Built-in scenario

aws/sample_aws_baseline_plan.json

Baseline Plan Demo

Analyzed sample_aws_baseline_plan.json with 26 normalized resources and 7 trust boundaries.

Analyze another plan

Active findings

6

Trust boundaries

7

Resources

26

Observations

2
High 0
Medium 5
Low 1

Analysis coverage

Audit trail for this run

Terraform resources 26
Unsupported 0
Enabled rules 83
Unresolved refs 0

Resource coverage

Provider resources considered
26
Normalized resources
26

No unsupported AWS resource types were encountered.

Rule coverage

Registered rules
83
Disabled rules
0
  • aws-public-alb-waf-missing1
  • aws-rds-cloudwatch-log-exports-missing1
  • aws-workload-s3-vpc-endpoint-missing1
  • aws-vpc-flow-logs-not-configured1
  • aws-iam-wildcard-permissions1
  • aws-private-data-transitive-exposure1

Findings

Severity bands

High

0

No high findings.

Medium

5

IAM policy grants wildcard privileges

aws-iam-wildcard-permissions

aws_iam_policy.observability contains allow statements with wildcard actions or resources. That makes the resulting access difficult to reason about and expands blast radius.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
aws_iam_policy.observability
Evidence
  • iam actions: logs:*
  • iam resources: *
  • policy statements: Allow actions=[logs:*] resources=[*]

Public Application Load Balancer is not associated with a WAF Web ACL

aws-public-alb-waf-missing

aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.

Category
Tampering
Boundary
not-applicable
Resources
aws_lb.web
Evidence
  • target load balancer: address=aws_lb.web; type=aws_lb; arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456; load_balancer_type=application; public_exposure=true; load balancer is internet-facing and attached security groups allow internet ingress
  • waf association coverage: target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456; resolved_web_acl_association_count=0; modeled_web_acl_association_count=0

Sensitive data tier is transitively reachable from an internet-exposed path

aws-private-data-transitive-exposure

aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.

Category
Information Disclosure
Boundary
workload-to-data-store:aws_instance.app->aws_db_instance.app
Resources
aws_lb.web, aws_instance.app, aws_db_instance.app, aws_security_group.app
Evidence
  • network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
  • security group rules: aws_security_group.app ingress tcp 8080 from sg-safe-lb-001 (App traffic from ALB)
  • subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
  • data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
  • boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

VPC Flow Logs are not configured for a modeled VPC

aws-vpc-flow-logs-not-configured

aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.

Category
Repudiation
Boundary
not-applicable
Resources
aws_vpc.main
Evidence
  • target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-safe-001; cidr_block=10.10.0.0/16
  • flow log coverage: target_vpc_id=vpc-safe-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

Workload uses S3 without a VPC endpoint

aws-workload-s3-vpc-endpoint-missing

aws_lambda_function.processor runs in VPC `vpc-safe-001` and inherits S3 data-plane permissions from aws_iam_role.workload, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.

Category
Information Disclosure
Boundary
not-applicable
Resources
aws_lambda_function.processor, aws_iam_role.workload
Evidence
  • target workload: address=aws_lambda_function.processor; type=aws_lambda_function; vpc_id=vpc-safe-001; subnet_ids=[subnet-safe-private-app-001]; security_group_ids=[sg-safe-app-001]
  • sensitive service dependency: service=s3; role=aws_iam_role.workload; actions=[s3:GetObject]; resources=[arn:aws:s3:::safe-artifacts/*]
  • vpc endpoint coverage: vpc_id=vpc-safe-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
  • policy statements: Allow actions=[s3:GetObject] resources=[arn:aws:s3:::safe-artifacts/*]

Low

1

RDS database does not export engine CloudWatch logs

aws-rds-cloudwatch-log-exports-missing

aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.

Category
Repudiation
Boundary
not-applicable
Resources
aws_db_instance.app
Evidence
  • target resource: address=aws_db_instance.app; type=aws_db_instance; identifier=db-safe-001; engine=postgres
  • log export posture: enabled_cloudwatch_logs_exports=[]; expected_log_exports=['postgresql']; engine-family baseline log exports are absent

Observations

Controls and mitigating signals

RDS instance is private and storage encrypted

aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.

aws_db_instance.app

S3 public access is reduced by a public access block

aws_s3_bucket.artifacts includes public-looking ACL or policy signals, but an attached public access block materially reduces that exposure.

