Active findings
5Built-in scenario
gcp/sample_gcp_baseline_plan.jsonBaseline GCP Plan Demo
Analyzed sample_gcp_baseline_plan.json with 9 normalized resources and 1 trust boundaries.
Trust boundaries
1Resources
9Observations
0Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 9
- Normalized resources
- 9
No unsupported GCP resource types were encountered.
Rule coverage
- Registered rules
- 78
- Disabled rules
- 0
- gcp-cloud-sql-point-in-time-recovery-disabled1
- gcp-cloud-sql-zonal-availability1
- gcp-subnetwork-flow-logs-not-configured1
- gcp-project-iam-privileged-role1
- gcp-inherited-iam-blast-radius1
Findings
Severity bands
High
2GCP project IAM binding grants a high-privilege role
gcp-project-iam-privileged-rolegoogle_project_iam_member.deploy_admin grants the high-impact GCP role `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope. That role enables custom role includes high-impact permissions: iam.serviceAccounts.actAs and can materially expand control-plane blast radius if the principal is compromised or mis-scoped.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- google_project_iam_member.deploy_admin
Evidence
- iam binding: member=group:deploy@example.com; role=projects/tfstride-demo/roles/deployAdmin
- role risk: custom role includes high-impact permissions: iam.serviceAccounts.actAs
- custom role permissions: iam.serviceAccounts.actAs
Inherited GCP IAM grant expands descendant blast radius
gcp-inherited-iam-blast-radiusgoogle_project_iam_member.deploy_admin grants `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope `tfstride-demo`, and that inherited grant applies to 7 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- google_project_iam_member.deploy_admin, google_compute_instance.web, google_compute_network.main, google_compute_subnetwork.app, google_project_iam_custom_role.deploy_admin, google_service_account.web, google_sql_database_instance.app, google_storage_bucket.logs
Evidence
- iam binding: source=google_project_iam_member.deploy_admin; scope=project:tfstride-demo; member=group:deploy@example.com; role=projects/tfstride-demo/roles/deployAdmin
- role risk: custom role includes high-impact permissions: iam.serviceAccounts.actAs
- descendant scope: scope=project:tfstride-demo; descendant_count=7; resource_type_count=7; projects=tfstride-demo
- descendant resource types: google_compute_instance: 1; google_compute_network: 1; google_compute_subnetwork: 1; google_project_iam_custom_role: 1; google_service_account: 1; google_sql_database_instance: 1; google_storage_bucket: 1
- descendant resources: google_compute_instance.web; google_compute_network.main; google_compute_subnetwork.app; google_project_iam_custom_role.deploy_admin; google_service_account.web; google_sql_database_instance.app; google_storage_bucket.logs
- custom role permissions: iam.serviceAccounts.actAs
Medium
3Cloud SQL instance uses zonal availability
gcp-cloud-sql-zonal-availabilitygoogle_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_sql_database_instance.app
Evidence
- availability posture: availability_type=ZONAL; engine=POSTGRES_15
Cloud SQL point-in-time recovery is disabled
gcp-cloud-sql-point-in-time-recovery-disabledgoogle_sql_database_instance.app has automated backups enabled but point-in-time recovery disabled. That narrows recovery options after accidental writes, destructive migrations, or credential misuse.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_sql_database_instance.app
Evidence
- backup posture: backup_configuration.enabled is true; point_in_time_recovery_enabled is false; engine is POSTGRES_15
GCP subnetwork Flow Logs are not configured
gcp-subnetwork-flow-logs-not-configuredgoogle_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Category
- Repudiation
- Boundary
- not-applicable
- Resources
- google_compute_subnetwork.app
Evidence
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
workload-to-data-store
google_compute_instance.web -> google_sql_database_instance.app
Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "Baseline GCP Plan Demo",
"analyzed_file": "sample_gcp_baseline_plan.json",
"analyzed_path": "sample_gcp_baseline_plan.json",
