Built-in scenario

gcp/sample_gcp_plan.json

GCP Inventory Demo

Analyzed sample_gcp_plan.json with 23 normalized resources and 4 trust boundaries.

Analyze another plan

Active findings

26

Trust boundaries

4

Resources

23

Observations

0
High 6
Medium 20
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 23
Unsupported 0
Enabled rules 78
Unresolved refs 0

Resource coverage

Provider resources considered
23
Normalized resources
23

No unsupported GCP resource types were encountered.

Rule coverage

Registered rules
78
Disabled rules
0
  • gcp-sensitive-resource-iam-external-access2
  • gcp-pubsub-public-access1
  • gcp-pubsub-topic-customer-managed-encryption-missing1
  • gcp-pubsub-subscription-dead-letter-policy-missing1
  • gcp-bigquery-public-access1
  • gcp-cloud-sql-public-authorized-network1
  • gcp-cloud-sql-backup-disabled1
  • gcp-cloud-sql-public-ip-without-private-network1
  • gcp-cloud-sql-ssl-not-required1
  • gcp-cloud-sql-deletion-protection-disabled1
  • gcp-cloud-sql-zonal-availability1
  • gcp-gcs-public-access1
  • gcp-gcs-public-access-prevention-not-enforced1
  • gcp-gcs-versioning-disabled1
  • gcp-gcs-customer-managed-encryption-missing1
  • gcp-gcs-retention-policy-insufficient1
  • gcp-secret-manager-customer-managed-encryption-missing1
  • gcp-secret-manager-lifecycle-posture-incomplete1
  • gcp-public-compute-broad-ingress1
  • gcp-compute-os-login-disabled1
  • gcp-subnetwork-flow-logs-not-configured1
  • gcp-service-account-key-hygiene1
  • gcp-service-account-key-effective-access1
  • gcp-inherited-iam-blast-radius1
  • gcp-public-workload-sensitive-data-access1

Findings

Severity bands

High

6

BigQuery IAM binding allows public or broad data access

gcp-bigquery-public-access

google_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
  • iam binding: source=google_bigquery_dataset_iam_binding.analytics_viewers; role=roles/bigquery.dataViewer; member=allUsers
  • trust scope: member is public GCP principal `allUsers`
  • resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers

Cloud SQL instance accepts public authorized network access

gcp-cloud-sql-public-authorized-network

google_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.

Category
Information Disclosure
Boundary
internet-to-service:internet->google_sql_database_instance.app
Resources
google_sql_database_instance.app
Evidence
  • authorized networks: anywhere (0.0.0.0/0)
  • public exposure reasons: authorized network `anywhere` allows 0.0.0.0/0

GCP service account key can exercise sensitive or privileged access

gcp-service-account-key-effective-access

google_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
google_service_account.web, google_service_account_key.web, google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
  • key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; resolved_service_account=google_service_account.web
  • service account principals: serviceAccount:tfstride-web@example.iam.gserviceaccount.com; tfstride-web@example.iam.gserviceaccount.com
  • effective access: resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer

Internet-exposed GCP workload can access sensitive data services

gcp-public-workload-sensitive-data-access

google_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.

Category
Information Disclosure
Boundary
workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics
Resources
google_compute_instance.web, google_bigquery_dataset.analytics, google_bigquery_dataset_iam_binding.analytics_viewers
Evidence
  • public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
  • workload identity: serviceAccount:tfstride-web@example.iam.gserviceaccount.com
  • workload identity scopes: cloud-platform
  • data access path: google_compute_instance.web reaches google_bigquery_dataset.analytics
  • boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
  • resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers

Pub/Sub IAM binding allows public or broad data access

gcp-pubsub-public-access

google_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_pubsub_topic.events, google_pubsub_topic_iam_member.public_publisher
Evidence
  • iam binding: source=google_pubsub_topic_iam_member.public_publisher; role=roles/pubsub.publisher; member=allAuthenticatedUsers
  • trust scope: member is public GCP principal `allAuthenticatedUsers`
  • resource policy sources: google_pubsub_topic_iam_member.public_publisher

Sensitive GCP resource IAM binding allows broad or external access

gcp-sensitive-resource-iam-external-access

google_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.public_accessor
Evidence
  • iam binding: source=google_secret_manager_secret_iam_member.public_accessor; role=roles/secretmanager.secretAccessor; member=allAuthenticatedUsers
  • trust scope: member is public GCP principal `allAuthenticatedUsers`
  • resource policy sources: google_secret_manager_secret_iam_member.public_accessor

Medium

20

Cloud SQL automated backups are disabled

gcp-cloud-sql-backup-disabled

google_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.

Category
Denial of Service
Boundary
not-applicable
Resources
google_sql_database_instance.app
Evidence
  • backup posture: backup_configuration.enabled is false; point_in_time_recovery_enabled is false; engine is POSTGRES_15

Cloud SQL deletion protection is disabled

gcp-cloud-sql-deletion-protection-disabled

google_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.

Category
Denial of Service
Boundary
not-applicable
Resources
google_sql_database_instance.app
Evidence
  • lifecycle posture: deletion_protection is false

Cloud SQL instance uses zonal availability

gcp-cloud-sql-zonal-availability

google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.

Category
Denial of Service
Boundary
not-applicable
Resources
google_sql_database_instance.app
Evidence
  • availability posture: availability_type=ZONAL; engine=POSTGRES_15

Cloud SQL public IPv4 is enabled without private network access

gcp-cloud-sql-public-ip-without-private-network

google_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.

Category
Information Disclosure
Boundary
internet-to-service:internet->google_sql_database_instance.app
Resources
google_sql_database_instance.app
Evidence
  • network posture: ipv4_enabled is true; private_network is unset; authorized_networks configured: 1
  • public access reasons: Cloud SQL public IPv4 access is enabled

Cloud SQL public client access does not require SSL

gcp-cloud-sql-ssl-not-required

google_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.

Category
Information Disclosure
Boundary
internet-to-service:internet->google_sql_database_instance.app
Resources
google_sql_database_instance.app
Evidence
  • ssl posture: require_ssl is false; ssl_mode is unset; ipv4_enabled is true

GCP compute instance disables OS Login

gcp-compute-os-login-disabled

google_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
google_compute_instance.web
Evidence
  • os login posture: metadata.enable-oslogin is false
  • public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress

GCP service account user-managed key lacks rotation hygiene

gcp-service-account-key-hygiene

google_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.

Category
Spoofing
Boundary
not-applicable
Resources
google_service_account.web, google_service_account_key.web
Evidence
  • key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; key_algorithm=KEY_ALG_RSA_2048; public_key_type=TYPE_X509_PEM_FILE
  • key risk: Terraform manages a user-created service-account key; validity window is 365 days and exceeds 180-day threshold; no Terraform keepers rotation trigger observed
  • validity window: valid_after=2026-01-01T00:00:00Z; valid_before=2027-01-01T00:00:00Z; validity_days=365
  • rotation control: no Terraform keepers rotation trigger observed

GCP subnetwork Flow Logs are not configured

gcp-subnetwork-flow-logs-not-configured

google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.

Category
Repudiation
Boundary
not-applicable
Resources
google_compute_subnetwork.app
Evidence
  • subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

GCS bucket does not enforce Public Access Prevention

gcp-gcs-public-access-prevention-not-enforced

google_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.

Category
Information Disclosure
Boundary
internet-to-service:internet->google_storage_bucket.logs
Resources
google_storage_bucket.logs
Evidence
  • access control posture: public_access_prevention is unset
  • public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers

GCS bucket is publicly accessible

gcp-gcs-public-access

google_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.

Category
Information Disclosure
Boundary
internet-to-service:internet->google_storage_bucket.logs
Resources
google_storage_bucket.logs
Evidence
  • public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers

GCS sensitive bucket does not use customer-managed encryption

gcp-gcs-customer-managed-encryption-missing

google_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_storage_bucket.logs
Evidence
  • encryption posture: default_kms_key_name is unset; customer_managed_encryption is false

GCS sensitive bucket retention policy is insufficient

gcp-gcs-retention-policy-insufficient

google_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.

Category
Denial of Service
Boundary
not-applicable
Resources
google_storage_bucket.logs
Evidence
  • retention policy issues: retention_policy is missing
  • retention policy posture: retention_policy.retention_period_state=missing; minimum_retention_period_days=7; minimum_retention_period_seconds=604800; retention_policy.is_locked is unset

GCS sensitive bucket versioning is disabled

gcp-gcs-versioning-disabled

google_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.

Category
Denial of Service
Boundary
not-applicable
Resources
google_storage_bucket.logs
Evidence
  • data protection posture: versioning.enabled is false; data_sensitivity is sensitive

Inherited GCP IAM grant expands descendant blast radius

gcp-inherited-iam-blast-radius

google_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
google_project_iam_member.web_viewer, google_bigquery_dataset.analytics, google_bigquery_table.events, google_compute_firewall.public_app, google_compute_firewall.public_ssh, google_compute_instance.web, google_compute_network.main, google_compute_route.default_internet, google_compute_subnetwork.app, google_kms_crypto_key.customer, google_logging_project_sink.processor, google_pubsub_subscription.events, google_pubsub_topic.events, google_secret_manager_secret.api_key, google_service_account.web, google_service_account_key.web, google_sql_database_instance.app, google_storage_bucket.logs
Evidence
  • iam binding: source=google_project_iam_member.web_viewer; scope=project:tfstride-demo; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; role=roles/viewer
  • trust scope: service account belongs to project `example`, outside resource project `tfstride-demo`
  • descendant scope: scope=project:tfstride-demo; descendant_count=17; resource_type_count=16; projects=tfstride-demo
  • descendant resource types: google_bigquery_dataset: 1; google_bigquery_table: 1; google_compute_firewall: 2; google_compute_instance: 1; google_compute_network: 1; google_compute_route: 1; google_compute_subnetwork: 1; google_kms_crypto_key: 1; google_logging_project_sink: 1; google_pubsub_subscription: 1; google_pubsub_topic: 1; google_secret_manager_secret: 1; google_service_account: 1; google_service_account_key: 1; google_sql_database_instance: 1; google_storage_bucket: 1
  • descendant resources: google_bigquery_dataset.analytics; google_bigquery_table.events; google_compute_firewall.public_app; google_compute_firewall.public_ssh; google_compute_instance.web; google_compute_network.main; google_compute_route.default_internet; google_compute_subnetwork.app; google_kms_crypto_key.customer; google_logging_project_sink.processor; and 7 more descendant resources

Internet-exposed GCP compute instance permits broad ingress

gcp-public-compute-broad-ingress

google_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.

Category
Spoofing
Boundary
internet-to-service:internet->google_compute_instance.web
Resources
google_compute_instance.web, google_compute_firewall.public_ssh
Evidence
  • firewall rules: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0
  • network tags: web
  • internet ingress reasons: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0; google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0
  • public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress

Pub/Sub subscription does not configure a dead-letter policy

gcp-pubsub-subscription-dead-letter-policy-missing

google_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.

Category
Denial of Service
Boundary
not-applicable
Resources
google_pubsub_subscription.events
Evidence
  • target resource: address=google_pubsub_subscription.events; resource_type=google_pubsub_subscription
  • dead letter posture: dead_letter_policy_state=not_configured; dead_letter_topic=unset

Pub/Sub topic does not use customer-managed encryption

gcp-pubsub-topic-customer-managed-encryption-missing

google_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_pubsub_topic.events
Evidence
  • target resource: address=google_pubsub_topic.events; resource_type=google_pubsub_topic
  • encryption ownership: cmek_state=not_configured; kms_key_name=unset

Secret Manager lifecycle posture is incomplete

gcp-secret-manager-lifecycle-posture-incomplete

google_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.

