Active findings
5Built-in scenario
gcp/sample_gcp_serverless_plan.jsonGCP Serverless Demo
Analyzed sample_gcp_serverless_plan.json with 11 normalized resources and 4 trust boundaries.
Trust boundaries
4Resources
11Observations
0Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 11
- Normalized resources
- 11
No unsupported GCP resource types were encountered.
Rule coverage
- Registered rules
- 78
- Disabled rules
- 0
- gcp-subnetwork-flow-logs-not-configured1
- gcp-cloud-run-public-invoker1
- gcp-cloud-functions-public-invoker1
- gcp-public-workload-sensitive-data-access2
Findings
Severity bands
High
2Internet-exposed GCP workload can access sensitive data services
gcp-public-workload-sensitive-data-accessgoogle_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Category
- Information Disclosure
- Boundary
- workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key
- Resources
- google_cloud_run_v2_service.api, google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.run_accessor
Evidence
- public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
- workload identity: serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com
- cloud run secret access paths: secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured
- resource policy sources: google_secret_manager_secret_iam_member.run_accessor
Internet-exposed GCP workload can access sensitive data services
gcp-public-workload-sensitive-data-accessgoogle_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Category
- Information Disclosure
- Boundary
- workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key
- Resources
- google_cloudfunctions_function.worker, google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.run_accessor, google_secret_manager_secret_iam_member.function_accessor
Evidence
- public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
- workload identity: serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com
- data access path: google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key
- boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
- resource policy sources: google_secret_manager_secret_iam_member.run_accessor; google_secret_manager_secret_iam_member.function_accessor
Medium
3Cloud Functions function is publicly invokable
gcp-cloud-functions-public-invokergoogle_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.
- Category
- Spoofing
- Boundary
- internet-to-service:internet->google_cloudfunctions_function.worker
- Resources
- google_cloudfunctions_function.worker, google_cloudfunctions_function_iam_member.public_invoker
Evidence
- public invoker bindings: source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers
- public access reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
- public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
Cloud Run service is publicly invokable
gcp-cloud-run-public-invokergoogle_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.
- Category
- Spoofing
- Boundary
- internet-to-service:internet->google_cloud_run_v2_service.api
- Resources
- google_cloud_run_v2_service.api, google_cloud_run_v2_service_iam_member.public_invoker
Evidence
- public invoker bindings: source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers
- public access reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
- public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
GCP subnetwork Flow Logs are not configured
gcp-subnetwork-flow-logs-not-configuredgoogle_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Category
- Repudiation
- Boundary
- not-applicable
- Resources
- google_compute_subnetwork.app
Evidence
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
internet-to-service
internet -> google_cloud_run_v2_service.api
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
internet-to-service
internet -> google_cloudfunctions_function.worker
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
workload-to-data-store
google_cloud_run_v2_service.api -> google_secret_manager_secret.api_key
GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com.
workload-to-data-store
google_cloudfunctions_function.worker -> google_secret_manager_secret.api_key
GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "GCP Serverless Demo",
"analyzed_file": "sample_gcp_serverless_plan.json",
"analyzed_path": "sample_gcp_serverless_plan.json",
"summary": {
"normalized_resources": 11,
"unsupported_resources": 0,
"trust_boundaries": 4,
"active_findings": 5,
"total_findings": 5,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 2,
"medium": 3,
"low": 0
}
},
"filtering": {
"total_findings": 5,
"active_findings": 5,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 11,
"provider_resources": 11,
"normalized_resources": 11,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 78,
