Active findings
7Built-in scenario
azure/sample_azure_storage_plan.jsonAzure Storage Exposure Demo
Analyzed sample_azure_storage_plan.json with 3 normalized resources and 1 trust boundaries.
Trust boundaries
1Resources
3Observations
0Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 4
- Normalized resources
- 3
- azurerm_storage_share1
Rule coverage
- Registered rules
- 94
- Disabled rules
- 0
- azure-storage-container-public-access1
- azure-storage-account-nested-public-access-enabled1
- azure-storage-account-shared-key-enabled1
- azure-storage-account-minimum-tls-below-1-21
- azure-storage-account-public-network-unrestricted1
- azure-storage-account-missing-private-endpoint1
- azure-diagnostic-settings-missing1
Findings
Severity bands
High
2Azure Storage account permits Shared Key authorization
azure-storage-account-shared-key-enabledazurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- azurerm_storage_account.assets
Evidence
- authorization posture: shared_access_key_enabled is true
Azure Storage account permits nested public blob access
azure-storage-account-nested-public-access-enabledazurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- azurerm_storage_account.assets
Evidence
- public access posture: allow_nested_items_to_be_public is true
Medium
5Azure Storage account allows TLS below 1.2
azure-storage-account-minimum-tls-below-1-2azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- azurerm_storage_account.assets
Evidence
- transport posture: min_tls_version is TLS1_1
Azure Storage account allows unrestricted public network access
azure-storage-account-public-network-unrestrictedazurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->azurerm_storage_account.assets
- Resources
- azurerm_storage_account.assets
Evidence
- network posture: public_network_access_enabled is true; effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets
Azure Storage account lacks resolved private endpoint coverage
azure-storage-account-missing-private-endpointazurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- azurerm_storage_account.assets
Evidence
- target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account
- public network fallback: public_network_fallback_state=enabled; public_network_access_enabled is true
- private endpoint coverage: no resolved private endpoint targets this resource
- network acl posture: effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets
Azure Storage container is publicly accessible
azure-storage-container-public-accessazurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->azurerm_storage_account.assets
- Resources
- azurerm_storage_account.assets, azurerm_storage_container.public_assets
Evidence
- public exposure reasons: container_access_type is blob; azurerm_storage_account.assets allows nested items to be public; azurerm_storage_account.assets is reachable through its public network endpoint
Azure resource lacks diagnostic settings
azure-diagnostic-settings-missingazurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.
- Category
- Repudiation
- Boundary
- not-applicable
- Resources
- azurerm_storage_account.assets
Evidence
- target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account; name=tfstridepublicassets; identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets
- diagnostic coverage: no resolved azurerm_monitor_diagnostic_setting targets this resource
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
internet-to-service
internet -> azurerm_storage_account.assets
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "Azure Storage Exposure Demo",
"analyzed_file": "sample_azure_storage_plan.json",
"analyzed_path": "sample_azure_storage_plan.json",
"summary": {
"normalized_resources": 3,
"unsupported_resources": 1,
"trust_boundaries": 1,
"active_findings": 7,
"total_findings": 7,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 2,
"medium": 5,
"low": 0
}
},
"filtering": {
"total_findings": 7,
"active_findings": 7,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 4,
"provider_resources": 4,
"normalized_resources": 3,
"unsupported_resources": 1,
"unsupported_resource_types": {
"azurerm_storage_share": 1
}
},
"rules": {
"registered_rule_count": 94,
"enabled_rules": [
"azure-public-compute-broad-ingress",
"azure-load-balancer-public-frontend",
"azure-application-gateway-public-listener",
"azure-public-application-gateway-waf-missing",
"azure-nsg-flow-logs-not-configured",
"azure-nsg-flow-log-disabled",