Category
Denial of Service
Boundary
not-applicable
Resources
google_secret_manager_secret.api_key
Evidence
  • target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
  • lifecycle issues: secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail; version_destroy_ttl is missing
  • lifecycle posture: ttl=unset; expire_time=unset; version_destroy_ttl=unset; minimum_version_destroy_ttl_days=7; minimum_version_destroy_ttl_seconds=604800

Secret Manager secret does not use customer-managed encryption

gcp-secret-manager-customer-managed-encryption-missing

google_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_secret_manager_secret.api_key
Evidence
  • target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
  • encryption ownership: customer_managed_encryption is false; secret_manager_replication_mode=automatic; secret_manager_kms_key_names is empty
  • replication posture: replication.mode=automatic

Sensitive GCP resource IAM binding allows broad or external access

gcp-sensitive-resource-iam-external-access

google_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.

Category
Information Disclosure
Boundary
not-applicable
Resources
google_kms_crypto_key.customer, google_kms_crypto_key_iam_member.partner_decrypter
Evidence
  • iam binding: source=google_kms_crypto_key_iam_member.partner_decrypter; role=roles/cloudkms.cryptoKeyDecrypter; member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com
  • trust scope: service account belongs to project `partner-project`, outside resource project `tfstride-demo`
  • resource policy sources: google_kms_crypto_key_iam_member.partner_decrypter