"enabled_rules": [
"gcp-sensitive-resource-iam-external-access",
"gcp-pubsub-public-access",
"gcp-pubsub-topic-customer-managed-encryption-missing",
"gcp-pubsub-message-retention-insufficient",
"gcp-pubsub-subscription-dead-letter-policy-missing",
"gcp-bigquery-public-access",
"gcp-cloud-sql-public-authorized-network",
"gcp-cloud-sql-backup-disabled",
"gcp-cloud-sql-public-ip-without-private-network",
"gcp-cloud-sql-ssl-not-required",
"gcp-cloud-sql-point-in-time-recovery-disabled",
"gcp-cloud-sql-deletion-protection-disabled",
"gcp-cloud-sql-zonal-availability",
"gcp-cloud-sql-query-insights-disabled",
"gcp-cloud-sql-connector-enforcement-not-required",
"gcp-cloud-sql-private-connectivity-not-modeled",
"gcp-private-workload-private-google-access-disabled",
"gcp-gcs-public-access",
"gcp-gcs-uniform-bucket-level-access-disabled",
"gcp-gcs-public-access-prevention-not-enforced",
"gcp-gcs-versioning-disabled",
"gcp-gcs-customer-managed-encryption-missing",
"gcp-gcs-retention-policy-insufficient",
"gcp-artifact-registry-docker-tags-mutable",
"gcp-artifact-registry-customer-managed-encryption-missing",
"gcp-artifact-registry-vulnerability-scanning-disabled",
"gcp-secret-manager-customer-managed-encryption-missing",
"gcp-secret-manager-lifecycle-posture-incomplete",
"gcp-kms-key-rotation-not-configured-or-too-long",
"gcp-kms-key-destroy-scheduled-duration-too-short",
"gcp-public-compute-broad-ingress",
"gcp-public-load-balanced-workload",
"gcp-load-balancer-http-public-proxy",
"gcp-load-balancer-ssl-policy-missing-or-weak",
"gcp-public-load-balancer-cloud-armor-missing",
"gcp-compute-os-login-disabled",
"gcp-gke-public-control-plane",
"gcp-gke-broad-authorized-networks",
"gcp-gke-workload-identity-disabled",
"gcp-gke-legacy-metadata-endpoints-enabled",
"gcp-gke-broad-node-service-account",
"gcp-gke-control-plane-logging-incomplete",
"gcp-scc-asset-discovery-disabled",
"gcp-logging-exclusion-drops-audit-security-logs",
"gcp-logging-sink-audit-export-incomplete",
"gcp-central-audit-sink-not-modeled",
"gcp-subnetwork-flow-logs-not-configured",
"gcp-subnetwork-flow-log-capture-incomplete",
"gcp-gke-network-policy-disabled",
"gcp-gke-secrets-encryption-not-configured",
"gcp-gke-legacy-abac-enabled-or-unknown",
"gcp-gke-client-certificate-auth-enabled-or-unknown",
"gcp-gke-shielded-nodes-disabled-or-unknown",
"gcp-gke-binary-authorization-not-enabled",
"gcp-cloud-run-public-invoker",
"gcp-cloud-functions-public-invoker",
"gcp-cloud-run-image-not-digest-pinned",
"gcp-cloud-run-artifact-registry-mutable-tag",
"gcp-cloud-run-can-modify-image-repository",
"gcp-cloud-run-sensitive-environment-value-inline",
"gcp-cloud-run-secret-access-blast-radius",
"gcp-public-cloud-run-gcs-mutation-access",
"gcp-public-cloud-run-pubsub-mutation-access",
"gcp-service-account-iam-broad-principal",
"gcp-service-account-iam-privileged-role",
"gcp-service-account-key-hygiene",
"gcp-service-account-key-effective-access",
"gcp-workload-identity-pool-wide-impersonation",
"gcp-workload-identity-provider-unconditioned-broad-trust",
"gcp-workload-identity-privileged-service-account-access",
"gcp-org-folder-iam-broad-principal",
"gcp-org-folder-iam-privileged-role",
"gcp-project-iam-broad-principal",
"gcp-project-iam-privileged-role",
"gcp-iam-privileged-assignment",
"gcp-inherited-iam-sensitive-resource-access",
"gcp-inherited-iam-blast-radius",
"gcp-public-workload-sensitive-data-access"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"gcp-sensitive-resource-iam-external-access": 0,
"gcp-pubsub-public-access": 0,
"gcp-pubsub-topic-customer-managed-encryption-missing": 0,
"gcp-pubsub-message-retention-insufficient": 0,
"gcp-pubsub-subscription-dead-letter-policy-missing": 0,
"gcp-bigquery-public-access": 0,
"gcp-cloud-sql-public-authorized-network": 0,
"gcp-cloud-sql-backup-disabled": 0,
"gcp-cloud-sql-public-ip-without-private-network": 0,
"gcp-cloud-sql-ssl-not-required": 0,
"gcp-cloud-sql-point-in-time-recovery-disabled": 0,
"gcp-cloud-sql-deletion-protection-disabled": 0,
"gcp-cloud-sql-zonal-availability": 0,
"gcp-cloud-sql-query-insights-disabled": 0,
"gcp-cloud-sql-connector-enforcement-not-required": 0,
"gcp-cloud-sql-private-connectivity-not-modeled": 0,
"gcp-private-workload-private-google-access-disabled": 0,
"gcp-gcs-public-access": 0,
"gcp-gcs-uniform-bucket-level-access-disabled": 0,
"gcp-gcs-public-access-prevention-not-enforced": 0,
"gcp-gcs-versioning-disabled": 0,
"gcp-gcs-customer-managed-encryption-missing": 0,
"gcp-gcs-retention-policy-insufficient": 0,
"gcp-artifact-registry-docker-tags-mutable": 0,
"gcp-artifact-registry-customer-managed-encryption-missing": 0,
"gcp-artifact-registry-vulnerability-scanning-disabled": 0,
"gcp-secret-manager-customer-managed-encryption-missing": 0,