"azure-nsg-flow-log-destination-missing",
"azure-nsg-flow-log-retention-insufficient",
"azure-storage-container-public-access",
"azure-storage-account-nested-public-access-enabled",
"azure-storage-account-shared-key-enabled",
"azure-storage-account-minimum-tls-below-1-2",
"azure-storage-account-public-network-unrestricted",
"azure-storage-account-customer-managed-key-missing",
"azure-storage-account-infrastructure-encryption-not-enabled",
"azure-storage-account-blob-versioning-disabled",
"azure-storage-account-blob-soft-delete-insufficient",
"azure-storage-account-container-soft-delete-insufficient",
"azure-storage-account-point-in-time-restore-missing",
"azure-storage-account-missing-private-endpoint",
"azure-service-bus-public-network-access-not-disabled",
"azure-service-bus-minimum-tls-below-1-2",
"azure-service-bus-minimum-tls-unknown",
"azure-service-bus-local-auth-enabled",
"azure-service-bus-customer-managed-key-missing",
"azure-service-bus-missing-private-endpoint",
"azure-container-registry-public-network-access-not-disabled",
"azure-container-registry-admin-account-enabled",
"azure-container-registry-anonymous-pull-enabled",
"azure-container-registry-customer-managed-key-missing",
"azure-container-registry-missing-private-endpoint",
"azure-key-vault-public-network-access",
"azure-key-vault-missing-private-endpoint",
"azure-key-vault-privileged-access",
"azure-key-vault-purge-protection-disabled",
"azure-key-vault-secret-certificate-lifecycle-incomplete",
"azure-key-vault-key-strength-weak",
"azure-key-vault-key-rotation-policy-incomplete",
"azure-custom-role-wildcard-management-plane",
"azure-custom-role-authorization-management",
"azure-custom-role-broad-management-plane",
"azure-custom-role-broad-data-plane",
"azure-custom-role-subscription-assignable-scope",
"azure-custom-role-assignment-blast-radius",
"azure-rbac-privileged-assignment",
"azure-managed-identity-broad-rbac",
"azure-federated-identity-privileged-access",
"azure-public-workload-sensitive-resource-access",
"azure-app-service-public-network-access-not-disabled",
"azure-app-service-platform-authentication-disabled",
"azure-app-service-anonymous-platform-access-allowed",
"azure-app-service-minimum-tls-below-1-2",
"azure-app-service-minimum-tls-unknown",
"azure-app-service-managed-identity-missing",
"azure-app-service-vnet-integration-missing",
"azure-app-service-access-restrictions-not-default-deny",
"azure-app-service-broad-access-restriction-allow",
"azure-app-service-scm-access-unrestricted",
"azure-app-service-image-not-digest-pinned",
"azure-app-service-can-modify-image-repository",
"azure-public-app-service-storage-mutation-access",
"azure-public-app-service-service-bus-mutation-access",
"azure-app-service-sensitive-app-setting-inline",
"azure-app-service-key-vault-reference-identity-not-configured",
"azure-app-service-key-vault-secret-access-overprivileged",
"azure-diagnostic-settings-missing",
"azure-diagnostic-setting-no-log-destination",
"azure-diagnostic-setting-audit-logs-incomplete",
"azure-defender-pricing-tier-not-standard",
"azure-security-center-auto-provisioning-disabled",
"azure-aks-api-server-public-unrestricted",
"azure-aks-private-cluster-not-enabled",
"azure-aks-local-accounts-not-disabled",
"azure-aks-rbac-posture-weak",
"azure-aks-network-policy-missing",
"azure-aks-workload-identity-not-enabled",
"azure-aks-key-management-service-not-configured",
"azure-aks-monitoring-agent-not-enabled",
"azure-aks-defender-not-enabled",
"azure-aks-azure-policy-not-enabled",
"azure-sql-public-network-access-enabled",
"azure-sql-missing-private-endpoint",
"azure-sql-firewall-broad-public-access",
"azure-sql-minimum-tls-below-1-2",
"azure-sql-security-alert-policy-disabled",
"azure-sql-short-term-backup-retention-insufficient",
"azure-sql-long-term-backup-retention-not-configured",
"azure-sql-backup-geo-redundancy-not-enabled",
"azure-private-endpoint-public-fallback",
"azure-private-endpoint-dns-posture-incomplete",
"azure-postgresql-public-network-access-enabled",
"azure-postgresql-firewall-broad-public-access",
"azure-postgresql-weak-tls-or-ssl",
"azure-postgresql-geo-backup-disabled"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"azure-public-compute-broad-ingress": 0,
"azure-load-balancer-public-frontend": 0,
"azure-application-gateway-public-listener": 0,
"azure-public-application-gateway-waf-missing": 0,
"azure-nsg-flow-logs-not-configured": 0,
"azure-nsg-flow-log-disabled": 0,
"azure-nsg-flow-log-destination-missing": 0,