"summary": {
"normalized_resources": 9,
"unsupported_resources": 0,
"trust_boundaries": 1,
"active_findings": 5,
"total_findings": 5,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 2,
"medium": 3,
"low": 0
}
},
"filtering": {
"total_findings": 5,
"active_findings": 5,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 9,
"provider_resources": 9,
"normalized_resources": 9,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 78,
"enabled_rules": [
"gcp-sensitive-resource-iam-external-access",
"gcp-pubsub-public-access",
"gcp-pubsub-topic-customer-managed-encryption-missing",
"gcp-pubsub-message-retention-insufficient",
"gcp-pubsub-subscription-dead-letter-policy-missing",
"gcp-bigquery-public-access",
"gcp-cloud-sql-public-authorized-network",
"gcp-cloud-sql-backup-disabled",
"gcp-cloud-sql-public-ip-without-private-network",
"gcp-cloud-sql-ssl-not-required",
"gcp-cloud-sql-point-in-time-recovery-disabled",
"gcp-cloud-sql-deletion-protection-disabled",
"gcp-cloud-sql-zonal-availability",
"gcp-cloud-sql-query-insights-disabled",
"gcp-cloud-sql-connector-enforcement-not-required",
"gcp-cloud-sql-private-connectivity-not-modeled",
"gcp-private-workload-private-google-access-disabled",
"gcp-gcs-public-access",
"gcp-gcs-uniform-bucket-level-access-disabled",
"gcp-gcs-public-access-prevention-not-enforced",
"gcp-gcs-versioning-disabled",
"gcp-gcs-customer-managed-encryption-missing",
"gcp-gcs-retention-policy-insufficient",
"gcp-artifact-registry-docker-tags-mutable",
"gcp-artifact-registry-customer-managed-encryption-missing",
"gcp-artifact-registry-vulnerability-scanning-disabled",
"gcp-secret-manager-customer-managed-encryption-missing",
"gcp-secret-manager-lifecycle-posture-incomplete",
"gcp-kms-key-rotation-not-configured-or-too-long",
"gcp-kms-key-destroy-scheduled-duration-too-short",
"gcp-public-compute-broad-ingress",
"gcp-public-load-balanced-workload",
"gcp-load-balancer-http-public-proxy",
"gcp-load-balancer-ssl-policy-missing-or-weak",
"gcp-public-load-balancer-cloud-armor-missing",
"gcp-compute-os-login-disabled",
"gcp-gke-public-control-plane",
"gcp-gke-broad-authorized-networks",
"gcp-gke-workload-identity-disabled",
"gcp-gke-legacy-metadata-endpoints-enabled",
"gcp-gke-broad-node-service-account",
"gcp-gke-control-plane-logging-incomplete",
"gcp-scc-asset-discovery-disabled",
"gcp-logging-exclusion-drops-audit-security-logs",
"gcp-logging-sink-audit-export-incomplete",
"gcp-central-audit-sink-not-modeled",
"gcp-subnetwork-flow-logs-not-configured",
"gcp-subnetwork-flow-log-capture-incomplete",
"gcp-gke-network-policy-disabled",
"gcp-gke-secrets-encryption-not-configured",
"gcp-gke-legacy-abac-enabled-or-unknown",
"gcp-gke-client-certificate-auth-enabled-or-unknown",
"gcp-gke-shielded-nodes-disabled-or-unknown",
"gcp-gke-binary-authorization-not-enabled",
"gcp-cloud-run-public-invoker",
"gcp-cloud-functions-public-invoker",
"gcp-cloud-run-image-not-digest-pinned",
"gcp-cloud-run-artifact-registry-mutable-tag",
"gcp-cloud-run-can-modify-image-repository",
"gcp-cloud-run-sensitive-environment-value-inline",
"gcp-cloud-run-secret-access-blast-radius",
"gcp-public-cloud-run-gcs-mutation-access",
"gcp-public-cloud-run-pubsub-mutation-access",
"gcp-service-account-iam-broad-principal",
"gcp-service-account-iam-privileged-role",
"gcp-service-account-key-hygiene",
"gcp-service-account-key-effective-access",
"gcp-workload-identity-pool-wide-impersonation",
"gcp-workload-identity-provider-unconditioned-broad-trust",
"gcp-workload-identity-privileged-service-account-access",
"gcp-org-folder-iam-broad-principal",
"gcp-org-folder-iam-privileged-role",
"gcp-project-iam-broad-principal",
"gcp-project-iam-privileged-role",
"gcp-iam-privileged-assignment",
"gcp-inherited-iam-sensitive-resource-access",
"gcp-inherited-iam-blast-radius",
"gcp-public-workload-sensitive-data-access"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"gcp-sensitive-resource-iam-external-access": 0,
"gcp-pubsub-public-access": 0,
"gcp-pubsub-topic-customer-managed-encryption-missing": 0,
"gcp-pubsub-message-retention-insufficient": 0,
"gcp-pubsub-subscription-dead-letter-policy-missing": 0,