"gcp-secret-manager-lifecycle-posture-incomplete": 0,
"gcp-kms-key-rotation-not-configured-or-too-long": 0,
"gcp-kms-key-destroy-scheduled-duration-too-short": 0,
"gcp-public-compute-broad-ingress": 0,
"gcp-public-load-balanced-workload": 0,
"gcp-load-balancer-http-public-proxy": 0,
"gcp-load-balancer-ssl-policy-missing-or-weak": 0,
"gcp-public-load-balancer-cloud-armor-missing": 0,
"gcp-compute-os-login-disabled": 0,
"gcp-gke-public-control-plane": 0,
"gcp-gke-broad-authorized-networks": 0,
"gcp-gke-workload-identity-disabled": 0,
"gcp-gke-legacy-metadata-endpoints-enabled": 0,
"gcp-gke-broad-node-service-account": 0,
"gcp-gke-control-plane-logging-incomplete": 0,
"gcp-scc-asset-discovery-disabled": 0,
"gcp-logging-exclusion-drops-audit-security-logs": 0,
"gcp-logging-sink-audit-export-incomplete": 0,
"gcp-central-audit-sink-not-modeled": 0,
"gcp-subnetwork-flow-logs-not-configured": 1,
"gcp-subnetwork-flow-log-capture-incomplete": 0,
"gcp-gke-network-policy-disabled": 0,
"gcp-gke-secrets-encryption-not-configured": 0,
"gcp-gke-legacy-abac-enabled-or-unknown": 0,
"gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
"gcp-gke-shielded-nodes-disabled-or-unknown": 0,
"gcp-gke-binary-authorization-not-enabled": 0,
"gcp-cloud-run-public-invoker": 1,
"gcp-cloud-functions-public-invoker": 1,
"gcp-cloud-run-image-not-digest-pinned": 0,
"gcp-cloud-run-artifact-registry-mutable-tag": 0,
"gcp-cloud-run-can-modify-image-repository": 0,
"gcp-cloud-run-sensitive-environment-value-inline": 0,
"gcp-cloud-run-secret-access-blast-radius": 0,
"gcp-public-cloud-run-gcs-mutation-access": 0,
"gcp-public-cloud-run-pubsub-mutation-access": 0,
"gcp-service-account-iam-broad-principal": 0,
"gcp-service-account-iam-privileged-role": 0,
"gcp-service-account-key-hygiene": 0,
"gcp-service-account-key-effective-access": 0,
"gcp-workload-identity-pool-wide-impersonation": 0,
"gcp-workload-identity-provider-unconditioned-broad-trust": 0,
"gcp-workload-identity-privileged-service-account-access": 0,
"gcp-org-folder-iam-broad-principal": 0,
"gcp-org-folder-iam-privileged-role": 0,
"gcp-project-iam-broad-principal": 0,
"gcp-project-iam-privileged-role": 0,
"gcp-iam-privileged-assignment": 0,
"gcp-inherited-iam-sensitive-resource-access": 0,
"gcp-inherited-iam-blast-radius": 0,
"gcp-public-workload-sensitive-data-access": 2
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "gcp",
"unsupported_resources": [],
"metadata": {
"supported_resource_types": [
"google_artifact_registry_repository",
"google_artifact_registry_repository_iam_binding",
"google_artifact_registry_repository_iam_member",
"google_artifact_registry_repository_iam_policy",
"google_bigquery_dataset",
"google_bigquery_dataset_iam_binding",
"google_bigquery_dataset_iam_member",
"google_bigquery_dataset_iam_policy",
"google_bigquery_table",
"google_bigquery_table_iam_binding",
"google_bigquery_table_iam_member",
"google_bigquery_table_iam_policy",
"google_cloud_run_service",
"google_cloud_run_service_iam_binding",
"google_cloud_run_service_iam_member",
"google_cloud_run_service_iam_policy",
"google_cloud_run_v2_service",
"google_cloud_run_v2_service_iam_binding",
"google_cloud_run_v2_service_iam_member",
"google_cloud_run_v2_service_iam_policy",
"google_cloudfunctions2_function",
"google_cloudfunctions2_function_iam_binding",
"google_cloudfunctions2_function_iam_member",
"google_cloudfunctions2_function_iam_policy",
"google_cloudfunctions_function",
"google_cloudfunctions_function_iam_binding",
"google_cloudfunctions_function_iam_member",
"google_cloudfunctions_function_iam_policy",
"google_compute_backend_bucket",
"google_compute_backend_service",
"google_compute_firewall",
"google_compute_firewall_policy",
"google_compute_firewall_policy_association",
"google_compute_firewall_policy_rule",
"google_compute_forwarding_rule",
"google_compute_global_address",
"google_compute_global_forwarding_rule",
"google_compute_instance",
"google_compute_managed_ssl_certificate",
"google_compute_network",
"google_compute_network_endpoint_group",
"google_compute_region_backend_service",
"google_compute_region_network_endpoint_group",
"google_compute_region_security_policy",
"google_compute_region_target_http_proxy",
"google_compute_region_target_https_proxy",
"google_compute_region_url_map",
"google_compute_route",
"google_compute_router",
"google_compute_router_nat",
"google_compute_security_policy",
"google_compute_service_attachment",
"google_compute_ssl_policy",
"google_compute_subnetwork",
"google_compute_target_http_proxy",
"google_compute_target_https_proxy",
"google_compute_url_map",
"google_container_cluster",
"google_container_node_pool",
"google_folder_iam_binding",
"google_folder_iam_member",
"google_folder_iam_policy",
"google_folder_organization_policy",
"google_iam_workload_identity_pool",