"azure-nsg-flow-log-retention-insufficient": 0,
"azure-storage-container-public-access": 1,
"azure-storage-account-nested-public-access-enabled": 1,
"azure-storage-account-shared-key-enabled": 1,
"azure-storage-account-minimum-tls-below-1-2": 1,
"azure-storage-account-public-network-unrestricted": 1,
"azure-storage-account-customer-managed-key-missing": 0,
"azure-storage-account-infrastructure-encryption-not-enabled": 0,
"azure-storage-account-blob-versioning-disabled": 0,
"azure-storage-account-blob-soft-delete-insufficient": 0,
"azure-storage-account-container-soft-delete-insufficient": 0,
"azure-storage-account-point-in-time-restore-missing": 0,
"azure-storage-account-missing-private-endpoint": 1,
"azure-service-bus-public-network-access-not-disabled": 0,
"azure-service-bus-minimum-tls-below-1-2": 0,
"azure-service-bus-minimum-tls-unknown": 0,
"azure-service-bus-local-auth-enabled": 0,
"azure-service-bus-customer-managed-key-missing": 0,
"azure-service-bus-missing-private-endpoint": 0,
"azure-container-registry-public-network-access-not-disabled": 0,
"azure-container-registry-admin-account-enabled": 0,
"azure-container-registry-anonymous-pull-enabled": 0,
"azure-container-registry-customer-managed-key-missing": 0,
"azure-container-registry-missing-private-endpoint": 0,
"azure-key-vault-public-network-access": 0,
"azure-key-vault-missing-private-endpoint": 0,
"azure-key-vault-privileged-access": 0,
"azure-key-vault-purge-protection-disabled": 0,
"azure-key-vault-secret-certificate-lifecycle-incomplete": 0,
"azure-key-vault-key-strength-weak": 0,
"azure-key-vault-key-rotation-policy-incomplete": 0,
"azure-custom-role-wildcard-management-plane": 0,
"azure-custom-role-authorization-management": 0,
"azure-custom-role-broad-management-plane": 0,
"azure-custom-role-broad-data-plane": 0,
"azure-custom-role-subscription-assignable-scope": 0,
"azure-custom-role-assignment-blast-radius": 0,
"azure-rbac-privileged-assignment": 0,
"azure-managed-identity-broad-rbac": 0,
"azure-federated-identity-privileged-access": 0,
"azure-public-workload-sensitive-resource-access": 0,
"azure-app-service-public-network-access-not-disabled": 0,
"azure-app-service-platform-authentication-disabled": 0,
"azure-app-service-anonymous-platform-access-allowed": 0,
"azure-app-service-minimum-tls-below-1-2": 0,
"azure-app-service-minimum-tls-unknown": 0,
"azure-app-service-managed-identity-missing": 0,
"azure-app-service-vnet-integration-missing": 0,
"azure-app-service-access-restrictions-not-default-deny": 0,
"azure-app-service-broad-access-restriction-allow": 0,
"azure-app-service-scm-access-unrestricted": 0,
"azure-app-service-image-not-digest-pinned": 0,
"azure-app-service-can-modify-image-repository": 0,
"azure-public-app-service-storage-mutation-access": 0,
"azure-public-app-service-service-bus-mutation-access": 0,
"azure-app-service-sensitive-app-setting-inline": 0,
"azure-app-service-key-vault-reference-identity-not-configured": 0,
"azure-app-service-key-vault-secret-access-overprivileged": 0,
"azure-diagnostic-settings-missing": 1,
"azure-diagnostic-setting-no-log-destination": 0,
"azure-diagnostic-setting-audit-logs-incomplete": 0,
"azure-defender-pricing-tier-not-standard": 0,
"azure-security-center-auto-provisioning-disabled": 0,
"azure-aks-api-server-public-unrestricted": 0,
"azure-aks-private-cluster-not-enabled": 0,
"azure-aks-local-accounts-not-disabled": 0,
"azure-aks-rbac-posture-weak": 0,
"azure-aks-network-policy-missing": 0,
"azure-aks-workload-identity-not-enabled": 0,
"azure-aks-key-management-service-not-configured": 0,
"azure-aks-monitoring-agent-not-enabled": 0,
"azure-aks-defender-not-enabled": 0,
"azure-aks-azure-policy-not-enabled": 0,
"azure-sql-public-network-access-enabled": 0,
"azure-sql-missing-private-endpoint": 0,
"azure-sql-firewall-broad-public-access": 0,
"azure-sql-minimum-tls-below-1-2": 0,
"azure-sql-security-alert-policy-disabled": 0,
"azure-sql-short-term-backup-retention-insufficient": 0,
"azure-sql-long-term-backup-retention-not-configured": 0,
"azure-sql-backup-geo-redundancy-not-enabled": 0,
"azure-private-endpoint-public-fallback": 0,
"azure-private-endpoint-dns-posture-incomplete": 0,
"azure-postgresql-public-network-access-enabled": 0,
"azure-postgresql-firewall-broad-public-access": 0,
"azure-postgresql-weak-tls-or-ssl": 0,
"azure-postgresql-geo-backup-disabled": 0
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "azure",
"unsupported_resources": [
"azurerm_storage_share.legacy"
],
