Active findings
26Built-in scenario
gcp/sample_gcp_plan.jsonGCP Inventory Demo
Analyzed sample_gcp_plan.json with 23 normalized resources and 4 trust boundaries.
Trust boundaries
4Resources
23Observations
0Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 23
- Normalized resources
- 23
No unsupported GCP resource types were encountered.
Rule coverage
- Registered rules
- 78
- Disabled rules
- 0
- gcp-sensitive-resource-iam-external-access2
- gcp-pubsub-public-access1
- gcp-pubsub-topic-customer-managed-encryption-missing1
- gcp-pubsub-subscription-dead-letter-policy-missing1
- gcp-bigquery-public-access1
- gcp-cloud-sql-public-authorized-network1
- gcp-cloud-sql-backup-disabled1
- gcp-cloud-sql-public-ip-without-private-network1
- gcp-cloud-sql-ssl-not-required1
- gcp-cloud-sql-deletion-protection-disabled1
- gcp-cloud-sql-zonal-availability1
- gcp-gcs-public-access1
- gcp-gcs-public-access-prevention-not-enforced1
- gcp-gcs-versioning-disabled1
- gcp-gcs-customer-managed-encryption-missing1
- gcp-gcs-retention-policy-insufficient1
- gcp-secret-manager-customer-managed-encryption-missing1
- gcp-secret-manager-lifecycle-posture-incomplete1
- gcp-public-compute-broad-ingress1
- gcp-compute-os-login-disabled1
- gcp-subnetwork-flow-logs-not-configured1
- gcp-service-account-key-hygiene1
- gcp-service-account-key-effective-access1
- gcp-inherited-iam-blast-radius1
- gcp-public-workload-sensitive-data-access1
Findings
Severity bands
High
6BigQuery IAM binding allows public or broad data access
gcp-bigquery-public-accessgoogle_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
- iam binding: source=google_bigquery_dataset_iam_binding.analytics_viewers; role=roles/bigquery.dataViewer; member=allUsers
- trust scope: member is public GCP principal `allUsers`
- resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers
Cloud SQL instance accepts public authorized network access
gcp-cloud-sql-public-authorized-networkgoogle_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->google_sql_database_instance.app
- Resources
- google_sql_database_instance.app
Evidence
- authorized networks: anywhere (0.0.0.0/0)
- public exposure reasons: authorized network `anywhere` allows 0.0.0.0/0
GCP service account key can exercise sensitive or privileged access
gcp-service-account-key-effective-accessgoogle_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- google_service_account.web, google_service_account_key.web, google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
- key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; resolved_service_account=google_service_account.web
- service account principals: serviceAccount:tfstride-web@example.iam.gserviceaccount.com; tfstride-web@example.iam.gserviceaccount.com
- effective access: resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer
Internet-exposed GCP workload can access sensitive data services
gcp-public-workload-sensitive-data-accessgoogle_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Category
- Information Disclosure
- Boundary
- workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics
- Resources
- google_compute_instance.web, google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
- workload identity: serviceAccount:tfstride-web@example.iam.gserviceaccount.com
- workload identity scopes: cloud-platform
- data access path: google_compute_instance.web reaches google_bigquery_dataset.analytics
- boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
- resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers
Pub/Sub IAM binding allows public or broad data access
gcp-pubsub-public-accessgoogle_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_pubsub_topic.events, google_pubsub_topic_iam_member.public_publisher
Evidence
- iam binding: source=google_pubsub_topic_iam_member.public_publisher; role=roles/pubsub.publisher; member=allAuthenticatedUsers
- trust scope: member is public GCP principal `allAuthenticatedUsers`
- resource policy sources: google_pubsub_topic_iam_member.public_publisher
Sensitive GCP resource IAM binding allows broad or external access
gcp-sensitive-resource-iam-external-accessgoogle_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.public_accessor
Evidence
- iam binding: source=google_secret_manager_secret_iam_member.public_accessor; role=roles/secretmanager.secretAccessor; member=allAuthenticatedUsers
- trust scope: member is public GCP principal `allAuthenticatedUsers`
- resource policy sources: google_secret_manager_secret_iam_member.public_accessor
Medium
20Cloud SQL automated backups are disabled
gcp-cloud-sql-backup-disabledgoogle_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_sql_database_instance.app
Evidence
- backup posture: backup_configuration.enabled is false; point_in_time_recovery_enabled is false; engine is POSTGRES_15
Cloud SQL deletion protection is disabled
gcp-cloud-sql-deletion-protection-disabledgoogle_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_sql_database_instance.app
Evidence
- lifecycle posture: deletion_protection is false
Cloud SQL instance uses zonal availability
gcp-cloud-sql-zonal-availabilitygoogle_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_sql_database_instance.app
Evidence
- availability posture: availability_type=ZONAL; engine=POSTGRES_15
Cloud SQL public IPv4 is enabled without private network access
gcp-cloud-sql-public-ip-without-private-networkgoogle_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->google_sql_database_instance.app
- Resources
- google_sql_database_instance.app
Evidence
- network posture: ipv4_enabled is true; private_network is unset; authorized_networks configured: 1
- public access reasons: Cloud SQL public IPv4 access is enabled
Cloud SQL public client access does not require SSL
gcp-cloud-sql-ssl-not-requiredgoogle_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->google_sql_database_instance.app
- Resources
- google_sql_database_instance.app
Evidence
- ssl posture: require_ssl is false; ssl_mode is unset; ipv4_enabled is true
GCP compute instance disables OS Login
gcp-compute-os-login-disabledgoogle_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- google_compute_instance.web
Evidence
- os login posture: metadata.enable-oslogin is false
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
GCP service account user-managed key lacks rotation hygiene
gcp-service-account-key-hygienegoogle_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.
- Category
- Spoofing
- Boundary
- not-applicable
- Resources
- google_service_account.web, google_service_account_key.web
Evidence
- key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; key_algorithm=KEY_ALG_RSA_2048; public_key_type=TYPE_X509_PEM_FILE
- key risk: Terraform manages a user-created service-account key; validity window is 365 days and exceeds 180-day threshold; no Terraform keepers rotation trigger observed
- validity window: valid_after=2026-01-01T00:00:00Z; valid_before=2027-01-01T00:00:00Z; validity_days=365
- rotation control: no Terraform keepers rotation trigger observed
GCP subnetwork Flow Logs are not configured
gcp-subnetwork-flow-logs-not-configuredgoogle_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Category
- Repudiation
- Boundary
- not-applicable
- Resources
- google_compute_subnetwork.app
Evidence
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
GCS bucket does not enforce Public Access Prevention
gcp-gcs-public-access-prevention-not-enforcedgoogle_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->google_storage_bucket.logs
- Resources
- google_storage_bucket.logs
Evidence
- access control posture: public_access_prevention is unset
- public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers
GCS bucket is publicly accessible
gcp-gcs-public-accessgoogle_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.
- Category
- Information Disclosure
- Boundary
- internet-to-service:internet->google_storage_bucket.logs
- Resources
- google_storage_bucket.logs
Evidence
- public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers
GCS sensitive bucket does not use customer-managed encryption
gcp-gcs-customer-managed-encryption-missinggoogle_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_storage_bucket.logs
Evidence
- encryption posture: default_kms_key_name is unset; customer_managed_encryption is false
GCS sensitive bucket retention policy is insufficient
gcp-gcs-retention-policy-insufficientgoogle_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_storage_bucket.logs
Evidence
- retention policy issues: retention_policy is missing
- retention policy posture: retention_policy.retention_period_state=missing; minimum_retention_period_days=7; minimum_retention_period_seconds=604800; retention_policy.is_locked is unset
GCS sensitive bucket versioning is disabled
gcp-gcs-versioning-disabledgoogle_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_storage_bucket.logs
Evidence
- data protection posture: versioning.enabled is false; data_sensitivity is sensitive
Inherited GCP IAM grant expands descendant blast radius
gcp-inherited-iam-blast-radiusgoogle_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- google_project_iam_member.web_viewer, google_bigquery_dataset.analytics, google_bigquery_table.events, google_compute_firewall.public_app, google_compute_firewall.public_ssh, google_compute_instance.web, google_compute_network.main, google_compute_route.default_internet, google_compute_subnetwork.app, google_kms_crypto_key.customer, google_logging_project_sink.processor, google_pubsub_subscription.events, google_pubsub_topic.events, google_secret_manager_secret.api_key, google_service_account.web, google_service_account_key.web, google_sql_database_instance.app, google_storage_bucket.logs
Evidence
- iam binding: source=google_project_iam_member.web_viewer; scope=project:tfstride-demo; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; role=roles/viewer
- trust scope: service account belongs to project `example`, outside resource project `tfstride-demo`
- descendant scope: scope=project:tfstride-demo; descendant_count=17; resource_type_count=16; projects=tfstride-demo
- descendant resource types: google_bigquery_dataset: 1; google_bigquery_table: 1; google_compute_firewall: 2; google_compute_instance: 1; google_compute_network: 1; google_compute_route: 1; google_compute_subnetwork: 1; google_kms_crypto_key: 1; google_logging_project_sink: 1; google_pubsub_subscription: 1; google_pubsub_topic: 1; google_secret_manager_secret: 1; google_service_account: 1; google_service_account_key: 1; google_sql_database_instance: 1; google_storage_bucket: 1
- descendant resources: google_bigquery_dataset.analytics; google_bigquery_table.events; google_compute_firewall.public_app; google_compute_firewall.public_ssh; google_compute_instance.web; google_compute_network.main; google_compute_route.default_internet; google_compute_subnetwork.app; google_kms_crypto_key.customer; google_logging_project_sink.processor; and 7 more descendant resources
Internet-exposed GCP compute instance permits broad ingress
gcp-public-compute-broad-ingressgoogle_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.
- Category
- Spoofing
- Boundary
- internet-to-service:internet->google_compute_instance.web
- Resources
- google_compute_instance.web, google_compute_firewall.public_ssh
Evidence
- firewall rules: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0
- network tags: web
- internet ingress reasons: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0; google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
Pub/Sub subscription does not configure a dead-letter policy
gcp-pubsub-subscription-dead-letter-policy-missinggoogle_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_pubsub_subscription.events
Evidence
- target resource: address=google_pubsub_subscription.events; resource_type=google_pubsub_subscription
- dead letter posture: dead_letter_policy_state=not_configured; dead_letter_topic=unset
Pub/Sub topic does not use customer-managed encryption
gcp-pubsub-topic-customer-managed-encryption-missinggoogle_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_pubsub_topic.events
Evidence
- target resource: address=google_pubsub_topic.events; resource_type=google_pubsub_topic
- encryption ownership: cmek_state=not_configured; kms_key_name=unset
Secret Manager lifecycle posture is incomplete
gcp-secret-manager-lifecycle-posture-incompletegoogle_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.
