Built-in scenario

azure/sample_azure_storage_plan.json

Azure Storage Exposure Demo

Analyzed sample_azure_storage_plan.json with 3 normalized resources and 1 trust boundaries.

Analyze another plan

Active findings

7

Trust boundaries

1

Resources

3

Observations

0
High 2
Medium 5
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 4
Unsupported 1
Enabled rules 94
Unresolved refs 0

Resource coverage

Provider resources considered
4
Normalized resources
3
  • azurerm_storage_share1

Rule coverage

Registered rules
94
Disabled rules
0
  • azure-storage-container-public-access1
  • azure-storage-account-nested-public-access-enabled1
  • azure-storage-account-shared-key-enabled1
  • azure-storage-account-minimum-tls-below-1-21
  • azure-storage-account-public-network-unrestricted1
  • azure-storage-account-missing-private-endpoint1
  • azure-diagnostic-settings-missing1

Findings

Severity bands

High

2

Azure Storage account permits Shared Key authorization

azure-storage-account-shared-key-enabled

azurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
azurerm_storage_account.assets
Evidence
  • authorization posture: shared_access_key_enabled is true

Azure Storage account permits nested public blob access

azure-storage-account-nested-public-access-enabled

azurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.

Category
Information Disclosure
Boundary
not-applicable
Resources
azurerm_storage_account.assets
Evidence
  • public access posture: allow_nested_items_to_be_public is true

Medium

5

Azure Storage account allows TLS below 1.2

azure-storage-account-minimum-tls-below-1-2

azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.

Category
Information Disclosure
Boundary
not-applicable
Resources
azurerm_storage_account.assets
Evidence
  • transport posture: min_tls_version is TLS1_1

Azure Storage account allows unrestricted public network access

azure-storage-account-public-network-unrestricted

azurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.

Category
Information Disclosure
Boundary
internet-to-service:internet->azurerm_storage_account.assets
Resources
azurerm_storage_account.assets
Evidence
  • network posture: public_network_access_enabled is true; effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets

Azure Storage account lacks resolved private endpoint coverage

azure-storage-account-missing-private-endpoint

azurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.

Category
Information Disclosure
Boundary
not-applicable
Resources
azurerm_storage_account.assets
Evidence
  • target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account
  • public network fallback: public_network_fallback_state=enabled; public_network_access_enabled is true
  • private endpoint coverage: no resolved private endpoint targets this resource
  • network acl posture: effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets

Azure Storage container is publicly accessible

azure-storage-container-public-access

azurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.

Category
Information Disclosure
Boundary
internet-to-service:internet->azurerm_storage_account.assets
Resources
azurerm_storage_account.assets, azurerm_storage_container.public_assets
Evidence
  • public exposure reasons: container_access_type is blob; azurerm_storage_account.assets allows nested items to be public; azurerm_storage_account.assets is reachable through its public network endpoint

Azure resource lacks diagnostic settings

azure-diagnostic-settings-missing

azurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.

Category
Repudiation
Boundary
not-applicable
Resources
azurerm_storage_account.assets
Evidence
  • target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account; name=tfstridepublicassets; identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets
  • diagnostic coverage: no resolved azurerm_monitor_diagnostic_setting targets this resource

