-secret-access",
        "aws-public-ecs-s3-mutation-access",
        "aws-public-ecs-messaging-mutation-access",
        "aws-sns-customer-managed-encryption-missing",
        "aws-sqs-customer-managed-encryption-missing",
        "aws-sqs-message-retention-insufficient",
        "aws-sqs-dead-letter-queue-not-configured",
        "aws-secretsmanager-customer-managed-kms-key-missing",
        "aws-secretsmanager-recovery-window-too-short",
        "aws-secretsmanager-rotation-not-configured-or-too-long",
        "aws-kms-key-rotation-disabled-or-unknown",
        "aws-kms-key-deletion-window-too-short",
        "aws-workload-secretsmanager-vpc-endpoint-missing",
        "aws-workload-kms-vpc-endpoint-missing",
        "aws-workload-s3-vpc-endpoint-missing",
        "aws-vpc-endpoint-policy-broad-access",
        "aws-vpc-flow-logs-not-configured",
        "aws-vpc-flow-log-traffic-type-incomplete",
        "aws-vpc-flow-log-destination-missing",
        "aws-eks-api-endpoint-public-unrestricted",
        "aws-eks-private-endpoint-not-enabled",
        "aws-eks-secrets-encryption-not-configured",
        "aws-eks-control-plane-logging-incomplete",
        "aws-eks-authentication-mode-weak-or-unknown",
        "aws-eks-vpc-cni-network-policy-not-enabled",
        "aws-database-permissive-ingress",
        "aws-missing-tier-segmentation",
        "aws-sensitive-resource-policy-external-access",
        "aws-service-resource-policy-external-access",
        "aws-iam-wildcard-permissions",
        "aws-iam-privileged-role-assignment",
        "aws-workload-role-sensitive-permissions",
        "aws-private-data-transitive-exposure",
        "aws-control-plane-sensitive-workload-chain",
        "aws-role-trust-expansion",
        "aws-role-trust-missing-narrowing"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "aws-public-compute-broad-ingress": 0,
        "aws-lambda-public-invocation": 0,
        "aws-load-balancer-http-public-listener": 0,
        "aws-load-balancer-listener-tls-certificate-missing": 0,
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
        "aws-public-alb-waf-missing": 1,
        "aws-cloudfront-viewer-http-allowed": 0,
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
        "aws-cloudfront-access-logging-not-configured": 0,
        "aws-public-cloudfront-waf-missing": 0,
        "aws-api-gateway-cors-permissive": 0,
        "aws-public-api-gateway-waf-missing": 0,
        "aws-api-gateway-public-route-authorization-none": 0,
        "aws-api-gateway-stage-access-logs-missing": 0,
        "aws-cloudtrail-multi-region-disabled": 0,
        "aws-cloudtrail-log-file-validation-disabled": 0,
        "aws-cloudtrail-management-events-disabled": 0,
        "aws-cloudtrail-data-events-not-modeled": 0,
        "aws-cloudtrail-insight-selectors-missing": 0,
        "aws-guardduty-detector-disabled-or-missing": 0,
        "aws-securityhub-account-missing": 0,
        "aws-config-recorder-disabled-or-missing": 0,
        "aws-config-delivery-channel-missing": 0,
        "aws-access-analyzer-not-configured": 0,
        "aws-macie-not-enabled-for-sensitive-storage": 0,
        "aws-rds-storage-encryption-disabled": 0,
        "aws-rds-public-endpoint-enabled": 0,
        "aws-rds-backup-retention-insufficient": 0,
        "aws-rds-deletion-protection-disabled": 0,
        "aws-rds-customer-managed-kms-key-missing": 0,
        "aws-rds-multi-az-disabled": 0,
        "aws-rds-performance-insights-disabled": 0,
        "aws-rds-cloudwatch-log-exports-missing": 1,
        "aws-rds-iam-auth-disabled": 0,
        "aws-s3-public-access": 0,
        "aws-s3-customer-managed-encryption-missing": 0,
        "aws-s3-versioning-disabled": 0,
        "aws-s3-object-lock-retention-missing": 0,
        "aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
        "aws-ecr-image-tag-mutability-enabled": 0,
        "aws-ecr-customer-managed-encryption-missing": 0,
        "aws-ecr-repository-scanning-disabled": 0,
        "aws-workload-image-not-digest-pinned": 0,
        "aws-workload-ecr-mutable-tag": 0,
        "aws-workload-can-modify-image-repository": 0,
        "aws-ecs-sensitive-environment-value-inline": 0,
        "aws-ecs-secret-access-blast-radius": 0,
        "aws-public-ecs-secret-access": 0,
        "aws-public-ecs-s3-mutation-access": 0,
        "aws-public-ecs-messaging-mutation-access": 0,
        "aws-sns-customer-managed-encryption-missing": 0,
        "aws-sqs-customer-managed-encryption-missing": 0,
        "aws-sqs-message-retention-insufficient": 0,
        "aws-sqs-dead-letter-queue-not-configured": 0,
        "aws-secretsmanager-customer-managed-kms-key-missing": 0,
        "aws-secretsmanager-recovery-window-too-short": 0,
        "aws-secretsmanager-rotation-not-configured-or-too-long": 0,
        "aws-kms-key-rotation-disabled-or-unknown": 0,
        "aws-kms-key-deletion-window-too-short": 0,
        "aws-workload-secretsmanager-vpc-endpoint-missing": 0,
        "aws-workload-kms-vpc-endpoint-missing": 0,
        "aws-workload-s3-vpc-endpoint-missing": 0,
        "aws-vpc-endpoint-policy-broad-access": 0,
        "aws-vpc-flow-logs-not-configured": 1,
        "aws-vpc-flow-log-traffic-type-incomplete": 0,
        "aws-vpc-flow-log-destination-missing": 0,