"google_iam_workload_identity_pool_provider",
"google_kms_crypto_key",
"google_kms_crypto_key_iam_binding",
"google_kms_crypto_key_iam_member",
"google_kms_crypto_key_iam_policy",
"google_kms_key_ring_iam_binding",
"google_kms_key_ring_iam_member",
"google_kms_key_ring_iam_policy",
"google_logging_organization_exclusion",
"google_logging_organization_sink",
"google_logging_project_exclusion",
"google_logging_project_sink",
"google_network_connectivity_service_connection_policy",
"google_org_policy_policy",
"google_organization_iam_binding",
"google_organization_iam_custom_role",
"google_organization_iam_member",
"google_organization_iam_policy",
"google_organization_policy",
"google_project_iam_binding",
"google_project_iam_custom_role",
"google_project_iam_member",
"google_project_iam_policy",
"google_project_organization_policy",
"google_pubsub_subscription",
"google_pubsub_subscription_iam_binding",
"google_pubsub_subscription_iam_member",
"google_pubsub_subscription_iam_policy",
"google_pubsub_topic",
"google_pubsub_topic_iam_binding",
"google_pubsub_topic_iam_member",
"google_pubsub_topic_iam_policy",
"google_scc_organization_settings",
"google_secret_manager_secret",
"google_secret_manager_secret_iam_binding",
"google_secret_manager_secret_iam_member",
"google_secret_manager_secret_iam_policy",
"google_service_account",
"google_service_account_iam_binding",
"google_service_account_iam_member",
"google_service_account_iam_policy",
"google_service_account_key",
"google_service_networking_connection",
"google_sql_database_instance",
"google_storage_bucket",
"google_storage_bucket_iam_binding",
"google_storage_bucket_iam_member",
"google_storage_bucket_iam_policy"
],
"total_input_resources": 11,
"provider_resource_count": 11,
"normalized_resource_count": 11,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "google_bigquery_dataset.analytics",
"provider": "gcp",
"resource_type": "google_bigquery_dataset",
"name": "analytics",
"category": "data",
"identifier": "projects/tfstride-demo/datasets/tfstride_analytics",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/datasets/tfstride_analytics",
"project": "tfstride-demo",
"bigquery_dataset_id": "tfstride_analytics",
"bigquery_dataset_reference": "projects/tfstride-demo/datasets/tfstride_analytics",
"labels": {
"app": "tfstride"
},
"delete_contents_on_destroy": false,
"default_table_expiration_ms": null,
"description": null,
"friendly_name": null,
"location": "US",
"max_time_travel_hours": null,
"storage_billing_model": null,
"customer_managed_encryption": false,
"storage_encrypted": true
}
},
{
"address": "google_bigquery_table.events",
"provider": "gcp",
"resource_type": "google_bigquery_table",
"name": "events",
"category": "data",
"identifier": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"project": "tfstride-demo",
"bigquery_dataset_id": "google_bigquery_dataset.analytics.dataset_id",
"bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
"bigquery_table_id": "events",
"bigquery_table_reference": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
"labels": {},
"clustering": [],
"deletion_protection": true,
"description": null,
"friendly_name": null,
"schema": null,
"time_partitioning": [],
"view": [],
"customer_managed_encryption": false,
"storage_encrypted": true
}
},
{
"address": "google_cloud_run_v2_service.api",
"provider": "gcp",
"resource_type": "google_cloud_run_v2_service",
"name": "api",
"category": "compute",
"identifier": "tfstride-api",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-api",
"project": "tfstride-demo",
"service_account_email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"service_account_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"service_accounts": [
{
"email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com"
}
],
"labels": {},
"vpc_enabled": false,
"provider_managed_egress": true,
"cloud_run_service_reference": "tfstride-api",
"region": "us-central1",
"serverless_ingress": "INGRESS_TRAFFIC_ALL",
"uri": "https://tfstride-api.run.app",
"container_image_references": [],
"container_image_posture_uncertainties": [],
"cloud_run_secret_references": [
{
"source": "google_cloud_run_v2_service",
"path": "template[0].containers[0].env[0]",
"value_path": "template[0].containers[0].env[0].value_source",
"container_name": "api",
"setting_name": "DB_PASSWORD",
"state": "reference",
"is_resolved": true,
"normalized_setting_name": "db_password",
"sensitive_category": "password",
"reference": "projects/tfstride-demo/secrets/tfstride-api-key",
"reference_kind": "secret_manager",
"secret_reference": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_name": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_version": "5",
"version": "5",
"secret_version_state": "configured",