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

internet-to-service

internet -> azurerm_storage_account.assets

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "Azure Storage Exposure Demo",
  "analyzed_file": "sample_azure_storage_plan.json",
  "analyzed_path": "sample_azure_storage_plan.json",
  "summary": {
    "normalized_resources": 3,
    "unsupported_resources": 1,
    "trust_boundaries": 1,
    "active_findings": 7,
    "total_findings": 7,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 2,
      "medium": 5,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 7,
    "active_findings": 7,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 4,
      "provider_resources": 4,
      "normalized_resources": 3,
      "unsupported_resources": 1,
      "unsupported_resource_types": {
        "azurerm_storage_share": 1
      }
    },
    "rules": {
      "registered_rule_count": 94,
      "enabled_rules": [
        "azure-public-compute-broad-ingress",
        "azure-load-balancer-public-frontend",
        "azure-application-gateway-public-listener",
        "azure-public-application-gateway-waf-missing",
        "azure-nsg-flow-logs-not-configured",
        "azure-nsg-flow-log-disabled",
        "azure-nsg-flow-log-destination-missing",
        "azure-nsg-flow-log-retention-insufficient",
        "azure-storage-container-public-access",
        "azure-storage-account-nested-public-access-enabled",
        "azure-storage-account-shared-key-enabled",
        "azure-storage-account-minimum-tls-below-1-2",
        "azure-storage-account-public-network-unrestricted",
        "azure-storage-account-customer-managed-key-missing",
        "azure-storage-account-infrastructure-encryption-not-enabled",
        "azure-storage-account-blob-versioning-disabled",
        "azure-storage-account-blob-soft-delete-insufficient",
        "azure-storage-account-container-soft-delete-insufficient",
        "azure-storage-account-point-in-time-restore-missing",
        "azure-storage-account-missing-private-endpoint",
        "azure-service-bus-public-network-access-not-disabled",
        "azure-service-bus-minimum-tls-below-1-2",
        "azure-service-bus-minimum-tls-unknown",
        "azure-service-bus-local-auth-enabled",
        "azure-service-bus-customer-managed-key-missing",
        "azure-service-bus-missing-private-endpoint",
        "azure-container-registry-public-network-access-not-disabled",
        "azure-container-registry-admin-account-enabled",
        "azure-container-registry-anonymous-pull-enabled",
        "azure-container-registry-customer-managed-key-missing",
        "azure-container-registry-missing-private-endpoint",
        "azure-key-vault-public-network-access",
        "azure-key-vault-missing-private-endpoint",
        "azure-key-vault-privileged-access",
        "azure-key-vault-purge-protection-disabled",
        "azure-key-vault-secret-certificate-lifecycle-incomplete",
        "azure-key-vault-key-strength-weak",
        "azure-key-vault-key-rotation-policy-incomplete",
        "azure-custom-role-wildcard-management-plane",
        "azure-custom-role-authorization-management",
        "azure-custom-role-broad-management-plane",
        "azure-custom-role-broad-data-plane",
        "azure-custom-role-subscription-assignable-scope",
        "azure-custom-role-assignment-blast-radius",
        "azure-rbac-privileged-assignment",
        "azure-managed-identity-broad-rbac",
        "azure-federated-identity-privileged-access",
        "azure-public-workload-sensitive-resource-access",
        "azure-app-service-public-network-access-not-disabled",
        "azure-app-service-platform-authentication-disabled",
        "azure-app-service-anonymous-platform-access-allowed",
        "azure-app-service-minimum-tls-below-1-2",
        "azure-app-service-minimum-tls-unknown",
        "azure-app-service-managed-identity-missing",
        "azure-app-service-vnet-integration-missing",
        "azure-app-service-access-restrictions-not-default-deny",
        "azure-app-service-broad-access-restriction-allow",
        "azure-app-service-scm-access-unrestricted",
        "azure-app-service-image-not-digest-pinned",
        "azure-app-service-can-modify-image-repository",
        "azure-public-app-service-storage-mutation-access",
        "azure-public-app-service-service-bus-mutation-access",
        "azure-app-service-sensitive-app-setting-inline",
        "azure-app-service-key-vault-reference-identity-not-configured",
        "azure-app-service-key-vault-secret-access-overprivileged",
        "azure-diagnostic-settings-missing",
        "azure-diagnostic-setting-no-log-destination",
        "azure-diagnostic-setting-audit-logs-incomplete",
        "azure-defender-pricing-tier-not-standard",
        "azure-security-center-auto-provisioning-disabled",
        "azure-aks-api-server-public-unrestricted",
        "azure-aks-private-cluster-not-enabled",
        "azure-aks-local-accounts-not-disabled",
        "azure-aks-rbac-posture-weak",
        "azure-aks-network-policy-missing",