- Category
- Denial of Service
- Boundary
- not-applicable
- Resources
- google_secret_manager_secret.api_key
Evidence
- target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
- lifecycle issues: secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail; version_destroy_ttl is missing
- lifecycle posture: ttl=unset; expire_time=unset; version_destroy_ttl=unset; minimum_version_destroy_ttl_days=7; minimum_version_destroy_ttl_seconds=604800
Secret Manager secret does not use customer-managed encryption
gcp-secret-manager-customer-managed-encryption-missinggoogle_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_secret_manager_secret.api_key
Evidence
- target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
- encryption ownership: customer_managed_encryption is false; secret_manager_replication_mode=automatic; secret_manager_kms_key_names is empty
- replication posture: replication.mode=automatic
Sensitive GCP resource IAM binding allows broad or external access
gcp-sensitive-resource-iam-external-accessgoogle_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- google_kms_crypto_key.customer, google_kms_crypto_key_iam_member.partner_decrypter
Evidence
- iam binding: source=google_kms_crypto_key_iam_member.partner_decrypter; role=roles/cloudkms.cryptoKeyDecrypter; member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com
- trust scope: service account belongs to project `partner-project`, outside resource project `tfstride-demo`
- resource policy sources: google_kms_crypto_key_iam_member.partner_decrypter
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
internet-to-service
internet -> google_compute_instance.web
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
internet-to-service
internet -> google_sql_database_instance.app
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
internet-to-service
internet -> google_storage_bucket.logs
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
workload-to-data-store
google_compute_instance.web -> google_bigquery_dataset.analytics
GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "GCP Inventory Demo",
"analyzed_file": "sample_gcp_plan.json",
"analyzed_path": "sample_gcp_plan.json",
"summary": {
"normalized_resources": 23,
"unsupported_resources": 0,
"trust_boundaries": 4,
"active_findings": 26,
"total_findings": 26,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 6,
"medium": 20,
"low": 0
}
},
"filtering": {
"total_findings": 26,
"active_findings": 26,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 23,
"provider_resources": 23,
"normalized_resources": 23,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 78,
"enabled_rules": [
"gcp-sensitive-resource-iam-external-access",
"gcp-pubsub-public-access",
"gcp-pubsub-topic-customer-managed-encryption-missing",
"gcp-pubsub-message-retention-insufficient",
"gcp-pubsub-subscription-dead-letter-policy-missing",
"gcp-bigquery-public-access",
"gcp-cloud-sql-public-authorized-network",
"gcp-cloud-sql-backup-disabled",
"gcp-cloud-sql-public-ip-without-private-network",
"gcp-cloud-sql-ssl-not-required",
"gcp-cloud-sql-point-in-time-recovery-disabled",
"gcp-cloud-sql-deletion-protection-disabled",
"gcp-cloud-sql-zonal-availability",
"gcp-cloud-sql-query-insights-disabled",
"gcp-cloud-sql-connector-enforcement-not-required",
"gcp-cloud-sql-private-connectivity-not-modeled",
"gcp-private-workload-private-google-access-disabled",
"gcp-gcs-public-access",
"gcp-gcs-uniform-bucket-level-access-disabled",
"gcp-gcs-public-access-prevention-not-enforced",
"gcp-gcs-versioning-disabled",
"gcp-gcs-customer-managed-encryption-missing",
"gcp-gcs-retention-policy-insufficient",
"gcp-artifact-registry-docker-tags-mutable",
"gcp-artifact-registry-customer-managed-encryption-missing",
"gcp-artifact-registry-vulnerability-scanning-disabled",
"gcp-secret-manager-customer-managed-encryption-missing",
"gcp-secret-manager-lifecycle-posture-incomplete",
"gcp-kms-key-rotation-not-configured-or-too-long",
"gcp-kms-key-destroy-scheduled-duration-too-short",
"gcp-public-compute-broad-ingress",
"gcp-public-load-balanced-workload",
"gcp-load-balancer-http-public-proxy",
"gcp-load-balancer-ssl-policy-missing-or-weak",
"gcp-public-load-balancer-cloud-armor-missing",
"gcp-compute-os-login-disabled",
"gcp-gke-public-control-plane",
"gcp-gke-broad-authorized-networks",
"gcp-gke-workload-identity-disabled",
"gcp-gke-legacy-metadata-endpoints-enabled",
"gcp-gke-broad-node-service-account",
"gcp-gke-control-plane-logging-incomplete",
"gcp-scc-asset-discovery-disabled",
"gcp-logging-exclusion-drops-audit-security-logs",
"gcp-logging-sink-audit-export-incomplete",
"gcp-central-audit-sink-not-modeled",
"gcp-subnetwork-flow-logs-not-configured",
"gcp-subnetwork-flow-log-capture-incomplete",
"gcp-gke-network-policy-disabled",
"gcp-gke-secrets-encryption-not-configured",
"gcp-gke-legacy-abac-enabled-or-unknown",
"gcp-gke-client-certificate-auth-enabled-or-unknown",
"gcp-gke-shielded-nodes-disabled-or-unknown",
"gcp-gke-binary-authorization-not-enabled",
"gcp-cloud-run-public-invoker",
"gcp-cloud-functions-public-invoker",
"gcp-cloud-run-image-not-digest-pinned",
"gcp-cloud-run-artifact-registry-mutable-tag",
"gcp-cloud-run-can-modify-image-repository",
"gcp-cloud-run-sensitive-environment-value-inline",
"gcp-cloud-run-secret-access-blast-radius",
"gcp-public-cloud-run-gcs-mutation-access",
"gcp-public-cloud-run-pubsub-mutation-access",
"gcp-service-account-iam-broad-principal",
"gcp-service-account-iam-privileged-role",
"gcp-service-account-key-hygiene",
"gcp-service-account-key-effective-access",
"gcp-workload-identity-pool-wide-impersonation",
"gcp-workload-identity-provider-unconditioned-broad-trust",
"gcp-workload-identity-privileged-service-account-access",
"gcp-org-folder-iam-broad-principal",
"gcp-org-folder-iam-privileged-role",
"gcp-project-iam-broad-principal",
"gcp-project-iam-privileged-role",
"gcp-iam-privileged-assignment",
"gcp-inherited-iam-sensitive-resource-access",
"gcp-inherited-iam-blast-radius",
"gcp-public-workload-sensitive-data-access"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"gcp-sensitive-resource-iam-external-access": 2,
"gcp-pubsub-public-access": 1,
"gcp-pubsub-topic-customer-managed-encryption-missing": 1,
"gcp-pubsub-message-retention-insufficient": 0,
"gcp-pubsub-subscription-dead-letter-policy-missing": 1,
"gcp-bigquery-public-access": 1,
"gcp-cloud-sql-public-authorized-network": 1,
"gcp-cloud-sql-backup-disabled": 1,
"gcp-cloud-sql-public-ip-without-private-network": 1,
"gcp-cloud-sql-ssl-not-required": 1,
"gcp-cloud-sql-point-in-time-recovery-disabled": 0,
"gcp-cloud-sql-deletion-protection-disabled": 1,
"gcp-cloud-sql-zonal-availability": 1,
"gcp-cloud-sql-query-insights-disabled": 0,
"gcp-cloud-sql-connector-enforcement-not-required": 0,
"gcp-cloud-sql-private-connectivity-not-modeled": 0,
"gcp-private-workload-private-google-access-disabled": 0,
"gcp-gcs-public-access": 1,
"gcp-gcs-uniform-bucket-level-access-disabled": 0,
"gcp-gcs-public-access-prevention-not-enforced": 1,
"gcp-gcs-versioning-disabled": 1,
"gcp-gcs-customer-managed-encryption-missing": 1,
"gcp-gcs-retention-policy-insufficient": 1,
"gcp-artifact-registry-docker-tags-mutable": 0,
"gcp-artifact-registry-customer-managed-encryption-missing": 0,
"gcp-artifact-registry-vulnerability-scanning-disabled": 0,
"gcp-secret-manager-customer-managed-encryption-missing": 1,
"gcp-secret-manager-lifecycle-posture-incomplete": 1,
"gcp-kms-key-rotation-not-configured-or-too-long": 0,
"gcp-kms-key-destroy-scheduled-duration-too-short": 0,
"gcp-public-compute-broad-ingress": 1,
"gcp-public-load-balanced-workload": 0,
"gcp-load-balancer-http-public-proxy": 0,
"gcp-load-balancer-ssl-policy-missing-or-weak": 0,
"gcp-public-load-balancer-cloud-armor-missing": 0,
"gcp-compute-os-login-disabled": 1,
"gcp-gke-public-control-plane": 0,
"gcp-gke-broad-authorized-networks": 0,
"gcp-gke-workload-identity-disabled": 0,
"gcp-gke-legacy-metadata-endpoints-enabled": 0,
"gcp-gke-broad-node-service-account": 0,
"gcp-gke-control-plane-logging-incomplete": 0,
"gcp-scc-asset-discovery-disabled": 0,
"gcp-logging-exclusion-drops-audit-security-logs": 0,
"gcp-logging-sink-audit-export-incomplete": 0,
"gcp-central-audit-sink-not-modeled": 0,
"gcp-subnetwork-flow-logs-not-configured": 1,
"gcp-subnetwork-flow-log-capture-incomplete": 0,
"gcp-gke-network-policy-disabled": 0,
"gcp-gke-secrets-encryption-not-configured": 0,
"gcp-gke-legacy-abac-enabled-or-unknown": 0,
"gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
"gcp-gke-shielded-nodes-disabled-or-unknown": 0,
"gcp-gke-binary-authorization-not-enabled": 0,
"gcp-cloud-run-public-invoker": 0,
"gcp-cloud-functions-public-invoker": 0,
"gcp-cloud-run-image-not-digest-pinned": 0,
"gcp-cloud-run-artifact-registry-mutable-tag": 0,
"gcp-cloud-run-can-modify-image-repository": 0,
"gcp-cloud-run-sensitive-environment-value-inline": 0,
"gcp-cloud-run-secret-access-blast-radius": 0,
"gcp-public-cloud-run-gcs-mutation-access": 0,
"gcp-public-cloud-run-pubsub-mutation-access": 0,
"gcp-service-account-iam-broad-principal": 0,
"gcp-service-account-iam-privileged-role": 0,
"gcp-service-account-key-hygiene": 1,
"gcp-service-account-key-effective-access": 1,
"gcp-workload-identity-pool-wide-impersonation": 0,
"gcp-workload-identity-provider-unconditioned-broad-trust": 0,
"gcp-workload-identity-privileged-service-account-access": 0,
"gcp-org-folder-iam-broad-principal": 0,