"metadata": {
"supported_resource_types": [
"azurerm_advanced_threat_protection",
"azurerm_application_gateway",
"azurerm_container_registry",
"azurerm_federated_identity_credential",
"azurerm_function_app",
"azurerm_key_vault",
"azurerm_key_vault_access_policy",
"azurerm_key_vault_certificate",
"azurerm_key_vault_key",
"azurerm_key_vault_secret",
"azurerm_kubernetes_cluster",
"azurerm_lb",
"azurerm_linux_function_app",
"azurerm_linux_virtual_machine",
"azurerm_linux_web_app",
"azurerm_monitor_diagnostic_setting",
"azurerm_mssql_database",
"azurerm_mssql_firewall_rule",
"azurerm_mssql_server",
"azurerm_mssql_server_security_alert_policy",
"azurerm_mssql_virtual_network_rule",
"azurerm_network_interface",
"azurerm_network_interface_security_group_association",
"azurerm_network_security_group",
"azurerm_network_security_rule",
"azurerm_network_watcher_flow_log",
"azurerm_postgresql_flexible_server",
"azurerm_postgresql_flexible_server_configuration",
"azurerm_postgresql_flexible_server_database",
"azurerm_postgresql_flexible_server_firewall_rule",
"azurerm_private_dns_zone",
"azurerm_private_dns_zone_virtual_network_link",
"azurerm_private_endpoint",
"azurerm_public_ip",
"azurerm_role_assignment",
"azurerm_role_definition",
"azurerm_security_center_auto_provisioning",
"azurerm_security_center_contact",
"azurerm_security_center_setting",
"azurerm_security_center_subscription_pricing",
"azurerm_security_center_workspace",
"azurerm_servicebus_namespace",
"azurerm_servicebus_namespace_customer_managed_key",
"azurerm_servicebus_namespace_network_rule_set",
"azurerm_servicebus_queue",
"azurerm_servicebus_subscription",
"azurerm_servicebus_topic",
"azurerm_storage_account",
"azurerm_storage_account_network_rules",
"azurerm_storage_container",
"azurerm_subnet",
"azurerm_subnet_network_security_group_association",
"azurerm_user_assigned_identity",
"azurerm_virtual_network",
"azurerm_windows_function_app",
"azurerm_windows_virtual_machine",
"azurerm_windows_web_app"
],
"total_input_resources": 4,
"provider_resource_count": 4,
"normalized_resource_count": 3,
"unsupported_resource_types": {
"azurerm_storage_share": 1
}
},
"resources": [
{
"address": "azurerm_storage_account.assets",
"provider": "azure",
"resource_type": "azurerm_storage_account",
"name": "assets",
"category": "data",
"identifier": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstridepublicassets",
"storage_account_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets",
"network_default_action": "Allow",
"allow_nested_items_to_be_public": true,
"shared_access_key_enabled": true,
"storage_infrastructure_encryption_enabled": true,
"storage_customer_managed_key_id": "azurerm_key_vault_key.storage.id",
"storage_customer_managed_key_identity_id": "azurerm_user_assigned_identity.storage.id",
"storage_blob_versioning_enabled": true,
"storage_blob_delete_retention_days": 30,
"storage_container_delete_retention_days": 14,
"storage_blob_restore_policy_days": 7,
"public_network_fallback_state": "enabled",
"public_network_access_enabled": true,
"min_tls_version": "TLS1_1",
"storage_encrypted": true,
"network_rule_source_address": "azurerm_storage_account_network_rules.assets",
"direct_internet_reachable": true,
"internet_ingress_capable": true,
"public_access_reasons": [
"public_network_access_enabled is true",
"effective network default_action is Allow"
],
"internet_ingress_reasons": [
"public_network_access_enabled is true",
"effective network default_action is Allow"
],
"public_container_addresses": [
"azurerm_storage_container.public_assets"
],
"publicly_accessible": true,
"public_exposure_reasons": [
"container_access_type is blob",
"azurerm_storage_account.assets allows nested items to be public",
"azurerm_storage_account.assets is reachable through its public network endpoint"
]
}
},
{
"address": "azurerm_storage_account_network_rules.assets",
"provider": "azure",
"resource_type": "azurerm_storage_account_network_rules",
"name": "assets",
"category": "network",
"identifier": "azurerm_storage_account.assets.id",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"storage_account_reference": "azurerm_storage_account.assets.id",
"network_rule_source_address": "azurerm_storage_account_network_rules.assets",
"network_default_action": "Allow",
"resolved_storage_account_address": "azurerm_storage_account.assets"
}
},
{
"address": "azurerm_storage_container.public_assets",
"provider": "azure",
"resource_type": "azurerm_storage_container",
"name": "public_assets",