        "azure-aks-workload-identity-not-enabled",
        "azure-aks-key-management-service-not-configured",
        "azure-aks-monitoring-agent-not-enabled",
        "azure-aks-defender-not-enabled",
        "azure-aks-azure-policy-not-enabled",
        "azure-sql-public-network-access-enabled",
        "azure-sql-missing-private-endpoint",
        "azure-sql-firewall-broad-public-access",
        "azure-sql-minimum-tls-below-1-2",
        "azure-sql-security-alert-policy-disabled",
        "azure-sql-short-term-backup-retention-insufficient",
        "azure-sql-long-term-backup-retention-not-configured",
        "azure-sql-backup-geo-redundancy-not-enabled",
        "azure-private-endpoint-public-fallback",
        "azure-private-endpoint-dns-posture-incomplete",
        "azure-postgresql-public-network-access-enabled",
        "azure-postgresql-firewall-broad-public-access",
        "azure-postgresql-weak-tls-or-ssl",
        "azure-postgresql-geo-backup-disabled"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "azure-public-compute-broad-ingress": 0,
        "azure-load-balancer-public-frontend": 0,
        "azure-application-gateway-public-listener": 0,
        "azure-public-application-gateway-waf-missing": 0,
        "azure-nsg-flow-logs-not-configured": 0,
        "azure-nsg-flow-log-disabled": 0,
        "azure-nsg-flow-log-destination-missing": 0,
        "azure-nsg-flow-log-retention-insufficient": 0,
        "azure-storage-container-public-access": 1,
        "azure-storage-account-nested-public-access-enabled": 1,
        "azure-storage-account-shared-key-enabled": 1,
        "azure-storage-account-minimum-tls-below-1-2": 1,
        "azure-storage-account-public-network-unrestricted": 1,
        "azure-storage-account-customer-managed-key-missing": 0,
        "azure-storage-account-infrastructure-encryption-not-enabled": 0,
        "azure-storage-account-blob-versioning-disabled": 0,
        "azure-storage-account-blob-soft-delete-insufficient": 0,
        "azure-storage-account-container-soft-delete-insufficient": 0,
        "azure-storage-account-point-in-time-restore-missing": 0,
        "azure-storage-account-missing-private-endpoint": 1,
        "azure-service-bus-public-network-access-not-disabled": 0,
        "azure-service-bus-minimum-tls-below-1-2": 0,
        "azure-service-bus-minimum-tls-unknown": 0,
        "azure-service-bus-local-auth-enabled": 0,
        "azure-service-bus-customer-managed-key-missing": 0,
        "azure-service-bus-missing-private-endpoint": 0,
        "azure-container-registry-public-network-access-not-disabled": 0,
        "azure-container-registry-admin-account-enabled": 0,
        "azure-container-registry-anonymous-pull-enabled": 0,
        "azure-container-registry-customer-managed-key-missing": 0,
        "azure-container-registry-missing-private-endpoint": 0,
        "azure-key-vault-public-network-access": 0,
        "azure-key-vault-missing-private-endpoint": 0,
        "azure-key-vault-privileged-access": 0,
        "azure-key-vault-purge-protection-disabled": 0,
        "azure-key-vault-secret-certificate-lifecycle-incomplete": 0,
        "azure-key-vault-key-strength-weak": 0,
        "azure-key-vault-key-rotation-policy-incomplete": 0,
        "azure-custom-role-wildcard-management-plane": 0,
        "azure-custom-role-authorization-management": 0,
        "azure-custom-role-broad-management-plane": 0,
        "azure-custom-role-broad-data-plane": 0,
        "azure-custom-role-subscription-assignable-scope": 0,
        "azure-custom-role-assignment-blast-radius": 0,
        "azure-rbac-privileged-assignment": 0,
        "azure-managed-identity-broad-rbac": 0,
        "azure-federated-identity-privileged-access": 0,
        "azure-public-workload-sensitive-resource-access": 0,
        "azure-app-service-public-network-access-not-disabled": 0,
        "azure-app-service-platform-authentication-disabled": 0,
        "azure-app-service-anonymous-platform-access-allowed": 0,
        "azure-app-service-minimum-tls-below-1-2": 0,
        "azure-app-service-minimum-tls-unknown": 0,
        "azure-app-service-managed-identity-missing": 0,
        "azure-app-service-vnet-integration-missing": 0,
        "azure-app-service-access-restrictions-not-default-deny": 0,
        "azure-app-service-broad-access-restriction-allow": 0,
        "azure-app-service-scm-access-unrestricted": 0,
        "azure-app-service-image-not-digest-pinned": 0,
        "azure-app-service-can-modify-image-repository": 0,
        "azure-public-app-service-storage-mutation-access": 0,
        "azure-public-app-service-service-bus-mutation-access": 0,
        "azure-app-service-sensitive-app-setting-inline": 0,
        "azure-app-service-key-vault-reference-identity-not-configured": 0,
        "azure-app-service-key-vault-secret-access-overprivileged": 0,
        "azure-diagnostic-settings-missing": 1,
        "azure-diagnostic-setting-no-log-destination": 0,
        "azure-diagnostic-setting-audit-logs-incomplete": 0,
        "azure-defender-pricing-tier-not-standard": 0,