"gcp-org-folder-iam-privileged-role": 0,
"gcp-project-iam-broad-principal": 0,
"gcp-project-iam-privileged-role": 0,
"gcp-iam-privileged-assignment": 0,
"gcp-inherited-iam-sensitive-resource-access": 0,
"gcp-inherited-iam-blast-radius": 1,
"gcp-public-workload-sensitive-data-access": 1
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "gcp",
"unsupported_resources": [],
"metadata": {
"supported_resource_types": [
"google_artifact_registry_repository",
"google_artifact_registry_repository_iam_binding",
"google_artifact_registry_repository_iam_member",
"google_artifact_registry_repository_iam_policy",
"google_bigquery_dataset",
"google_bigquery_dataset_iam_binding",
"google_bigquery_dataset_iam_member",
"google_bigquery_dataset_iam_policy",
"google_bigquery_table",
"google_bigquery_table_iam_binding",
"google_bigquery_table_iam_member",
"google_bigquery_table_iam_policy",
"google_cloud_run_service",
"google_cloud_run_service_iam_binding",
"google_cloud_run_service_iam_member",
"google_cloud_run_service_iam_policy",
"google_cloud_run_v2_service",
"google_cloud_run_v2_service_iam_binding",
"google_cloud_run_v2_service_iam_member",
"google_cloud_run_v2_service_iam_policy",
"google_cloudfunctions2_function",
"google_cloudfunctions2_function_iam_binding",
"google_cloudfunctions2_function_iam_member",
"google_cloudfunctions2_function_iam_policy",
"google_cloudfunctions_function",
"google_cloudfunctions_function_iam_binding",
"google_cloudfunctions_function_iam_member",
"google_cloudfunctions_function_iam_policy",
"google_compute_backend_bucket",
"google_compute_backend_service",
"google_compute_firewall",
"google_compute_firewall_policy",
"google_compute_firewall_policy_association",
"google_compute_firewall_policy_rule",
"google_compute_forwarding_rule",
"google_compute_global_address",
"google_compute_global_forwarding_rule",
"google_compute_instance",
"google_compute_managed_ssl_certificate",
"google_compute_network",
"google_compute_network_endpoint_group",
"google_compute_region_backend_service",
"google_compute_region_network_endpoint_group",
"google_compute_region_security_policy",
"google_compute_region_target_http_proxy",
"google_compute_region_target_https_proxy",
"google_compute_region_url_map",
"google_compute_route",
"google_compute_router",
"google_compute_router_nat",
"google_compute_security_policy",
"google_compute_service_attachment",
"google_compute_ssl_policy",
"google_compute_subnetwork",
"google_compute_target_http_proxy",
"google_compute_target_https_proxy",
"google_compute_url_map",
"google_container_cluster",
"google_container_node_pool",
"google_folder_iam_binding",
"google_folder_iam_member",
"google_folder_iam_policy",
"google_folder_organization_policy",
"google_iam_workload_identity_pool",
"google_iam_workload_identity_pool_provider",
"google_kms_crypto_key",
"google_kms_crypto_key_iam_binding",
"google_kms_crypto_key_iam_member",
"google_kms_crypto_key_iam_policy",
"google_kms_key_ring_iam_binding",
"google_kms_key_ring_iam_member",
"google_kms_key_ring_iam_policy",
"google_logging_organization_exclusion",
"google_logging_organization_sink",
"google_logging_project_exclusion",
"google_logging_project_sink",
"google_network_connectivity_service_connection_policy",
"google_org_policy_policy",
"google_organization_iam_binding",
"google_organization_iam_custom_role",
"google_organization_iam_member",
"google_organization_iam_policy",
"google_organization_policy",
"google_project_iam_binding",
"google_project_iam_custom_role",
"google_project_iam_member",
"google_project_iam_policy",
"google_project_organization_policy",
"google_pubsub_subscription",
"google_pubsub_subscription_iam_binding",
"google_pubsub_subscription_iam_member",
"google_pubsub_subscription_iam_policy",
"google_pubsub_topic",
"google_pubsub_topic_iam_binding",
"google_pubsub_topic_iam_member",
"google_pubsub_topic_iam_policy",
"google_scc_organization_settings",
"google_secret_manager_secret",
"google_secret_manager_secret_iam_binding",
"google_secret_manager_secret_iam_member",
"google_secret_manager_secret_iam_policy",
"google_service_account",
"google_service_account_iam_binding",
"google_service_account_iam_member",
"google_service_account_iam_policy",
"google_service_account_key",
"google_service_networking_connection",
"google_sql_database_instance",
"google_storage_bucket",
"google_storage_bucket_iam_binding",
"google_storage_bucket_iam_member",
"google_storage_bucket_iam_policy"
],
"total_input_resources": 23,
"provider_resource_count": 23,
"normalized_resource_count": 23,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "google_bigquery_dataset.analytics",
"provider": "gcp",
"resource_type": "google_bigquery_dataset",
"name": "analytics",
"category": "data",
"identifier": "projects/tfstride-demo/datasets/tfstride_analytics",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/datasets/tfstride_analytics",
"project": "tfstride-demo",
"bigquery_dataset_id": "tfstride_analytics",
"bigquery_dataset_reference": "projects/tfstride-demo/datasets/tfstride_analytics",
"labels": {
"app": "tfstride"
},
"delete_contents_on_destroy": false,
"default_table_expiration_ms": null,
"description": null,
"friendly_name": null,
"location": "US",
"max_time_travel_hours": null,
"storage_billing_model": null,
"customer_managed_encryption": false,
"storage_encrypted": true,
"iam_bindings": [
{
"role": "roles/bigquery.dataViewer",
"members": [
"allUsers",
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
],
"source": "google_bigquery_dataset_iam_binding.analytics_viewers"
}
],
"gcp_resource_policy_source_addresses": [
"google_bigquery_dataset_iam_binding.analytics_viewers"
]
}
},
{
"address": "google_bigquery_dataset_iam_binding.analytics_viewers",
"provider": "gcp",
"resource_type": "google_bigquery_dataset_iam_binding",
"name": "analytics_viewers",
"category": "iam",
"identifier": "google_bigquery_dataset.analytics.dataset_id:roles/bigquery.dataViewer:allUsers,serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
"iam_role": "roles/bigquery.dataViewer",
"iam_members": [
"allUsers",
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/bigquery.dataViewer",
"members": [
"allUsers",
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_bigquery_table.events",
"provider": "gcp",
"resource_type": "google_bigquery_table",
"name": "events",
"category": "data",
"identifier": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"project": "tfstride-demo",
"bigquery_dataset_id": "google_bigquery_dataset.analytics.dataset_id",
"bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
"bigquery_table_id": "events",
"bigquery_table_reference": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"labels": {},
"clustering": [],
"deletion_protection": true,
"description": null,
"friendly_name": null,
"schema": null,
"time_partitioning": [],
"view": [],
"customer_managed_encryption": false,
"storage_encrypted": true
}
},
{
"address": "google_compute_firewall.public_app",
"provider": "gcp",
"resource_type": "google_compute_firewall",
"name": "public_app",
"category": "network",
"identifier": "tfstride-public-app",
"arn": null,
"vpc_id": "google_compute_network.main.name",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 8080,
"to_port": 8080,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-public-app",
"project": "tfstride-demo",
"network": "google_compute_network.main.name",
"allow": [
{
"protocol": "tcp",
"ports": [
"8080"
]
}
],
"deny": [],
"source_ranges": [
"0.0.0.0/0"
],
"destination_ranges": [],
"target_tags": [
"web"
],
"source_tags": [],
"target_service_accounts": [],
"source_service_accounts": [],
"firewall_direction": "ingress",
"firewall_disabled": false
}
},
{
"address": "google_compute_firewall.public_ssh",
"provider": "gcp",
"resource_type": "google_compute_firewall",
"name": "public_ssh",
"category": "network",
"identifier": "tfstride-public-ssh",
"arn": null,
"vpc_id": "google_compute_network.main.name",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 22,
"to_port": 22,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-public-ssh",
"project": "tfstride-demo",
"network": "google_compute_network.main.name",
"allow": [
{
"protocol": "tcp",
"ports": [
"22"
]
}
],
"deny": [],
"source_ranges": [
"0.0.0.0/0"
],
"destination_ranges": [],
"target_tags": [
"web"
],
"source_tags": [],
"target_service_accounts": [],
"source_service_accounts": [],
"firewall_direction": "ingress",
"firewall_disabled": false
}
},
{
"address": "google_compute_instance.web",
"provider": "gcp",
"resource_type": "google_compute_instance",
"name": "web",
"category": "compute",
"identifier": "tfstride-web",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [
"google_compute_subnetwork.app.id"
],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-web",
"project": "tfstride-demo",
"zone": "us-central1-a",
"machine_type": "e2-medium",
"network_tags": [
"web"
],
"network_interfaces": [
{
"subnetwork": "google_compute_subnetwork.app.id",
"access_config": [
{
"nat_ip": "35.1.2.3"
}
]
}
],
"service_accounts": [
{
"email": "tfstride-web@example.iam.gserviceaccount.com",
"scopes": [
"cloud-platform"
]
}
],
"labels": {},
"metadata": {
"enable-oslogin": "false"
},
"can_ip_forward": false,
"os_login_enabled": false,
"public_access_reasons": [
"compute instance has an external access config"
],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"has_public_route": true,
"internet_ingress_capable": true,