aws_s3_bucket.artifacts, aws_s3_bucket_public_access_block.artifacts

Trust boundaries

Crossings that drive the model

admin-to-workload-plane

aws_iam_role.workload -> aws_lambda_function.processor

IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

internet-to-service

internet -> aws_lb.web

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

public-subnet-to-private-subnet

aws_subnet.public_edge -> aws_subnet.private_app

The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

public-subnet-to-private-subnet

aws_subnet.public_edge -> aws_subnet.private_data

The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

workload-to-data-store

aws_instance.app -> aws_db_instance.app

Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

workload-to-data-store

aws_lambda_function.processor -> aws_db_instance.app

Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

workload-to-data-store

aws_lambda_function.processor -> aws_s3_bucket.artifacts

Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "Baseline Plan Demo",
  "analyzed_file": "sample_aws_baseline_plan.json",
  "analyzed_path": "sample_aws_baseline_plan.json",
  "summary": {
    "normalized_resources": 26,
    "unsupported_resources": 0,
    "trust_boundaries": 7,
    "active_findings": 6,
    "total_findings": 6,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 5,
      "low": 1
    }
  },
  "filtering": {
    "total_findings": 6,
    "active_findings": 6,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 26,
      "provider_resources": 26,
      "normalized_resources": 26,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 83,
      "enabled_rules": [
        "aws-public-compute-broad-ingress",
        "aws-lambda-public-invocation",
        "aws-load-balancer-http-public-listener",
        "aws-load-balancer-listener-tls-certificate-missing",
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown",
        "aws-public-alb-waf-missing",
        "aws-cloudfront-viewer-http-allowed",
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown",
        "aws-cloudfront-access-logging-not-configured",
        "aws-public-cloudfront-waf-missing",
        "aws-api-gateway-cors-permissive",
        "aws-public-api-gateway-waf-missing",
        "aws-api-gateway-public-route-authorization-none",
        "aws-api-gateway-stage-access-logs-missing",
        "aws-cloudtrail-multi-region-disabled",
        "aws-cloudtrail-log-file-validation-disabled",
        "aws-cloudtrail-management-events-disabled",
        "aws-cloudtrail-data-events-not-modeled",
        "aws-cloudtrail-insight-selectors-missing",
        "aws-guardduty-detector-disabled-or-missing",
        "aws-securityhub-account-missing",
        "aws-config-recorder-disabled-or-missing",
        "aws-config-delivery-channel-missing",
        "aws-access-analyzer-not-configured",
        "aws-macie-not-enabled-for-sensitive-storage",
        "aws-rds-storage-encryption-disabled",
        "aws-rds-public-endpoint-enabled",
        "aws-rds-backup-retention-insufficient",
        "aws-rds-deletion-protection-disabled",
        "aws-rds-customer-managed-kms-key-missing",
        "aws-rds-multi-az-disabled",
        "aws-rds-performance-insights-disabled",
        "aws-rds-cloudwatch-log-exports-missing",
        "aws-rds-iam-auth-disabled",
        "aws-s3-public-access",
        "aws-s3-customer-managed-encryption-missing",
        "aws-s3-versioning-disabled",
        "aws-s3-object-lock-retention-missing",
        "aws-s3-lifecycle-noncurrent-retention-insufficient",
        "aws-ecr-image-tag-mutability-enabled",
        "aws-ecr-customer-managed-encryption-missing",
        "aws-ecr-repository-scanning-disabled",
        "aws-workload-image-not-digest-pinned",
        "aws-workload-ecr-mutable-tag",
        "aws-workload-can-modify-image-repository",
        "aws-ecs-sensitive-environment-value-inline",
        "aws-ecs-secret-access-blast-radius",
        "aws-public-ecs-secret-access",
        "aws-public-ecs-s3-mutation-access",
        "aws-public-ecs-messaging-mutation-access",
        "aws-sns-customer-managed-encryption-missing",
        "aws-sqs-customer-managed-encryption-missing",
        "aws-sqs-message-retention-insufficient",
        "aws-sqs-dead-letter-queue-not-configured",
        "aws-secretsmanager-customer-managed-kms-key-missing",
        "aws-secretsmanager-recovery-window-too-short",
        "aws-secretsmanager-rotation-not-configured-or-too-long",
        "aws-kms-key-rotation-disabled-or-unknown",
        "aws-kms-key-deletion-window-too-short",
        "aws-workload-secretsmanager-vpc-endpoint-missing",
        "aws-workload-kms-vpc-endpoint-missing",
        "aws-workload-s3-vpc-endpoint-missing",
        "aws-vpc-endpoint-policy-broad-access",
        "aws-vpc-flow-logs-not-configured",
        "aws-vpc-flow-log-traffic-type-incomplete",
        "aws-vpc-flow-log-destination-missing",
        "aws-eks-api-endpoint-public-unrestricted",
        "aws-eks-private-endpoint-not-enabled",
        "aws-eks-secrets-encryption-not-configured",
        "aws-eks-control-plane-logging-incomplete",
        "aws-eks-authentication-mode-weak-or-unknown",
        "aws-eks-vpc-cni-network-policy-not-enabled",
        "aws-database-permissive-ingress",
        "aws-missing-tier-segmentation",
        "aws-sensitive-resource-policy-external-access",
        "aws-service-resource-policy-external-access",
        "aws-iam-wildcard-permissions",
        "aws-iam-privileged-role-assignment",
        "aws-workload-role-sensitive-permissions",
        "aws-private-data-transitive-exposure",
        "aws-control-plane-sensitive-workload-chain",
        "aws-role-trust-expansion",
        "aws-role-trust-missing-narrowing"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "aws-public-compute-broad-ingress": 0,
        "aws-lambda-public-invocation": 0,
        "aws-load-balancer-http-public-listener": 0,
        "aws-load-balancer-listener-tls-certificate-missing": 0,
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
        "aws-public-alb-waf-missing": 1,
        "aws-cloudfront-viewer-http-allowed": 0,
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
        "aws-cloudfront-access-logging-not-configured": 0,
        "aws-public-cloudfront-waf-missing": 0,
        "aws-api-gateway-cors-permissive": 0,
        "aws-public-api-gateway-waf-missing": 0,
        "aws-api-gateway-public-route-authorization-none": 0,
        "aws-api-gateway-stage-access-logs-missing": 0,
        "aws-cloudtrail-multi-region-disabled": 0,
        "aws-cloudtrail-log-file-validation-disabled": 0,
        "aws-cloudtrail-management-events-disabled": 0,
        "aws-cloudtrail-data-events-not-modeled": 0,
        "aws-cloudtrail-insight-selectors-missing": 0,
        "aws-guardduty-detector-disabled-or-missing": 0,
        "aws-securityhub-account-missing": 0,
        "aws-config-recorder-disabled-or-missing": 0,
        "aws-config-delivery-channel-missing": 0,
        "aws-access-analyzer-not-configured": 0,
        "aws-macie-not-enabled-for-sensitive-storage": 0,
        "aws-rds-storage-encryption-disabled": 0,
        "aws-rds-public-endpoint-enabled": 0,
        "aws-rds-backup-retention-insufficient": 0,
        "aws-rds-deletion-protection-disabled": 0,
        "aws-rds-customer-managed-kms-key-missing": 0,
        "aws-rds-multi-az-disabled": 0,
        "aws-rds-performance-insights-disabled": 0,
        "aws-rds-cloudwatch-log-exports-missing": 1,
        "aws-rds-iam-auth-disabled": 0,
        "aws-s3-public-access": 0,
        "aws-s3-customer-managed-encryption-missing": 0,
        "aws-s3-versioning-disabled": 0,
        "aws-s3-object-lock-retention-missing": 0,
        "aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
        "aws-ecr-image-tag-mutability-enabled": 0,
        "aws-ecr-customer-managed-encryption-missing": 0,
        "aws-ecr-repository-scanning-disabled": 0,
        "aws-workload-image-not-digest-pinned": 0,
        "aws-workload-ecr-mutable-tag": 0,
        "aws-workload-can-modify-image-repository": 0,
        "aws-ecs-sensitive-environment-value-inline": 0,
        "aws-ecs-secret-access-blast-radius": 0,
        "aws-public-ecs-secret-access": 0,
        "aws-public-ecs-s3-mutation-access": 0,
        "aws-public-ecs-messaging-mutation-access": 0,
        "aws-sns-customer-managed-encryption-missing": 0,
        "aws-sqs-customer-managed-encryption-missing": 0,
        "aws-sqs-message-retention-insufficient": 0,