        "azure-security-center-auto-provisioning-disabled": 0,
        "azure-aks-api-server-public-unrestricted": 0,
        "azure-aks-private-cluster-not-enabled": 0,
        "azure-aks-local-accounts-not-disabled": 0,
        "azure-aks-rbac-posture-weak": 0,
        "azure-aks-network-policy-missing": 0,
        "azure-aks-workload-identity-not-enabled": 0,
        "azure-aks-key-management-service-not-configured": 0,
        "azure-aks-monitoring-agent-not-enabled": 0,
        "azure-aks-defender-not-enabled": 0,
        "azure-aks-azure-policy-not-enabled": 0,
        "azure-sql-public-network-access-enabled": 0,
        "azure-sql-missing-private-endpoint": 0,
        "azure-sql-firewall-broad-public-access": 0,
        "azure-sql-minimum-tls-below-1-2": 0,
        "azure-sql-security-alert-policy-disabled": 0,
        "azure-sql-short-term-backup-retention-insufficient": 0,
        "azure-sql-long-term-backup-retention-not-configured": 0,
        "azure-sql-backup-geo-redundancy-not-enabled": 0,
        "azure-private-endpoint-public-fallback": 0,
        "azure-private-endpoint-dns-posture-incomplete": 0,
        "azure-postgresql-public-network-access-enabled": 0,
        "azure-postgresql-firewall-broad-public-access": 0,
        "azure-postgresql-weak-tls-or-ssl": 0,
        "azure-postgresql-geo-backup-disabled": 0
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "azure",
    "unsupported_resources": [
      "azurerm_storage_share.legacy"
    ],
    "metadata": {
      "supported_resource_types": [
        "azurerm_advanced_threat_protection",
        "azurerm_application_gateway",
        "azurerm_container_registry",
        "azurerm_federated_identity_credential",
        "azurerm_function_app",
        "azurerm_key_vault",
        "azurerm_key_vault_access_policy",
        "azurerm_key_vault_certificate",
        "azurerm_key_vault_key",
        "azurerm_key_vault_secret",
        "azurerm_kubernetes_cluster",
        "azurerm_lb",
        "azurerm_linux_function_app",
        "azurerm_linux_virtual_machine",
        "azurerm_linux_web_app",
        "azurerm_monitor_diagnostic_setting",
        "azurerm_mssql_database",
        "azurerm_mssql_firewall_rule",
        "azurerm_mssql_server",
        "azurerm_mssql_server_security_alert_policy",
        "azurerm_mssql_virtual_network_rule",
        "azurerm_network_interface",
        "azurerm_network_interface_security_group_association",
        "azurerm_network_security_group",
        "azurerm_network_security_rule",
        "azurerm_network_watcher_flow_log",
        "azurerm_postgresql_flexible_server",
        "azurerm_postgresql_flexible_server_configuration",
        "azurerm_postgresql_flexible_server_database",
        "azurerm_postgresql_flexible_server_firewall_rule",
        "azurerm_private_dns_zone",
        "azurerm_private_dns_zone_virtual_network_link",
        "azurerm_private_endpoint",
        "azurerm_public_ip",
        "azurerm_role_assignment",
        "azurerm_role_definition",
        "azurerm_security_center_auto_provisioning",
        "azurerm_security_center_contact",
        "azurerm_security_center_setting",
        "azurerm_security_center_subscription_pricing",
        "azurerm_security_center_workspace",
        "azurerm_servicebus_namespace",
        "azurerm_servicebus_namespace_customer_managed_key",
        "azurerm_servicebus_namespace_network_rule_set",
        "azurerm_servicebus_queue",
        "azurerm_servicebus_subscription",
        "azurerm_servicebus_topic",
        "azurerm_storage_account",
        "azurerm_storage_account_network_rules",
        "azurerm_storage_container",
        "azurerm_subnet",
        "azurerm_subnet_network_security_group_association",
        "azurerm_user_assigned_identity",
        "azurerm_virtual_network",
        "azurerm_windows_function_app",
        "azurerm_windows_virtual_machine",
        "azurerm_windows_web_app"
      ],
      "total_input_resources": 4,
      "provider_resource_count": 4,
      "normalized_resource_count": 3,
      "unsupported_resource_types": {
        "azurerm_storage_share": 1
      }
    },
    "resources": [
      {
        "address": "azurerm_storage_account.assets",
        "provider": "azure",
        "resource_type": "azurerm_storage_account",
        "name": "assets",
        "category": "data",
        "identifier": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstridepublicassets",
          "storage_account_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets",
          "network_default_action": "Allow",
          "allow_nested_items_to_be_public": true,
          "shared_access_key_enabled": true,
          "storage_infrastructure_encryption_enabled": true,
          "storage_customer_managed_key_id": "azurerm_key_vault_key.storage.id",
          "storage_customer_managed_key_identity_id": "azurerm_user_assigned_identity.storage.id",
          "storage_blob_versioning_enabled": true,
          "storage_blob_delete_retention_days": 30,
          "storage_container_delete_retention_days": 14,