"gcp-bigquery-public-access": 0,
"gcp-cloud-sql-public-authorized-network": 0,
"gcp-cloud-sql-backup-disabled": 0,
"gcp-cloud-sql-public-ip-without-private-network": 0,
"gcp-cloud-sql-ssl-not-required": 0,
"gcp-cloud-sql-point-in-time-recovery-disabled": 1,
"gcp-cloud-sql-deletion-protection-disabled": 0,
"gcp-cloud-sql-zonal-availability": 1,
"gcp-cloud-sql-query-insights-disabled": 0,
"gcp-cloud-sql-connector-enforcement-not-required": 0,
"gcp-cloud-sql-private-connectivity-not-modeled": 0,
"gcp-private-workload-private-google-access-disabled": 0,
"gcp-gcs-public-access": 0,
"gcp-gcs-uniform-bucket-level-access-disabled": 0,
"gcp-gcs-public-access-prevention-not-enforced": 0,
"gcp-gcs-versioning-disabled": 0,
"gcp-gcs-customer-managed-encryption-missing": 0,
"gcp-gcs-retention-policy-insufficient": 0,
"gcp-artifact-registry-docker-tags-mutable": 0,
"gcp-artifact-registry-customer-managed-encryption-missing": 0,
"gcp-artifact-registry-vulnerability-scanning-disabled": 0,
"gcp-secret-manager-customer-managed-encryption-missing": 0,
"gcp-secret-manager-lifecycle-posture-incomplete": 0,
"gcp-kms-key-rotation-not-configured-or-too-long": 0,
"gcp-kms-key-destroy-scheduled-duration-too-short": 0,
"gcp-public-compute-broad-ingress": 0,
"gcp-public-load-balanced-workload": 0,
"gcp-load-balancer-http-public-proxy": 0,
"gcp-load-balancer-ssl-policy-missing-or-weak": 0,
"gcp-public-load-balancer-cloud-armor-missing": 0,
"gcp-compute-os-login-disabled": 0,
"gcp-gke-public-control-plane": 0,
"gcp-gke-broad-authorized-networks": 0,
"gcp-gke-workload-identity-disabled": 0,
"gcp-gke-legacy-metadata-endpoints-enabled": 0,
"gcp-gke-broad-node-service-account": 0,
"gcp-gke-control-plane-logging-incomplete": 0,
"gcp-scc-asset-discovery-disabled": 0,
"gcp-logging-exclusion-drops-audit-security-logs": 0,
"gcp-logging-sink-audit-export-incomplete": 0,
"gcp-central-audit-sink-not-modeled": 0,
"gcp-subnetwork-flow-logs-not-configured": 1,
"gcp-subnetwork-flow-log-capture-incomplete": 0,
"gcp-gke-network-policy-disabled": 0,
"gcp-gke-secrets-encryption-not-configured": 0,
"gcp-gke-legacy-abac-enabled-or-unknown": 0,
"gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
"gcp-gke-shielded-nodes-disabled-or-unknown": 0,
"gcp-gke-binary-authorization-not-enabled": 0,
"gcp-cloud-run-public-invoker": 0,
"gcp-cloud-functions-public-invoker": 0,
"gcp-cloud-run-image-not-digest-pinned": 0,
"gcp-cloud-run-artifact-registry-mutable-tag": 0,
"gcp-cloud-run-can-modify-image-repository": 0,
"gcp-cloud-run-sensitive-environment-value-inline": 0,
"gcp-cloud-run-secret-access-blast-radius": 0,
"gcp-public-cloud-run-gcs-mutation-access": 0,
"gcp-public-cloud-run-pubsub-mutation-access": 0,
"gcp-service-account-iam-broad-principal": 0,
"gcp-service-account-iam-privileged-role": 0,
"gcp-service-account-key-hygiene": 0,
"gcp-service-account-key-effective-access": 0,
"gcp-workload-identity-pool-wide-impersonation": 0,
"gcp-workload-identity-provider-unconditioned-broad-trust": 0,
"gcp-workload-identity-privileged-service-account-access": 0,
"gcp-org-folder-iam-broad-principal": 0,
"gcp-org-folder-iam-privileged-role": 0,
"gcp-project-iam-broad-principal": 0,
"gcp-project-iam-privileged-role": 1,
"gcp-iam-privileged-assignment": 0,
"gcp-inherited-iam-sensitive-resource-access": 0,
"gcp-inherited-iam-blast-radius": 1,
"gcp-public-workload-sensitive-data-access": 0
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "gcp",
"unsupported_resources": [],
"metadata": {
"supported_resource_types": [
"google_artifact_registry_repository",
"google_artifact_registry_repository_iam_binding",
"google_artifact_registry_repository_iam_member",
"google_artifact_registry_repository_iam_policy",
"google_bigquery_dataset",
"google_bigquery_dataset_iam_binding",
"google_bigquery_dataset_iam_member",
"google_bigquery_dataset_iam_policy",
"google_bigquery_table",
"google_bigquery_table_iam_binding",
"google_bigquery_table_iam_member",
"google_bigquery_table_iam_policy",
"google_cloud_run_service",
"google_cloud_run_service_iam_binding",
"google_cloud_run_service_iam_member",
"google_cloud_run_service_iam_policy",