"internet_ingress_reasons": [
"google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0",
"google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0"
],
"internet_ingress_firewalls": [
"google_compute_firewall.public_ssh",
"google_compute_firewall.public_app"
],
"direct_internet_reachable": true,
"public_exposure_reasons": [
"compute instance has an external access config and matching firewall rules allow internet ingress"
]
}
},
{
"address": "google_compute_network.main",
"provider": "gcp",
"resource_type": "google_compute_network",
"name": "main",
"category": "network",
"identifier": "tfstride-main",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-main",
"project": "tfstride-demo",
"auto_create_subnetworks": false,
"routing_mode": "REGIONAL",
"description": null
}
},
{
"address": "google_compute_route.default_internet",
"provider": "gcp",
"resource_type": "google_compute_route",
"name": "default_internet",
"category": "network",
"identifier": "tfstride-default-internet",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-default-internet",
"project": "tfstride-demo",
"network": "google_compute_network.main.id",
"route_dest_range": "0.0.0.0/0",
"route_next_hop_gateway": "default-internet-gateway",
"route_tags": [
"web"
],
"route_priority": 1000,
"description": null
}
},
{
"address": "google_compute_subnetwork.app",
"provider": "gcp",
"resource_type": "google_compute_subnetwork",
"name": "app",
"category": "network",
"identifier": "tfstride-app",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-app",
"project": "tfstride-demo",
"region": "us-central1",
"network": "google_compute_network.main.id",
"cidr_range": "10.10.1.0/24",
"private_ip_google_access": true,
"purpose": null,
"stack_type": null,
"secondary_ip_ranges": [],
"subnetwork_flow_log_state": "not_configured",
"subnetwork_flow_log_config": {},
"subnetwork_flow_log_metadata_fields": [],
"network_telemetry_posture_uncertainties": [],
"has_public_route": false,
"is_public_subnet": false,
"has_nat_gateway_egress": false
}
},
{
"address": "google_kms_crypto_key.customer",
"provider": "gcp",
"resource_type": "google_kms_crypto_key",
"name": "customer",
"category": "data",
"identifier": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-customer-key",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-customer-key",
"project": "tfstride-demo",
"kms_crypto_key_reference": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-customer-key",
"kms_key_ring": "projects/tfstride-demo/locations/global/keyRings/tfstride-app",
"kms_purpose": "ENCRYPT_DECRYPT",
"kms_rotation_period": "7776000s",
"kms_posture_uncertainties": [],
"labels": {
"app": "tfstride"
},
"import_only": false,
"skip_initial_version_creation": false,
"storage_encrypted": true,
"iam_bindings": [
{
"role": "roles/cloudkms.cryptoKeyDecrypter",
"members": [
"serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
],
"source": "google_kms_crypto_key_iam_member.partner_decrypter"
}
],
"gcp_resource_policy_source_addresses": [
"google_kms_crypto_key_iam_member.partner_decrypter"
]
}
},
{
"address": "google_kms_crypto_key_iam_member.partner_decrypter",
"provider": "gcp",
"resource_type": "google_kms_crypto_key_iam_member",
"name": "partner_decrypter",
"category": "iam",
"identifier": "google_kms_crypto_key.customer.id:roles/cloudkms.cryptoKeyDecrypter:serviceAccount:decryptor@partner-project.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"kms_crypto_key_reference": "google_kms_crypto_key.customer.id",
"iam_role": "roles/cloudkms.cryptoKeyDecrypter",
"iam_member": "serviceAccount:decryptor@partner-project.iam.gserviceaccount.com",
"iam_members": [
"serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/cloudkms.cryptoKeyDecrypter",
"members": [
"serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_logging_project_sink.processor",
"provider": "gcp",
"resource_type": "google_logging_project_sink",
"name": "processor",
"category": "iam",
"identifier": "processor-logs",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"project": "tfstride-demo",
"name": "processor-logs",
"logging_sink_name": "processor-logs",
"logging_sink_destination": "storage.googleapis.com/tfstride-logs",
"logging_sink_scope_type": "project",
"logging_sink_scope": "tfstride-demo",
"audit_security_posture_uncertainties": []
}
},
{
"address": "google_project_iam_member.web_viewer",
"provider": "gcp",
"resource_type": "google_project_iam_member",
"name": "web_viewer",
"category": "iam",
"identifier": "roles/viewer:serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"project": "tfstride-demo",
"iam_role": "roles/viewer",
"iam_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"iam_members": [
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/viewer",
"members": [
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_pubsub_subscription.events",
"provider": "gcp",
"resource_type": "google_pubsub_subscription",
"name": "events",
"category": "data",
"identifier": "tfstride-events-sub",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-events-sub",
"project": "tfstride-demo",
"pubsub_subscription_reference": "tfstride-events-sub",
"pubsub_topic_reference": "google_pubsub_topic.events.id",
"labels": {},
"pubsub_subscription_ack_deadline_seconds": 20,
"pubsub_subscription_dead_letter_policy": [],
"pubsub_subscription_dead_letter_policy_state": "not_configured",
"pubsub_subscription_expiration_policy": [],
"pubsub_subscription_message_retention_state": "not_configured",
"pubsub_subscription_push_config": [],
"pubsub_subscription_retain_acked_messages": false,
"pubsub_subscription_retry_policy": [],
"pubsub_posture_uncertainties": [],
"storage_encrypted": true
}
},
{
"address": "google_pubsub_topic.events",
"provider": "gcp",
"resource_type": "google_pubsub_topic",
"name": "events",
"category": "data",
"identifier": "tfstride-events",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-events",
"project": "tfstride-demo",
"pubsub_topic_reference": "tfstride-events",
"labels": {
"app": "tfstride"
},
"pubsub_topic_cmek_state": "not_configured",
"pubsub_topic_message_retention_state": "not_configured",
"pubsub_topic_message_storage_policy": [],
"pubsub_topic_schema_settings": [],
"pubsub_posture_uncertainties": [],
"customer_managed_encryption": false,
"storage_encrypted": true,
"iam_bindings": [
{
"role": "roles/pubsub.publisher",
"members": [
"allAuthenticatedUsers"
],
"source": "google_pubsub_topic_iam_member.public_publisher"
}
],
"gcp_resource_policy_source_addresses": [
"google_pubsub_topic_iam_member.public_publisher"
]
}
},
{
"address": "google_pubsub_topic_iam_member.public_publisher",
"provider": "gcp",
"resource_type": "google_pubsub_topic_iam_member",
"name": "public_publisher",
"category": "iam",
"identifier": "google_pubsub_topic.events.name:roles/pubsub.publisher:allAuthenticatedUsers",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"pubsub_topic_reference": "google_pubsub_topic.events.name",
"iam_role": "roles/pubsub.publisher",
"iam_member": "allAuthenticatedUsers",
"iam_members": [
"allAuthenticatedUsers"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/pubsub.publisher",
"members": [
"allAuthenticatedUsers"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_secret_manager_secret.api_key",
"provider": "gcp",
"resource_type": "google_secret_manager_secret",
"name": "api_key",
"category": "data",
"identifier": "projects/tfstride-demo/secrets/tfstride-api-key",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_id": "tfstride-api-key",
"project": "tfstride-demo",
"labels": {
"app": "tfstride"
},
"secret_manager_replication_mode": "automatic",
"secret_manager_kms_key_names": [],
"secret_manager_replication": {
"mode": "automatic"
},
"secret_manager_posture_uncertainties": [],
"annotations": {},
"topics": [],
"customer_managed_encryption": false,
"storage_encrypted": true,
"iam_bindings": [
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"allAuthenticatedUsers"
],
"source": "google_secret_manager_secret_iam_member.public_accessor"
}
],
"gcp_resource_policy_source_addresses": [
"google_secret_manager_secret_iam_member.public_accessor"
]
}
},
{
"address": "google_secret_manager_secret_iam_member.public_accessor",
"provider": "gcp",
"resource_type": "google_secret_manager_secret_iam_member",
"name": "public_accessor",
"category": "iam",
"identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:allAuthenticatedUsers",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"secret_reference": "google_secret_manager_secret.api_key.id",
"project": "tfstride-demo",
"iam_role": "roles/secretmanager.secretAccessor",
"iam_member": "allAuthenticatedUsers",
"iam_members": [
"allAuthenticatedUsers"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"allAuthenticatedUsers"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_service_account.web",
"provider": "gcp",
"resource_type": "google_service_account",
"name": "web",
"category": "iam",
"identifier": "tfstride-web@example.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com",
"project": "tfstride-demo",
"service_account_account_id": "tfstride-web",
"service_account_email": "tfstride-web@example.iam.gserviceaccount.com",
"service_account_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"service_account_unique_id": "100000000000000000001",
"service_account_disabled": false,
"display_name": "tfSTRIDE web workload",
"description": "Service account used by the sample web workload."