          "storage_blob_restore_policy_days": 7,
          "public_network_fallback_state": "enabled",
          "public_network_access_enabled": true,
          "min_tls_version": "TLS1_1",
          "storage_encrypted": true,
          "network_rule_source_address": "azurerm_storage_account_network_rules.assets",
          "direct_internet_reachable": true,
          "internet_ingress_capable": true,
          "public_access_reasons": [
            "public_network_access_enabled is true",
            "effective network default_action is Allow"
          ],
          "internet_ingress_reasons": [
            "public_network_access_enabled is true",
            "effective network default_action is Allow"
          ],
          "public_container_addresses": [
            "azurerm_storage_container.public_assets"
          ],
          "publicly_accessible": true,
          "public_exposure_reasons": [
            "container_access_type is blob",
            "azurerm_storage_account.assets allows nested items to be public",
            "azurerm_storage_account.assets is reachable through its public network endpoint"
          ]
        }
      },
      {
        "address": "azurerm_storage_account_network_rules.assets",
        "provider": "azure",
        "resource_type": "azurerm_storage_account_network_rules",
        "name": "assets",
        "category": "network",
        "identifier": "azurerm_storage_account.assets.id",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "storage_account_reference": "azurerm_storage_account.assets.id",
          "network_rule_source_address": "azurerm_storage_account_network_rules.assets",
          "network_default_action": "Allow",
          "resolved_storage_account_address": "azurerm_storage_account.assets"
        }
      },
      {
        "address": "azurerm_storage_container.public_assets",
        "provider": "azure",
        "resource_type": "azurerm_storage_container",
        "name": "public_assets",
        "category": "data",
        "identifier": "public-assets",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "public-assets",
          "storage_account_reference": "azurerm_storage_account.assets.id",
          "container_access_type": "blob",
          "storage_encrypted": true,
          "resolved_storage_account_address": "azurerm_storage_account.assets",
          "publicly_accessible": true,
          "direct_internet_reachable": true,
          "public_access_reasons": [
            "container_access_type is blob",
            "azurerm_storage_account.assets allows nested items to be public",
            "azurerm_storage_account.assets is reachable through its public network endpoint"
          ],
          "public_exposure_reasons": [
            "container_access_type is blob",
            "azurerm_storage_account.assets allows nested items to be public",
            "azurerm_storage_account.assets is reachable through its public network endpoint"
          ]
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "internet-to-service:internet->azurerm_storage_account.assets",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "azurerm_storage_account.assets",
      "description": "Traffic can cross from the public internet to azurerm_storage_account.assets.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:38ff20b84ecb7ec38889185c288ca2e4e4aafb85fcef59af77181dc441bb1030",
      "title": "Azure Storage account permits Shared Key authorization",
      "rule_id": "azure-storage-account-shared-key-enabled",
      "category": "Elevation of Privilege",
      "severity": "high",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": null,
      "rationale": "azurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.",
      "recommended_mitigation": "Disable Shared Key authorization where supported, use Microsoft Entra ID and managed identities, and configure the AzureRM provider to use Azure AD for storage operations.",
      "evidence": [
        {
          "key": "authorization_posture",
          "values": [
            "shared_access_key_enabled is true"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 2,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 7,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:f8512afe7c260af46cdaa7109b886f034ebb082a479abcb96b9aea005af65c53",
      "title": "Azure Storage account permits nested public blob access",
      "rule_id": "azure-storage-account-nested-public-access-enabled",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": null,
      "rationale": "azurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.",
      "recommended_mitigation": "Set `allow_nested_items_to_be_public` to `false` so containers and blobs cannot opt into anonymous public access.",
      "evidence": [
        {
          "key": "public_access_posture",
          "values": [
            "allow_nested_items_to_be_public is true"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 6,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:5364af5982121950ea863a12942d2f288e55d46485f339c79d6fe45149c013a5",