        "aws-sqs-dead-letter-queue-not-configured": 0,
        "aws-secretsmanager-customer-managed-kms-key-missing": 0,
        "aws-secretsmanager-recovery-window-too-short": 0,
        "aws-secretsmanager-rotation-not-configured-or-too-long": 0,
        "aws-kms-key-rotation-disabled-or-unknown": 0,
        "aws-kms-key-deletion-window-too-short": 0,
        "aws-workload-secretsmanager-vpc-endpoint-missing": 0,
        "aws-workload-kms-vpc-endpoint-missing": 0,
        "aws-workload-s3-vpc-endpoint-missing": 1,
        "aws-vpc-endpoint-policy-broad-access": 0,
        "aws-vpc-flow-logs-not-configured": 1,
        "aws-vpc-flow-log-traffic-type-incomplete": 0,
        "aws-vpc-flow-log-destination-missing": 0,
        "aws-eks-api-endpoint-public-unrestricted": 0,
        "aws-eks-private-endpoint-not-enabled": 0,
        "aws-eks-secrets-encryption-not-configured": 0,
        "aws-eks-control-plane-logging-incomplete": 0,
        "aws-eks-authentication-mode-weak-or-unknown": 0,
        "aws-eks-vpc-cni-network-policy-not-enabled": 0,
        "aws-database-permissive-ingress": 0,
        "aws-missing-tier-segmentation": 0,
        "aws-sensitive-resource-policy-external-access": 0,
        "aws-service-resource-policy-external-access": 0,
        "aws-iam-wildcard-permissions": 1,
        "aws-iam-privileged-role-assignment": 0,
        "aws-workload-role-sensitive-permissions": 0,
        "aws-private-data-transitive-exposure": 1,
        "aws-control-plane-sensitive-workload-chain": 0,
        "aws-role-trust-expansion": 0,
        "aws-role-trust-missing-narrowing": 0
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "aws",
    "unsupported_resources": [],
    "metadata": {
      "primary_account_id": "222233334444",
      "supported_resource_types": [
        "aws_accessanalyzer_analyzer",
        "aws_api_gateway_authorizer",
        "aws_api_gateway_method",
        "aws_api_gateway_rest_api",
        "aws_api_gateway_stage",
        "aws_apigatewayv2_api",
        "aws_apigatewayv2_route",
        "aws_apigatewayv2_stage",
        "aws_cloudfront_distribution",
        "aws_cloudtrail",
        "aws_config_configuration_recorder",
        "aws_config_configuration_recorder_status",
        "aws_config_delivery_channel",
        "aws_db_instance",
        "aws_ecr_registry_scanning_configuration",
        "aws_ecr_repository",
        "aws_ecs_cluster",
        "aws_ecs_service",
        "aws_ecs_task_definition",
        "aws_eks_addon",
        "aws_eks_cluster",
        "aws_flow_log",
        "aws_guardduty_detector",
        "aws_iam_instance_profile",
        "aws_iam_openid_connect_provider",
        "aws_iam_policy",
        "aws_iam_role",
        "aws_iam_role_policy",
        "aws_iam_role_policy_attachment",
        "aws_instance",
        "aws_internet_gateway",
        "aws_kms_key",
        "aws_lambda_function",
        "aws_lambda_function_url",
        "aws_lambda_permission",
        "aws_lb",
        "aws_lb_listener",
        "aws_lb_listener_rule",
        "aws_lb_target_group",
        "aws_macie2_account",
        "aws_nat_gateway",
        "aws_route_table",
        "aws_route_table_association",
        "aws_s3_bucket",
        "aws_s3_bucket_lifecycle_configuration",
        "aws_s3_bucket_object_lock_configuration",
        "aws_s3_bucket_policy",
        "aws_s3_bucket_public_access_block",
        "aws_s3_bucket_server_side_encryption_configuration",
        "aws_s3_bucket_versioning",
        "aws_secretsmanager_secret",
        "aws_secretsmanager_secret_policy",
        "aws_secretsmanager_secret_rotation",
        "aws_security_group",
        "aws_security_group_rule",
        "aws_securityhub_account",
        "aws_sns_topic",
        "aws_sqs_queue",
        "aws_sqs_queue_redrive_policy",
        "aws_subnet",
        "aws_vpc",
        "aws_vpc_endpoint",
        "aws_wafv2_web_acl",
        "aws_wafv2_web_acl_association"
      ],
      "total_input_resources": 26,
      "provider_resource_count": 26,
      "normalized_resource_count": 26,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "aws_db_instance.app",
        "provider": "aws",
        "resource_type": "aws_db_instance",
        "name": "app",
        "category": "data",
        "identifier": "db-safe-001",
        "arn": "arn:aws:rds:us-east-1:222233334444:db:safe-customer-db",
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [
          "sg-safe-db-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "engine": "postgres",
          "rds_publicly_accessible_state": "disabled",
          "rds_backup_retention_period": 14,
          "rds_deletion_protection_state": "enabled",
          "rds_multi_az_state": "unknown",
          "rds_kms_key_id": "arn:aws:kms:us-east-1:222233334444:key/rds",
          "rds_performance_insights_enabled_state": "unknown",
          "rds_enabled_cloudwatch_logs_exports": [],
          "rds_iam_database_authentication_enabled_state": "unknown",
          "rds_posture_uncertainties": [],
          "db_subnet_group_name": "safe-private-data",
          "publicly_accessible": false,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "storage_encrypted": true,
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_iam_policy.artifact_read",
        "provider": "aws",
        "resource_type": "aws_iam_policy",
        "name": "artifact_read",
        "category": "iam",
        "identifier": "safe-artifact-read",
        "arn": "arn:aws:iam::222233334444:policy/safe-artifact-read",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [
          {
            "effect": "Allow",
            "actions": [
              "s3:GetObject"
            ],
            "resources": [
              "arn:aws:s3:::safe-artifacts/*"
            ],
            "principals": [],
            "principal_entries": [],
            "conditions": []
          }
        ],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "policy_document": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "s3:GetObject"
                ],
                "Resource": [
                  "arn:aws:s3:::safe-artifacts/*"
                ]
              }
            ]
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_iam_policy.observability",
        "provider": "aws",
        "resource_type": "aws_iam_policy",
        "name": "observability",
        "category": "iam",
        "identifier": "safe-observability",
        "arn": "arn:aws:iam::222233334444:policy/safe-observability",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [
          {
            "effect": "Allow",
            "actions": [
              "logs:*"
            ],
            "resources": [
              "*"
            ],
            "principals": [],
            "principal_entries": [],
            "conditions": []
          }
        ],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "policy_document": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "logs:*"
                ],
                "Resource": "*"
              }
            ]
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_iam_role.workload",
        "provider": "aws",
        "resource_type": "aws_iam_role",
        "name": "workload",
        "category": "iam",
        "identifier": "safe-workload-role",
        "arn": "arn:aws:iam::222233334444:role/safe-workload-role",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [
          {
            "effect": "Allow",
            "actions": [
              "s3:GetObject"
            ],
            "resources": [
              "arn:aws:s3:::safe-artifacts/*"
            ],
            "principals": [],
            "principal_entries": [],
            "conditions": []
          }
        ],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "assume_role_policy": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                  "Service": "lambda.amazonaws.com"
                }
              }
            ]
          },
          "trust_principals": [
            "lambda.amazonaws.com"
          ],
          "trust_statements": [
            {
              "principals": [
                "lambda.amazonaws.com"
              ],
              "principal_entries": [
                {
                  "kind": "Service",
                  "value": "lambda.amazonaws.com"
                }
              ],
              "narrowing_condition_keys": [],
              "narrowing_conditions": [],
              "has_narrowing_conditions": false
            }