"google_cloud_run_v2_service",
"google_cloud_run_v2_service_iam_binding",
"google_cloud_run_v2_service_iam_member",
"google_cloud_run_v2_service_iam_policy",
"google_cloudfunctions2_function",
"google_cloudfunctions2_function_iam_binding",
"google_cloudfunctions2_function_iam_member",
"google_cloudfunctions2_function_iam_policy",
"google_cloudfunctions_function",
"google_cloudfunctions_function_iam_binding",
"google_cloudfunctions_function_iam_member",
"google_cloudfunctions_function_iam_policy",
"google_compute_backend_bucket",
"google_compute_backend_service",
"google_compute_firewall",
"google_compute_firewall_policy",
"google_compute_firewall_policy_association",
"google_compute_firewall_policy_rule",
"google_compute_forwarding_rule",
"google_compute_global_address",
"google_compute_global_forwarding_rule",
"google_compute_instance",
"google_compute_managed_ssl_certificate",
"google_compute_network",
"google_compute_network_endpoint_group",
"google_compute_region_backend_service",
"google_compute_region_network_endpoint_group",
"google_compute_region_security_policy",
"google_compute_region_target_http_proxy",
"google_compute_region_target_https_proxy",
"google_compute_region_url_map",
"google_compute_route",
"google_compute_router",
"google_compute_router_nat",
"google_compute_security_policy",
"google_compute_service_attachment",
"google_compute_ssl_policy",
"google_compute_subnetwork",
"google_compute_target_http_proxy",
"google_compute_target_https_proxy",
"google_compute_url_map",
"google_container_cluster",
"google_container_node_pool",
"google_folder_iam_binding",
"google_folder_iam_member",
"google_folder_iam_policy",
"google_folder_organization_policy",
"google_iam_workload_identity_pool",
"google_iam_workload_identity_pool_provider",
"google_kms_crypto_key",
"google_kms_crypto_key_iam_binding",
"google_kms_crypto_key_iam_member",
"google_kms_crypto_key_iam_policy",
"google_kms_key_ring_iam_binding",
"google_kms_key_ring_iam_member",
"google_kms_key_ring_iam_policy",
"google_logging_organization_exclusion",
"google_logging_organization_sink",
"google_logging_project_exclusion",
"google_logging_project_sink",
"google_network_connectivity_service_connection_policy",
"google_org_policy_policy",
"google_organization_iam_binding",
"google_organization_iam_custom_role",
"google_organization_iam_member",
"google_organization_iam_policy",
"google_organization_policy",
"google_project_iam_binding",
"google_project_iam_custom_role",
"google_project_iam_member",
"google_project_iam_policy",
"google_project_organization_policy",
"google_pubsub_subscription",
"google_pubsub_subscription_iam_binding",
"google_pubsub_subscription_iam_member",
"google_pubsub_subscription_iam_policy",
"google_pubsub_topic",
"google_pubsub_topic_iam_binding",
"google_pubsub_topic_iam_member",
"google_pubsub_topic_iam_policy",
"google_scc_organization_settings",
"google_secret_manager_secret",
"google_secret_manager_secret_iam_binding",
"google_secret_manager_secret_iam_member",
"google_secret_manager_secret_iam_policy",
"google_service_account",
"google_service_account_iam_binding",
"google_service_account_iam_member",
"google_service_account_iam_policy",
"google_service_account_key",
"google_service_networking_connection",
"google_sql_database_instance",
"google_storage_bucket",
"google_storage_bucket_iam_binding",
"google_storage_bucket_iam_member",
"google_storage_bucket_iam_policy"
],
"total_input_resources": 9,
"provider_resource_count": 9,
"normalized_resource_count": 9,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "google_compute_instance.web",
"provider": "gcp",
"resource_type": "google_compute_instance",
"name": "web",
"category": "compute",
"identifier": "tfstride-web",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [
"google_compute_subnetwork.app.id"
],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-web",
"project": "tfstride-demo",
"zone": "us-central1-a",
"machine_type": "e2-medium",
"network_tags": [
"web"
],
"network_interfaces": [
{
"subnetwork": "google_compute_subnetwork.app.id"
}
],
"service_accounts": [
{
"email": "tfstride-web@example.iam.gserviceaccount.com",