      "title": "Azure Storage account allows TLS below 1.2",
      "rule_id": "azure-storage-account-minimum-tls-below-1-2",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": null,
      "rationale": "azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.",
      "recommended_mitigation": "Set `min_tls_version` to `TLS1_2` and remove clients that require deprecated TLS versions.",
      "evidence": [
        {
          "key": "transport_posture",
          "values": [
            "min_tls_version is TLS1_1"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:9386189375f80a7cd2576d28213d6162e220662df2e16817b0e7cf97244b1175",
      "title": "Azure Storage account allows unrestricted public network access",
      "rule_id": "azure-storage-account-public-network-unrestricted",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": "internet-to-service:internet->azurerm_storage_account.assets",
      "rationale": "azurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.",
      "recommended_mitigation": "Disable public network access where possible, or set the effective storage network default action to `Deny` and allow only reviewed subnets, IP ranges, or private endpoints.",
      "evidence": [
        {
          "key": "network_posture",
          "values": [
            "public_network_access_enabled is true",
            "effective default_action is Allow",
            "network rule source is azurerm_storage_account_network_rules.assets"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:cc94468815c3958879d703f07c80cee7ee2a4ece0011f82b8b52b448fd0bfdf4",
      "title": "Azure Storage account lacks resolved private endpoint coverage",
      "rule_id": "azure-storage-account-missing-private-endpoint",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": null,
      "rationale": "azurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.",
      "recommended_mitigation": "Add a Private Endpoint for the required storage subresources, verify clients use private paths, and explicitly disable public network access where possible.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=azurerm_storage_account.assets",
            "type=azurerm_storage_account"
          ]
        },
        {
          "key": "public_network_fallback",
          "values": [
            "public_network_fallback_state=enabled",
            "public_network_access_enabled is true"
          ]
        },
        {
          "key": "private_endpoint_coverage",
          "values": [
            "no resolved private endpoint targets this resource"
          ]
        },
        {
          "key": "network_acl_posture",
          "values": [
            "effective default_action is Allow",
            "network rule source is azurerm_storage_account_network_rules.assets"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:a5ea8f2ff975bdf58d293ce387f4578b2c5dcafef2eb26a77c9f1091ea95ecce",
      "title": "Azure Storage container is publicly accessible",
      "rule_id": "azure-storage-container-public-access",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "azurerm_storage_account.assets",
        "azurerm_storage_container.public_assets"
      ],
      "trust_boundary_id": "internet-to-service:internet->azurerm_storage_account.assets",
      "rationale": "azurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.",
      "recommended_mitigation": "Set the container access type to `private`, disable nested public access on the storage account, and use scoped identities or time-limited access mechanisms for intentional object sharing.",
      "evidence": [
        {
          "key": "public_exposure_reasons",
          "values": [
            "container_access_type is blob",
            "azurerm_storage_account.assets allows nested items to be public",
            "azurerm_storage_account.assets is reachable through its public network endpoint"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:07111d0129658172fd2bfbdf975c7e4efed1fd569c653f22546347fa66e71d05",
      "title": "Azure resource lacks diagnostic settings",
      "rule_id": "azure-diagnostic-settings-missing",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "azurerm_storage_account.assets"
      ],
      "trust_boundary_id": null,
      "rationale": "azurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.",
      "recommended_mitigation": "Add an Azure Monitor diagnostic setting for the resource and route security-relevant logs and metrics to a retained Log Analytics workspace, storage account, Event Hub, or approved partner destination.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=azurerm_storage_account.assets",
            "type=azurerm_storage_account",
            "name=tfstridepublicassets",
            "identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets"
          ]
        },
        {
          "key": "diagnostic_coverage",
          "values": [
            "no resolved azurerm_monitor_diagnostic_setting targets this resource"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# Azure Storage Exposure Demo