"version_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.version",
"secret_reference_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.secret",
"target_resolution": "resolved"
}
],
"cloud_run_secret_posture_uncertainties": [],
"public_access_reasons": [
"google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
],
"direct_internet_reachable": true,
"public_exposure_reasons": [
"google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
],
"iam_bindings": [
{
"role": "roles/run.invoker",
"members": [
"allUsers"
],
"source": "google_cloud_run_v2_service_iam_member.public_invoker"
}
],
"gcp_resource_policy_source_addresses": [
"google_cloud_run_v2_service_iam_member.public_invoker"
],
"cloud_run_gcs_access_paths": [],
"cloud_run_pubsub_access_paths": [],
"cloud_run_secret_access_paths": [
{
"workload_address": "google_cloud_run_v2_service.api",
"workload_type": "google_cloud_run_v2_service",
"secret_reference": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_reference_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.secret",
"secret_resource_name": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_resource_address": "google_secret_manager_secret.api_key",
"secret_target_resolution": "resolved_in_plan",
"secret_resolution_basis": "canonical_resource_name",
"secret_version": "5",
"secret_version_state": "configured",
"version_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.version",
"container_name": "api",
"setting_name": "DB_PASSWORD",
"service_account_email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"service_account_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"identity_kind": "cloud_run_service_account",
"credential_context": "workload_runtime",
"iam_resource_address": "google_secret_manager_secret_iam_member.run_accessor",
"iam_resource_type": "google_secret_manager_secret_iam_member",
"role": "roles/secretmanager.secretAccessor",
"role_kind": "built_in",
"custom_role_permissions": [],
"grant_scope_type": "secret",
"grant_scope": "projects/tfstride-demo/secrets/tfstride-api-key",
"grant_basis": "secret_resource_iam",
"condition": {},
"condition_state": "not_configured",
"access_state": "granted"
}
],
"artifact_registry_write_paths": []
}
},
{
"address": "google_cloud_run_v2_service_iam_member.public_invoker",
"provider": "gcp",
"resource_type": "google_cloud_run_v2_service_iam_member",
"name": "public_invoker",
"category": "iam",
"identifier": "tfstride-api:roles/run.invoker:allUsers",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cloud_run_service_reference": "tfstride-api",
"region": "us-central1",
"iam_role": "roles/run.invoker",
"iam_member": "allUsers",
"iam_members": [
"allUsers"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/run.invoker",
"members": [
"allUsers"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_cloudfunctions_function.worker",
"provider": "gcp",
"resource_type": "google_cloudfunctions_function",
"name": "worker",
"category": "compute",
"identifier": "tfstride-worker",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-worker",
"project": "tfstride-demo",
"service_account_email": "tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
"service_account_member": "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
"service_accounts": [
{
"email": "tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
}
],
"labels": {},
"vpc_enabled": false,
"provider_managed_egress": true,
"cloud_function_reference": "tfstride-worker",
"region": "us-central1",
"runtime": "python312",
"trigger_http": true,
"https_trigger_url": null,
"public_access_reasons": [
"google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
],
"direct_internet_reachable": true,
"public_exposure_reasons": [
"google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
],
"iam_bindings": [
{
"role": "roles/cloudfunctions.invoker",
"members": [
"allAuthenticatedUsers"
],
"source": "google_cloudfunctions_function_iam_member.public_invoker"
}
],
"gcp_resource_policy_source_addresses": [
"google_cloudfunctions_function_iam_member.public_invoker"
]
}
},
{
"address": "google_cloudfunctions_function_iam_member.public_invoker",
"provider": "gcp",
"resource_type": "google_cloudfunctions_function_iam_member",
"name": "public_invoker",
"category": "iam",
"identifier": "tfstride-worker:roles/cloudfunctions.invoker:allAuthenticatedUsers",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cloud_function_reference": "tfstride-worker",
"region": "us-central1",
"iam_role": "roles/cloudfunctions.invoker",
"iam_member": "allAuthenticatedUsers",
"iam_members": [
"allAuthenticatedUsers"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/cloudfunctions.invoker",
"members": [
"allAuthenticatedUsers"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_compute_network.main",