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

internet-to-service

internet -> google_compute_instance.web

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

internet-to-service

internet -> google_sql_database_instance.app

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

internet-to-service

internet -> google_storage_bucket.logs

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

workload-to-data-store

google_compute_instance.web -> google_bigquery_dataset.analytics

GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "GCP Inventory Demo",
  "analyzed_file": "sample_gcp_plan.json",
  "analyzed_path": "sample_gcp_plan.json",
  "summary": {
    "normalized_resources": 23,
    "unsupported_resources": 0,
    "trust_boundaries": 4,
    "active_findings": 26,
    "total_findings": 26,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 6,
      "medium": 20,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 26,
    "active_findings": 26,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 23,
      "provider_resources": 23,
      "normalized_resources": 23,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 78,
      "enabled_rules": [
        "gcp-sensitive-resource-iam-external-access",
        "gcp-pubsub-public-access",
        "gcp-pubsub-topic-customer-managed-encryption-missing",
        "gcp-pubsub-message-retention-insufficient",
        "gcp-pubsub-subscription-dead-letter-policy-missing",
        "gcp-bigquery-public-access",
        "gcp-cloud-sql-public-authorized-network",
        "gcp-cloud-sql-backup-disabled",
        "gcp-cloud-sql-public-ip-without-private-network",
        "gcp-cloud-sql-ssl-not-required",
        "gcp-cloud-sql-point-in-time-recovery-disabled",
        "gcp-cloud-sql-deletion-protection-disabled",
        "gcp-cloud-sql-zonal-availability",
        "gcp-cloud-sql-query-insights-disabled",
        "gcp-cloud-sql-connector-enforcement-not-required",
        "gcp-cloud-sql-private-connectivity-not-modeled",
        "gcp-private-workload-private-google-access-disabled",
        "gcp-gcs-public-access",
        "gcp-gcs-uniform-bucket-level-access-disabled",
        "gcp-gcs-public-access-prevention-not-enforced",
        "gcp-gcs-versioning-disabled",
        "gcp-gcs-customer-managed-encryption-missing",
        "gcp-gcs-retention-policy-insufficient",
        "gcp-artifact-registry-docker-tags-mutable",
        "gcp-artifact-registry-customer-managed-encryption-missing",
        "gcp-artifact-registry-vulnerability-scanning-disabled",
        "gcp-secret-manager-customer-managed-encryption-missing",
        "gcp-secret-manager-lifecycle-posture-incomplete",
        "gcp-kms-key-rotation-not-configured-or-too-long",
        "gcp-kms-key-destroy-scheduled-duration-too-short",
        "gcp-public-compute-broad-ingress",
        "gcp-public-load-balanced-workload",
        "gcp-load-balancer-http-public-proxy",
        "gcp-load-balancer-ssl-policy-missing-or-weak",
        "gcp-public-load-balancer-cloud-armor-missing",
        "gcp-compute-os-login-disabled",
        "gcp-gke-public-control-plane",
        "gcp-gke-broad-authorized-networks",
        "gcp-gke-workload-identity-disabled",
        "gcp-gke-legacy-metadata-endpoints-enabled",
        "gcp-gke-broad-node-service-account",
        "gcp-gke-control-plane-logging-incomplete",
        "gcp-scc-asset-discovery-disabled",
        "gcp-logging-exclusion-drops-audit-security-logs",
        "gcp-logging-sink-audit-export-incomplete",
        "gcp-central-audit-sink-not-modeled",
        "gcp-subnetwork-flow-logs-not-configured",
        "gcp-subnetwork-flow-log-capture-incomplete",
        "gcp-gke-network-policy-disabled",
        "gcp-gke-secrets-encryption-not-configured",
        "gcp-gke-legacy-abac-enabled-or-unknown",
        "gcp-gke-client-certificate-auth-enabled-or-unknown",
        "gcp-gke-shielded-nodes-disabled-or-unknown",
        "gcp-gke-binary-authorization-not-enabled",
        "gcp-cloud-run-public-invoker",
        "gcp-cloud-functions-public-invoker",
        "gcp-cloud-run-image-not-digest-pinned",
        "gcp-cloud-run-artifact-registry-mutable-tag",
        "gcp-cloud-run-can-modify-image-repository",
        "gcp-cloud-run-sensitive-environment-value-inline",
        "gcp-cloud-run-secret-access-blast-radius",
        "gcp-public-cloud-run-gcs-mutation-access",
        "gcp-public-cloud-run-pubsub-mutation-access",
        "gcp-service-account-iam-broad-principal",
        "gcp-service-account-iam-privileged-role",
        "gcp-service-account-key-hygiene",
        "gcp-service-account-key-effective-access",
        "gcp-workload-identity-pool-wide-impersonation",
        "gcp-workload-identity-provider-unconditioned-broad-trust",
        "gcp-workload-identity-privileged-service-account-access",
        "gcp-org-folder-iam-broad-principal",
        "gcp-org-folder-iam-privileged-role",
        "gcp-project-iam-broad-principal",
        "gcp-project-iam-privileged-role",
        "gcp-iam-privileged-assignment",
        "gcp-inherited-iam-sensitive-resource-access",
        "gcp-inherited-iam-blast-radius",
        "gcp-public-workload-sensitive-data-access"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "gcp-sensitive-resource-iam-external-access": 2,
        "gcp-pubsub-public-access": 1,
        "gcp-pubsub-topic-customer-managed-encryption-missing": 1,
        "gcp-pubsub-message-retention-insufficient": 0,
        "gcp-pubsub-subscription-dead-letter-policy-missing": 1,
        "gcp-bigquery-public-access": 1,
        "gcp-cloud-sql-public-authorized-network": 1,
        "gcp-cloud-sql-backup-disabled": 1,
        "gcp-cloud-sql-public-ip-without-private-network": 1,
        "gcp-cloud-sql-ssl-not-required": 1,
        "gcp-cloud-sql-point-in-time-recovery-disabled": 0,
        "gcp-cloud-sql-deletion-protection-disabled": 1,
        "gcp-cloud-sql-zonal-availability": 1,
        "gcp-cloud-sql-query-insights-disabled": 0,
        "gcp-cloud-sql-connector-enforcement-not-required": 0,
        "gcp-cloud-sql-private-connectivity-not-modeled": 0,
        "gcp-private-workload-private-google-access-disabled": 0,
        "gcp-gcs-public-access": 1,
        "gcp-gcs-uniform-bucket-level-access-disabled": 0,
        "gcp-gcs-public-access-prevention-not-enforced": 1,
        "gcp-gcs-versioning-disabled": 1,
        "gcp-gcs-customer-managed-encryption-missing": 1,
        "gcp-gcs-retention-policy-insufficient": 1,
        "gcp-artifact-registry-docker-tags-mutable": 0,
        "gcp-artifact-registry-customer-managed-encryption-missing": 0,
        "gcp-artifact-registry-vulnerability-scanning-disabled": 0,
        "gcp-secret-manager-customer-managed-encryption-missing": 1,
        "gcp-secret-manager-lifecycle-posture-incomplete": 1,
        "gcp-kms-key-rotation-not-configured-or-too-long": 0,
        "gcp-kms-key-destroy-scheduled-duration-too-short": 0,
        "gcp-public-compute-broad-ingress": 1,
        "gcp-public-load-balanced-workload": 0,
        "gcp-load-balancer-http-public-proxy": 0,
        "gcp-load-balancer-ssl-policy-missing-or-weak": 0,
        "gcp-public-load-balancer-cloud-armor-missing": 0,
        "gcp-compute-os-login-disabled": 1,
        "gcp-gke-public-control-plane": 0,
        "gcp-gke-broad-authorized-networks": 0,
        "gcp-gke-workload-identity-disabled": 0,
        "gcp-gke-legacy-metadata-endpoints-enabled": 0,
        "gcp-gke-broad-node-service-account": 0,
        "gcp-gke-control-plane-logging-incomplete": 0,
        "gcp-scc-asset-discovery-disabled": 0,
        "gcp-logging-exclusion-drops-audit-security-logs": 0,
        "gcp-logging-sink-audit-export-incomplete": 0,
        "gcp-central-audit-sink-not-modeled": 0,
        "gcp-subnetwork-flow-logs-not-configured": 1,
        "gcp-subnetwork-flow-log-capture-incomplete": 0,
        "gcp-gke-network-policy-disabled": 0,
        "gcp-gke-secrets-encryption-not-configured": 0,
        "gcp-gke-legacy-abac-enabled-or-unknown": 0,
        "gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
        "gcp-gke-shielded-nodes-disabled-or-unknown": 0,
        "gcp-gke-binary-authorization-not-enabled": 0,
        "gcp-cloud-run-public-invoker": 0,
        "gcp-cloud-functions-public-invoker": 0,
        "gcp-cloud-run-image-not-digest-pinned": 0,
        "gcp-cloud-run-artifact-registry-mutable-tag": 0,
        "gcp-cloud-run-can-modify-image-repository": 0,
        "gcp-cloud-run-sensitive-environment-value-inline": 0,
        "gcp-cloud-run-secret-access-blast-radius": 0,
        "gcp-public-cloud-run-gcs-mutation-access": 0,
        "gcp-public-cloud-run-pubsub-mutation-access": 0,
        "gcp-service-account-iam-broad-principal": 0,
        "gcp-service-account-iam-privileged-role": 0,
        "gcp-service-account-key-hygiene": 1,
        "gcp-service-account-key-effective-access": 1,
        "gcp-workload-identity-pool-wide-impersonation": 0,
        "gcp-workload-identity-provider-unconditioned-broad-trust": 0,
        "gcp-workload-identity-privileged-service-account-access": 0,
        "gcp-org-folder-iam-broad-principal": 0,
        "gcp-org-folder-iam-privileged-role": 0,
        "gcp-project-iam-broad-principal": 0,
        "gcp-project-iam-privileged-role": 0,
        "gcp-iam-privileged-assignment": 0,
        "gcp-inherited-iam-sensitive-resource-access": 0,
        "gcp-inherited-iam-blast-radius": 1,
        "gcp-public-workload-sensitive-data-access": 1
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "gcp",
    "unsupported_resources": [],
    "metadata": {
      "supported_resource_types": [
        "google_artifact_registry_repository",
        "google_artifact_registry_repository_iam_binding",
        "google_artifact_registry_repository_iam_member",
        "google_artifact_registry_repository_iam_policy",
        "google_bigquery_dataset",
        "google_bigquery_dataset_iam_binding",
        "google_bigquery_dataset_iam_member",
        "google_bigquery_dataset_iam_policy",
        "google_bigquery_table",
        "google_bigquery_table_iam_binding",
        "google_bigquery_table_iam_member",
        "google_bigquery_table_iam_policy",
        "google_cloud_run_service",
        "google_cloud_run_service_iam_binding",
        "google_cloud_run_service_iam_member",
        "google_cloud_run_service_iam_policy",
        "google_cloud_run_v2_service",
        "google_cloud_run_v2_service_iam_binding",
        "google_cloud_run_v2_service_iam_member",
        "google_cloud_run_v2_service_iam_policy",
        "google_cloudfunctions2_function",
        "google_cloudfunctions2_function_iam_binding",
        "google_cloudfunctions2_function_iam_member",
        "google_cloudfunctions2_function_iam_policy",
        "google_cloudfunctions_function",
        "google_cloudfunctions_function_iam_binding",
        "google_cloudfunctions_function_iam_member",
        "google_cloudfunctions_function_iam_policy",
        "google_compute_backend_bucket",
        "google_compute_backend_service",
        "google_compute_firewall",
        "google_compute_firewall_policy",
        "google_compute_firewall_policy_association",
        "google_compute_firewall_policy_rule",
        "google_compute_forwarding_rule",
        "google_compute_global_address",
        "google_compute_global_forwarding_rule",
        "google_compute_instance",
        "google_compute_managed_ssl_certificate",
        "google_compute_network",
        "google_compute_network_endpoint_group",
        "google_compute_region_backend_service",
        "google_compute_region_network_endpoint_group",
        "google_compute_region_security_policy",
        "google_compute_region_target_http_proxy",
        "google_compute_region_target_https_proxy",
        "google_compute_region_url_map",
        "google_compute_route",
        "google_compute_router",
        "google_compute_router_nat",
        "google_compute_security_policy",
        "google_compute_service_attachment",
        "google_compute_ssl_policy",
        "google_compute_subnetwork",
        "google_compute_target_http_proxy",
        "google_compute_target_https_proxy",
        "google_compute_url_map",
        "google_container_cluster",
        "google_container_node_pool",
        "google_folder_iam_binding",
        "google_folder_iam_member",
        "google_folder_iam_policy",
        "google_folder_organization_policy",
        "google_iam_workload_identity_pool",
        "google_iam_workload_identity_pool_provider",
        "google_kms_crypto_key",
        "google_kms_crypto_key_iam_binding",
        "google_kms_crypto_key_iam_member",
        "google_kms_crypto_key_iam_policy",
        "google_kms_key_ring_iam_binding",
        "google_kms_key_ring_iam_member",
        "google_kms_key_ring_iam_policy",
        "google_logging_organization_exclusion",
        "google_logging_organization_sink",
        "google_logging_project_exclusion",
        "google_logging_project_sink",
        "google_network_connectivity_service_connection_policy",
        "google_org_policy_policy",
        "google_organization_iam_binding",
        "google_organization_iam_custom_role",
        "google_organization_iam_member",
        "google_organization_iam_policy",
        "google_organization_policy",
        "google_project_iam_binding",
        "google_project_iam_custom_role",
        "google_project_iam_member",
        "google_project_iam_policy",
        "google_project_organization_policy",
        "google_pubsub_subscription",
        "google_pubsub_subscription_iam_binding",
        "google_pubsub_subscription_iam_member",
        "google_pubsub_subscription_iam_policy",
        "google_pubsub_topic",
        "google_pubsub_topic_iam_binding",
        "google_pubsub_topic_iam_member",
        "google_pubsub_topic_iam_policy",
        "google_scc_organization_settings",
        "google_secret_manager_secret",
        "google_secret_manager_secret_iam_binding",
        "google_secret_manager_secret_iam_member",
        "google_secret_manager_secret_iam_policy",
        "google_service_account",
        "google_service_account_iam_binding",
        "google_service_account_iam_member",
        "google_service_account_iam_policy",
        "google_service_account_key",
        "google_service_networking_connection",
        "google_sql_database_instance",
        "google_storage_bucket",
        "google_storage_bucket_iam_binding",
        "google_storage_bucket_iam_member",
        "google_storage_bucket_iam_policy"
      ],
      "total_input_resources": 23,
      "provider_resource_count": 23,
      "normalized_resource_count": 23,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "google_bigquery_dataset.analytics",
        "provider": "gcp",
        "resource_type": "google_bigquery_dataset",
        "name": "analytics",
        "category": "data",
        "identifier": "projects/tfstride-demo/datasets/tfstride_analytics",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/datasets/tfstride_analytics",
          "project": "tfstride-demo",
          "bigquery_dataset_id": "tfstride_analytics",
          "bigquery_dataset_reference": "projects/tfstride-demo/datasets/tfstride_analytics",
          "labels": {
            "app": "tfstride"
          },
          "delete_contents_on_destroy": false,
          "default_table_expiration_ms": null,
          "description": null,
          "friendly_name": null,
          "location": "US",
          "max_time_travel_hours": null,
          "storage_billing_model": null,
          "customer_managed_encryption": false,
          "storage_encrypted": true,
          "iam_bindings": [
            {
              "role": "roles/bigquery.dataViewer",
              "members": [
                "allUsers",
                "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
              ],
              "source": "google_bigquery_dataset_iam_binding.analytics_viewers"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_bigquery_dataset_iam_binding.analytics_viewers"
          ]
        }
      },
      {
        "address": "google_bigquery_dataset_iam_binding.analytics_viewers",
        "provider": "gcp",
        "resource_type": "google_bigquery_dataset_iam_binding",
        "name": "analytics_viewers",
        "category": "iam",
        "identifier": "google_bigquery_dataset.analytics.dataset_id:roles/bigquery.dataViewer:allUsers,serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
          "iam_role": "roles/bigquery.dataViewer",
          "iam_members": [
            "allUsers",
            "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/bigquery.dataViewer",
              "members": [
                "allUsers",
                "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_bigquery_table.events",
        "provider": "gcp",
        "resource_type": "google_bigquery_table",
        "name": "events",
        "category": "data",
        "identifier": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
          "project": "tfstride-demo",
          "bigquery_dataset_id": "google_bigquery_dataset.analytics.dataset_id",
          "bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
          "bigquery_table_id": "events",
          "bigquery_table_reference": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