- Analyzed file: `sample_azure_storage_plan.json`
- Provider: `azure`
- Normalized resources: `3`
- Unsupported resources: `1`

## Summary

This run identified **1 trust boundaries** and **7 findings** across **3 normalized resources**.

- High severity findings: `2`
- Medium severity findings: `5`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `4`
- Provider resources considered: `4`
- Normalized resources: `3`
- Unsupported resources: `1`
- Registered provider rules (Azure): `94`
- Enabled provider rules (Azure): `94`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Unsupported resource types:
  - `azurerm_storage_share`: `1`
- Findings by rule:
  - `azure-storage-container-public-access`: `1`
  - `azure-storage-account-nested-public-access-enabled`: `1`
  - `azure-storage-account-shared-key-enabled`: `1`
  - `azure-storage-account-minimum-tls-below-1-2`: `1`
  - `azure-storage-account-public-network-unrestricted`: `1`
  - `azure-storage-account-missing-private-endpoint`: `1`
  - `azure-diagnostic-settings-missing`: `1`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `azurerm_storage_account.assets`
- Description: Traffic can cross from the public internet to azurerm_storage_account.assets.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

## Findings

### High

#### Azure Storage account permits Shared Key authorization

- STRIDE category: Elevation of Privilege
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 7 => high
- Rationale: azurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.
- Recommended mitigation: Disable Shared Key authorization where supported, use Microsoft Entra ID and managed identities, and configure the AzureRM provider to use Azure AD for storage operations.
- Evidence:
  - authorization posture: shared_access_key_enabled is true

#### Azure Storage account permits nested public blob access

- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 6 => high
- Rationale: azurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.
- Recommended mitigation: Set `allow_nested_items_to_be_public` to `false` so containers and blobs cannot opt into anonymous public access.
- Evidence:
  - public access posture: allow_nested_items_to_be_public is true

### Medium

#### Azure Storage account allows TLS below 1.2

- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.
- Recommended mitigation: Set `min_tls_version` to `TLS1_2` and remove clients that require deprecated TLS versions.
- Evidence:
  - transport posture: min_tls_version is TLS1_1

#### Azure Storage account allows unrestricted public network access

- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `internet-to-service:internet->azurerm_storage_account.assets`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.
- Recommended mitigation: Disable public network access where possible, or set the effective storage network default action to `Deny` and allow only reviewed subnets, IP ranges, or private endpoints.
- Evidence:
  - network posture: public_network_access_enabled is true; effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets

#### Azure Storage account lacks resolved private endpoint coverage

- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.
- Recommended mitigation: Add a Private Endpoint for the required storage subresources, verify clients use private paths, and explicitly disable public network access where possible.
- Evidence:
  - target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account
  - public network fallback: public_network_fallback_state=enabled; public_network_access_enabled is true
  - private endpoint coverage: no resolved private endpoint targets this resource
  - network acl posture: effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets

#### Azure Storage container is publicly accessible

- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`, `azurerm_storage_container.public_assets`
- Trust boundary: `internet-to-service:internet->azurerm_storage_account.assets`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.
- Recommended mitigation: Set the container access type to `private`, disable nested public access on the storage account, and use scoped identities or time-limited access mechanisms for intentional object sharing.
- Evidence:
  - public exposure reasons: container_access_type is blob; azurerm_storage_account.assets allows nested items to be public; azurerm_storage_account.assets is reachable through its public network endpoint

#### Azure resource lacks diagnostic settings

- STRIDE category: Repudiation
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.
- Recommended mitigation: Add an Azure Monitor diagnostic setting for the resource and route security-relevant logs and metrics to a retained Log Analytics workspace, storage account, Event Hub, or approved partner destination.
- Evidence:
  - target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account; name=tfstridepublicassets; identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets
  - diagnostic coverage: no resolved azurerm_monitor_diagnostic_setting targets this resource

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
- Unsupported resource skipped: `azurerm_storage_share.legacy`

Limits

Unsupported or intentionally scoped areas

  • Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
  • Unsupported resource skipped: azurerm_storage_share.legacy