"provider": "gcp",
"resource_type": "google_compute_network",
"name": "main",
"category": "network",
"identifier": "tfstride-main",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-main",
"project": "tfstride-demo",
"auto_create_subnetworks": false,
"routing_mode": "REGIONAL",
"description": null
}
},
{
"address": "google_compute_subnetwork.app",
"provider": "gcp",
"resource_type": "google_compute_subnetwork",
"name": "app",
"category": "network",
"identifier": "tfstride-app",
"arn": null,
"vpc_id": "google_compute_network.main.id",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "tfstride-app",
"project": "tfstride-demo",
"region": "us-central1",
"network": "google_compute_network.main.id",
"cidr_range": "10.10.1.0/24",
"private_ip_google_access": true,
"purpose": null,
"stack_type": null,
"secondary_ip_ranges": [],
"subnetwork_flow_log_state": "not_configured",
"subnetwork_flow_log_config": {},
"subnetwork_flow_log_metadata_fields": [],
"network_telemetry_posture_uncertainties": [],
"has_public_route": false,
"is_public_subnet": false,
"has_nat_gateway_egress": false
}
},
{
"address": "google_secret_manager_secret.api_key",
"provider": "gcp",
"resource_type": "google_secret_manager_secret",
"name": "api_key",
"category": "data",
"identifier": "projects/tfstride-demo/secrets/tfstride-api-key",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "projects/tfstride-demo/secrets/tfstride-api-key",
"secret_id": "tfstride-api-key",
"project": "tfstride-demo",
"labels": {
"app": "tfstride"
},
"secret_manager_replication_mode": "automatic",
"secret_manager_kms_key_names": [
"projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-secret-manager"
],
"secret_manager_replication": {
"mode": "automatic",
"kms_key_names": [
"projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-secret-manager"
]
},
"secret_manager_posture_uncertainties": [],
"secret_manager_ttl": "2592000s",
"secret_manager_version_destroy_ttl": "604800s",
"annotations": {},
"topics": [],
"customer_managed_encryption": true,
"storage_encrypted": true,
"iam_bindings": [
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
],
"source": "google_secret_manager_secret_iam_member.run_accessor"
},
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
],
"source": "google_secret_manager_secret_iam_member.function_accessor"
}
],
"gcp_resource_policy_source_addresses": [
"google_secret_manager_secret_iam_member.run_accessor",
"google_secret_manager_secret_iam_member.function_accessor"
]
}
},
{
"address": "google_secret_manager_secret_iam_member.function_accessor",
"provider": "gcp",
"resource_type": "google_secret_manager_secret_iam_member",
"name": "function_accessor",
"category": "iam",
"identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"secret_reference": "google_secret_manager_secret.api_key.id",
"project": "tfstride-demo",
"iam_role": "roles/secretmanager.secretAccessor",
"iam_member": "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
"iam_members": [
"serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
]
}
],
"privileged_access_grants": []
}
},
{
"address": "google_secret_manager_secret_iam_member.run_accessor",
"provider": "gcp",
"resource_type": "google_secret_manager_secret_iam_member",
"name": "run_accessor",
"category": "iam",
"identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"secret_reference": "google_secret_manager_secret.api_key.id",
"project": "tfstride-demo",
"iam_role": "roles/secretmanager.secretAccessor",
"iam_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
"iam_members": [
"serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
],
"iam_condition": {},
"iam_bindings": [
{
"role": "roles/secretmanager.secretAccessor",
"members": [
"serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
]
}
],
"privileged_access_grants": []
}
}
]
},
"trust_boundaries": [
{
"identifier": "internet-to-service:internet->google_cloud_run_v2_service.api",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "google_cloud_run_v2_service.api",
"description": "Traffic can cross from the public internet to google_cloud_run_v2_service.api.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "internet-to-service:internet->google_cloudfunctions_function.worker",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "google_cloudfunctions_function.worker",
"description": "Traffic can cross from the public internet to google_cloudfunctions_function.worker.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key",
"boundary_type": "workload-to-data-store",
"source": "google_cloud_run_v2_service.api",
"target": "google_secret_manager_secret.api_key",
"description": "google_cloud_run_v2_service.api can interact with google_secret_manager_secret.api_key.",
"rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com."