          ],
          "inline_policy_names": [],
          "attached_policy_arns": [
            "arn:aws:iam::222233334444:policy/safe-artifact-read"
          ],
          "attached_policy_addresses": [
            "aws_iam_policy.artifact_read"
          ],
          "privileged_access_grants": [],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_iam_role_policy_attachment.workload_artifact_read",
        "provider": "aws",
        "resource_type": "aws_iam_role_policy_attachment",
        "name": "workload_artifact_read",
        "category": "iam",
        "identifier": "safe-workload-artifact-read",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "role": "safe-workload-role",
          "policy_arn": "arn:aws:iam::222233334444:policy/safe-artifact-read",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_instance.app",
        "provider": "aws",
        "resource_type": "aws_instance",
        "name": "app",
        "category": "compute",
        "identifier": "i-safe-001",
        "arn": "arn:aws:ec2:us-east-1:222233334444:instance/i-safe-001",
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [
          "subnet-safe-private-app-001"
        ],
        "security_group_ids": [
          "sg-safe-app-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "ami": "ami-safe-123456",
          "instance_type": "t3.small",
          "associate_public_ip_address": false,
          "iam_instance_profile": null,
          "tags": {
            "Tier": "app"
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_internet_gateway.main",
        "provider": "aws",
        "resource_type": "aws_internet_gateway",
        "name": "main",
        "category": "network",
        "identifier": "igw-safe-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_lambda_function.processor",
        "provider": "aws",
        "resource_type": "aws_lambda_function",
        "name": "processor",
        "category": "compute",
        "identifier": "safe-processor",
        "arn": "arn:aws:lambda:us-east-1:222233334444:function:safe-processor",
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [
          "subnet-safe-private-app-001"
        ],
        "security_group_ids": [
          "sg-safe-app-001"
        ],
        "attached_role_arns": [
          "arn:aws:iam::222233334444:role/safe-workload-role"
        ],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "runtime": "python3.12",
          "handler": "handler.main",
          "vpc_enabled": true,
          "container_image_references": [],
          "container_image_posture_uncertainties": [],
          "ecr_write_paths": [],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_lb.web",
        "provider": "aws",
        "resource_type": "aws_lb",
        "name": "web",
        "category": "edge",
        "identifier": "alb-safe-001",
        "arn": "arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456",
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [
          "subnet-safe-public-001"
        ],
        "security_group_ids": [
          "sg-safe-lb-001"
        ],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "internal": false,
          "load_balancer_type": "application",
          "public_access_reasons": [
            "load balancer is configured as internet-facing"
          ],
          "public_exposure_reasons": [
            "load balancer is internet-facing and attached security groups allow internet ingress"
          ],
          "public_access_configured": true,
          "internet_ingress": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "aws_security_group.lb ingress tcp 443 from 0.0.0.0/0 (HTTPS from internet)"
          ],
          "in_public_subnet": true,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": true
        }
      },
      {
        "address": "aws_nat_gateway.main",
        "provider": "aws",
        "resource_type": "aws_nat_gateway",
        "name": "main",
        "category": "network",
        "identifier": "nat-safe-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [
          "subnet-safe-public-001"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "allocation_id": "eipalloc-safe-001",
          "connectivity_type": "public",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": true,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.private",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "private",
        "category": "network",
        "identifier": "rtb-safe-private-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "nat_gateway_id": "nat-safe-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.public",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "public",
        "category": "network",
        "identifier": "rtb-safe-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "gateway_id": "igw-safe-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.private_app",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "private_app",
        "category": "network",
        "identifier": "rtassoc-safe-private-app-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-safe-private-001",
          "subnet_id": "subnet-safe-private-app-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.private_data",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "private_data",
        "category": "network",
        "identifier": "rtassoc-safe-private-data-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-safe-private-001",
          "subnet_id": "subnet-safe-private-data-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.public_edge",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "public_edge",
        "category": "network",
        "identifier": "rtassoc-safe-public-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-safe-001",
          "subnet_id": "subnet-safe-public-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_s3_bucket.artifacts",
        "provider": "aws",
        "resource_type": "aws_s3_bucket",
        "name": "artifacts",
        "category": "data",
        "identifier": "safe-artifacts",
        "arn": "arn:aws:s3:::safe-artifacts",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [
          {
            "effect": "Allow",
            "actions": [
              "s3:GetObject"
            ],
            "resources": [
              "arn:aws:s3:::safe-artifacts/*"
            ],
            "principals": [
              "*"
            ],
            "principal_entries": [
              {
                "kind": "unknown",
                "value": "*"
              }
            ],
            "conditions": []
          }
        ],
        "public_access_configured": true,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "bucket": "safe-artifacts",
          "acl": "public-read",
          "policy_document": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                  "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::safe-artifacts/*"
              }
            ]
          },
          "public_access_reasons": [
            "bucket ACL `public-read` grants public access",
            "bucket policy allows anonymous access"
          ],
          "public_exposure_reasons": [],
          "public_access_block": {
            "block_public_acls": true,
            "block_public_policy": true,
            "ignore_public_acls": true,
            "restrict_public_buckets": true
          },
          "public_access_configured": true,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_s3_bucket_public_access_block.artifacts",
        "provider": "aws",
        "resource_type": "aws_s3_bucket_public_access_block",
        "name": "artifacts",
        "category": "data",
        "identifier": "safe-artifacts-public-block",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "bucket": "safe-artifacts",
          "block_public_acls": true,
          "block_public_policy": true,
          "ignore_public_acls": true,
          "restrict_public_buckets": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.app",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "app",
        "category": "network",
        "identifier": "sg-safe-app-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          },
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 8080,
            "to_port": 8080,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-safe-lb-001"
            ],
            "description": "App traffic from ALB"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Application tier only reachable from the load balancer",