}
},
{
"address": "google_service_account_key.web",
"provider": "gcp",
"resource_type": "google_service_account_key",
"name": "web",
"category": "iam",
"identifier": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com/keys/sample-key",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com/keys/sample-key",
"service_account_id": "google_service_account.web.email",
"service_account_reference": "google_service_account.web.email",
"service_account_key_algorithm": "KEY_ALG_RSA_2048",
"service_account_public_key_type": "TYPE_X509_PEM_FILE",
"valid_after": "2026-01-01T00:00:00Z",
"valid_before": "2027-01-01T00:00:00Z",
"keepers": {}
}
},
{
"address": "google_sql_database_instance.app",
"provider": "gcp",
"resource_type": "google_sql_database_instance",
"name": "app",
"category": "data",
"identifier": "tfstride-app-db",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-app-db",
"project": "tfstride-demo",
"region": "us-central1",
"database_version": "POSTGRES_15",
"availability_type": "ZONAL",
"cloud_sql_query_insights_state": "not_configured",
"cloud_sql_insights_config": {},
"cloud_sql_deletion_protection_state": "unknown",
"cloud_sql_posture_uncertainties": [],
"cloud_sql_ipv4_enabled": true,
"cloud_sql_backup_enabled": false,
"cloud_sql_point_in_time_recovery_enabled": false,
"cloud_sql_require_ssl": false,
"cloud_sql_authorized_networks": [
{
"name": "anywhere",
"value": "0.0.0.0/0"
}
],
"cloud_sql_backup_configuration": {
"enabled": false,
"point_in_time_recovery_enabled": false
},
"cloud_sql_ip_configuration": {
"ipv4_enabled": true,
"require_ssl": false,
"authorized_networks": [
{
"name": "anywhere",
"value": "0.0.0.0/0"
}
]
},
"deletion_protection": false,
"labels": {},
"tier": "db-f1-micro",
"disk_type": "PD_SSD",
"disk_size": 20,
"public_access_reasons": [
"Cloud SQL public IPv4 access is enabled"
],
"direct_internet_reachable": true,
"internet_ingress_capable": true,
"internet_ingress_reasons": [
"authorized network `anywhere` allows 0.0.0.0/0"
],
"public_exposure_reasons": [
"authorized network `anywhere` allows 0.0.0.0/0"
],
"publicly_accessible": true,
"storage_encrypted": true
}
},
{
"address": "google_storage_bucket.logs",
"provider": "gcp",
"resource_type": "google_storage_bucket",
"name": "logs",
"category": "data",
"identifier": "tfstride-logs",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstride-logs",
"bucket": "tfstride-logs",
"project": "tfstride-demo",
"labels": {},
"uniform_bucket_level_access": true,
"gcs_versioning_enabled": false,
"gcs_versioning_configuration": {},
"gcs_encryption_configuration": {},
"gcs_retention_policy_configuration": {},
"gcs_retention_policy_uncertainties": [],
"location": "US",
"storage_class": null,
"force_destroy": false,
"customer_managed_encryption": false,
"storage_encrypted": true,
"public_access_reasons": [
"google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
],
"direct_internet_reachable": true,
"public_exposure_reasons": [
"google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
],
"iam_bindings": [
{
"role": "roles/storage.objectViewer",
"members": [
"allUsers"
],
"source": "google_storage_bucket_iam_member.public_logs_reader"
}
],
"gcp_resource_policy_source_addresses": [
"google_storage_bucket_iam_member.public_logs_reader"
]
}
},
{
"address": "google_storage_bucket_iam_member.public_logs_reader",
"provider": "gcp",
"resource_type": "google_storage_bucket_iam_member",
"name": "public_logs_reader",
"category": "iam",
"identifier": "google_storage_bucket.logs.name:roles/storage.objectViewer:allUsers",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"bucket": "google_storage_bucket.logs.name",
"iam_role": "roles/storage.objectViewer",
"iam_member": "allUsers",
"iam_members": [
"allUsers"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/storage.objectViewer",
"members": [
"allUsers"
]
}
],
"privileged_access_grants": []
}
}
]
},
"trust_boundaries": [
{
"identifier": "internet-to-service:internet->google_compute_instance.web",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "google_compute_instance.web",
"description": "Traffic can cross from the public internet to google_compute_instance.web.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "internet-to-service:internet->google_sql_database_instance.app",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "google_sql_database_instance.app",
"description": "Traffic can cross from the public internet to google_sql_database_instance.app.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "internet-to-service:internet->google_storage_bucket.logs",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "google_storage_bucket.logs",
"description": "Traffic can cross from the public internet to google_storage_bucket.logs.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics",
"boundary_type": "workload-to-data-store",
"source": "google_compute_instance.web",
"target": "google_bigquery_dataset.analytics",
"description": "google_compute_instance.web can interact with google_bigquery_dataset.analytics.",
"rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com."
}
],
"findings": [
{
"fingerprint": "sha256:8c74c28ba2223af9fe27d104c317aad0cf77b75e2f1ffe4b32615981e1a3786a",
"title": "BigQuery IAM binding allows public or broad data access",
"rule_id": "gcp-bigquery-public-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_bigquery_dataset.analytics",
"google_bigquery_dataset_iam_binding.analytics_viewers"
],
"trust_boundary_id": null,
"rationale": "google_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.",
"recommended_mitigation": "Grant BigQuery dataset and table access only to specific in-project identities or reviewed analytics groups, remove public principals, and prefer least-privilege data roles.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_bigquery_dataset_iam_binding.analytics_viewers",
"role=roles/bigquery.dataViewer",
"member=allUsers"
]
},
{
"key": "trust_scope",
"values": [
"member is public GCP principal `allUsers`"
]
},
{
"key": "resource_policy_sources",
"values": [
"google_bigquery_dataset_iam_binding.analytics_viewers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 2,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 9,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:ea244fab8b597f86d6033e9dd1a7a85fcd2582156da247f7cf41dc56ce1996aa",
"title": "Cloud SQL instance accepts public authorized network access",
"rule_id": "gcp-cloud-sql-public-authorized-network",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
"rationale": "google_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.",
"recommended_mitigation": "Disable public IPv4 access where possible, use private IP connectivity or the Cloud SQL Auth Proxy, and restrict authorized networks to narrow CIDRs when public client access is required.",
"evidence": [
{
"key": "authorized_networks",
"values": [
"anywhere (0.0.0.0/0)"
]
},
{
"key": "public_exposure_reasons",
"values": [
"authorized network `anywhere` allows 0.0.0.0/0"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 6,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:28fb6117ee37f719c61424c06d297ce2a6a8c7a5a39fbbf562f344dd08716986",
"title": "GCP service account key can exercise sensitive or privileged access",
"rule_id": "gcp-service-account-key-effective-access",
"category": "Elevation of Privilege",
"severity": "high",
"affected_resources": [
"google_service_account.web",
"google_service_account_key.web",
"google_bigquery_dataset.analytics",
"google_bigquery_dataset_iam_binding.analytics_viewers"
],
"trust_boundary_id": null,
"rationale": "google_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.",
"recommended_mitigation": "Remove sensitive data and high-impact IAM grants from service accounts that still have user-managed keys, replace keys with workload identity or service-account impersonation, and revoke or rotate existing keys after privilege reduction.",
"evidence": [
{
"key": "key_context",
"values": [
"source=google_service_account_key.web",
"service_account_reference=google_service_account.web.email",
"resolved_service_account=google_service_account.web"
]
},
{
"key": "service_account_principals",
"values": [
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"tfstride-web@example.iam.gserviceaccount.com"
]
},
{
"key": "effective_access",
"values": [
"resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 6,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:ef139b4e20dc1f10522b417424c5b7cc88a9063aee35b5f0b643f0329233c326",
"title": "Internet-exposed GCP workload can access sensitive data services",
"rule_id": "gcp-public-workload-sensitive-data-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_compute_instance.web",
"google_bigquery_dataset.analytics",
"google_bigquery_dataset_iam_binding.analytics_viewers"
],
"trust_boundary_id": "workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics",
"rationale": "google_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
"recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
"evidence": [
{
"key": "public_exposure_reasons",
"values": [
"compute instance has an external access config and matching firewall rules allow internet ingress"
]
},
{
"key": "workload_identity",
"values": [
"serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
]
},
{
"key": "workload_identity_scopes",
"values": [
"cloud-platform"
]
},
{
"key": "data_access_path",
"values": [
"google_compute_instance.web reaches google_bigquery_dataset.analytics"
]
},
{
"key": "boundary_rationale",
"values": [
"GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com."
]
},
{
"key": "resource_policy_sources",
"values": [
"google_bigquery_dataset_iam_binding.analytics_viewers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 7,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:86d087ae3581ec714df99490d6c8eea1073e5a3ff78d5d4b9c8cf877533e3448",
"title": "Pub/Sub IAM binding allows public or broad data access",
"rule_id": "gcp-pubsub-public-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_pubsub_topic.events",
"google_pubsub_topic_iam_member.public_publisher"
],
"trust_boundary_id": null,
"rationale": "google_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.",
"recommended_mitigation": "Grant Pub/Sub publisher and subscriber roles only to specific service accounts or groups, remove public principals, and separate publish and consume permissions by workload.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_pubsub_topic_iam_member.public_publisher",
"role=roles/pubsub.publisher",
"member=allAuthenticatedUsers"
]
},
{
"key": "trust_scope",
"values": [
"member is public GCP principal `allAuthenticatedUsers`"
]
},
{
"key": "resource_policy_sources",
"values": [
"google_pubsub_topic_iam_member.public_publisher"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 2,
"data_sensitivity": 1,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 7,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:dcda21548d88813aa36e2cf734e63769e0d32d5bcc6bb38b1f39ca442702b607",
"title": "Sensitive GCP resource IAM binding allows broad or external access",
"rule_id": "gcp-sensitive-resource-iam-external-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_secret_manager_secret.api_key",
"google_secret_manager_secret_iam_member.public_accessor"
],
"trust_boundary_id": null,
"rationale": "google_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.",
"recommended_mitigation": "Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_secret_manager_secret_iam_member.public_accessor",
"role=roles/secretmanager.secretAccessor",
"member=allAuthenticatedUsers"
]
},
{
"key": "trust_scope",
"values": [
"member is public GCP principal `allAuthenticatedUsers`"
]
},
{
"key": "resource_policy_sources",
"values": [
"google_secret_manager_secret_iam_member.public_accessor"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 2,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 9,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:732031ebf10c1377662fe780b23c0062f4bd35fca0ff1594e027473c04ad58b3",
"title": "Cloud SQL automated backups are disabled",
"rule_id": "gcp-cloud-sql-backup-disabled",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": null,
"rationale": "google_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.",
"recommended_mitigation": "Enable automated backups for Cloud SQL instances, configure retention appropriate to the workload, and enable point-in-time recovery where supported.",
"evidence": [
{
"key": "backup_posture",
"values": [
"backup_configuration.enabled is false",
"point_in_time_recovery_enabled is false",
"engine is POSTGRES_15"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:45d6257e521b0a506b22d24effc4ea056c44258268d8daf7718eb88fa7d08ee0",