},
{
"identifier": "workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key",
"boundary_type": "workload-to-data-store",
"source": "google_cloudfunctions_function.worker",
"target": "google_secret_manager_secret.api_key",
"description": "google_cloudfunctions_function.worker can interact with google_secret_manager_secret.api_key.",
"rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com."
}
],
"findings": [
{
"fingerprint": "sha256:f04001c2e8493937559935380c234dbbba2f0569bd188b4b7037ec8597d14fa5",
"title": "Internet-exposed GCP workload can access sensitive data services",
"rule_id": "gcp-public-workload-sensitive-data-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_cloud_run_v2_service.api",
"google_secret_manager_secret.api_key",
"google_secret_manager_secret_iam_member.run_accessor"
],
"trust_boundary_id": "workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key",
"rationale": "google_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
"recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
"evidence": [
{
"key": "public_exposure_reasons",
"values": [
"google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
]
},
{
"key": "workload_identity",
"values": [
"serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
]
},
{
"key": "cloud_run_secret_access_paths",
"values": [
"secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured"
]
},
{
"key": "resource_policy_sources",
"values": [
"google_secret_manager_secret_iam_member.run_accessor"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 7,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:6a8fba2f6eb1f9409d6f281891d9c1a34d53cbf01e3f05ad0fcc88af1150aa35",
"title": "Internet-exposed GCP workload can access sensitive data services",
"rule_id": "gcp-public-workload-sensitive-data-access",
"category": "Information Disclosure",
"severity": "high",
"affected_resources": [
"google_cloudfunctions_function.worker",
"google_secret_manager_secret.api_key",
"google_secret_manager_secret_iam_member.run_accessor",
"google_secret_manager_secret_iam_member.function_accessor"
],
"trust_boundary_id": "workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key",
"rationale": "google_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
"recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
"evidence": [
{
"key": "public_exposure_reasons",
"values": [
"google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
]
},
{
"key": "workload_identity",
"values": [
"serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
]
},
{
"key": "data_access_path",
"values": [
"google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key"
]
},
{
"key": "boundary_rationale",
"values": [
"GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com."
]
},
{
"key": "resource_policy_sources",
"values": [
"google_secret_manager_secret_iam_member.run_accessor",
"google_secret_manager_secret_iam_member.function_accessor"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 1,
"data_sensitivity": 2,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 7,
"severity": "high",
"computed_severity": null
}
},
{
"fingerprint": "sha256:26d830ba0ec2a53756c3eaced1c3be81057169315b2b42d8c7419e083cfc77d6",
"title": "Cloud Functions function is publicly invokable",
"rule_id": "gcp-cloud-functions-public-invoker",
"category": "Spoofing",
"severity": "medium",
"affected_resources": [
"google_cloudfunctions_function.worker",
"google_cloudfunctions_function_iam_member.public_invoker"
],
"trust_boundary_id": "internet-to-service:internet->google_cloudfunctions_function.worker",
"rationale": "google_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.",
"recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from Cloud Functions invoker bindings unless anonymous access is intentional, and require authentication, IAP, API Gateway, or a controlled edge policy for public HTTP functions.",
"evidence": [
{
"key": "public_invoker_bindings",
"values": [
"source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers"
]
},
{
"key": "public_access_reasons",
"values": [
"google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
]
},
{
"key": "public_exposure_reasons",
"values": [
"google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:fdfa137966c89eb875eb160f45285149877d78495eec49c0a7250ae0a64e7a28",
"title": "Cloud Run service is publicly invokable",
"rule_id": "gcp-cloud-run-public-invoker",
"category": "Spoofing",
"severity": "medium",
"affected_resources": [
"google_cloud_run_v2_service.api",
"google_cloud_run_v2_service_iam_member.public_invoker"
],
"trust_boundary_id": "internet-to-service:internet->google_cloud_run_v2_service.api",
"rationale": "google_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.",
"recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from Cloud Run invoker bindings unless anonymous access is intentional, and front public services with authentication, IAP, API Gateway, or a controlled edge policy.",
"evidence": [
{
"key": "public_invoker_bindings",
"values": [
"source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers"
]
},
{
"key": "public_access_reasons",
"values": [
"google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
]
},
{
"key": "public_exposure_reasons",
"values": [
"google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
]
}
],
"severity_reasoning": {
"internet_exposure": 2,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 0,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
"title": "GCP subnetwork Flow Logs are not configured",
"rule_id": "gcp-subnetwork-flow-logs-not-configured",
"category": "Repudiation",
"severity": "medium",
"affected_resources": [
"google_compute_subnetwork.app"
],
"trust_boundary_id": null,
"rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
"recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
"evidence": [
{
"key": "subnetwork_flow_log_posture",
"values": [
"address=google_compute_subnetwork.app",
"type=google_compute_subnetwork",
"name=app",
"identifier=tfstride-app",
"flow_log_state=not_configured",
"network=google_compute_network.main.id",
"project=tfstride-demo"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 1,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# GCP Serverless Demo
- Analyzed file: `sample_gcp_serverless_plan.json`
- Provider: `gcp`
- Normalized resources: `11`
- Unsupported resources: `0`
## Summary
This run identified **4 trust boundaries** and **5 findings** across **11 normalized resources**.