          "group_name": "safe-app-sg",
          "standalone_rule_addresses": [
            "aws_security_group_rule.app_from_lb"
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.db",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "db",
        "category": "network",
        "identifier": "sg-safe-db-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          },
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 5432,
            "to_port": 5432,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-safe-app-001"
            ],
            "description": "Postgres from app tier"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Database ingress only from the app tier",
          "group_name": "safe-db-sg",
          "standalone_rule_addresses": [
            "aws_security_group_rule.db_from_app"
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.lb",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "lb",
        "category": "network",
        "identifier": "sg-safe-lb-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 443,
            "to_port": 443,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": "HTTPS from internet"
          },
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Public load balancer ingress only",
          "group_name": "safe-lb-sg",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group_rule.app_from_lb",
        "provider": "aws",
        "resource_type": "aws_security_group_rule",
        "name": "app_from_lb",
        "category": "network",
        "identifier": "sgrule-safe-app-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 8080,
            "to_port": 8080,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-safe-lb-001"
            ],
            "description": "App traffic from ALB"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "security_group_id": "sg-safe-app-001",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group_rule.db_from_app",
        "provider": "aws",
        "resource_type": "aws_security_group_rule",
        "name": "db_from_app",
        "category": "network",
        "identifier": "sgrule-safe-db-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 5432,
            "to_port": 5432,
            "cidr_blocks": [],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [
              "sg-safe-app-001"
            ],
            "description": "Postgres from app tier"
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "security_group_id": "sg-safe-db-001",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.private_app",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "private_app",
        "category": "network",
        "identifier": "subnet-safe-private-app-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.10.2.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": false,
          "tags": {
            "Tier": "app"
          },
          "is_public_subnet": false,
          "route_table_ids": [
            "rtb-safe-private-001"
          ],
          "has_public_route": false,
          "has_nat_gateway_egress": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.private_data",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "private_data",
        "category": "network",
        "identifier": "subnet-safe-private-data-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.10.3.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": false,
          "tags": {
            "Tier": "data"
          },
          "is_public_subnet": false,
          "route_table_ids": [
            "rtb-safe-private-001"
          ],
          "has_public_route": false,
          "has_nat_gateway_egress": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.public_edge",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "public_edge",
        "category": "network",
        "identifier": "subnet-safe-public-001",
        "arn": null,
        "vpc_id": "vpc-safe-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.10.1.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": true,
          "tags": {
            "Tier": "edge"
          },
          "is_public_subnet": true,
          "route_table_ids": [
            "rtb-safe-001"
          ],
          "has_public_route": true,
          "has_nat_gateway_egress": false,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_vpc.main",
        "provider": "aws",
        "resource_type": "aws_vpc",
        "name": "main",
        "category": "network",
        "identifier": "vpc-safe-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.10.0.0/16",
          "tags": {
            "Name": "safe-main"
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "admin-to-workload-plane:aws_iam_role.workload->aws_lambda_function.processor",
      "boundary_type": "admin-to-workload-plane",
      "source": "aws_iam_role.workload",
      "target": "aws_lambda_function.processor",
      "description": "aws_iam_role.workload governs actions performed by aws_lambda_function.processor.",
      "rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
    },
    {
      "identifier": "internet-to-service:internet->aws_lb.web",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "aws_lb.web",
      "description": "Traffic can cross from the public internet to aws_lb.web.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
      "boundary_type": "public-subnet-to-private-subnet",
      "source": "aws_subnet.public_edge",
      "target": "aws_subnet.private_app",
      "description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
      "rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
    },
    {
      "identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_data",
      "boundary_type": "public-subnet-to-private-subnet",
      "source": "aws_subnet.public_edge",
      "target": "aws_subnet.private_data",
      "description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.",
      "rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
    },
    {
      "identifier": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
      "boundary_type": "workload-to-data-store",
      "source": "aws_instance.app",
      "target": "aws_db_instance.app",
      "description": "aws_instance.app can interact with aws_db_instance.app.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
    },
    {
      "identifier": "workload-to-data-store:aws_lambda_function.processor->aws_db_instance.app",
      "boundary_type": "workload-to-data-store",
      "source": "aws_lambda_function.processor",
      "target": "aws_db_instance.app",
      "description": "aws_lambda_function.processor can interact with aws_db_instance.app.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
    },
    {
      "identifier": "workload-to-data-store:aws_lambda_function.processor->aws_s3_bucket.artifacts",
      "boundary_type": "workload-to-data-store",
      "source": "aws_lambda_function.processor",
      "target": "aws_s3_bucket.artifacts",
      "description": "aws_lambda_function.processor can interact with aws_s3_bucket.artifacts.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:0065aef67737b4347c712bd214de6d7dba8d633a31091f366071dfe4248f2347",
      "title": "IAM policy grants wildcard privileges",
      "rule_id": "aws-iam-wildcard-permissions",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_policy.observability"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_iam_policy.observability contains allow statements with wildcard actions or resources. That makes the resulting access difficult to reason about and expands blast radius.",
      "recommended_mitigation": "Replace wildcard actions and resources with narrowly scoped permissions tied to the exact services, APIs, and ARNs required by the workload.",
      "evidence": [
        {
          "key": "iam_actions",
          "values": [
            "logs:*"
          ]
        },
        {
          "key": "iam_resources",
          "values": [
            "*"
          ]
        },
        {
          "key": "policy_statements",
          "values": [
            "Allow actions=[logs:*] resources=[*]"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 2,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:7764e4c5514d2c0f6130714b1c5bb65fd64fb857cf3124a77d42b7d718d0ac33",
      "title": "Public Application Load Balancer is not associated with a WAF Web ACL",
      "rule_id": "aws-public-alb-waf-missing",
      "category": "Tampering",
      "severity": "medium",