"title": "Cloud SQL deletion protection is disabled",
"rule_id": "gcp-cloud-sql-deletion-protection-disabled",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": null,
"rationale": "google_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.",
"recommended_mitigation": "Enable Cloud SQL deletion protection for persistent environments and require explicit review before disabling it during planned database retirement.",
"evidence": [
{
"key": "lifecycle_posture",
"values": [
"deletion_protection is false"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:a9a311adbcdee8161de2e4e8e8247dee5c199db0555e662a89c4626bb18a2a24",
"title": "Cloud SQL instance uses zonal availability",
"rule_id": "gcp-cloud-sql-zonal-availability",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": null,
"rationale": "google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.",
"recommended_mitigation": "Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.",
"evidence": [
{
"key": "availability_posture",
"values": [
"availability_type=ZONAL",
"engine=POSTGRES_15"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:6d18157ff1cecde179c5827e348e0ea19bcb17e4fb3d3ecf1a2394d940215cb6",
"title": "Cloud SQL public IPv4 is enabled without private network access",
"rule_id": "gcp-cloud-sql-public-ip-without-private-network",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
"rationale": "google_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.",
"recommended_mitigation": "Disable public IPv4 where possible, attach the instance to a private network, and route clients through private IP, the Cloud SQL Auth Proxy, or tightly controlled connectivity paths.",
"evidence": [
{
"key": "network_posture",
"values": [
"ipv4_enabled is true",
"private_network is unset",
"authorized_networks configured: 1"
]
},
{
"key": "public_access_reasons",
"values": [
"Cloud SQL public IPv4 access is enabled"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 0,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:2f9a3d374af8b51e6e3aa80ad9da2145f6f078927c72b74c19ab52f0d3266d8c",
"title": "Cloud SQL public client access does not require SSL",
"rule_id": "gcp-cloud-sql-ssl-not-required",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_sql_database_instance.app"
],
"trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
"rationale": "google_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.",
"recommended_mitigation": "Require encrypted Cloud SQL client connections with `require_ssl` or an enforcing `ssl_mode`, and prefer private IP or the Cloud SQL Auth Proxy for application connectivity.",
"evidence": [
{
"key": "ssl_posture",
"values": [
"require_ssl is false",
"ssl_mode is unset",
"ipv4_enabled is true"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 0,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:cf045d82abf9eb22d59cbc03ddb4d9f079c49d771b3e395bf64dc215946993d6",
"title": "GCP compute instance disables OS Login",
"rule_id": "gcp-compute-os-login-disabled",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"google_compute_instance.web"
],
"trust_boundary_id": null,
"rationale": "google_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.",
"recommended_mitigation": "Enable OS Login on GCE instances and manage SSH access through IAM roles, two-factor enforcement, and centralized audit logs instead of metadata SSH keys.",
"evidence": [
{
"key": "os_login_posture",
"values": [
"metadata.enable-oslogin is false"
]
},
{
"key": "public_exposure_reasons",
"values": [
"compute instance has an external access config and matching firewall rules allow internet ingress"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:556a241d54f7b6b0865f194d59c860efffbac01aaad254d687d6f439632fca8f",
"title": "GCP service account user-managed key lacks rotation hygiene",
"rule_id": "gcp-service-account-key-hygiene",
"category": "Spoofing",
"severity": "medium",
"affected_resources": [
"google_service_account.web",
"google_service_account_key.web"
],
"trust_boundary_id": null,
"rationale": "google_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.",
"recommended_mitigation": "Avoid user-managed service account keys where Workload Identity Federation, workload identity, or service-account impersonation can be used; when keys are unavoidable, keep lifetimes short, configure explicit rotation triggers, and store private material outside Terraform state.",
"evidence": [
{
"key": "key_context",
"values": [
"source=google_service_account_key.web",
"service_account_reference=google_service_account.web.email",
"key_algorithm=KEY_ALG_RSA_2048",
"public_key_type=TYPE_X509_PEM_FILE"
]
},
{
"key": "key_risk",
"values": [
"Terraform manages a user-created service-account key",
"validity window is 365 days and exceeds 180-day threshold",
"no Terraform keepers rotation trigger observed"
]
},
{
"key": "validity_window",
"values": [
"valid_after=2026-01-01T00:00:00Z",
"valid_before=2027-01-01T00:00:00Z",
"validity_days=365"
]
},
{
"key": "rotation_control",
"values": [
"no Terraform keepers rotation trigger observed"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
"title": "GCP subnetwork Flow Logs are not configured",
"rule_id": "gcp-subnetwork-flow-logs-not-configured",
"category": "Repudiation",
"severity": "medium",
"affected_resources": [
"google_compute_subnetwork.app"
],
"trust_boundary_id": null,
"rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
"recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
"evidence": [
{
"key": "subnetwork_flow_log_posture",
"values": [
"address=google_compute_subnetwork.app",
"type=google_compute_subnetwork",
"name=app",
"identifier=tfstride-app",
"flow_log_state=not_configured",
"network=google_compute_network.main.id",
"project=tfstride-demo"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:7f9b36a6593edd523470255de4c3c4dd97f9b9004e2fe64bc257be0bb37d1453",
"title": "GCS bucket does not enforce Public Access Prevention",
"rule_id": "gcp-gcs-public-access-prevention-not-enforced",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_storage_bucket.logs"
],
"trust_boundary_id": "internet-to-service:internet->google_storage_bucket.logs",
"rationale": "google_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.",
"recommended_mitigation": "Set GCS Public Access Prevention to `enforced` on sensitive buckets and rely on explicit non-public identities or signed access patterns when objects must be shared.",
"evidence": [
{
"key": "access_control_posture",
"values": [
"public_access_prevention is unset"
]
},
{
"key": "public_exposure_reasons",
"values": [
"google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:c40cdeca64a1e9283e86c379c3ef9e8a37ce2983381579cf7ab47eab05f62be9",
"title": "GCS bucket is publicly accessible",
"rule_id": "gcp-gcs-public-access",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_storage_bucket.logs"
],
"trust_boundary_id": "internet-to-service:internet->google_storage_bucket.logs",
"rationale": "google_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.",
"recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from bucket-level IAM grants, enforce GCS Public Access Prevention, and use signed URLs, CDN origins, or narrow identities when objects must be distributed.",
"evidence": [
{
"key": "public_exposure_reasons",
"values": [
"google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:90b26f239387e86c12b711ddfccfd9c03f230b8db90b6d4f559178f63d5412d2",
"title": "GCS sensitive bucket does not use customer-managed encryption",
"rule_id": "gcp-gcs-customer-managed-encryption-missing",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_storage_bucket.logs"
],
"trust_boundary_id": null,
"rationale": "google_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.",
"recommended_mitigation": "Configure a Cloud KMS customer-managed key for sensitive GCS buckets, assign the GCS service agent only the key roles it needs, and manage key rotation separately from bucket IAM.",
"evidence": [
{
"key": "encryption_posture",
"values": [
"default_kms_key_name is unset",
"customer_managed_encryption is false"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:9a500cc3c8625c002b61bcdc1c12c2f93348dd2ad1f9371641b6c77d6f104942",
"title": "GCS sensitive bucket retention policy is insufficient",
"rule_id": "gcp-gcs-retention-policy-insufficient",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_storage_bucket.logs"
],
"trust_boundary_id": null,
"rationale": "google_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.",
"recommended_mitigation": "Configure a GCS retention policy that meets recovery and compliance objectives, and lock the retention policy after operational validation. Treat retention lock as immutability posture, not as a replacement for object versioning or soft-delete recovery.",
"evidence": [
{
"key": "retention_policy_issues",
"values": [
"retention_policy is missing"
]
},
{
"key": "retention_policy_posture",
"values": [
"retention_policy.retention_period_state=missing",
"minimum_retention_period_days=7",
"minimum_retention_period_seconds=604800",
"retention_policy.is_locked is unset"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:b581f92581ebad73170a679021871c1cdbef137bf69e170c5f0c4085af7665bc",
"title": "GCS sensitive bucket versioning is disabled",
"rule_id": "gcp-gcs-versioning-disabled",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_storage_bucket.logs"
],
"trust_boundary_id": null,
"rationale": "google_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.",
"recommended_mitigation": "Enable bucket versioning for sensitive GCS buckets and pair it with lifecycle retention rules that match recovery objectives and storage cost constraints.",
"evidence": [
{
"key": "data_protection_posture",
"values": [
"versioning.enabled is false",
"data_sensitivity is sensitive"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:f9ce9a2599d6177745d490154cf7dcc976cbf65e1b8e57c39171912f767c2e66",
"title": "Inherited GCP IAM grant expands descendant blast radius",
"rule_id": "gcp-inherited-iam-blast-radius",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"google_project_iam_member.web_viewer",
"google_bigquery_dataset.analytics",
"google_bigquery_table.events",
"google_compute_firewall.public_app",
"google_compute_firewall.public_ssh",
"google_compute_instance.web",
"google_compute_network.main",
"google_compute_route.default_internet",
"google_compute_subnetwork.app",
"google_kms_crypto_key.customer",
"google_logging_project_sink.processor",
"google_pubsub_subscription.events",
"google_pubsub_topic.events",
"google_secret_manager_secret.api_key",
"google_service_account.web",
"google_service_account_key.web",
"google_sql_database_instance.app",
"google_storage_bucket.logs"
],
"trust_boundary_id": null,
"rationale": "google_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.",
"recommended_mitigation": "Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_project_iam_member.web_viewer",
"scope=project:tfstride-demo",
"member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
"role=roles/viewer"
]
},
{
"key": "trust_scope",
"values": [
"service account belongs to project `example`, outside resource project `tfstride-demo`"
]
},
{
"key": "descendant_scope",
"values": [
"scope=project:tfstride-demo",
"descendant_count=17",
"resource_type_count=16",
"projects=tfstride-demo"
]
},
{
"key": "descendant_resource_types",
"values": [
"google_bigquery_dataset: 1",
"google_bigquery_table: 1",
"google_compute_firewall: 2",
"google_compute_instance: 1",
"google_compute_network: 1",
"google_compute_route: 1",
"google_compute_subnetwork: 1",
"google_kms_crypto_key: 1",
"google_logging_project_sink: 1",
"google_pubsub_subscription: 1",
"google_pubsub_topic: 1",
"google_secret_manager_secret: 1",
"google_service_account: 1",
"google_service_account_key: 1",
"google_sql_database_instance: 1",
"google_storage_bucket: 1"
]
},
{
"key": "descendant_resources",
"values": [
"google_bigquery_dataset.analytics",
"google_bigquery_table.events",
"google_compute_firewall.public_app",
"google_compute_firewall.public_ssh",
"google_compute_instance.web",
"google_compute_network.main",
"google_compute_route.default_internet",
"google_compute_subnetwork.app",
"google_kms_crypto_key.customer",
"google_logging_project_sink.processor",
"and 7 more descendant resources"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:2baea47d0ebc1d51fb6d07282f63d7a6b6594aa953b0c00989a28723377c6771",
"title": "Internet-exposed GCP compute instance permits broad ingress",
"rule_id": "gcp-public-compute-broad-ingress",
"category": "Spoofing",
"severity": "medium",
"affected_resources": [
"google_compute_instance.web",
"google_compute_firewall.public_ssh"
],