- High severity findings: `2`
- Medium severity findings: `3`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `11`
- Provider resources considered: `11`
- Normalized resources: `11`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
- `gcp-subnetwork-flow-logs-not-configured`: `1`
- `gcp-cloud-run-public-invoker`: `1`
- `gcp-cloud-functions-public-invoker`: `1`
- `gcp-public-workload-sensitive-data-access`: `2`
## Discovered Trust Boundaries
### `internet-to-service`
- Source: `internet`
- Target: `google_cloud_run_v2_service.api`
- Description: Traffic can cross from the public internet to google_cloud_run_v2_service.api.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `internet-to-service`
- Source: `internet`
- Target: `google_cloudfunctions_function.worker`
- Description: Traffic can cross from the public internet to google_cloudfunctions_function.worker.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `workload-to-data-store`
- Source: `google_cloud_run_v2_service.api`
- Target: `google_secret_manager_secret.api_key`
- Description: google_cloud_run_v2_service.api can interact with google_secret_manager_secret.api_key.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com.
### `workload-to-data-store`
- Source: `google_cloudfunctions_function.worker`
- Target: `google_secret_manager_secret.api_key`
- Description: google_cloudfunctions_function.worker can interact with google_secret_manager_secret.api_key.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
## Findings
### High
#### Internet-exposed GCP workload can access sensitive data services
- STRIDE category: Information Disclosure
- Affected resources: `google_cloud_run_v2_service.api`, `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.run_accessor`
- Trust boundary: `workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
- public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
- workload identity: serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com
- cloud run secret access paths: secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured
- resource policy sources: google_secret_manager_secret_iam_member.run_accessor
#### Internet-exposed GCP workload can access sensitive data services
- STRIDE category: Information Disclosure
- Affected resources: `google_cloudfunctions_function.worker`, `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.run_accessor`, `google_secret_manager_secret_iam_member.function_accessor`
- Trust boundary: `workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
- public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
- workload identity: serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com
- data access path: google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key
- boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
- resource policy sources: google_secret_manager_secret_iam_member.run_accessor; google_secret_manager_secret_iam_member.function_accessor
### Medium
#### Cloud Functions function is publicly invokable
- STRIDE category: Spoofing
- Affected resources: `google_cloudfunctions_function.worker`, `google_cloudfunctions_function_iam_member.public_invoker`
- Trust boundary: `internet-to-service:internet->google_cloudfunctions_function.worker`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from Cloud Functions invoker bindings unless anonymous access is intentional, and require authentication, IAP, API Gateway, or a controlled edge policy for public HTTP functions.
- Evidence:
- public invoker bindings: source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers
- public access reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
- public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
#### Cloud Run service is publicly invokable
- STRIDE category: Spoofing
- Affected resources: `google_cloud_run_v2_service.api`, `google_cloud_run_v2_service_iam_member.public_invoker`
- Trust boundary: `internet-to-service:internet->google_cloud_run_v2_service.api`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from Cloud Run invoker bindings unless anonymous access is intentional, and front public services with authentication, IAP, API Gateway, or a controlled edge policy.
- Evidence:
- public invoker bindings: source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers
- public access reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
- public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
#### GCP subnetwork Flow Logs are not configured
- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
- subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.