"scopes": [
"https://www.googleapis.com/auth/logging.write"
]
}
],
"labels": {},
"metadata": {
"enable-oslogin": "true"
},
"can_ip_forward": false,
"os_login_enabled": true,
"public_access_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"has_public_route": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"internet_ingress_firewalls": [],
"direct_internet_reachable": false
}
},
{
"address": "google_compute_network.main",
"provider": "gcp",
"resource_type": "google_compute_network",
"name": "main",
"category": "network",
"identifier": "tfstride-main",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-main",
"project": "tfstride-demo",
"auto_create_subnetworks": false,
"routing_mode": "REGIONAL",
"description": null
}
},
{
"address": "google_compute_subnetwork.app",
"provider": "gcp",
"resource_type": "google_compute_subnetwork",
"name": "app",
"category": "network",
"identifier": "tfstride-app",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-app",
"project": "tfstride-demo",
"region": "us-central1",
"network": "google_compute_network.main.id",
"cidr_range": "10.10.1.0/24",
"private_ip_google_access": true,
"purpose": null,
"stack_type": null,
"secondary_ip_ranges": [],
"subnetwork_flow_log_state": "not_configured",
"subnetwork_flow_log_config": {},
"subnetwork_flow_log_metadata_fields": [],
"network_telemetry_posture_uncertainties": [],
"has_public_route": false,
"is_public_subnet": false,
"has_nat_gateway_egress": false
}
},
{
"address": "google_project_iam_custom_role.deploy_admin",
"provider": "gcp",
"resource_type": "google_project_iam_custom_role",
"name": "deploy_admin",
"category": "iam",
"identifier": "projects/tfstride-demo/roles/deployAdmin",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "projects/tfstride-demo/roles/deployAdmin",
"project": "tfstride-demo",
"custom_role_id": "deployAdmin",
"custom_role_permissions": [
"iam.serviceAccounts.actAs"
],
"custom_role_stage": "GA",
"title": "Deploy Admin",
"description": null,
"deleted": false
}
},
{
"address": "google_project_iam_member.deploy_admin",
"provider": "gcp",
"resource_type": "google_project_iam_member",
"name": "deploy_admin",
"category": "iam",
"identifier": "projects/tfstride-demo/roles/deployAdmin:group:deploy@example.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"project": "tfstride-demo",
"iam_role": "projects/tfstride-demo/roles/deployAdmin",
"iam_member": "group:deploy@example.com",
"iam_members": [
"group:deploy@example.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "projects/tfstride-demo/roles/deployAdmin",
"members": [
"group:deploy@example.com"
]
}
],
"privileged_access_grants": [
{
"provider": "gcp",
"principal_type": "group",
"principal_identifier": "group:deploy@example.com",
"principal_display_name": "group:deploy@example.com",
"principal_source_address": "google_project_iam_member.deploy_admin",
"scope_kind": "project",
"scope_value": "tfstride-demo",
"scope_source_address": null,
"privilege_categories": [
"privilege-escalation"
],
"confidence": "high",
"assignment_source_address": "google_project_iam_member.deploy_admin",
"role_name": "projects/tfstride-demo/roles/deployAdmin",
"role_id": "projects/tfstride-demo/roles/deployAdmin",
"permission_patterns": [
"iam.serviceAccounts.actAs"
],
"evidence": [
"source=google_project_iam_member.deploy_admin",
"role=projects/tfstride-demo/roles/deployAdmin",
"member=group:deploy@example.com",
"scope_kind=project",
"scope_value=tfstride-demo"
],
"uncertainties": []
}
]
}
},
{
"address": "google_service_account.web",
"provider": "gcp",
"resource_type": "google_service_account",
"name": "web",
"category": "iam",
"identifier": "tfstride-web@example.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com",
"project": "tfstride-demo",
"service_account_account_id": "tfstride-web",
"service_account_email": "tfstride-web@example.iam.gserviceaccount.com",
"service_account_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"service_account_unique_id": "100000000000000000001",
"service_account_disabled": false,
"display_name": "tfSTRIDE web workload",
"description": "Service account used by the sample web workload."