"category": "data",
"identifier": "public-assets",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "sensitive",
"metadata": {
"name": "public-assets",
"storage_account_reference": "azurerm_storage_account.assets.id",
"container_access_type": "blob",
"storage_encrypted": true,
"resolved_storage_account_address": "azurerm_storage_account.assets",
"publicly_accessible": true,
"direct_internet_reachable": true,
"public_access_reasons": [
"container_access_type is blob",
"azurerm_storage_account.assets allows nested items to be public",
"azurerm_storage_account.assets is reachable through its public network endpoint"
],
"public_exposure_reasons": [
"container_access_type is blob",
"azurerm_storage_account.assets allows nested items to be public",
"azurerm_storage_account.assets is reachable through its public network endpoint"
]
}
}
]
},
"trust_boundaries": [
{
"identifier": "internet-to-service:internet->azurerm_storage_account.assets",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "azurerm_storage_account.assets",
"description": "Traffic can cross from the public internet to azurerm_storage_account.assets.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
}
],
"findings": [
{
"fingerprint": "sha256:38ff20b84ecb7ec38889185c288ca2e4e4aafb85fcef59af77181dc441bb1030",
"title": "Azure Storage account permits Shared Key authorization",
"rule_id": "azure-storage-account-shared-key-enabled",
"category": "Elevation of Privilege",
"severity": "high",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": null,
"rationale": "azurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.",
"recommended_mitigation": "Disable Shared Key authorization where supported, use Microsoft Entra ID and managed identities, and configure the AzureRM provider to use Azure AD for storage operations.",
"evidence": [
{
"key": "authorization_posture",
"values": [
"shared_access_key_enabled is true"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 2,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 7,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:f8512afe7c260af46cdaa7109b886f034ebb082a479abcb96b9aea005af65c53",
"title": "Azure Storage account permits nested public blob access",
"rule_id": "azure-storage-account-nested-public-access-enabled",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": null,
"rationale": "azurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.",
"recommended_mitigation": "Set `allow_nested_items_to_be_public` to `false` so containers and blobs cannot opt into anonymous public access.",
"evidence": [
{
"key": "public_access_posture",
"values": [
"allow_nested_items_to_be_public is true"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 6,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:5364af5982121950ea863a12942d2f288e55d46485f339c79d6fe45149c013a5",
"title": "Azure Storage account allows TLS below 1.2",
"rule_id": "azure-storage-account-minimum-tls-below-1-2",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": null,
"rationale": "azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.",
"recommended_mitigation": "Set `min_tls_version` to `TLS1_2` and remove clients that require deprecated TLS versions.",
"evidence": [
{
"key": "transport_posture",
"values": [
"min_tls_version is TLS1_1"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:9386189375f80a7cd2576d28213d6162e220662df2e16817b0e7cf97244b1175",
"title": "Azure Storage account allows unrestricted public network access",
"rule_id": "azure-storage-account-public-network-unrestricted",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": "internet-to-service:internet->azurerm_storage_account.assets",
"rationale": "azurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.",
"recommended_mitigation": "Disable public network access where possible, or set the effective storage network default action to `Deny` and allow only reviewed subnets, IP ranges, or private endpoints.",
"evidence": [
{
"key": "network_posture",
"values": [
"public_network_access_enabled is true",
"effective default_action is Allow",
"network rule source is azurerm_storage_account_network_rules.assets"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:cc94468815c3958879d703f07c80cee7ee2a4ece0011f82b8b52b448fd0bfdf4",
"title": "Azure Storage account lacks resolved private endpoint coverage",
"rule_id": "azure-storage-account-missing-private-endpoint",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": null,