        "aws-eks-api-endpoint-public-unrestricted": 0,
        "aws-eks-private-endpoint-not-enabled": 0,
        "aws-eks-secrets-encryption-not-configured": 0,
        "aws-eks-control-plane-logging-incomplete": 0,
        "aws-eks-authentication-mode-weak-or-unknown": 0,
        "aws-eks-vpc-cni-network-policy-not-enabled": 0,
        "aws-database-permissive-ingress": 0,
        "aws-missing-tier-segmentation": 0,
        "aws-sensitive-resource-policy-external-access": 0,
        "aws-service-resource-policy-external-access": 0,
        "aws-iam-wildcard-permissions": 0,
        "aws-iam-privileged-role-assignment": 0,
        "aws-workload-role-sensitive-permissions": 0,
        "aws-private-data-transitive-exposure": 1,
        "aws-control-plane-sensitive-workload-chain": 0,
        "aws-role-trust-expansion": 0,
        "aws-role-trust-missing-narrowing": 0
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "aws",
    "unsupported_resources": [],
    "metadata": {
      "primary_account_id": "333344445555",
      "supported_resource_types": [
        "aws_accessanalyzer_analyzer",
        "aws_api_gateway_authorizer",
        "aws_api_gateway_method",
        "aws_api_gateway_rest_api",
        "aws_api_gateway_stage",
        "aws_apigatewayv2_api",
        "aws_apigatewayv2_route",
        "aws_apigatewayv2_stage",
        "aws_cloudfront_distribution",
        "aws_cloudtrail",
        "aws_config_configuration_recorder",
        "aws_config_configuration_recorder_status",
        "aws_config_delivery_channel",
        "aws_db_instance",
        "aws_ecr_registry_scanning_configuration",
        "aws_ecr_repository",
        "aws_ecs_cluster",
        "aws_ecs_service",
        "aws_ecs_task_definition",
        "aws_eks_addon",
        "aws_eks_cluster",
        "aws_flow_log",
        "aws_guardduty_detector",
        "aws_iam_instance_profile",
        "aws_iam_openid_connect_provider",
        "aws_iam_policy",
        "aws_iam_role",
        "aws_iam_role_policy",
        "aws_iam_role_policy_attachment",
        "aws_instance",
        "aws_internet_gateway",
        "aws_kms_key",
        "aws_lambda_function",
        "aws_lambda_function_url",
        "aws_lambda_permission",
        "aws_lb",
        "aws_lb_listener",
        "aws_lb_listener_rule",
        "aws_lb_target_group",
        "aws_macie2_account",
        "aws_nat_gateway",
        "aws_route_table",
        "aws_route_table_association",
        "aws_s3_bucket",
        "aws_s3_bucket_lifecycle_configuration",
        "aws_s3_bucket_object_lock_configuration",
        "aws_s3_bucket_policy",
        "aws_s3_bucket_public_access_block",
        "aws_s3_bucket_server_side_encryption_configuration",
        "aws_s3_bucket_versioning",
        "aws_secretsmanager_secret",
        "aws_secretsmanager_secret_policy",
        "aws_secretsmanager_secret_rotation",
        "aws_security_group",
        "aws_security_group_rule",
        "aws_securityhub_account",
        "aws_sns_topic",
        "aws_sqs_queue",
        "aws_sqs_queue_redrive_policy",
        "aws_subnet",
        "aws_vpc",
        "aws_vpc_endpoint",
        "aws_wafv2_web_acl",
        "aws_wafv2_web_acl_association"
      ],
      "total_input_resources": 19,
      "provider_resource_count": 19,
      "normalized_resource_count": 19,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "aws_db_instance.app",
        "provider": "aws",
        "resource_type": "aws_db_instance",
        "name": "app",
        "category": "data",
        "identifier": "db-web-001",
        "arn": "arn:aws:rds:us-east-1:333344445555:db:web-prod-db",
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [
          "sg-web-db-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "engine": "postgres",
          "rds_publicly_accessible_state": "disabled",
          "rds_backup_retention_period": 14,
          "rds_deletion_protection_state": "enabled",
          "rds_multi_az_state": "unknown",
          "rds_kms_key_id": "arn:aws:kms:us-east-1:222233334444:key/rds",
          "rds_performance_insights_enabled_state": "unknown",
          "rds_enabled_cloudwatch_logs_exports": [],
          "rds_iam_database_authentication_enabled_state": "unknown",
          "rds_posture_uncertainties": [],
          "db_subnet_group_name": "web-private-data",
          "publicly_accessible": false,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "storage_encrypted": true,
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_instance.app",
        "provider": "aws",
        "resource_type": "aws_instance",
        "name": "app",
        "category": "compute",
        "identifier": "i-web-app-001",
        "arn": "arn:aws:ec2:us-east-1:333344445555:instance/i-web-app-001",
        "vpc_id": "vpc-web-001",
        "subnet_ids": [
          "subnet-web-private-app-001"
        ],
        "security_group_ids": [
          "sg-web-app-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "ami": "ami-web-123456",
          "instance_type": "t3.medium",
          "associate_public_ip_address": false,
          "iam_instance_profile": null,
          "tags": {
            "Tier": "app"
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_internet_gateway.main",