      "affected_resources": [
        "aws_lb.web"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.",
      "recommended_mitigation": "Associate an AWS WAFv2 Web ACL with internet-facing Application Load Balancers and keep the association modeled in Terraform so public edge protection is reviewable before deployment.",
      "evidence": [
        {
          "key": "target_load_balancer",
          "values": [
            "address=aws_lb.web",
            "type=aws_lb",
            "arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456",
            "load_balancer_type=application",
            "public_exposure=true",
            "load balancer is internet-facing and attached security groups allow internet ingress"
          ]
        },
        {
          "key": "waf_association_coverage",
          "values": [
            "target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456",
            "resolved_web_acl_association_count=0",
            "modeled_web_acl_association_count=0"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:878d7f51554b80571305b48b2d814a70df80e28ee3b2bf44a8feb9bd1d5c3e47",
      "title": "Sensitive data tier is transitively reachable from an internet-exposed path",
      "rule_id": "aws-private-data-transitive-exposure",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "aws_lb.web",
        "aws_instance.app",
        "aws_db_instance.app",
        "aws_security_group.app"
      ],
      "trust_boundary_id": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
      "rationale": "aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.",
      "recommended_mitigation": "Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.",
      "evidence": [
        {
          "key": "network_path",
          "values": [
            "internet reaches aws_lb.web",
            "aws_lb.web reaches aws_instance.app",
            "aws_instance.app reaches aws_db_instance.app"
          ]
        },
        {
          "key": "security_group_rules",
          "values": [
            "aws_security_group.app ingress tcp 8080 from sg-safe-lb-001 (App traffic from ALB)"
          ]
        },
        {
          "key": "subnet_posture",
          "values": [
            "aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route",
            "aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress"
          ]
        },
        {
          "key": "data_tier_posture",
          "values": [
            "aws_db_instance.app is not directly public",
            "database has no direct internet ingress path"
          ]
        },
        {
          "key": "boundary_rationale",
          "values": [
            "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:c2dad77f15c57ff9b288847015b64eb1504039f1eeae0aa0312b748ec4410f40",
      "title": "VPC Flow Logs are not configured for a modeled VPC",
      "rule_id": "aws-vpc-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "aws_vpc.main"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.",
      "recommended_mitigation": "Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.",
      "evidence": [
        {
          "key": "target_vpc",
          "values": [
            "address=aws_vpc.main",
            "type=aws_vpc",
            "identifier=vpc-safe-001",
            "cidr_block=10.10.0.0/16"
          ]
        },
        {
          "key": "flow_log_coverage",
          "values": [
            "target_vpc_id=vpc-safe-001",
            "resolved_vpc_flow_log_count=0",
            "aws_flow_log resources are not modeled"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:c8c0123dab1ec20cd7076d79f31e87909bac0834230e0eb68ce28e8dae222383",
      "title": "Workload uses S3 without a VPC endpoint",
      "rule_id": "aws-workload-s3-vpc-endpoint-missing",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "aws_lambda_function.processor",
        "aws_iam_role.workload"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_lambda_function.processor runs in VPC `vpc-safe-001` and inherits S3 data-plane permissions from aws_iam_role.workload, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.",
      "recommended_mitigation": "Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.",
      "evidence": [
        {
          "key": "target_workload",
          "values": [
            "address=aws_lambda_function.processor",
            "type=aws_lambda_function",
            "vpc_id=vpc-safe-001",
            "subnet_ids=[subnet-safe-private-app-001]",
            "security_group_ids=[sg-safe-app-001]"
          ]
        },
        {
          "key": "sensitive_service_dependency",
          "values": [
            "service=s3",
            "role=aws_iam_role.workload",
            "actions=[s3:GetObject]",
            "resources=[arn:aws:s3:::safe-artifacts/*]"
          ]
        },
        {
          "key": "vpc_endpoint_coverage",
          "values": [
            "vpc_id=vpc-safe-001",
            "service=s3",
            "expected_endpoint_type=gateway_or_interface",
            "vpc_endpoint_coverage=missing"
          ]
        },
        {
          "key": "policy_statements",
          "values": [
            "Allow actions=[s3:GetObject] resources=[arn:aws:s3:::safe-artifacts/*]"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 1,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:ff9a1b4b0b11630f912c75371010b2df22e43179e7a2112f290cdf09014ab55e",
      "title": "RDS database does not export engine CloudWatch logs",
      "rule_id": "aws-rds-cloudwatch-log-exports-missing",
      "category": "Repudiation",
      "severity": "low",
      "affected_resources": [
        "aws_db_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.",
      "recommended_mitigation": "Enable the CloudWatch Logs exports expected for the RDS engine family (for example `postgresql` for PostgreSQL, `error` and `slowquery` for MySQL/MariaDB) so errors, slow queries, and audit activity are captured for investigation.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=aws_db_instance.app",
            "type=aws_db_instance",
            "identifier=db-safe-001",
            "engine=postgres"
          ]
        },
        {
          "key": "log_export_posture",
          "values": [
            "enabled_cloudwatch_logs_exports=[]",
            "expected_log_exports=['postgresql']",
            "engine-family baseline log exports are absent"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 1,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 2,
        "severity": "low",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [
    {
      "title": "RDS instance is private and storage encrypted",
      "observation_id": "aws-rds-private-encrypted",
      "affected_resources": [
        "aws_db_instance.app"
      ],
      "rationale": "aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.",
      "category": "data-protection",
      "evidence": [
        {
          "key": "database_posture",
          "values": [
            "publicly_accessible is false",
            "storage_encrypted is true",
            "no attached security group allows internet ingress",
            "engine is postgres"
          ]
        }
      ]
    },
    {
      "title": "S3 public access is reduced by a public access block",
      "observation_id": "aws-s3-public-access-block-observed",
      "affected_resources": [
        "aws_s3_bucket.artifacts",
        "aws_s3_bucket_public_access_block.artifacts"
      ],
      "rationale": "aws_s3_bucket.artifacts includes public-looking ACL or policy signals, but an attached public access block materially reduces that exposure.",
      "category": "data-protection",
      "evidence": [
        {
          "key": "mitigated_public_access",
          "values": [
            "bucket ACL `public-read` would otherwise grant public access",
            "bucket policy would otherwise allow anonymous access"
          ]
        },
        {
          "key": "control_posture",
          "values": [
            "block_public_acls is true",
            "block_public_policy is true",
            "ignore_public_acls is true",
            "restrict_public_buckets is true"
          ]
        }
      ]
    }
  ],
  "limitations": [
    "AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
    "Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
    "IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
    "Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# Baseline Plan Demo