"rationale": "azurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.",
"recommended_mitigation": "Add a Private Endpoint for the required storage subresources, verify clients use private paths, and explicitly disable public network access where possible.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=azurerm_storage_account.assets",
"type=azurerm_storage_account"
]
},
{
"key": "public_network_fallback",
"values": [
"public_network_fallback_state=enabled",
"public_network_access_enabled is true"
]
},
{
"key": "private_endpoint_coverage",
"values": [
"no resolved private endpoint targets this resource"
]
},
{
"key": "network_acl_posture",
"values": [
"effective default_action is Allow",
"network rule source is azurerm_storage_account_network_rules.assets"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:a5ea8f2ff975bdf58d293ce387f4578b2c5dcafef2eb26a77c9f1091ea95ecce",
"title": "Azure Storage container is publicly accessible",
"rule_id": "azure-storage-container-public-access",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"azurerm_storage_account.assets",
"azurerm_storage_container.public_assets"
],
"trust_boundary_id": "internet-to-service:internet->azurerm_storage_account.assets",
"rationale": "azurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.",
"recommended_mitigation": "Set the container access type to `private`, disable nested public access on the storage account, and use scoped identities or time-limited access mechanisms for intentional object sharing.",
"evidence": [
{
"key": "public_exposure_reasons",
"values": [
"container_access_type is blob",
"azurerm_storage_account.assets allows nested items to be public",
"azurerm_storage_account.assets is reachable through its public network endpoint"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:07111d0129658172fd2bfbdf975c7e4efed1fd569c653f22546347fa66e71d05",
"title": "Azure resource lacks diagnostic settings",
"rule_id": "azure-diagnostic-settings-missing",
"category": "Repudiation",
"severity": "medium",
"affected_resources": [
"azurerm_storage_account.assets"
],
"trust_boundary_id": null,
"rationale": "azurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.",
"recommended_mitigation": "Add an Azure Monitor diagnostic setting for the resource and route security-relevant logs and metrics to a retained Log Analytics workspace, storage account, Event Hub, or approved partner destination.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=azurerm_storage_account.assets",
"type=azurerm_storage_account",
"name=tfstridepublicassets",
"identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets"
]
},
{
"key": "diagnostic_coverage",
"values": [
"no resolved azurerm_monitor_diagnostic_setting targets this resource"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Azure Storage Exposure Demo
- Analyzed file: `sample_azure_storage_plan.json`
- Provider: `azure`
- Normalized resources: `3`
- Unsupported resources: `1`
## Summary
This run identified **1 trust boundaries** and **7 findings** across **3 normalized resources**.
- High severity findings: `2`
- Medium severity findings: `5`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `4`
- Provider resources considered: `4`
- Normalized resources: `3`
- Unsupported resources: `1`
- Registered provider rules (Azure): `94`
- Enabled provider rules (Azure): `94`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Unsupported resource types:
- `azurerm_storage_share`: `1`
- Findings by rule:
- `azure-storage-container-public-access`: `1`
- `azure-storage-account-nested-public-access-enabled`: `1`
- `azure-storage-account-shared-key-enabled`: `1`
- `azure-storage-account-minimum-tls-below-1-2`: `1`
- `azure-storage-account-public-network-unrestricted`: `1`
- `azure-storage-account-missing-private-endpoint`: `1`
- `azure-diagnostic-settings-missing`: `1`
## Discovered Trust Boundaries
### `internet-to-service`
- Source: `internet`
- Target: `azurerm_storage_account.assets`
- Description: Traffic can cross from the public internet to azurerm_storage_account.assets.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
## Findings
### High
#### Azure Storage account permits Shared Key authorization
- STRIDE category: Elevation of Privilege
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 7 => high
- Rationale: azurerm_storage_account.assets permits Shared Key authorization. Account keys provide broad data-plane authority and are harder to constrain and attribute than Microsoft Entra ID identities.