        "provider": "aws",
        "resource_type": "aws_internet_gateway",
        "name": "main",
        "category": "network",
        "identifier": "igw-web-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_lb.web",
        "provider": "aws",
        "resource_type": "aws_lb",
        "name": "web",
        "category": "edge",
        "identifier": "alb-web-001",
        "arn": "arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456",
        "vpc_id": "vpc-web-001",
        "subnet_ids": [
          "subnet-web-public-001"
        ],
        "security_group_ids": [
          "sg-web-lb-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "internal": false,
          "load_balancer_type": "application",
          "public_access_reasons": [
            "load balancer is configured as internet-facing"
          ],
          "public_exposure_reasons": [
            "load balancer is internet-facing and attached security groups allow internet ingress"
          ],
          "public_access_configured": true,
          "internet_ingress": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "aws_security_group.lb ingress tcp 443 from 0.0.0.0/0 (HTTPS from internet)"
          ],
          "in_public_subnet": true,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": true
        }
      },
      {
        "address": "aws_nat_gateway.main",
        "provider": "aws",
        "resource_type": "aws_nat_gateway",
        "name": "main",
        "category": "network",
        "identifier": "nat-web-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [
          "subnet-web-public-001"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "allocation_id": "eipalloc-web-001",
          "connectivity_type": "public",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": true,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.private",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "private",
        "category": "network",
        "identifier": "rtb-web-private-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "nat_gateway_id": "nat-web-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.public",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "public",
        "category": "network",
        "identifier": "rtb-web-public-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "gateway_id": "igw-web-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.private_app",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "private_app",
        "category": "network",
        "identifier": "rtassoc-web-private-app-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-web-private-001",
          "subnet_id": "subnet-web-private-app-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.private_data",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "private_data",
        "category": "network",
        "identifier": "rtassoc-web-private-data-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-web-private-001",
          "subnet_id": "subnet-web-private-data-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.public_edge",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "public_edge",
        "category": "network",
        "identifier": "rtassoc-web-public-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-web-public-001",
          "subnet_id": "subnet-web-public-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.app",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "app",
        "category": "network",
        "identifier": "sg-web-app-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          },
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 8080,
            "to_port": 8080,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-web-lb-001"
            ],
            "description": "Application traffic from the ALB"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Private app tier reachable only from the ALB",
          "group_name": "web-app-sg",
          "standalone_rule_addresses": [
            "aws_security_group_rule.app_from_lb"
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.db",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "db",
        "category": "network",
        "identifier": "sg-web-db-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          },
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 5432,
            "to_port": 5432,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-web-app-001"
            ],
            "description": "Postgres from the app tier"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Database tier reachable only from the app tier",
          "group_name": "web-db-sg",
          "standalone_rule_addresses": [
            "aws_security_group_rule.db_from_app"
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.lb",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "lb",
        "category": "network",
        "identifier": "sg-web-lb-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 443,
            "to_port": 443,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": "HTTPS from internet"
          },
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Public ALB ingress only",
          "group_name": "web-lb-sg",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group_rule.app_from_lb",