- Analyzed file: `sample_aws_baseline_plan.json`
- Provider: `aws`
- Normalized resources: `26`
- Unsupported resources: `0`

## Summary

This run identified **7 trust boundaries** and **6 findings** across **26 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `5`
- Low severity findings: `1`

## Analysis Coverage

- Terraform resources seen: `26`
- Provider resources considered: `26`
- Normalized resources: `26`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `aws-public-alb-waf-missing`: `1`
  - `aws-rds-cloudwatch-log-exports-missing`: `1`
  - `aws-workload-s3-vpc-endpoint-missing`: `1`
  - `aws-vpc-flow-logs-not-configured`: `1`
  - `aws-iam-wildcard-permissions`: `1`
  - `aws-private-data-transitive-exposure`: `1`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `aws_lb.web`
- Description: Traffic can cross from the public internet to aws_lb.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `public-subnet-to-private-subnet`

- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

### `public-subnet-to-private-subnet`

- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_data`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

### `workload-to-data-store`

- Source: `aws_instance.app`
- Target: `aws_db_instance.app`
- Description: aws_instance.app can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

### `workload-to-data-store`

- Source: `aws_lambda_function.processor`
- Target: `aws_db_instance.app`
- Description: aws_lambda_function.processor can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

### `workload-to-data-store`

- Source: `aws_lambda_function.processor`
- Target: `aws_s3_bucket.artifacts`
- Description: aws_lambda_function.processor can interact with aws_s3_bucket.artifacts.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.