- Recommended mitigation: Disable Shared Key authorization where supported, use Microsoft Entra ID and managed identities, and configure the AzureRM provider to use Azure AD for storage operations.
- Evidence:
- authorization posture: shared_access_key_enabled is true
#### Azure Storage account permits nested public blob access
- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 6 => high
- Rationale: azurerm_storage_account.assets permits containers and blobs to opt into anonymous public access. This account-level setting allows a subordinate container configuration to expose stored data.
- Recommended mitigation: Set `allow_nested_items_to_be_public` to `false` so containers and blobs cannot opt into anonymous public access.
- Evidence:
- public access posture: allow_nested_items_to_be_public is true
### Medium
#### Azure Storage account allows TLS below 1.2
- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets accepts `TLS1_1` as its minimum protocol version. Deprecated TLS versions weaken transport protection for storage data-plane requests.
- Recommended mitigation: Set `min_tls_version` to `TLS1_2` and remove clients that require deprecated TLS versions.
- Evidence:
- transport posture: min_tls_version is TLS1_1
#### Azure Storage account allows unrestricted public network access
- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `internet-to-service:internet->azurerm_storage_account.assets`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets enables its public network endpoint with an effective `Allow` default action. Storage data-plane endpoints are reachable without a default-deny network boundary.
- Recommended mitigation: Disable public network access where possible, or set the effective storage network default action to `Deny` and allow only reviewed subnets, IP ranges, or private endpoints.
- Evidence:
- network posture: public_network_access_enabled is true; effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets
#### Azure Storage account lacks resolved private endpoint coverage
- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets does not have a resolved private endpoint and may remain reachable through public Azure Storage data-plane endpoints. Network rules can reduce exposure, but they are not equivalent to private-endpoint-only access unless public network fallback is disabled.
- Recommended mitigation: Add a Private Endpoint for the required storage subresources, verify clients use private paths, and explicitly disable public network access where possible.
- Evidence:
- target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account
- public network fallback: public_network_fallback_state=enabled; public_network_access_enabled is true
- private endpoint coverage: no resolved private endpoint targets this resource
- network acl posture: effective default_action is Allow; network rule source is azurerm_storage_account_network_rules.assets
#### Azure Storage container is publicly accessible
- STRIDE category: Information Disclosure
- Affected resources: `azurerm_storage_account.assets`, `azurerm_storage_container.public_assets`
- Trust boundary: `internet-to-service:internet->azurerm_storage_account.assets`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_container.public_assets permits anonymous `blob` access through a storage account that allows nested public access and unrestricted public network reachability.
- Recommended mitigation: Set the container access type to `private`, disable nested public access on the storage account, and use scoped identities or time-limited access mechanisms for intentional object sharing.
- Evidence:
- public exposure reasons: container_access_type is blob; azurerm_storage_account.assets allows nested items to be public; azurerm_storage_account.assets is reachable through its public network endpoint
#### Azure resource lacks diagnostic settings
- STRIDE category: Repudiation
- Affected resources: `azurerm_storage_account.assets`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: azurerm_storage_account.assets has no resolved Azure Monitor diagnostic setting in this Terraform plan. Security-relevant data-plane, control-plane, or platform logs may not be routed to a retained logging destination for investigation and alerting.
- Recommended mitigation: Add an Azure Monitor diagnostic setting for the resource and route security-relevant logs and metrics to a retained Log Analytics workspace, storage account, Event Hub, or approved partner destination.
- Evidence:
- target resource: address=azurerm_storage_account.assets; type=azurerm_storage_account; name=tfstridepublicassets; identifier=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridepublicassets
- diagnostic coverage: no resolved azurerm_monitor_diagnostic_setting targets this resource
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
- Unsupported resource skipped: `azurerm_storage_share.legacy`
Limits
Unsupported or intentionally scoped areas
- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
- Unsupported resource skipped: azurerm_storage_share.legacy