        "provider": "aws",
        "resource_type": "aws_security_group_rule",
        "name": "app_from_lb",
        "category": "network",
        "identifier": "sgrule-web-app-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 8080,
            "to_port": 8080,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-web-lb-001"
            ],
            "description": "Application traffic from the ALB"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "security_group_id": "sg-web-app-001",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group_rule.db_from_app",
        "provider": "aws",
        "resource_type": "aws_security_group_rule",
        "name": "db_from_app",
        "category": "network",
        "identifier": "sgrule-web-db-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 5432,
            "to_port": 5432,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-web-app-001"
            ],
            "description": "Postgres from the app tier"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "security_group_id": "sg-web-db-001",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.private_app",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "private_app",
        "category": "network",
        "identifier": "subnet-web-private-app-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.20.2.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": false,
          "tags": {
            "Tier": "app"
          },
          "is_public_subnet": false,
          "route_table_ids": [
            "rtb-web-private-001"
          ],
          "has_public_route": false,
          "has_nat_gateway_egress": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.private_data",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "private_data",
        "category": "network",
        "identifier": "subnet-web-private-data-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.20.3.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": false,
          "tags": {
            "Tier": "data"
          },
          "is_public_subnet": false,
          "route_table_ids": [
            "rtb-web-private-001"
          ],
          "has_public_route": false,
          "has_nat_gateway_egress": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.public_edge",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "public_edge",
        "category": "network",
        "identifier": "subnet-web-public-001",
        "arn": null,
        "vpc_id": "vpc-web-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.20.1.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": true,
          "tags": {
            "Tier": "edge"
          },
          "is_public_subnet": true,
          "route_table_ids": [
            "rtb-web-public-001"
          ],
          "has_public_route": true,
          "has_nat_gateway_egress": false,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_vpc.main",
        "provider": "aws",
        "resource_type": "aws_vpc",
        "name": "main",
        "category": "network",
        "identifier": "vpc-web-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.20.0.0/16",
          "tags": {
            "Name": "web-main"
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "internet-to-service:internet->aws_lb.web",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "aws_lb.web",
      "description": "Traffic can cross from the public internet to aws_lb.web.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
      "boundary_type": "public-subnet-to-private-subnet",
      "source": "aws_subnet.public_edge",
      "target": "aws_subnet.private_app",
      "description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
      "rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
    },
    {
      "identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_data",
      "boundary_type": "public-subnet-to-private-subnet",
      "source": "aws_subnet.public_edge",
      "target": "aws_subnet.private_data",
      "description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.",
      "rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
    },
    {
      "identifier": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
      "boundary_type": "workload-to-data-store",
      "source": "aws_instance.app",
      "target": "aws_db_instance.app",
      "description": "aws_instance.app can interact with aws_db_instance.app.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:7764e4c5514d2c0f6130714b1c5bb65fd64fb857cf3124a77d42b7d718d0ac33",
      "title": "Public Application Load Balancer is not associated with a WAF Web ACL",
      "rule_id": "aws-public-alb-waf-missing",
      "category": "Tampering",
      "severity": "medium",
      "affected_resources": [
        "aws_lb.web"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.",
      "recommended_mitigation": "Associate an AWS WAFv2 Web ACL with internet-facing Application Load Balancers and keep the association modeled in Terraform so public edge protection is reviewable before deployment.",
      "evidence": [
        {
          "key": "target_load_balancer",
          "values": [
            "address=aws_lb.web",
            "type=aws_lb",