          "labels": {},
          "clustering": [],
          "deletion_protection": true,
          "description": null,
          "friendly_name": null,
          "schema": null,
          "time_partitioning": [],
          "view": [],
          "customer_managed_encryption": false,
          "storage_encrypted": true
        }
      },
      {
        "address": "google_compute_firewall.public_app",
        "provider": "gcp",
        "resource_type": "google_compute_firewall",
        "name": "public_app",
        "category": "network",
        "identifier": "tfstride-public-app",
        "arn": null,
        "vpc_id": "google_compute_network.main.name",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 8080,
            "to_port": 8080,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-public-app",
          "project": "tfstride-demo",
          "network": "google_compute_network.main.name",
          "allow": [
            {
              "protocol": "tcp",
              "ports": [
                "8080"
              ]
            }
          ],
          "deny": [],
          "source_ranges": [
            "0.0.0.0/0"
          ],
          "destination_ranges": [],
          "target_tags": [
            "web"
          ],
          "source_tags": [],
          "target_service_accounts": [],
          "source_service_accounts": [],
          "firewall_direction": "ingress",
          "firewall_disabled": false
        }
      },
      {
        "address": "google_compute_firewall.public_ssh",
        "provider": "gcp",
        "resource_type": "google_compute_firewall",
        "name": "public_ssh",
        "category": "network",
        "identifier": "tfstride-public-ssh",
        "arn": null,
        "vpc_id": "google_compute_network.main.name",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 22,
            "to_port": 22,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-public-ssh",
          "project": "tfstride-demo",
          "network": "google_compute_network.main.name",
          "allow": [
            {
              "protocol": "tcp",
              "ports": [
                "22"
              ]
            }
          ],
          "deny": [],
          "source_ranges": [
            "0.0.0.0/0"
          ],
          "destination_ranges": [],
          "target_tags": [
            "web"
          ],
          "source_tags": [],
          "target_service_accounts": [],
          "source_service_accounts": [],
          "firewall_direction": "ingress",
          "firewall_disabled": false
        }
      },
      {
        "address": "google_compute_instance.web",
        "provider": "gcp",
        "resource_type": "google_compute_instance",
        "name": "web",
        "category": "compute",
        "identifier": "tfstride-web",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [
          "google_compute_subnetwork.app.id"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-web",
          "project": "tfstride-demo",
          "zone": "us-central1-a",
          "machine_type": "e2-medium",
          "network_tags": [
            "web"
          ],
          "network_interfaces": [
            {
              "subnetwork": "google_compute_subnetwork.app.id",
              "access_config": [
                {
                  "nat_ip": "35.1.2.3"
                }
              ]
            }
          ],
          "service_accounts": [
            {
              "email": "tfstride-web@example.iam.gserviceaccount.com",
              "scopes": [
                "cloud-platform"
              ]
            }
          ],
          "labels": {},
          "metadata": {
            "enable-oslogin": "false"
          },
          "can_ip_forward": false,
          "os_login_enabled": false,
          "public_access_reasons": [
            "compute instance has an external access config"
          ],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "has_public_route": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0",
            "google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0"
          ],
          "internet_ingress_firewalls": [
            "google_compute_firewall.public_ssh",
            "google_compute_firewall.public_app"
          ],
          "direct_internet_reachable": true,
          "public_exposure_reasons": [
            "compute instance has an external access config and matching firewall rules allow internet ingress"
          ]
        }
      },
      {
        "address": "google_compute_network.main",
        "provider": "gcp",
        "resource_type": "google_compute_network",
        "name": "main",
        "category": "network",
        "identifier": "tfstride-main",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-main",
          "project": "tfstride-demo",
          "auto_create_subnetworks": false,
          "routing_mode": "REGIONAL",
          "description": null
        }
      },
      {
        "address": "google_compute_route.default_internet",
        "provider": "gcp",
        "resource_type": "google_compute_route",
        "name": "default_internet",
        "category": "network",
        "identifier": "tfstride-default-internet",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-default-internet",
          "project": "tfstride-demo",
          "network": "google_compute_network.main.id",
          "route_dest_range": "0.0.0.0/0",
          "route_next_hop_gateway": "default-internet-gateway",
          "route_tags": [
            "web"
          ],
          "route_priority": 1000,
          "description": null
        }
      },
      {
        "address": "google_compute_subnetwork.app",
        "provider": "gcp",
        "resource_type": "google_compute_subnetwork",
        "name": "app",
        "category": "network",
        "identifier": "tfstride-app",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-app",
          "project": "tfstride-demo",
          "region": "us-central1",
          "network": "google_compute_network.main.id",
          "cidr_range": "10.10.1.0/24",
          "private_ip_google_access": true,
          "purpose": null,
          "stack_type": null,
          "secondary_ip_ranges": [],
          "subnetwork_flow_log_state": "not_configured",
          "subnetwork_flow_log_config": {},
          "subnetwork_flow_log_metadata_fields": [],
          "network_telemetry_posture_uncertainties": [],
          "has_public_route": false,
          "is_public_subnet": false,
          "has_nat_gateway_egress": false
        }
      },
      {
        "address": "google_kms_crypto_key.customer",
        "provider": "gcp",
        "resource_type": "google_kms_crypto_key",
        "name": "customer",
        "category": "data",
        "identifier": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-customer-key",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-customer-key",
          "project": "tfstride-demo",
          "kms_crypto_key_reference": "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-customer-key",
          "kms_key_ring": "projects/tfstride-demo/locations/global/keyRings/tfstride-app",
          "kms_purpose": "ENCRYPT_DECRYPT",
          "kms_rotation_period": "7776000s",
          "kms_posture_uncertainties": [],
          "labels": {
            "app": "tfstride"
          },
          "import_only": false,
          "skip_initial_version_creation": false,
          "storage_encrypted": true,
          "iam_bindings": [
            {
              "role": "roles/cloudkms.cryptoKeyDecrypter",
              "members": [
                "serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
              ],
              "source": "google_kms_crypto_key_iam_member.partner_decrypter"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_kms_crypto_key_iam_member.partner_decrypter"
          ]
        }
      },
      {
        "address": "google_kms_crypto_key_iam_member.partner_decrypter",
        "provider": "gcp",
        "resource_type": "google_kms_crypto_key_iam_member",
        "name": "partner_decrypter",
        "category": "iam",
        "identifier": "google_kms_crypto_key.customer.id:roles/cloudkms.cryptoKeyDecrypter:serviceAccount:decryptor@partner-project.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "kms_crypto_key_reference": "google_kms_crypto_key.customer.id",
          "iam_role": "roles/cloudkms.cryptoKeyDecrypter",
          "iam_member": "serviceAccount:decryptor@partner-project.iam.gserviceaccount.com",
          "iam_members": [
            "serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/cloudkms.cryptoKeyDecrypter",
              "members": [
                "serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_logging_project_sink.processor",
        "provider": "gcp",
        "resource_type": "google_logging_project_sink",
        "name": "processor",
        "category": "iam",
        "identifier": "processor-logs",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "project": "tfstride-demo",
          "name": "processor-logs",
          "logging_sink_name": "processor-logs",
          "logging_sink_destination": "storage.googleapis.com/tfstride-logs",
          "logging_sink_scope_type": "project",
          "logging_sink_scope": "tfstride-demo",
          "audit_security_posture_uncertainties": []
        }
      },
      {
        "address": "google_project_iam_member.web_viewer",
        "provider": "gcp",
        "resource_type": "google_project_iam_member",
        "name": "web_viewer",
        "category": "iam",
        "identifier": "roles/viewer:serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "project": "tfstride-demo",
          "iam_role": "roles/viewer",
          "iam_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
          "iam_members": [
            "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/viewer",
              "members": [
                "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_pubsub_subscription.events",
        "provider": "gcp",
        "resource_type": "google_pubsub_subscription",
        "name": "events",
        "category": "data",
        "identifier": "tfstride-events-sub",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-events-sub",
          "project": "tfstride-demo",
          "pubsub_subscription_reference": "tfstride-events-sub",
          "pubsub_topic_reference": "google_pubsub_topic.events.id",
          "labels": {},
          "pubsub_subscription_ack_deadline_seconds": 20,
          "pubsub_subscription_dead_letter_policy": [],
          "pubsub_subscription_dead_letter_policy_state": "not_configured",
          "pubsub_subscription_expiration_policy": [],
          "pubsub_subscription_message_retention_state": "not_configured",
          "pubsub_subscription_push_config": [],
          "pubsub_subscription_retain_acked_messages": false,
          "pubsub_subscription_retry_policy": [],
          "pubsub_posture_uncertainties": [],
          "storage_encrypted": true
        }
      },
      {
        "address": "google_pubsub_topic.events",
        "provider": "gcp",
        "resource_type": "google_pubsub_topic",
        "name": "events",
        "category": "data",
        "identifier": "tfstride-events",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-events",
          "project": "tfstride-demo",
          "pubsub_topic_reference": "tfstride-events",
          "labels": {
            "app": "tfstride"
          },
          "pubsub_topic_cmek_state": "not_configured",
          "pubsub_topic_message_retention_state": "not_configured",
          "pubsub_topic_message_storage_policy": [],
          "pubsub_topic_schema_settings": [],
          "pubsub_posture_uncertainties": [],
          "customer_managed_encryption": false,
          "storage_encrypted": true,
          "iam_bindings": [
            {
              "role": "roles/pubsub.publisher",
              "members": [
                "allAuthenticatedUsers"
              ],
              "source": "google_pubsub_topic_iam_member.public_publisher"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_pubsub_topic_iam_member.public_publisher"
          ]
        }
      },
      {
        "address": "google_pubsub_topic_iam_member.public_publisher",
        "provider": "gcp",
        "resource_type": "google_pubsub_topic_iam_member",
        "name": "public_publisher",
        "category": "iam",
        "identifier": "google_pubsub_topic.events.name:roles/pubsub.publisher:allAuthenticatedUsers",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "pubsub_topic_reference": "google_pubsub_topic.events.name",
          "iam_role": "roles/pubsub.publisher",
          "iam_member": "allAuthenticatedUsers",
          "iam_members": [
            "allAuthenticatedUsers"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/pubsub.publisher",
              "members": [
                "allAuthenticatedUsers"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_secret_manager_secret.api_key",
        "provider": "gcp",
        "resource_type": "google_secret_manager_secret",
        "name": "api_key",
        "category": "data",
        "identifier": "projects/tfstride-demo/secrets/tfstride-api-key",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/secrets/tfstride-api-key",
          "secret_id": "tfstride-api-key",
          "project": "tfstride-demo",
          "labels": {
            "app": "tfstride"
          },
          "secret_manager_replication_mode": "automatic",
          "secret_manager_kms_key_names": [],
          "secret_manager_replication": {
            "mode": "automatic"
          },
          "secret_manager_posture_uncertainties": [],
          "annotations": {},
          "topics": [],
          "customer_managed_encryption": false,
          "storage_encrypted": true,
          "iam_bindings": [
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "allAuthenticatedUsers"
              ],
              "source": "google_secret_manager_secret_iam_member.public_accessor"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_secret_manager_secret_iam_member.public_accessor"
          ]
        }
      },
      {
        "address": "google_secret_manager_secret_iam_member.public_accessor",
        "provider": "gcp",
        "resource_type": "google_secret_manager_secret_iam_member",
        "name": "public_accessor",
        "category": "iam",
        "identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:allAuthenticatedUsers",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "secret_reference": "google_secret_manager_secret.api_key.id",
          "project": "tfstride-demo",
          "iam_role": "roles/secretmanager.secretAccessor",
          "iam_member": "allAuthenticatedUsers",
          "iam_members": [
            "allAuthenticatedUsers"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "allAuthenticatedUsers"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_service_account.web",
        "provider": "gcp",
        "resource_type": "google_service_account",
        "name": "web",
        "category": "iam",
        "identifier": "tfstride-web@example.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com",
          "project": "tfstride-demo",
          "service_account_account_id": "tfstride-web",
          "service_account_email": "tfstride-web@example.iam.gserviceaccount.com",
          "service_account_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
          "service_account_unique_id": "100000000000000000001",
          "service_account_disabled": false,
          "display_name": "tfSTRIDE web workload",
          "description": "Service account used by the sample web workload."
        }
      },
      {
        "address": "google_service_account_key.web",
        "provider": "gcp",
        "resource_type": "google_service_account_key",
        "name": "web",
        "category": "iam",
        "identifier": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com/keys/sample-key",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com/keys/sample-key",
          "service_account_id": "google_service_account.web.email",
          "service_account_reference": "google_service_account.web.email",
          "service_account_key_algorithm": "KEY_ALG_RSA_2048",
          "service_account_public_key_type": "TYPE_X509_PEM_FILE",
          "valid_after": "2026-01-01T00:00:00Z",
          "valid_before": "2027-01-01T00:00:00Z",
          "keepers": {}
        }
      },
      {
        "address": "google_sql_database_instance.app",
        "provider": "gcp",
        "resource_type": "google_sql_database_instance",
        "name": "app",
        "category": "data",
        "identifier": "tfstride-app-db",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-app-db",
          "project": "tfstride-demo",
          "region": "us-central1",
          "database_version": "POSTGRES_15",
          "availability_type": "ZONAL",
          "cloud_sql_query_insights_state": "not_configured",
          "cloud_sql_insights_config": {},
          "cloud_sql_deletion_protection_state": "unknown",
          "cloud_sql_posture_uncertainties": [],
          "cloud_sql_ipv4_enabled": true,
          "cloud_sql_backup_enabled": false,