"trust_boundary_id": "internet-to-service:internet->google_compute_instance.web",
"rationale": "google_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.",
"recommended_mitigation": "Restrict GCP firewall source ranges and exposed ports, remove external IP access where possible, and use Identity-Aware Proxy, VPN, or a controlled bastion for administration.",
"evidence": [
{
"key": "firewall_rules",
"values": [
"google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0"
]
},
{
"key": "network_tags",
"values": [
"web"
]
},
{
"key": "internet_ingress_reasons",
"values": [
"google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0",
"google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0"
]
},
{
"key": "public_exposure_reasons",
"values": [
"compute instance has an external access config and matching firewall rules allow internet ingress"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:9cffb8d448336f1a502e2dc72413c93d27369f9794c560a2742552b8602992b6",
"title": "Pub/Sub subscription does not configure a dead-letter policy",
"rule_id": "gcp-pubsub-subscription-dead-letter-policy-missing",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_pubsub_subscription.events"
],
"trust_boundary_id": null,
"rationale": "google_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.",
"recommended_mitigation": "Configure a reviewed Pub/Sub dead-letter topic and delivery-attempt threshold for subscriptions where poison messages or repeated delivery failures could disrupt processing.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=google_pubsub_subscription.events",
"resource_type=google_pubsub_subscription"
]
},
{
"key": "dead_letter_posture",
"values": [
"dead_letter_policy_state=not_configured",
"dead_letter_topic=unset"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:87622623c501ede23c62e92e63616b8e9fe19bc701d031de917f19757d61bcc9",
"title": "Pub/Sub topic does not use customer-managed encryption",
"rule_id": "gcp-pubsub-topic-customer-managed-encryption-missing",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_pubsub_topic.events"
],
"trust_boundary_id": null,
"rationale": "google_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.",
"recommended_mitigation": "Configure a customer-managed Cloud KMS key for sensitive Pub/Sub topics where key ownership, rotation, audit separation, or compliance requirements warrant it.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=google_pubsub_topic.events",
"resource_type=google_pubsub_topic"
]
},
{
"key": "encryption_ownership",
"values": [
"cmek_state=not_configured",
"kms_key_name=unset"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:2cb0283d7cd0a3c2bcd90a345b80a5779aea5392cfd8535aff986da5d44d0a10",
"title": "Secret Manager lifecycle posture is incomplete",
"rule_id": "gcp-secret-manager-lifecycle-posture-incomplete",
"category": "Denial of Service",
"severity": "medium",
"affected_resources": [
"google_secret_manager_secret.api_key"
],
"trust_boundary_id": null,
"rationale": "google_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.",
"recommended_mitigation": "Configure Secret Manager `ttl` or `expire_time` where secret-level expiry is expected, and set `version_destroy_ttl` to a retention window that gives operators enough time to recover from accidental or malicious secret version destruction.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=google_secret_manager_secret.api_key",
"type=google_secret_manager_secret",
"identifier=projects/tfstride-demo/secrets/tfstride-api-key"
]
},
{
"key": "lifecycle_issues",
"values": [
"secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail",
"version_destroy_ttl is missing"
]
},
{
"key": "lifecycle_posture",
"values": [
"ttl=unset",
"expire_time=unset",
"version_destroy_ttl=unset",
"minimum_version_destroy_ttl_days=7",
"minimum_version_destroy_ttl_seconds=604800"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:b3893099e06aad5adc9f9094188a13dc66675541dedccfd9636175998fb0ff8a",
"title": "Secret Manager secret does not use customer-managed encryption",
"rule_id": "gcp-secret-manager-customer-managed-encryption-missing",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_secret_manager_secret.api_key"
],
"trust_boundary_id": null,
"rationale": "google_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.",
"recommended_mitigation": "Configure Secret Manager replication with Cloud KMS customer-managed encryption for secrets that require customer key ownership, independent rotation, audit separation, or compliance controls.",
"evidence": [
{
"key": "target_resource",
"values": [
"address=google_secret_manager_secret.api_key",
"type=google_secret_manager_secret",
"identifier=projects/tfstride-demo/secrets/tfstride-api-key"
]
},
{
"key": "encryption_ownership",
"values": [
"customer_managed_encryption is false",
"secret_manager_replication_mode=automatic",
"secret_manager_kms_key_names is empty"
]
},
{
"key": "replication_posture",
"values": [
"replication.mode=automatic"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:408c558dd93f32bfca75eea24d9787a2feaab97ff26e4a869e7984cda37b5bd3",
"title": "Sensitive GCP resource IAM binding allows broad or external access",
"rule_id": "gcp-sensitive-resource-iam-external-access",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"google_kms_crypto_key.customer",
"google_kms_crypto_key_iam_member.partner_decrypter"
],
"trust_boundary_id": null,
"rationale": "google_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.",
"recommended_mitigation": "Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.",
"evidence": [
{
"key": "iam_binding",
"values": [
"source=google_kms_crypto_key_iam_member.partner_decrypter",
"role=roles/cloudkms.cryptoKeyDecrypter",
"member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
]
},
{
"key": "trust_scope",
"values": [
"service account belongs to project `partner-project`, outside resource project `tfstride-demo`"
]
},
{
"key": "resource_policy_sources",
"values": [
"google_kms_crypto_key_iam_member.partner_decrypter"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# GCP Inventory Demo
- Analyzed file: `sample_gcp_plan.json`
- Provider: `gcp`
- Normalized resources: `23`
- Unsupported resources: `0`
## Summary
This run identified **4 trust boundaries** and **26 findings** across **23 normalized resources**.
- High severity findings: `6`
- Medium severity findings: `20`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `23`
- Provider resources considered: `23`
- Normalized resources: `23`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
- `gcp-sensitive-resource-iam-external-access`: `2`
- `gcp-pubsub-public-access`: `1`
- `gcp-pubsub-topic-customer-managed-encryption-missing`: `1`
- `gcp-pubsub-subscription-dead-letter-policy-missing`: `1`
- `gcp-bigquery-public-access`: `1`
- `gcp-cloud-sql-public-authorized-network`: `1`
- `gcp-cloud-sql-backup-disabled`: `1`
- `gcp-cloud-sql-public-ip-without-private-network`: `1`
- `gcp-cloud-sql-ssl-not-required`: `1`
- `gcp-cloud-sql-deletion-protection-disabled`: `1`
- `gcp-cloud-sql-zonal-availability`: `1`
- `gcp-gcs-public-access`: `1`
- `gcp-gcs-public-access-prevention-not-enforced`: `1`
- `gcp-gcs-versioning-disabled`: `1`
- `gcp-gcs-customer-managed-encryption-missing`: `1`
- `gcp-gcs-retention-policy-insufficient`: `1`
- `gcp-secret-manager-customer-managed-encryption-missing`: `1`
- `gcp-secret-manager-lifecycle-posture-incomplete`: `1`
- `gcp-public-compute-broad-ingress`: `1`
- `gcp-compute-os-login-disabled`: `1`
- `gcp-subnetwork-flow-logs-not-configured`: `1`
- `gcp-service-account-key-hygiene`: `1`
- `gcp-service-account-key-effective-access`: `1`
- `gcp-inherited-iam-blast-radius`: `1`
- `gcp-public-workload-sensitive-data-access`: `1`
## Discovered Trust Boundaries
### `internet-to-service`
- Source: `internet`
- Target: `google_compute_instance.web`
- Description: Traffic can cross from the public internet to google_compute_instance.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `internet-to-service`
- Source: `internet`
- Target: `google_sql_database_instance.app`
- Description: Traffic can cross from the public internet to google_sql_database_instance.app.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `internet-to-service`
- Source: `internet`
- Target: `google_storage_bucket.logs`
- Description: Traffic can cross from the public internet to google_storage_bucket.logs.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `workload-to-data-store`
- Source: `google_compute_instance.web`
- Target: `google_bigquery_dataset.analytics`
- Description: google_compute_instance.web can interact with google_bigquery_dataset.analytics.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
## Findings
### High
#### BigQuery IAM binding allows public or broad data access
- STRIDE category: Information Disclosure
- Affected resources: `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 9 => high
- Rationale: google_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.
- Recommended mitigation: Grant BigQuery dataset and table access only to specific in-project identities or reviewed analytics groups, remove public principals, and prefer least-privilege data roles.
- Evidence:
- iam binding: source=google_bigquery_dataset_iam_binding.analytics_viewers; role=roles/bigquery.dataViewer; member=allUsers
- trust scope: member is public GCP principal `allUsers`
- resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers
#### Cloud SQL instance accepts public authorized network access
- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 6 => high
- Rationale: google_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.
- Recommended mitigation: Disable public IPv4 access where possible, use private IP connectivity or the Cloud SQL Auth Proxy, and restrict authorized networks to narrow CIDRs when public client access is required.
- Evidence:
- authorized networks: anywhere (0.0.0.0/0)
- public exposure reasons: authorized network `anywhere` allows 0.0.0.0/0
#### GCP service account key can exercise sensitive or privileged access
- STRIDE category: Elevation of Privilege
- Affected resources: `google_service_account.web`, `google_service_account_key.web`, `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 6 => high
- Rationale: google_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.
- Recommended mitigation: Remove sensitive data and high-impact IAM grants from service accounts that still have user-managed keys, replace keys with workload identity or service-account impersonation, and revoke or rotate existing keys after privilege reduction.
- Evidence:
- key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; resolved_service_account=google_service_account.web
- service account principals: serviceAccount:tfstride-web@example.iam.gserviceaccount.com; tfstride-web@example.iam.gserviceaccount.com
- effective access: resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer
#### Internet-exposed GCP workload can access sensitive data services
- STRIDE category: Information Disclosure
- Affected resources: `google_compute_instance.web`, `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
- workload identity: serviceAccount:tfstride-web@example.iam.gserviceaccount.com
- workload identity scopes: cloud-platform
- data access path: google_compute_instance.web reaches google_bigquery_dataset.analytics
- boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
- resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers
#### Pub/Sub IAM binding allows public or broad data access
- STRIDE category: Information Disclosure
- Affected resources: `google_pubsub_topic.events`, `google_pubsub_topic_iam_member.public_publisher`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +1, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.
- Recommended mitigation: Grant Pub/Sub publisher and subscriber roles only to specific service accounts or groups, remove public principals, and separate publish and consume permissions by workload.
- Evidence:
- iam binding: source=google_pubsub_topic_iam_member.public_publisher; role=roles/pubsub.publisher; member=allAuthenticatedUsers
- trust scope: member is public GCP principal `allAuthenticatedUsers`
- resource policy sources: google_pubsub_topic_iam_member.public_publisher
#### Sensitive GCP resource IAM binding allows broad or external access
- STRIDE category: Information Disclosure
- Affected resources: `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.public_accessor`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 9 => high
- Rationale: google_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Recommended mitigation: Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.