}
},
{
"address": "google_service_networking_connection.private_services",
"provider": "gcp",
"resource_type": "google_service_networking_connection",
"name": "private_services",
"category": "network",
"identifier": "servicenetworking-googleapis-com",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "private_services",
"network": "google_compute_network.main.id",
"private_connectivity_service": "servicenetworking.googleapis.com",
"private_connectivity_reserved_ranges": [
"private-services-range"
],
"private_connectivity_peering": "servicenetworking-googleapis-com",
"deletion_policy": null,
"private_connectivity_uncertainties": []
}
},
{
"address": "google_sql_database_instance.app",
"provider": "gcp",
"resource_type": "google_sql_database_instance",
"name": "app",
"category": "data",
"identifier": "tfstride-app-db",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-app-db",
"project": "tfstride-demo",
"region": "us-central1",
"database_version": "POSTGRES_15",
"cloud_sql_private_network": "google_compute_network.main.id",
"availability_type": "ZONAL",
"cloud_sql_query_insights_state": "not_configured",
"cloud_sql_insights_config": {},
"cloud_sql_deletion_protection_state": "unknown",
"cloud_sql_posture_uncertainties": [],
"cloud_sql_ipv4_enabled": false,
"cloud_sql_backup_enabled": true,
"cloud_sql_point_in_time_recovery_enabled": false,
"cloud_sql_require_ssl": true,
"cloud_sql_authorized_networks": [],
"cloud_sql_backup_configuration": {
"enabled": true,
"point_in_time_recovery_enabled": false
},
"cloud_sql_ip_configuration": {
"ipv4_enabled": false,
"require_ssl": true,
"authorized_networks": [],
"private_network": "google_compute_network.main.id"
},
"deletion_protection": true,
"labels": {},
"tier": "db-f1-micro",
"disk_type": "PD_SSD",
"disk_size": 20,
"public_access_reasons": [],
"direct_internet_reachable": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"public_exposure_reasons": [],
"publicly_accessible": false,
"storage_encrypted": true
}
},
{
"address": "google_storage_bucket.logs",
"provider": "gcp",
"resource_type": "google_storage_bucket",
"name": "logs",
"category": "data",
"identifier": "tfstride-logs",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-logs",
"bucket": "tfstride-logs",
"project": "tfstride-demo",
"labels": {},
"uniform_bucket_level_access": true,
"public_access_prevention": "enforced",
"gcs_versioning_enabled": true,
"gcs_versioning_configuration": {
"enabled": true
},
"gcs_default_kms_key_name": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-gcs",
"gcs_encryption_configuration": {
"default_kms_key_name": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-gcs"
},
"gcs_retention_period_seconds": 2592000,
"gcs_retention_policy_locked": true,
"gcs_retention_policy_configuration": {
"retention_period": 2592000,
"is_locked": true
},
"gcs_retention_policy_uncertainties": [],
"location": "US",
"storage_class": null,
"force_destroy": false,
"customer_managed_encryption": true,
"storage_encrypted": true,
"public_access_reasons": [],
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "workload-to-data-store:google_compute_instance.web->google_sql_database_instance.app",
"boundary_type": "workload-to-data-store",
"source": "google_compute_instance.web",
"target": "google_sql_database_instance.app",
"description": "google_compute_instance.web can interact with google_sql_database_instance.app.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence."