          "cloud_sql_point_in_time_recovery_enabled": false,
          "cloud_sql_require_ssl": false,
          "cloud_sql_authorized_networks": [
            {
              "name": "anywhere",
              "value": "0.0.0.0/0"
            }
          ],
          "cloud_sql_backup_configuration": {
            "enabled": false,
            "point_in_time_recovery_enabled": false
          },
          "cloud_sql_ip_configuration": {
            "ipv4_enabled": true,
            "require_ssl": false,
            "authorized_networks": [
              {
                "name": "anywhere",
                "value": "0.0.0.0/0"
              }
            ]
          },
          "deletion_protection": false,
          "labels": {},
          "tier": "db-f1-micro",
          "disk_type": "PD_SSD",
          "disk_size": 20,
          "public_access_reasons": [
            "Cloud SQL public IPv4 access is enabled"
          ],
          "direct_internet_reachable": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "authorized network `anywhere` allows 0.0.0.0/0"
          ],
          "public_exposure_reasons": [
            "authorized network `anywhere` allows 0.0.0.0/0"
          ],
          "publicly_accessible": true,
          "storage_encrypted": true
        }
      },
      {
        "address": "google_storage_bucket.logs",
        "provider": "gcp",
        "resource_type": "google_storage_bucket",
        "name": "logs",
        "category": "data",
        "identifier": "tfstride-logs",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-logs",
          "bucket": "tfstride-logs",
          "project": "tfstride-demo",
          "labels": {},
          "uniform_bucket_level_access": true,
          "gcs_versioning_enabled": false,
          "gcs_versioning_configuration": {},
          "gcs_encryption_configuration": {},
          "gcs_retention_policy_configuration": {},
          "gcs_retention_policy_uncertainties": [],
          "location": "US",
          "storage_class": null,
          "force_destroy": false,
          "customer_managed_encryption": false,
          "storage_encrypted": true,
          "public_access_reasons": [
            "google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
          ],
          "direct_internet_reachable": true,
          "public_exposure_reasons": [
            "google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
          ],
          "iam_bindings": [
            {
              "role": "roles/storage.objectViewer",
              "members": [
                "allUsers"
              ],
              "source": "google_storage_bucket_iam_member.public_logs_reader"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_storage_bucket_iam_member.public_logs_reader"
          ]
        }
      },
      {
        "address": "google_storage_bucket_iam_member.public_logs_reader",
        "provider": "gcp",
        "resource_type": "google_storage_bucket_iam_member",
        "name": "public_logs_reader",
        "category": "iam",
        "identifier": "google_storage_bucket.logs.name:roles/storage.objectViewer:allUsers",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "bucket": "google_storage_bucket.logs.name",
          "iam_role": "roles/storage.objectViewer",
          "iam_member": "allUsers",
          "iam_members": [
            "allUsers"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/storage.objectViewer",
              "members": [
                "allUsers"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "internet-to-service:internet->google_compute_instance.web",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_compute_instance.web",
      "description": "Traffic can cross from the public internet to google_compute_instance.web.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "internet-to-service:internet->google_sql_database_instance.app",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_sql_database_instance.app",
      "description": "Traffic can cross from the public internet to google_sql_database_instance.app.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "internet-to-service:internet->google_storage_bucket.logs",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_storage_bucket.logs",
      "description": "Traffic can cross from the public internet to google_storage_bucket.logs.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics",
      "boundary_type": "workload-to-data-store",
      "source": "google_compute_instance.web",
      "target": "google_bigquery_dataset.analytics",
      "description": "google_compute_instance.web can interact with google_bigquery_dataset.analytics.",
      "rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:8c74c28ba2223af9fe27d104c317aad0cf77b75e2f1ffe4b32615981e1a3786a",
      "title": "BigQuery IAM binding allows public or broad data access",
      "rule_id": "gcp-bigquery-public-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_bigquery_dataset.analytics",
        "google_bigquery_dataset_iam_binding.analytics_viewers"
      ],
      "trust_boundary_id": null,
      "rationale": "google_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.",
      "recommended_mitigation": "Grant BigQuery dataset and table access only to specific in-project identities or reviewed analytics groups, remove public principals, and prefer least-privilege data roles.",
      "evidence": [
        {
          "key": "iam_binding",
          "values": [
            "source=google_bigquery_dataset_iam_binding.analytics_viewers",
            "role=roles/bigquery.dataViewer",
            "member=allUsers"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "member is public GCP principal `allUsers`"
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_bigquery_dataset_iam_binding.analytics_viewers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 2,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 9,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:ea244fab8b597f86d6033e9dd1a7a85fcd2582156da247f7cf41dc56ce1996aa",
      "title": "Cloud SQL instance accepts public authorized network access",
      "rule_id": "gcp-cloud-sql-public-authorized-network",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
      "rationale": "google_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.",
      "recommended_mitigation": "Disable public IPv4 access where possible, use private IP connectivity or the Cloud SQL Auth Proxy, and restrict authorized networks to narrow CIDRs when public client access is required.",
      "evidence": [
        {
          "key": "authorized_networks",
          "values": [
            "anywhere (0.0.0.0/0)"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "authorized network `anywhere` allows 0.0.0.0/0"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 6,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:28fb6117ee37f719c61424c06d297ce2a6a8c7a5a39fbbf562f344dd08716986",
      "title": "GCP service account key can exercise sensitive or privileged access",
      "rule_id": "gcp-service-account-key-effective-access",
      "category": "Elevation of Privilege",
      "severity": "high",
      "affected_resources": [
        "google_service_account.web",
        "google_service_account_key.web",
        "google_bigquery_dataset.analytics",
        "google_bigquery_dataset_iam_binding.analytics_viewers"
      ],
      "trust_boundary_id": null,
      "rationale": "google_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.",
      "recommended_mitigation": "Remove sensitive data and high-impact IAM grants from service accounts that still have user-managed keys, replace keys with workload identity or service-account impersonation, and revoke or rotate existing keys after privilege reduction.",
      "evidence": [
        {
          "key": "key_context",
          "values": [
            "source=google_service_account_key.web",
            "service_account_reference=google_service_account.web.email",
            "resolved_service_account=google_service_account.web"
          ]
        },
        {
          "key": "service_account_principals",
          "values": [
            "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
            "tfstride-web@example.iam.gserviceaccount.com"
          ]
        },
        {
          "key": "effective_access",
          "values": [
            "resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 6,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:ef139b4e20dc1f10522b417424c5b7cc88a9063aee35b5f0b643f0329233c326",
      "title": "Internet-exposed GCP workload can access sensitive data services",
      "rule_id": "gcp-public-workload-sensitive-data-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_compute_instance.web",
        "google_bigquery_dataset.analytics",
        "google_bigquery_dataset_iam_binding.analytics_viewers"
      ],
      "trust_boundary_id": "workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics",
      "rationale": "google_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
      "recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
      "evidence": [
        {
          "key": "public_exposure_reasons",
          "values": [
            "compute instance has an external access config and matching firewall rules allow internet ingress"
          ]
        },
        {
          "key": "workload_identity",
          "values": [
            "serviceAccount:tfstride-web@example.iam.gserviceaccount.com"
          ]
        },
        {
          "key": "workload_identity_scopes",
          "values": [
            "cloud-platform"
          ]
        },
        {
          "key": "data_access_path",
          "values": [
            "google_compute_instance.web reaches google_bigquery_dataset.analytics"
          ]
        },
        {
          "key": "boundary_rationale",
          "values": [
            "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com."
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_bigquery_dataset_iam_binding.analytics_viewers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 7,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:86d087ae3581ec714df99490d6c8eea1073e5a3ff78d5d4b9c8cf877533e3448",
      "title": "Pub/Sub IAM binding allows public or broad data access",
      "rule_id": "gcp-pubsub-public-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_pubsub_topic.events",
        "google_pubsub_topic_iam_member.public_publisher"
      ],
      "trust_boundary_id": null,
      "rationale": "google_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.",
      "recommended_mitigation": "Grant Pub/Sub publisher and subscriber roles only to specific service accounts or groups, remove public principals, and separate publish and consume permissions by workload.",
      "evidence": [
        {
          "key": "iam_binding",
          "values": [
            "source=google_pubsub_topic_iam_member.public_publisher",
            "role=roles/pubsub.publisher",
            "member=allAuthenticatedUsers"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "member is public GCP principal `allAuthenticatedUsers`"
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_pubsub_topic_iam_member.public_publisher"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 2,
        "data_sensitivity": 1,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 7,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:dcda21548d88813aa36e2cf734e63769e0d32d5bcc6bb38b1f39ca442702b607",
      "title": "Sensitive GCP resource IAM binding allows broad or external access",
      "rule_id": "gcp-sensitive-resource-iam-external-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_secret_manager_secret.api_key",
        "google_secret_manager_secret_iam_member.public_accessor"
      ],
      "trust_boundary_id": null,
      "rationale": "google_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.",
      "recommended_mitigation": "Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.",
      "evidence": [
        {
          "key": "iam_binding",
          "values": [
            "source=google_secret_manager_secret_iam_member.public_accessor",
            "role=roles/secretmanager.secretAccessor",
            "member=allAuthenticatedUsers"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "member is public GCP principal `allAuthenticatedUsers`"
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_secret_manager_secret_iam_member.public_accessor"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 2,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 9,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:732031ebf10c1377662fe780b23c0062f4bd35fca0ff1594e027473c04ad58b3",
      "title": "Cloud SQL automated backups are disabled",
      "rule_id": "gcp-cloud-sql-backup-disabled",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.",
      "recommended_mitigation": "Enable automated backups for Cloud SQL instances, configure retention appropriate to the workload, and enable point-in-time recovery where supported.",
      "evidence": [
        {
          "key": "backup_posture",
          "values": [
            "backup_configuration.enabled is false",
            "point_in_time_recovery_enabled is false",
            "engine is POSTGRES_15"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:45d6257e521b0a506b22d24effc4ea056c44258268d8daf7718eb88fa7d08ee0",
      "title": "Cloud SQL deletion protection is disabled",
      "rule_id": "gcp-cloud-sql-deletion-protection-disabled",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.",
      "recommended_mitigation": "Enable Cloud SQL deletion protection for persistent environments and require explicit review before disabling it during planned database retirement.",
      "evidence": [
        {
          "key": "lifecycle_posture",
          "values": [
            "deletion_protection is false"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:a9a311adbcdee8161de2e4e8e8247dee5c199db0555e662a89c4626bb18a2a24",
      "title": "Cloud SQL instance uses zonal availability",
      "rule_id": "gcp-cloud-sql-zonal-availability",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.",
      "recommended_mitigation": "Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.",
      "evidence": [
        {
          "key": "availability_posture",
          "values": [
            "availability_type=ZONAL",
            "engine=POSTGRES_15"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:6d18157ff1cecde179c5827e348e0ea19bcb17e4fb3d3ecf1a2394d940215cb6",
      "title": "Cloud SQL public IPv4 is enabled without private network access",
      "rule_id": "gcp-cloud-sql-public-ip-without-private-network",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
      "rationale": "google_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.",
      "recommended_mitigation": "Disable public IPv4 where possible, attach the instance to a private network, and route clients through private IP, the Cloud SQL Auth Proxy, or tightly controlled connectivity paths.",
      "evidence": [
        {
          "key": "network_posture",
          "values": [
            "ipv4_enabled is true",
            "private_network is unset",
            "authorized_networks configured: 1"
          ]
        },
        {
          "key": "public_access_reasons",
          "values": [
            "Cloud SQL public IPv4 access is enabled"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 0,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:2f9a3d374af8b51e6e3aa80ad9da2145f6f078927c72b74c19ab52f0d3266d8c",
      "title": "Cloud SQL public client access does not require SSL",
      "rule_id": "gcp-cloud-sql-ssl-not-required",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_sql_database_instance.app",
      "rationale": "google_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.",
      "recommended_mitigation": "Require encrypted Cloud SQL client connections with `require_ssl` or an enforcing `ssl_mode`, and prefer private IP or the Cloud SQL Auth Proxy for application connectivity.",
      "evidence": [
        {
          "key": "ssl_posture",
          "values": [
            "require_ssl is false",
            "ssl_mode is unset",
            "ipv4_enabled is true"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 0,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:cf045d82abf9eb22d59cbc03ddb4d9f079c49d771b3e395bf64dc215946993d6",
      "title": "GCP compute instance disables OS Login",
      "rule_id": "gcp-compute-os-login-disabled",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "google_compute_instance.web"
      ],
      "trust_boundary_id": null,
      "rationale": "google_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.",
      "recommended_mitigation": "Enable OS Login on GCE instances and manage SSH access through IAM roles, two-factor enforcement, and centralized audit logs instead of metadata SSH keys.",
      "evidence": [
        {
          "key": "os_login_posture",
          "values": [
            "metadata.enable-oslogin is false"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "compute instance has an external access config and matching firewall rules allow internet ingress"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:556a241d54f7b6b0865f194d59c860efffbac01aaad254d687d6f439632fca8f",