            "arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456",
            "load_balancer_type=application",
            "public_exposure=true",
            "load balancer is internet-facing and attached security groups allow internet ingress"
          ]
        },
        {
          "key": "waf_association_coverage",
          "values": [
            "target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456",
            "resolved_web_acl_association_count=0",
            "modeled_web_acl_association_count=0"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:878d7f51554b80571305b48b2d814a70df80e28ee3b2bf44a8feb9bd1d5c3e47",
      "title": "Sensitive data tier is transitively reachable from an internet-exposed path",
      "rule_id": "aws-private-data-transitive-exposure",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "aws_lb.web",
        "aws_instance.app",
        "aws_db_instance.app",
        "aws_security_group.app"
      ],
      "trust_boundary_id": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
      "rationale": "aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.",
      "recommended_mitigation": "Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.",
      "evidence": [
        {
          "key": "network_path",
          "values": [
            "internet reaches aws_lb.web",
            "aws_lb.web reaches aws_instance.app",
            "aws_instance.app reaches aws_db_instance.app"
          ]
        },
        {
          "key": "security_group_rules",
          "values": [
            "aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)"
          ]
        },
        {
          "key": "subnet_posture",
          "values": [
            "aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route",
            "aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress"
          ]
        },
        {
          "key": "data_tier_posture",
          "values": [
            "aws_db_instance.app is not directly public",
            "database has no direct internet ingress path"
          ]
        },
        {
          "key": "boundary_rationale",
          "values": [
            "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:c2dad77f15c57ff9b288847015b64eb1504039f1eeae0aa0312b748ec4410f40",
      "title": "VPC Flow Logs are not configured for a modeled VPC",
      "rule_id": "aws-vpc-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "aws_vpc.main"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.",
      "recommended_mitigation": "Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.",
      "evidence": [
        {
          "key": "target_vpc",
          "values": [
            "address=aws_vpc.main",
            "type=aws_vpc",
            "identifier=vpc-web-001",
            "cidr_block=10.20.0.0/16"
          ]
        },
        {
          "key": "flow_log_coverage",
          "values": [
            "target_vpc_id=vpc-web-001",
            "resolved_vpc_flow_log_count=0",
            "aws_flow_log resources are not modeled"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:ff9a1b4b0b11630f912c75371010b2df22e43179e7a2112f290cdf09014ab55e",
      "title": "RDS database does not export engine CloudWatch logs",
      "rule_id": "aws-rds-cloudwatch-log-exports-missing",
      "category": "Repudiation",
      "severity": "low",
      "affected_resources": [
        "aws_db_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.",
      "recommended_mitigation": "Enable the CloudWatch Logs exports expected for the RDS engine family (for example `postgresql` for PostgreSQL, `error` and `slowquery` for MySQL/MariaDB) so errors, slow queries, and audit activity are captured for investigation.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=aws_db_instance.app",
            "type=aws_db_instance",
            "identifier=db-web-001",
            "engine=postgres"
          ]
        },
        {
          "key": "log_export_posture",
          "values": [
            "enabled_cloudwatch_logs_exports=[]",
            "expected_log_exports=['postgresql']",
            "engine-family baseline log exports are absent"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 1,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 2,
        "severity": "low",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [
    {
      "title": "RDS instance is private and storage encrypted",
      "observation_id": "aws-rds-private-encrypted",
      "affected_resources": [
        "aws_db_instance.app"
      ],
      "rationale": "aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.",
      "category": "data-protection",
      "evidence": [
        {
          "key": "database_posture",
          "values": [
            "publicly_accessible is false",
            "storage_encrypted is true",
            "no attached security group allows internet ingress",
            "engine is postgres"
          ]
        }
      ]
    }
  ],
  "limitations": [
    "AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
    "Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
    "IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
    "Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# ALB / EC2 / RDS Demo