- Evidence:
- iam binding: source=google_secret_manager_secret_iam_member.public_accessor; role=roles/secretmanager.secretAccessor; member=allAuthenticatedUsers
- trust scope: member is public GCP principal `allAuthenticatedUsers`
- resource policy sources: google_secret_manager_secret_iam_member.public_accessor
### Medium
#### Cloud SQL automated backups are disabled
- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.
- Recommended mitigation: Enable automated backups for Cloud SQL instances, configure retention appropriate to the workload, and enable point-in-time recovery where supported.
- Evidence:
- backup posture: backup_configuration.enabled is false; point_in_time_recovery_enabled is false; engine is POSTGRES_15
#### Cloud SQL deletion protection is disabled
- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.
- Recommended mitigation: Enable Cloud SQL deletion protection for persistent environments and require explicit review before disabling it during planned database retirement.
- Evidence:
- lifecycle posture: deletion_protection is false
#### Cloud SQL instance uses zonal availability
- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Recommended mitigation: Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.
- Evidence:
- availability posture: availability_type=ZONAL; engine=POSTGRES_15
#### Cloud SQL public IPv4 is enabled without private network access
- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +0, final_score 5 => medium
- Rationale: google_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.
- Recommended mitigation: Disable public IPv4 where possible, attach the instance to a private network, and route clients through private IP, the Cloud SQL Auth Proxy, or tightly controlled connectivity paths.
- Evidence:
- network posture: ipv4_enabled is true; private_network is unset; authorized_networks configured: 1
- public access reasons: Cloud SQL public IPv4 access is enabled
#### Cloud SQL public client access does not require SSL
- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +0, final_score 5 => medium
- Rationale: google_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.
- Recommended mitigation: Require encrypted Cloud SQL client connections with `require_ssl` or an enforcing `ssl_mode`, and prefer private IP or the Cloud SQL Auth Proxy for application connectivity.
- Evidence:
- ssl posture: require_ssl is false; ssl_mode is unset; ipv4_enabled is true
#### GCP compute instance disables OS Login
- STRIDE category: Elevation of Privilege
- Affected resources: `google_compute_instance.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 5 => medium
- Rationale: google_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.
- Recommended mitigation: Enable OS Login on GCE instances and manage SSH access through IAM roles, two-factor enforcement, and centralized audit logs instead of metadata SSH keys.
- Evidence:
- os login posture: metadata.enable-oslogin is false
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
#### GCP service account user-managed key lacks rotation hygiene
- STRIDE category: Spoofing
- Affected resources: `google_service_account.web`, `google_service_account_key.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: google_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.
- Recommended mitigation: Avoid user-managed service account keys where Workload Identity Federation, workload identity, or service-account impersonation can be used; when keys are unavoidable, keep lifetimes short, configure explicit rotation triggers, and store private material outside Terraform state.
- Evidence:
- key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; key_algorithm=KEY_ALG_RSA_2048; public_key_type=TYPE_X509_PEM_FILE
- key risk: Terraform manages a user-created service-account key; validity window is 365 days and exceeds 180-day threshold; no Terraform keepers rotation trigger observed
- validity window: valid_after=2026-01-01T00:00:00Z; valid_before=2027-01-01T00:00:00Z; validity_days=365
- rotation control: no Terraform keepers rotation trigger observed
#### GCP subnetwork Flow Logs are not configured
- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
#### GCS bucket does not enforce Public Access Prevention
- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `internet-to-service:internet->google_storage_bucket.logs`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: google_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.
- Recommended mitigation: Set GCS Public Access Prevention to `enforced` on sensitive buckets and rely on explicit non-public identities or signed access patterns when objects must be shared.
- Evidence:
- access control posture: public_access_prevention is unset
- public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers
#### GCS bucket is publicly accessible
- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `internet-to-service:internet->google_storage_bucket.logs`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: google_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from bucket-level IAM grants, enforce GCS Public Access Prevention, and use signed URLs, CDN origins, or narrow identities when objects must be distributed.
- Evidence:
- public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers
#### GCS sensitive bucket does not use customer-managed encryption
- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.
- Recommended mitigation: Configure a Cloud KMS customer-managed key for sensitive GCS buckets, assign the GCS service agent only the key roles it needs, and manage key rotation separately from bucket IAM.
- Evidence:
- encryption posture: default_kms_key_name is unset; customer_managed_encryption is false
#### GCS sensitive bucket retention policy is insufficient
- STRIDE category: Denial of Service
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.
- Recommended mitigation: Configure a GCS retention policy that meets recovery and compliance objectives, and lock the retention policy after operational validation. Treat retention lock as immutability posture, not as a replacement for object versioning or soft-delete recovery.
- Evidence:
- retention policy issues: retention_policy is missing
- retention policy posture: retention_policy.retention_period_state=missing; minimum_retention_period_days=7; minimum_retention_period_seconds=604800; retention_policy.is_locked is unset
#### GCS sensitive bucket versioning is disabled
- STRIDE category: Denial of Service
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.
- Recommended mitigation: Enable bucket versioning for sensitive GCS buckets and pair it with lifecycle retention rules that match recovery objectives and storage cost constraints.
- Evidence:
- data protection posture: versioning.enabled is false; data_sensitivity is sensitive
#### Inherited GCP IAM grant expands descendant blast radius
- STRIDE category: Elevation of Privilege
- Affected resources: `google_project_iam_member.web_viewer`, `google_bigquery_dataset.analytics`, `google_bigquery_table.events`, `google_compute_firewall.public_app`, `google_compute_firewall.public_ssh`, `google_compute_instance.web`, `google_compute_network.main`, `google_compute_route.default_internet`, `google_compute_subnetwork.app`, `google_kms_crypto_key.customer`, `google_logging_project_sink.processor`, `google_pubsub_subscription.events`, `google_pubsub_topic.events`, `google_secret_manager_secret.api_key`, `google_service_account.web`, `google_service_account_key.web`, `google_sql_database_instance.app`, `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: google_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.
- Recommended mitigation: Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.
- Evidence:
- iam binding: source=google_project_iam_member.web_viewer; scope=project:tfstride-demo; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; role=roles/viewer
- trust scope: service account belongs to project `example`, outside resource project `tfstride-demo`
- descendant scope: scope=project:tfstride-demo; descendant_count=17; resource_type_count=16; projects=tfstride-demo
- descendant resource types: google_bigquery_dataset: 1; google_bigquery_table: 1; google_compute_firewall: 2; google_compute_instance: 1; google_compute_network: 1; google_compute_route: 1; google_compute_subnetwork: 1; google_kms_crypto_key: 1; google_logging_project_sink: 1; google_pubsub_subscription: 1; google_pubsub_topic: 1; google_secret_manager_secret: 1; google_service_account: 1; google_service_account_key: 1; google_sql_database_instance: 1; google_storage_bucket: 1
- descendant resources: google_bigquery_dataset.analytics; google_bigquery_table.events; google_compute_firewall.public_app; google_compute_firewall.public_ssh; google_compute_instance.web; google_compute_network.main; google_compute_route.default_internet; google_compute_subnetwork.app; google_kms_crypto_key.customer; google_logging_project_sink.processor; and 7 more descendant resources
#### Internet-exposed GCP compute instance permits broad ingress
- STRIDE category: Spoofing
- Affected resources: `google_compute_instance.web`, `google_compute_firewall.public_ssh`
- Trust boundary: `internet-to-service:internet->google_compute_instance.web`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: google_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.
- Recommended mitigation: Restrict GCP firewall source ranges and exposed ports, remove external IP access where possible, and use Identity-Aware Proxy, VPN, or a controlled bastion for administration.
- Evidence:
- firewall rules: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0
- network tags: web
- internet ingress reasons: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0; google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0
- public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
#### Pub/Sub subscription does not configure a dead-letter policy
- STRIDE category: Denial of Service
- Affected resources: `google_pubsub_subscription.events`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.
- Recommended mitigation: Configure a reviewed Pub/Sub dead-letter topic and delivery-attempt threshold for subscriptions where poison messages or repeated delivery failures could disrupt processing.
- Evidence:
- target resource: address=google_pubsub_subscription.events; resource_type=google_pubsub_subscription
- dead letter posture: dead_letter_policy_state=not_configured; dead_letter_topic=unset
#### Pub/Sub topic does not use customer-managed encryption
- STRIDE category: Information Disclosure
- Affected resources: `google_pubsub_topic.events`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.
- Recommended mitigation: Configure a customer-managed Cloud KMS key for sensitive Pub/Sub topics where key ownership, rotation, audit separation, or compliance requirements warrant it.
- Evidence:
- target resource: address=google_pubsub_topic.events; resource_type=google_pubsub_topic
- encryption ownership: cmek_state=not_configured; kms_key_name=unset
#### Secret Manager lifecycle posture is incomplete
- STRIDE category: Denial of Service
- Affected resources: `google_secret_manager_secret.api_key`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.
- Recommended mitigation: Configure Secret Manager `ttl` or `expire_time` where secret-level expiry is expected, and set `version_destroy_ttl` to a retention window that gives operators enough time to recover from accidental or malicious secret version destruction.
- Evidence:
- target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
- lifecycle issues: secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail; version_destroy_ttl is missing
- lifecycle posture: ttl=unset; expire_time=unset; version_destroy_ttl=unset; minimum_version_destroy_ttl_days=7; minimum_version_destroy_ttl_seconds=604800
#### Secret Manager secret does not use customer-managed encryption
- STRIDE category: Information Disclosure
- Affected resources: `google_secret_manager_secret.api_key`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.
- Recommended mitigation: Configure Secret Manager replication with Cloud KMS customer-managed encryption for secrets that require customer key ownership, independent rotation, audit separation, or compliance controls.
- Evidence:
- target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
- encryption ownership: customer_managed_encryption is false; secret_manager_replication_mode=automatic; secret_manager_kms_key_names is empty
- replication posture: replication.mode=automatic
#### Sensitive GCP resource IAM binding allows broad or external access
- STRIDE category: Information Disclosure
- Affected resources: `google_kms_crypto_key.customer`, `google_kms_crypto_key_iam_member.partner_decrypter`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 5 => medium
- Rationale: google_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Recommended mitigation: Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.
- Evidence:
- iam binding: source=google_kms_crypto_key_iam_member.partner_decrypter; role=roles/cloudkms.cryptoKeyDecrypter; member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com
- trust scope: service account belongs to project `partner-project`, outside resource project `tfstride-demo`
- resource policy sources: google_kms_crypto_key_iam_member.partner_decrypter
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.