      "title": "GCP service account user-managed key lacks rotation hygiene",
      "rule_id": "gcp-service-account-key-hygiene",
      "category": "Spoofing",
      "severity": "medium",
      "affected_resources": [
        "google_service_account.web",
        "google_service_account_key.web"
      ],
      "trust_boundary_id": null,
      "rationale": "google_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.",
      "recommended_mitigation": "Avoid user-managed service account keys where Workload Identity Federation, workload identity, or service-account impersonation can be used; when keys are unavoidable, keep lifetimes short, configure explicit rotation triggers, and store private material outside Terraform state.",
      "evidence": [
        {
          "key": "key_context",
          "values": [
            "source=google_service_account_key.web",
            "service_account_reference=google_service_account.web.email",
            "key_algorithm=KEY_ALG_RSA_2048",
            "public_key_type=TYPE_X509_PEM_FILE"
          ]
        },
        {
          "key": "key_risk",
          "values": [
            "Terraform manages a user-created service-account key",
            "validity window is 365 days and exceeds 180-day threshold",
            "no Terraform keepers rotation trigger observed"
          ]
        },
        {
          "key": "validity_window",
          "values": [
            "valid_after=2026-01-01T00:00:00Z",
            "valid_before=2027-01-01T00:00:00Z",
            "validity_days=365"
          ]
        },
        {
          "key": "rotation_control",
          "values": [
            "no Terraform keepers rotation trigger observed"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
      "title": "GCP subnetwork Flow Logs are not configured",
      "rule_id": "gcp-subnetwork-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "google_compute_subnetwork.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
      "recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
      "evidence": [
        {
          "key": "subnetwork_flow_log_posture",
          "values": [
            "address=google_compute_subnetwork.app",
            "type=google_compute_subnetwork",
            "name=app",
            "identifier=tfstride-app",
            "flow_log_state=not_configured",
            "network=google_compute_network.main.id",
            "project=tfstride-demo"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:7f9b36a6593edd523470255de4c3c4dd97f9b9004e2fe64bc257be0bb37d1453",
      "title": "GCS bucket does not enforce Public Access Prevention",
      "rule_id": "gcp-gcs-public-access-prevention-not-enforced",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_storage_bucket.logs",
      "rationale": "google_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.",
      "recommended_mitigation": "Set GCS Public Access Prevention to `enforced` on sensitive buckets and rely on explicit non-public identities or signed access patterns when objects must be shared.",
      "evidence": [
        {
          "key": "access_control_posture",
          "values": [
            "public_access_prevention is unset"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:c40cdeca64a1e9283e86c379c3ef9e8a37ce2983381579cf7ab47eab05f62be9",
      "title": "GCS bucket is publicly accessible",
      "rule_id": "gcp-gcs-public-access",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_storage_bucket.logs",
      "rationale": "google_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.",
      "recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from bucket-level IAM grants, enforce GCS Public Access Prevention, and use signed URLs, CDN origins, or narrow identities when objects must be distributed.",
      "evidence": [
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:90b26f239387e86c12b711ddfccfd9c03f230b8db90b6d4f559178f63d5412d2",
      "title": "GCS sensitive bucket does not use customer-managed encryption",
      "rule_id": "gcp-gcs-customer-managed-encryption-missing",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": null,
      "rationale": "google_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.",
      "recommended_mitigation": "Configure a Cloud KMS customer-managed key for sensitive GCS buckets, assign the GCS service agent only the key roles it needs, and manage key rotation separately from bucket IAM.",
      "evidence": [
        {
          "key": "encryption_posture",
          "values": [
            "default_kms_key_name is unset",
            "customer_managed_encryption is false"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:9a500cc3c8625c002b61bcdc1c12c2f93348dd2ad1f9371641b6c77d6f104942",
      "title": "GCS sensitive bucket retention policy is insufficient",
      "rule_id": "gcp-gcs-retention-policy-insufficient",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": null,
      "rationale": "google_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.",
      "recommended_mitigation": "Configure a GCS retention policy that meets recovery and compliance objectives, and lock the retention policy after operational validation. Treat retention lock as immutability posture, not as a replacement for object versioning or soft-delete recovery.",
      "evidence": [
        {
          "key": "retention_policy_issues",
          "values": [
            "retention_policy is missing"
          ]
        },
        {
          "key": "retention_policy_posture",
          "values": [
            "retention_policy.retention_period_state=missing",
            "minimum_retention_period_days=7",
            "minimum_retention_period_seconds=604800",
            "retention_policy.is_locked is unset"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:b581f92581ebad73170a679021871c1cdbef137bf69e170c5f0c4085af7665bc",
      "title": "GCS sensitive bucket versioning is disabled",
      "rule_id": "gcp-gcs-versioning-disabled",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": null,
      "rationale": "google_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.",
      "recommended_mitigation": "Enable bucket versioning for sensitive GCS buckets and pair it with lifecycle retention rules that match recovery objectives and storage cost constraints.",
      "evidence": [
        {
          "key": "data_protection_posture",
          "values": [
            "versioning.enabled is false",
            "data_sensitivity is sensitive"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:f9ce9a2599d6177745d490154cf7dcc976cbf65e1b8e57c39171912f767c2e66",
      "title": "Inherited GCP IAM grant expands descendant blast radius",
      "rule_id": "gcp-inherited-iam-blast-radius",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "google_project_iam_member.web_viewer",
        "google_bigquery_dataset.analytics",
        "google_bigquery_table.events",
        "google_compute_firewall.public_app",
        "google_compute_firewall.public_ssh",
        "google_compute_instance.web",
        "google_compute_network.main",
        "google_compute_route.default_internet",
        "google_compute_subnetwork.app",
        "google_kms_crypto_key.customer",
        "google_logging_project_sink.processor",
        "google_pubsub_subscription.events",
        "google_pubsub_topic.events",
        "google_secret_manager_secret.api_key",
        "google_service_account.web",
        "google_service_account_key.web",
        "google_sql_database_instance.app",
        "google_storage_bucket.logs"
      ],
      "trust_boundary_id": null,
      "rationale": "google_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.",
      "recommended_mitigation": "Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.",
      "evidence": [
        {
          "key": "iam_binding",
          "values": [
            "source=google_project_iam_member.web_viewer",
            "scope=project:tfstride-demo",
            "member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
            "role=roles/viewer"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "service account belongs to project `example`, outside resource project `tfstride-demo`"
          ]
        },
        {
          "key": "descendant_scope",
          "values": [
            "scope=project:tfstride-demo",
            "descendant_count=17",
            "resource_type_count=16",
            "projects=tfstride-demo"
          ]
        },
        {
          "key": "descendant_resource_types",
          "values": [
            "google_bigquery_dataset: 1",
            "google_bigquery_table: 1",
            "google_compute_firewall: 2",
            "google_compute_instance: 1",
            "google_compute_network: 1",
            "google_compute_route: 1",
            "google_compute_subnetwork: 1",
            "google_kms_crypto_key: 1",
            "google_logging_project_sink: 1",
            "google_pubsub_subscription: 1",
            "google_pubsub_topic: 1",
            "google_secret_manager_secret: 1",
            "google_service_account: 1",
            "google_service_account_key: 1",
            "google_sql_database_instance: 1",
            "google_storage_bucket: 1"
          ]
        },
        {
          "key": "descendant_resources",
          "values": [
            "google_bigquery_dataset.analytics",
            "google_bigquery_table.events",
            "google_compute_firewall.public_app",
            "google_compute_firewall.public_ssh",
            "google_compute_instance.web",
            "google_compute_network.main",
            "google_compute_route.default_internet",
            "google_compute_subnetwork.app",
            "google_kms_crypto_key.customer",
            "google_logging_project_sink.processor",
            "and 7 more descendant resources"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:2baea47d0ebc1d51fb6d07282f63d7a6b6594aa953b0c00989a28723377c6771",
      "title": "Internet-exposed GCP compute instance permits broad ingress",
      "rule_id": "gcp-public-compute-broad-ingress",
      "category": "Spoofing",
      "severity": "medium",
      "affected_resources": [
        "google_compute_instance.web",
        "google_compute_firewall.public_ssh"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_compute_instance.web",
      "rationale": "google_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.",
      "recommended_mitigation": "Restrict GCP firewall source ranges and exposed ports, remove external IP access where possible, and use Identity-Aware Proxy, VPN, or a controlled bastion for administration.",
      "evidence": [
        {
          "key": "firewall_rules",
          "values": [
            "google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0"
          ]
        },
        {
          "key": "network_tags",
          "values": [
            "web"
          ]
        },
        {
          "key": "internet_ingress_reasons",
          "values": [
            "google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0",
            "google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "compute instance has an external access config and matching firewall rules allow internet ingress"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:9cffb8d448336f1a502e2dc72413c93d27369f9794c560a2742552b8602992b6",
      "title": "Pub/Sub subscription does not configure a dead-letter policy",
      "rule_id": "gcp-pubsub-subscription-dead-letter-policy-missing",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_pubsub_subscription.events"
      ],
      "trust_boundary_id": null,
      "rationale": "google_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.",
      "recommended_mitigation": "Configure a reviewed Pub/Sub dead-letter topic and delivery-attempt threshold for subscriptions where poison messages or repeated delivery failures could disrupt processing.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=google_pubsub_subscription.events",
            "resource_type=google_pubsub_subscription"
          ]
        },
        {
          "key": "dead_letter_posture",
          "values": [
            "dead_letter_policy_state=not_configured",
            "dead_letter_topic=unset"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:87622623c501ede23c62e92e63616b8e9fe19bc701d031de917f19757d61bcc9",
      "title": "Pub/Sub topic does not use customer-managed encryption",
      "rule_id": "gcp-pubsub-topic-customer-managed-encryption-missing",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_pubsub_topic.events"
      ],
      "trust_boundary_id": null,
      "rationale": "google_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.",
      "recommended_mitigation": "Configure a customer-managed Cloud KMS key for sensitive Pub/Sub topics where key ownership, rotation, audit separation, or compliance requirements warrant it.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=google_pubsub_topic.events",
            "resource_type=google_pubsub_topic"
          ]
        },
        {
          "key": "encryption_ownership",
          "values": [
            "cmek_state=not_configured",
            "kms_key_name=unset"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:2cb0283d7cd0a3c2bcd90a345b80a5779aea5392cfd8535aff986da5d44d0a10",
      "title": "Secret Manager lifecycle posture is incomplete",
      "rule_id": "gcp-secret-manager-lifecycle-posture-incomplete",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_secret_manager_secret.api_key"
      ],
      "trust_boundary_id": null,
      "rationale": "google_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.",
      "recommended_mitigation": "Configure Secret Manager `ttl` or `expire_time` where secret-level expiry is expected, and set `version_destroy_ttl` to a retention window that gives operators enough time to recover from accidental or malicious secret version destruction.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=google_secret_manager_secret.api_key",
            "type=google_secret_manager_secret",
            "identifier=projects/tfstride-demo/secrets/tfstride-api-key"
          ]
        },
        {
          "key": "lifecycle_issues",
          "values": [
            "secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail",
            "version_destroy_ttl is missing"
          ]
        },
        {
          "key": "lifecycle_posture",
          "values": [
            "ttl=unset",
            "expire_time=unset",
            "version_destroy_ttl=unset",
            "minimum_version_destroy_ttl_days=7",
            "minimum_version_destroy_ttl_seconds=604800"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:b3893099e06aad5adc9f9094188a13dc66675541dedccfd9636175998fb0ff8a",
      "title": "Secret Manager secret does not use customer-managed encryption",
      "rule_id": "gcp-secret-manager-customer-managed-encryption-missing",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_secret_manager_secret.api_key"
      ],
      "trust_boundary_id": null,
      "rationale": "google_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.",
      "recommended_mitigation": "Configure Secret Manager replication with Cloud KMS customer-managed encryption for secrets that require customer key ownership, independent rotation, audit separation, or compliance controls.",
      "evidence": [
        {
          "key": "target_resource",
          "values": [
            "address=google_secret_manager_secret.api_key",
            "type=google_secret_manager_secret",
            "identifier=projects/tfstride-demo/secrets/tfstride-api-key"
          ]
        },
        {
          "key": "encryption_ownership",
          "values": [
            "customer_managed_encryption is false",
            "secret_manager_replication_mode=automatic",
            "secret_manager_kms_key_names is empty"
          ]
        },
        {
          "key": "replication_posture",
          "values": [
            "replication.mode=automatic"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:408c558dd93f32bfca75eea24d9787a2feaab97ff26e4a869e7984cda37b5bd3",
      "title": "Sensitive GCP resource IAM binding allows broad or external access",
      "rule_id": "gcp-sensitive-resource-iam-external-access",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "google_kms_crypto_key.customer",
        "google_kms_crypto_key_iam_member.partner_decrypter"
      ],
      "trust_boundary_id": null,
      "rationale": "google_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.",
      "recommended_mitigation": "Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.",
      "evidence": [
        {
          "key": "iam_binding",
          "values": [
            "source=google_kms_crypto_key_iam_member.partner_decrypter",
            "role=roles/cloudkms.cryptoKeyDecrypter",
            "member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "service account belongs to project `partner-project`, outside resource project `tfstride-demo`"
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_kms_crypto_key_iam_member.partner_decrypter"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# GCP Inventory Demo