}
],
"findings": [
{
"fingerprint": "sha256:3a177ec38c810288a66ec4ab6e5696f595eb7f58562be4637800847fc8b81a91",
"title": "GCP project IAM binding grants a high-privilege role",
"rule_id": "gcp-project-iam-privileged-role",
"category": "Elevation of Privilege",
"severity": "high",
"affected_resources": [
"google_project_iam_member.deploy_admin"
],
"trust_boundary_id": null,
"rationale": "google_project_iam_member.deploy_admin grants the high-impact GCP role `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope. That role enables custom role includes high-impact permissions: iam.serviceAccounts.actAs and can materially expand control-plane blast radius if the principal is compromised or mis-scoped.",
"recommended_mitigation": "Replace Owner, Editor, IAM admin, service-account impersonation, and admin-class project roles with narrowly scoped predefined or custom roles assigned to specific groups or service accounts.",
"evidence": [
{
"key": "iam_binding",
"values": [
"member=group:deploy@example.com",
"role=projects/tfstride-demo/roles/deployAdmin"
]
},
{
"key": "role_risk",
"values": [
"custom role includes high-impact permissions: iam.serviceAccounts.actAs"
]
},
{
"key": "custom_role_permissions",
"values": [
"iam.serviceAccounts.actAs"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 2,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 2,
"final_score": 6,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:f4767f5edb4c8f29629d015bf30c3398e598d3fe11ec3f954394a8ae9ff30734",
"title": "Inherited GCP IAM grant expands descendant blast radius",
"rule_id": "gcp-inherited-iam-blast-radius",
"category": "Elevation of Privilege",
"severity": "high",
"affected_resources": [
"google_project_iam_member.deploy_admin",
"google_compute_instance.web",
"google_compute_network.main",
"google_compute_subnetwork.app",
"google_project_iam_custom_role.deploy_admin",
"google_service_account.web",
"google_sql_database_instance.app",
"google_storage_bucket.logs"
],
"trust_boundary_id": null,
"rationale": "google_project_iam_member.deploy_admin grants `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope `tfstride-demo`, and that inherited grant applies to 7 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.",
"recommended_mitigation": "Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_project_iam_member.deploy_admin",
"scope=project:tfstride-demo",
"member=group:deploy@example.com",
"role=projects/tfstride-demo/roles/deployAdmin"
]
},
{
"key": "role_risk",
"values": [
"custom role includes high-impact permissions: iam.serviceAccounts.actAs"
]
},
{
"key": "descendant_scope",
"values": [
"scope=project:tfstride-demo",
"descendant_count=7",
"resource_type_count=7",
"projects=tfstride-demo"
]
},
{
"key": "descendant_resource_types",
"values": [
"google_compute_instance: 1",
"google_compute_network: 1",
"google_compute_subnetwork: 1",
"google_project_iam_custom_role: 1",
"google_service_account: 1",
"google_sql_database_instance: 1",
"google_storage_bucket: 1"
]
},
{
"key": "descendant_resources",
"values": [
"google_compute_instance.web",
"google_compute_network.main",
"google_compute_subnetwork.app",
"google_project_iam_custom_role.deploy_admin",
"google_service_account.web",
"google_sql_database_instance.app",
"google_storage_bucket.logs"
]
},
{
"key": "custom_role_permissions",
"values": [
"iam.serviceAccounts.actAs"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 2,
"data_sensitivity": 2,
"lateral_movement": 2,
"blast_radius": 2,
"final_score": 8,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:a9a311adbcdee8161de2e4e8e8247dee5c199db0555e662a89c4626bb18a2a24",
"title": "Cloud SQL instance uses zonal availability",
"rule_id": "gcp-cloud-sql-zonal-availability",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": null,
"rationale": "google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.",
"recommended_mitigation": "Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.",
"evidence": [
{
"key": "availability_posture",
"values": [
"availability_type=ZONAL",
"engine=POSTGRES_15"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:7f2d36b5a36ebcaa29681a04a5a3a0e7a764f5744e7df33e8290597ed94bfd35",
"title": "Cloud SQL point-in-time recovery is disabled",
"rule_id": "gcp-cloud-sql-point-in-time-recovery-disabled",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": null,
"rationale": "google_sql_database_instance.app has automated backups enabled but point-in-time recovery disabled. That narrows recovery options after accidental writes, destructive migrations, or credential misuse.",
"recommended_mitigation": "Enable point-in-time recovery for Cloud SQL engines that support it, tune retention to recovery objectives, and test restore workflows for destructive-write scenarios.",
"evidence": [
{
"key": "backup_posture",
"values": [
"backup_configuration.enabled is true",
"point_in_time_recovery_enabled is false",
"engine is POSTGRES_15"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
"title": "GCP subnetwork Flow Logs are not configured",
"rule_id": "gcp-subnetwork-flow-logs-not-configured",
"category": "Repudiation",
"severity": "medium",
"affected_resources": [
"google_compute_subnetwork.app"
],
"trust_boundary_id": null,
"rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
"recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
"evidence": [
{
"key": "subnetwork_flow_log_posture",
"values": [
"address=google_compute_subnetwork.app",
"type=google_compute_subnetwork",
"name=app",
"identifier=tfstride-app",
"flow_log_state=not_configured",
"network=google_compute_network.main.id",
"project=tfstride-demo"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Baseline GCP Plan Demo
- Analyzed file: `sample_gcp_baseline_plan.json`
- Provider: `gcp`
- Normalized resources: `9`
- Unsupported resources: `0`
## Summary
This run identified **1 trust boundaries** and **5 findings** across **9 normalized resources**.