- Analyzed file: `sample_aws_alb_ec2_rds_plan.json`
- Provider: `aws`
- Normalized resources: `19`
- Unsupported resources: `0`

## Summary

This run identified **4 trust boundaries** and **4 findings** across **19 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `3`
- Low severity findings: `1`

## Analysis Coverage

- Terraform resources seen: `19`
- Provider resources considered: `19`
- Normalized resources: `19`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `aws-public-alb-waf-missing`: `1`
  - `aws-rds-cloudwatch-log-exports-missing`: `1`
  - `aws-vpc-flow-logs-not-configured`: `1`
  - `aws-private-data-transitive-exposure`: `1`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `aws_lb.web`
- Description: Traffic can cross from the public internet to aws_lb.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `public-subnet-to-private-subnet`

- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

### `public-subnet-to-private-subnet`

- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_data`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

### `workload-to-data-store`

- Source: `aws_instance.app`
- Target: `aws_db_instance.app`
- Description: aws_instance.app can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

## Findings

### High

No findings in this severity band.

### Medium

#### Public Application Load Balancer is not associated with a WAF Web ACL

- STRIDE category: Tampering
- Affected resources: `aws_lb.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.
- Recommended mitigation: Associate an AWS WAFv2 Web ACL with internet-facing Application Load Balancers and keep the association modeled in Terraform so public edge protection is reviewable before deployment.
- Evidence:
  - target load balancer: address=aws_lb.web; type=aws_lb; arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456; load_balancer_type=application; public_exposure=true; load balancer is internet-facing and attached security groups allow internet ingress
  - waf association coverage: target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456; resolved_web_acl_association_count=0; modeled_web_acl_association_count=0

#### Sensitive data tier is transitively reachable from an internet-exposed path

- STRIDE category: Information Disclosure
- Affected resources: `aws_lb.web`, `aws_instance.app`, `aws_db_instance.app`, `aws_security_group.app`
- Trust boundary: `workload-to-data-store:aws_instance.app->aws_db_instance.app`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +2, blast_radius +1, final_score 5 => medium
- Rationale: aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.
- Recommended mitigation: Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.
- Evidence:
  - network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
  - security group rules: aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)
  - subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
  - data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
  - boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

#### VPC Flow Logs are not configured for a modeled VPC

- STRIDE category: Repudiation
- Affected resources: `aws_vpc.main`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 3 => medium
- Rationale: aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.
- Recommended mitigation: Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.
- Evidence:
  - target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-web-001; cidr_block=10.20.0.0/16
  - flow log coverage: target_vpc_id=vpc-web-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

### Low

#### RDS database does not export engine CloudWatch logs

- STRIDE category: Repudiation
- Affected resources: `aws_db_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +1, lateral_movement +0, blast_radius +1, final_score 2 => low
- Rationale: aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.
- Recommended mitigation: Enable the CloudWatch Logs exports expected for the RDS engine family (for example `postgresql` for PostgreSQL, `error` and `slowquery` for MySQL/MariaDB) so errors, slow queries, and audit activity are captured for investigation.
- Evidence:
  - target resource: address=aws_db_instance.app; type=aws_db_instance; identifier=db-web-001; engine=postgres
  - log export posture: enabled_cloudwatch_logs_exports=[]; expected_log_exports=['postgresql']; engine-family baseline log exports are absent

## Controls Observed

### RDS instance is private and storage encrypted

- Category: `data-protection`
- Affected resources: `aws_db_instance.app`
- Rationale: aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
- Evidence:
  - database posture: publicly_accessible is false; storage_encrypted is true; no attached security group allows internet ingress; engine is postgres

## Limitations / Unsupported Resources

- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
  • Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
  • IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
  • Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.