### `admin-to-workload-plane`

- Source: `aws_iam_role.workload`
- Target: `aws_lambda_function.processor`
- Description: aws_iam_role.workload governs actions performed by aws_lambda_function.processor.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

## Findings

### High

No findings in this severity band.

### Medium

#### IAM policy grants wildcard privileges

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_policy.observability`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +2, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 5 => medium
- Rationale: aws_iam_policy.observability contains allow statements with wildcard actions or resources. That makes the resulting access difficult to reason about and expands blast radius.
- Recommended mitigation: Replace wildcard actions and resources with narrowly scoped permissions tied to the exact services, APIs, and ARNs required by the workload.
- Evidence:
  - iam actions: logs:*
  - iam resources: *
  - policy statements: Allow actions=[logs:*] resources=[*]

#### Public Application Load Balancer is not associated with a WAF Web ACL

- STRIDE category: Tampering
- Affected resources: `aws_lb.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: aws_lb.web is an internet-facing Application Load Balancer, but the Terraform plan does not show a deterministic AWS WAFv2 Web ACL association targeting it. Public edge traffic can reach the ALB without a modeled WAF or edge protection policy.
- Recommended mitigation: Associate an AWS WAFv2 Web ACL with internet-facing Application Load Balancers and keep the association modeled in Terraform so public edge protection is reviewable before deployment.
- Evidence:
  - target load balancer: address=aws_lb.web; type=aws_lb; arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456; load_balancer_type=application; public_exposure=true; load balancer is internet-facing and attached security groups allow internet ingress
  - waf association coverage: target_resource_arn=arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456; resolved_web_acl_association_count=0; modeled_web_acl_association_count=0

#### Sensitive data tier is transitively reachable from an internet-exposed path

- STRIDE category: Information Disclosure
- Affected resources: `aws_lb.web`, `aws_instance.app`, `aws_db_instance.app`, `aws_security_group.app`
- Trust boundary: `workload-to-data-store:aws_instance.app->aws_db_instance.app`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +2, blast_radius +1, final_score 5 => medium
- Rationale: aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.
- Recommended mitigation: Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.
- Evidence:
  - network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
  - security group rules: aws_security_group.app ingress tcp 8080 from sg-safe-lb-001 (App traffic from ALB)
  - subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
  - data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
  - boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.

#### VPC Flow Logs are not configured for a modeled VPC

- STRIDE category: Repudiation
- Affected resources: `aws_vpc.main`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 3 => medium
- Rationale: aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.
- Recommended mitigation: Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.
- Evidence:
  - target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-safe-001; cidr_block=10.10.0.0/16
  - flow log coverage: target_vpc_id=vpc-safe-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

#### Workload uses S3 without a VPC endpoint

- STRIDE category: Information Disclosure
- Affected resources: `aws_lambda_function.processor`, `aws_iam_role.workload`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +1, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: aws_lambda_function.processor runs in VPC `vpc-safe-001` and inherits S3 data-plane permissions from aws_iam_role.workload, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.
- Recommended mitigation: Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.
- Evidence:
  - target workload: address=aws_lambda_function.processor; type=aws_lambda_function; vpc_id=vpc-safe-001; subnet_ids=[subnet-safe-private-app-001]; security_group_ids=[sg-safe-app-001]
  - sensitive service dependency: service=s3; role=aws_iam_role.workload; actions=[s3:GetObject]; resources=[arn:aws:s3:::safe-artifacts/*]
  - vpc endpoint coverage: vpc_id=vpc-safe-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
  - policy statements: Allow actions=[s3:GetObject] resources=[arn:aws:s3:::safe-artifacts/*]

### Low

#### RDS database does not export engine CloudWatch logs

- STRIDE category: Repudiation
- Affected resources: `aws_db_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +1, lateral_movement +0, blast_radius +1, final_score 2 => low
- Rationale: aws_db_instance.app (engine `postgres`) does not export any of the baseline CloudWatch Logs expected for its engine family (postgresql). Without these log exports the database lacks the basic observability posture needed to investigate errors, slow queries, and audit activity from CloudWatch.
- Recommended mitigation: Enable the CloudWatch Logs exports expected for the RDS engine family (for example `postgresql` for PostgreSQL, `error` and `slowquery` for MySQL/MariaDB) so errors, slow queries, and audit activity are captured for investigation.
- Evidence:
  - target resource: address=aws_db_instance.app; type=aws_db_instance; identifier=db-safe-001; engine=postgres
  - log export posture: enabled_cloudwatch_logs_exports=[]; expected_log_exports=['postgresql']; engine-family baseline log exports are absent

## Controls Observed

### RDS instance is private and storage encrypted

- Category: `data-protection`
- Affected resources: `aws_db_instance.app`
- Rationale: aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
- Evidence:
  - database posture: publicly_accessible is false; storage_encrypted is true; no attached security group allows internet ingress; engine is postgres

### S3 public access is reduced by a public access block

- Category: `data-protection`
- Affected resources: `aws_s3_bucket.artifacts`, `aws_s3_bucket_public_access_block.artifacts`
- Rationale: aws_s3_bucket.artifacts includes public-looking ACL or policy signals, but an attached public access block materially reduces that exposure.
- Evidence:
  - mitigated public access: bucket ACL `public-read` would otherwise grant public access; bucket policy would otherwise allow anonymous access
  - control posture: block_public_acls is true; block_public_policy is true; ignore_public_acls is true; restrict_public_buckets is true

## Limitations / Unsupported Resources

- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
  • Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
  • IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
  • Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.