- High severity findings: `2`
- Medium severity findings: `3`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `9`
- Provider resources considered: `9`
- Normalized resources: `9`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
- `gcp-cloud-sql-point-in-time-recovery-disabled`: `1`
- `gcp-cloud-sql-zonal-availability`: `1`
- `gcp-subnetwork-flow-logs-not-configured`: `1`
- `gcp-project-iam-privileged-role`: `1`
- `gcp-inherited-iam-blast-radius`: `1`
## Discovered Trust Boundaries
### `workload-to-data-store`
- Source: `google_compute_instance.web`
- Target: `google_sql_database_instance.app`
- Description: google_compute_instance.web can interact with google_sql_database_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence.
## Findings
### High
#### GCP project IAM binding grants a high-privilege role
- STRIDE category: Elevation of Privilege
- Affected resources: `google_project_iam_member.deploy_admin`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +2, data_sensitivity +0, lateral_movement +2, blast_radius +2, final_score 6 => high
- Rationale: google_project_iam_member.deploy_admin grants the high-impact GCP role `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope. That role enables custom role includes high-impact permissions: iam.serviceAccounts.actAs and can materially expand control-plane blast radius if the principal is compromised or mis-scoped.
- Recommended mitigation: Replace Owner, Editor, IAM admin, service-account impersonation, and admin-class project roles with narrowly scoped predefined or custom roles assigned to specific groups or service accounts.
- Evidence:
- iam binding: member=group:deploy@example.com; role=projects/tfstride-demo/roles/deployAdmin
- role risk: custom role includes high-impact permissions: iam.serviceAccounts.actAs
- custom role permissions: iam.serviceAccounts.actAs
#### Inherited GCP IAM grant expands descendant blast radius
- STRIDE category: Elevation of Privilege
- Affected resources: `google_project_iam_member.deploy_admin`, `google_compute_instance.web`, `google_compute_network.main`, `google_compute_subnetwork.app`, `google_project_iam_custom_role.deploy_admin`, `google_service_account.web`, `google_sql_database_instance.app`, `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +2, data_sensitivity +2, lateral_movement +2, blast_radius +2, final_score 8 => high
- Rationale: google_project_iam_member.deploy_admin grants `projects/tfstride-demo/roles/deployAdmin` to `group:deploy@example.com` at project scope `tfstride-demo`, and that inherited grant applies to 7 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.
- Recommended mitigation: Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.
- Evidence:
- iam binding: source=google_project_iam_member.deploy_admin; scope=project:tfstride-demo; member=group:deploy@example.com; role=projects/tfstride-demo/roles/deployAdmin
- role risk: custom role includes high-impact permissions: iam.serviceAccounts.actAs
- descendant scope: scope=project:tfstride-demo; descendant_count=7; resource_type_count=7; projects=tfstride-demo
- descendant resource types: google_compute_instance: 1; google_compute_network: 1; google_compute_subnetwork: 1; google_project_iam_custom_role: 1; google_service_account: 1; google_sql_database_instance: 1; google_storage_bucket: 1
- descendant resources: google_compute_instance.web; google_compute_network.main; google_compute_subnetwork.app; google_project_iam_custom_role.deploy_admin; google_service_account.web; google_sql_database_instance.app; google_storage_bucket.logs
- custom role permissions: iam.serviceAccounts.actAs
### Medium
#### Cloud SQL instance uses zonal availability
- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Recommended mitigation: Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.
- Evidence:
- availability posture: availability_type=ZONAL; engine=POSTGRES_15
#### Cloud SQL point-in-time recovery is disabled
- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app has automated backups enabled but point-in-time recovery disabled. That narrows recovery options after accidental writes, destructive migrations, or credential misuse.
- Recommended mitigation: Enable point-in-time recovery for Cloud SQL engines that support it, tune retention to recovery objectives, and test restore workflows for destructive-write scenarios.
- Evidence:
- backup posture: backup_configuration.enabled is true; point_in_time_recovery_enabled is false; engine is POSTGRES_15
#### GCP subnetwork Flow Logs are not configured
- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.