- Analyzed file: `sample_gcp_plan.json`
- Provider: `gcp`
- Normalized resources: `23`
- Unsupported resources: `0`

## Summary

This run identified **4 trust boundaries** and **26 findings** across **23 normalized resources**.

- High severity findings: `6`
- Medium severity findings: `20`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `23`
- Provider resources considered: `23`
- Normalized resources: `23`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `gcp-sensitive-resource-iam-external-access`: `2`
  - `gcp-pubsub-public-access`: `1`
  - `gcp-pubsub-topic-customer-managed-encryption-missing`: `1`
  - `gcp-pubsub-subscription-dead-letter-policy-missing`: `1`
  - `gcp-bigquery-public-access`: `1`
  - `gcp-cloud-sql-public-authorized-network`: `1`
  - `gcp-cloud-sql-backup-disabled`: `1`
  - `gcp-cloud-sql-public-ip-without-private-network`: `1`
  - `gcp-cloud-sql-ssl-not-required`: `1`
  - `gcp-cloud-sql-deletion-protection-disabled`: `1`
  - `gcp-cloud-sql-zonal-availability`: `1`
  - `gcp-gcs-public-access`: `1`
  - `gcp-gcs-public-access-prevention-not-enforced`: `1`
  - `gcp-gcs-versioning-disabled`: `1`
  - `gcp-gcs-customer-managed-encryption-missing`: `1`
  - `gcp-gcs-retention-policy-insufficient`: `1`
  - `gcp-secret-manager-customer-managed-encryption-missing`: `1`
  - `gcp-secret-manager-lifecycle-posture-incomplete`: `1`
  - `gcp-public-compute-broad-ingress`: `1`
  - `gcp-compute-os-login-disabled`: `1`
  - `gcp-subnetwork-flow-logs-not-configured`: `1`
  - `gcp-service-account-key-hygiene`: `1`
  - `gcp-service-account-key-effective-access`: `1`
  - `gcp-inherited-iam-blast-radius`: `1`
  - `gcp-public-workload-sensitive-data-access`: `1`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `google_compute_instance.web`
- Description: Traffic can cross from the public internet to google_compute_instance.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `internet-to-service`

- Source: `internet`
- Target: `google_sql_database_instance.app`
- Description: Traffic can cross from the public internet to google_sql_database_instance.app.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `internet-to-service`

- Source: `internet`
- Target: `google_storage_bucket.logs`
- Description: Traffic can cross from the public internet to google_storage_bucket.logs.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `workload-to-data-store`

- Source: `google_compute_instance.web`
- Target: `google_bigquery_dataset.analytics`
- Description: google_compute_instance.web can interact with google_bigquery_dataset.analytics.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.

## Findings

### High

#### BigQuery IAM binding allows public or broad data access

- STRIDE category: Information Disclosure
- Affected resources: `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 9 => high
- Rationale: google_bigquery_dataset.analytics grants `roles/bigquery.dataViewer` to `allUsers` through BigQuery IAM. Public or broad principals can read or modify analytical data outside the expected project trust boundary.
- Recommended mitigation: Grant BigQuery dataset and table access only to specific in-project identities or reviewed analytics groups, remove public principals, and prefer least-privilege data roles.
- Evidence:
  - iam binding: source=google_bigquery_dataset_iam_binding.analytics_viewers; role=roles/bigquery.dataViewer; member=allUsers
  - trust scope: member is public GCP principal `allUsers`
  - resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers

#### Cloud SQL instance accepts public authorized network access

- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 6 => high
- Rationale: google_sql_database_instance.app has a public Cloud SQL IPv4 endpoint and an authorized network that allows internet-wide client sources. That weakens the database trust boundary even when database authentication is still required.
- Recommended mitigation: Disable public IPv4 access where possible, use private IP connectivity or the Cloud SQL Auth Proxy, and restrict authorized networks to narrow CIDRs when public client access is required.
- Evidence:
  - authorized networks: anywhere (0.0.0.0/0)
  - public exposure reasons: authorized network `anywhere` allows 0.0.0.0/0

#### GCP service account key can exercise sensitive or privileged access

- STRIDE category: Elevation of Privilege
- Affected resources: `google_service_account.web`, `google_service_account_key.web`, `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 6 => high
- Rationale: google_service_account_key.web creates portable credentials for `google_service_account.web`, and that service account has sensitive data access or high-impact IAM grants. A copied key can exercise those effective permissions outside the intended workload boundary.
- Recommended mitigation: Remove sensitive data and high-impact IAM grants from service accounts that still have user-managed keys, replace keys with workload identity or service-account impersonation, and revoke or rotate existing keys after privilege reduction.
- Evidence:
  - key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; resolved_service_account=google_service_account.web
  - service account principals: serviceAccount:tfstride-web@example.iam.gserviceaccount.com; tfstride-web@example.iam.gserviceaccount.com
  - effective access: resource=google_bigquery_dataset.analytics; source=google_bigquery_dataset_iam_binding.analytics_viewers; scope=BigQuery dataset IAM; role=roles/bigquery.dataViewer; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; risk=BigQuery dataset IAM grants roles/bigquery.dataViewer

#### Internet-exposed GCP workload can access sensitive data services

- STRIDE category: Information Disclosure
- Affected resources: `google_compute_instance.web`, `google_bigquery_dataset.analytics`, `google_bigquery_dataset_iam_binding.analytics_viewers`
- Trust boundary: `workload-to-data-store:google_compute_instance.web->google_bigquery_dataset.analytics`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_compute_instance.web is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-web@example.iam.gserviceaccount.com. That identity can access google_bigquery_dataset.analytics. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
  - public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress
  - workload identity: serviceAccount:tfstride-web@example.iam.gserviceaccount.com
  - workload identity scopes: cloud-platform
  - data access path: google_compute_instance.web reaches google_bigquery_dataset.analytics
  - boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_bigquery_dataset_iam_binding.analytics_viewers grants roles/bigquery.dataViewer to serviceAccount:tfstride-web@example.iam.gserviceaccount.com.
  - resource policy sources: google_bigquery_dataset_iam_binding.analytics_viewers

#### Pub/Sub IAM binding allows public or broad data access

- STRIDE category: Information Disclosure
- Affected resources: `google_pubsub_topic.events`, `google_pubsub_topic_iam_member.public_publisher`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +1, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_pubsub_topic.events grants `roles/pubsub.publisher` to `allAuthenticatedUsers` through Pub/Sub IAM. Public or broad principals can publish, consume, or administer event streams outside the expected service boundary.
- Recommended mitigation: Grant Pub/Sub publisher and subscriber roles only to specific service accounts or groups, remove public principals, and separate publish and consume permissions by workload.
- Evidence:
  - iam binding: source=google_pubsub_topic_iam_member.public_publisher; role=roles/pubsub.publisher; member=allAuthenticatedUsers
  - trust scope: member is public GCP principal `allAuthenticatedUsers`
  - resource policy sources: google_pubsub_topic_iam_member.public_publisher

#### Sensitive GCP resource IAM binding allows broad or external access

- STRIDE category: Information Disclosure
- Affected resources: `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.public_accessor`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +2, data_sensitivity +2, lateral_movement +1, blast_radius +2, final_score 9 => high
- Rationale: google_secret_manager_secret.api_key grants `roles/secretmanager.secretAccessor` to `allAuthenticatedUsers` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Recommended mitigation: Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.
- Evidence:
  - iam binding: source=google_secret_manager_secret_iam_member.public_accessor; role=roles/secretmanager.secretAccessor; member=allAuthenticatedUsers
  - trust scope: member is public GCP principal `allAuthenticatedUsers`
  - resource policy sources: google_secret_manager_secret_iam_member.public_accessor

### Medium

#### Cloud SQL automated backups are disabled

- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app does not have Cloud SQL automated backups enabled. A destructive change, operator error, or data corruption event would have fewer managed recovery points.
- Recommended mitigation: Enable automated backups for Cloud SQL instances, configure retention appropriate to the workload, and enable point-in-time recovery where supported.
- Evidence:
  - backup posture: backup_configuration.enabled is false; point_in_time_recovery_enabled is false; engine is POSTGRES_15

#### Cloud SQL deletion protection is disabled

- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app has Cloud SQL deletion protection disabled. Accidental or unauthorized infrastructure changes could destroy the managed database instance without this provider-level guardrail.
- Recommended mitigation: Enable Cloud SQL deletion protection for persistent environments and require explicit review before disabling it during planned database retirement.
- Evidence:
  - lifecycle posture: deletion_protection is false

#### Cloud SQL instance uses zonal availability

- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Recommended mitigation: Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.
- Evidence:
  - availability posture: availability_type=ZONAL; engine=POSTGRES_15

#### Cloud SQL public IPv4 is enabled without private network access

- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +0, final_score 5 => medium
- Rationale: google_sql_database_instance.app has Cloud SQL public IPv4 enabled without a private network attachment. That keeps database client access on a public endpoint instead of an internal VPC path.
- Recommended mitigation: Disable public IPv4 where possible, attach the instance to a private network, and route clients through private IP, the Cloud SQL Auth Proxy, or tightly controlled connectivity paths.
- Evidence:
  - network posture: ipv4_enabled is true; private_network is unset; authorized_networks configured: 1
  - public access reasons: Cloud SQL public IPv4 access is enabled

#### Cloud SQL public client access does not require SSL

- STRIDE category: Information Disclosure
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `internet-to-service:internet->google_sql_database_instance.app`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +1, blast_radius +0, final_score 5 => medium
- Rationale: google_sql_database_instance.app allows Cloud SQL public IPv4 client access without requiring encrypted client connections. Credentials and database traffic should not depend on client-side optional TLS behavior.
- Recommended mitigation: Require encrypted Cloud SQL client connections with `require_ssl` or an enforcing `ssl_mode`, and prefer private IP or the Cloud SQL Auth Proxy for application connectivity.
- Evidence:
  - ssl posture: require_ssl is false; ssl_mode is unset; ipv4_enabled is true

#### GCP compute instance disables OS Login

- STRIDE category: Elevation of Privilege
- Affected resources: `google_compute_instance.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 5 => medium
- Rationale: google_compute_instance.web explicitly disables OS Login. SSH access can therefore fall back to instance or project metadata keys instead of centralized IAM-backed login and audit controls.
- Recommended mitigation: Enable OS Login on GCE instances and manage SSH access through IAM roles, two-factor enforcement, and centralized audit logs instead of metadata SSH keys.
- Evidence:
  - os login posture: metadata.enable-oslogin is false
  - public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress

#### GCP service account user-managed key lacks rotation hygiene

- STRIDE category: Spoofing
- Affected resources: `google_service_account.web`, `google_service_account_key.web`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: google_service_account_key.web creates a user-managed GCP service account key for `google_service_account.web`. User-managed service account keys are portable, long-lived credentials that can be copied outside GCP control, so they need explicit rotation controls or should be replaced with workload identity or impersonation flows.
- Recommended mitigation: Avoid user-managed service account keys where Workload Identity Federation, workload identity, or service-account impersonation can be used; when keys are unavoidable, keep lifetimes short, configure explicit rotation triggers, and store private material outside Terraform state.
- Evidence:
  - key context: source=google_service_account_key.web; service_account_reference=google_service_account.web.email; key_algorithm=KEY_ALG_RSA_2048; public_key_type=TYPE_X509_PEM_FILE
  - key risk: Terraform manages a user-created service-account key; validity window is 365 days and exceeds 180-day threshold; no Terraform keepers rotation trigger observed
  - validity window: valid_after=2026-01-01T00:00:00Z; valid_before=2027-01-01T00:00:00Z; validity_days=365
  - rotation control: no Terraform keepers rotation trigger observed

#### GCP subnetwork Flow Logs are not configured

- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
  - subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

#### GCS bucket does not enforce Public Access Prevention

- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `internet-to-service:internet->google_storage_bucket.logs`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: google_storage_bucket.logs does not enforce GCS Public Access Prevention. Public principals can still be introduced through bucket IAM unless an organization-level policy blocks them.
- Recommended mitigation: Set GCS Public Access Prevention to `enforced` on sensitive buckets and rely on explicit non-public identities or signed access patterns when objects must be shared.
- Evidence:
  - access control posture: public_access_prevention is unset
  - public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers

#### GCS bucket is publicly accessible

- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `internet-to-service:internet->google_storage_bucket.logs`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 5 => medium
- Rationale: google_storage_bucket.logs is publicly reachable through GCS IAM grants. Public bucket access is a common source of unintended object disclosure.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from bucket-level IAM grants, enforce GCS Public Access Prevention, and use signed URLs, CDN origins, or narrow identities when objects must be distributed.
- Evidence:
  - public exposure reasons: google_storage_bucket_iam_member.public_logs_reader grants roles/storage.objectViewer to allUsers

#### GCS sensitive bucket does not use customer-managed encryption

- STRIDE category: Information Disclosure
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs relies on default GCS encryption rather than a customer-managed KMS key. Sensitive buckets lose key ownership, rotation, and separation-of-duties controls that a CMEK can provide.
- Recommended mitigation: Configure a Cloud KMS customer-managed key for sensitive GCS buckets, assign the GCS service agent only the key roles it needs, and manage key rotation separately from bucket IAM.
- Evidence:
  - encryption posture: default_kms_key_name is unset; customer_managed_encryption is false

#### GCS sensitive bucket retention policy is insufficient

- STRIDE category: Denial of Service
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs does not have deterministic GCS retention posture that meets the minimum retention threshold and lock expectation. Retention policy and retention lock reduce destructive deletion or overwrite risk, but are distinct from soft-delete recovery controls.
- Recommended mitigation: Configure a GCS retention policy that meets recovery and compliance objectives, and lock the retention policy after operational validation. Treat retention lock as immutability posture, not as a replacement for object versioning or soft-delete recovery.
- Evidence:
  - retention policy issues: retention_policy is missing
  - retention policy posture: retention_policy.retention_period_state=missing; minimum_retention_period_days=7; minimum_retention_period_seconds=604800; retention_policy.is_locked is unset

#### GCS sensitive bucket versioning is disabled

- STRIDE category: Denial of Service
- Affected resources: `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_storage_bucket.logs stores sensitive GCS data without bucket versioning. Accidental overwrites, deletes, or destructive changes have fewer object-level recovery options.
- Recommended mitigation: Enable bucket versioning for sensitive GCS buckets and pair it with lifecycle retention rules that match recovery objectives and storage cost constraints.
- Evidence:
  - data protection posture: versioning.enabled is false; data_sensitivity is sensitive

#### Inherited GCP IAM grant expands descendant blast radius

- STRIDE category: Elevation of Privilege
- Affected resources: `google_project_iam_member.web_viewer`, `google_bigquery_dataset.analytics`, `google_bigquery_table.events`, `google_compute_firewall.public_app`, `google_compute_firewall.public_ssh`, `google_compute_instance.web`, `google_compute_network.main`, `google_compute_route.default_internet`, `google_compute_subnetwork.app`, `google_kms_crypto_key.customer`, `google_logging_project_sink.processor`, `google_pubsub_subscription.events`, `google_pubsub_topic.events`, `google_secret_manager_secret.api_key`, `google_service_account.web`, `google_service_account_key.web`, `google_sql_database_instance.app`, `google_storage_bucket.logs`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: google_project_iam_member.web_viewer grants `roles/viewer` to `serviceAccount:tfstride-web@example.iam.gserviceaccount.com` at project scope `tfstride-demo`, and that inherited grant applies to 17 concrete descendant resource(s). A high-level IAM grant with broad, external, or high-impact access increases control-plane blast radius because compromise or misuse can affect resources below the inherited scope.
- Recommended mitigation: Avoid broad or high-impact IAM grants at organization, folder, and project scope when narrower resource-level or workload-specific bindings are possible; split inherited roles by service and review descendant resources before assigning public, external, or administrator principals.
- Evidence:
  - iam binding: source=google_project_iam_member.web_viewer; scope=project:tfstride-demo; member=serviceAccount:tfstride-web@example.iam.gserviceaccount.com; role=roles/viewer
  - trust scope: service account belongs to project `example`, outside resource project `tfstride-demo`
  - descendant scope: scope=project:tfstride-demo; descendant_count=17; resource_type_count=16; projects=tfstride-demo
  - descendant resource types: google_bigquery_dataset: 1; google_bigquery_table: 1; google_compute_firewall: 2; google_compute_instance: 1; google_compute_network: 1; google_compute_route: 1; google_compute_subnetwork: 1; google_kms_crypto_key: 1; google_logging_project_sink: 1; google_pubsub_subscription: 1; google_pubsub_topic: 1; google_secret_manager_secret: 1; google_service_account: 1; google_service_account_key: 1; google_sql_database_instance: 1; google_storage_bucket: 1
  - descendant resources: google_bigquery_dataset.analytics; google_bigquery_table.events; google_compute_firewall.public_app; google_compute_firewall.public_ssh; google_compute_instance.web; google_compute_network.main; google_compute_route.default_internet; google_compute_subnetwork.app; google_kms_crypto_key.customer; google_logging_project_sink.processor; and 7 more descendant resources

#### Internet-exposed GCP compute instance permits broad ingress

- STRIDE category: Spoofing
- Affected resources: `google_compute_instance.web`, `google_compute_firewall.public_ssh`
- Trust boundary: `internet-to-service:internet->google_compute_instance.web`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: google_compute_instance.web has an external access config and matching GCP firewall rules allow administrative access or all ports from the public internet. That broad ingress raises the chance of unauthenticated probing and credential attacks.
- Recommended mitigation: Restrict GCP firewall source ranges and exposed ports, remove external IP access where possible, and use Identity-Aware Proxy, VPN, or a controlled bastion for administration.
- Evidence:
  - firewall rules: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0
  - network tags: web
  - internet ingress reasons: google_compute_firewall.public_ssh ingress tcp 22 from 0.0.0.0/0; google_compute_firewall.public_app ingress tcp 8080 from 0.0.0.0/0
  - public exposure reasons: compute instance has an external access config and matching firewall rules allow internet ingress

#### Pub/Sub subscription does not configure a dead-letter policy

- STRIDE category: Denial of Service
- Affected resources: `google_pubsub_subscription.events`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_pubsub_subscription.events does not configure a Pub/Sub dead-letter policy. Poison messages or repeated delivery failures can consume subscriber capacity and reduce recovery options for failed processing.
- Recommended mitigation: Configure a reviewed Pub/Sub dead-letter topic and delivery-attempt threshold for subscriptions where poison messages or repeated delivery failures could disrupt processing.
- Evidence:
  - target resource: address=google_pubsub_subscription.events; resource_type=google_pubsub_subscription
  - dead letter posture: dead_letter_policy_state=not_configured; dead_letter_topic=unset

#### Pub/Sub topic does not use customer-managed encryption

- STRIDE category: Information Disclosure
- Affected resources: `google_pubsub_topic.events`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_pubsub_topic.events relies on Google-managed Pub/Sub encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still protects message data; this finding concerns key ownership, rotation, audit separation, and compliance posture.
- Recommended mitigation: Configure a customer-managed Cloud KMS key for sensitive Pub/Sub topics where key ownership, rotation, audit separation, or compliance requirements warrant it.
- Evidence:
  - target resource: address=google_pubsub_topic.events; resource_type=google_pubsub_topic
  - encryption ownership: cmek_state=not_configured; kms_key_name=unset

#### Secret Manager lifecycle posture is incomplete

- STRIDE category: Denial of Service
- Affected resources: `google_secret_manager_secret.api_key`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_secret_manager_secret.api_key does not show deterministic Secret Manager lifecycle posture for secret expiry or delayed version destruction. Expiry and version-destroy TTL controls reduce the lifetime of stale or accidentally destroyed secret material, but do not replace access review or rotation.
- Recommended mitigation: Configure Secret Manager `ttl` or `expire_time` where secret-level expiry is expected, and set `version_destroy_ttl` to a retention window that gives operators enough time to recover from accidental or malicious secret version destruction.
- Evidence:
  - target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
  - lifecycle issues: secret has no ttl, expire_time, or version_destroy_ttl lifecycle guardrail; version_destroy_ttl is missing
  - lifecycle posture: ttl=unset; expire_time=unset; version_destroy_ttl=unset; minimum_version_destroy_ttl_days=7; minimum_version_destroy_ttl_seconds=604800

#### Secret Manager secret does not use customer-managed encryption

- STRIDE category: Information Disclosure
- Affected resources: `google_secret_manager_secret.api_key`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_secret_manager_secret.api_key relies on Google-managed Secret Manager encryption rather than a customer-managed Cloud KMS key. Google-managed encryption still applies; this finding concerns customer key ownership, rotation, audit separation, and compliance posture for sensitive secrets.
- Recommended mitigation: Configure Secret Manager replication with Cloud KMS customer-managed encryption for secrets that require customer key ownership, independent rotation, audit separation, or compliance controls.
- Evidence:
  - target resource: address=google_secret_manager_secret.api_key; type=google_secret_manager_secret; identifier=projects/tfstride-demo/secrets/tfstride-api-key
  - encryption ownership: customer_managed_encryption is false; secret_manager_replication_mode=automatic; secret_manager_kms_key_names is empty
  - replication posture: replication.mode=automatic

#### Sensitive GCP resource IAM binding allows broad or external access

- STRIDE category: Information Disclosure
- Affected resources: `google_kms_crypto_key.customer`, `google_kms_crypto_key_iam_member.partner_decrypter`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 5 => medium
- Rationale: google_kms_crypto_key.customer grants `roles/cloudkms.cryptoKeyDecrypter` to `serviceAccount:decryptor@partner-project.iam.gserviceaccount.com` through GCP IAM. Public, broad-domain, or foreign-project principals can access sensitive secrets or cryptographic key operations outside the expected project trust boundary.
- Recommended mitigation: Grant Secret Manager and Cloud KMS IAM roles only to specific in-project service accounts or groups, remove public principals, and require explicit cross-project access reviews for partner identities.
- Evidence:
  - iam binding: source=google_kms_crypto_key_iam_member.partner_decrypter; role=roles/cloudkms.cryptoKeyDecrypter; member=serviceAccount:decryptor@partner-project.iam.gserviceaccount.com
  - trust scope: service account belongs to project `partner-project`, outside resource project `tfstride-demo`
  - resource policy sources: google_kms_crypto_key_iam_member.partner_decrypter

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.