Active findings
6Built-in scenario
aws/sample_aws_lambda_deploy_role_plan.jsonLambda Deploy Role Demo
Analyzed sample_aws_lambda_deploy_role_plan.json with 13 normalized resources and 4 trust boundaries.
Trust boundaries
4Resources
13Observations
0Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 13
- Normalized resources
- 13
No unsupported AWS resource types were encountered.
Rule coverage
- Registered rules
- 83
- Disabled rules
- 0
- aws-workload-s3-vpc-endpoint-missing1
- aws-vpc-flow-logs-not-configured1
- aws-iam-privileged-role-assignment1
- aws-workload-role-sensitive-permissions1
- aws-role-trust-expansion1
- aws-role-trust-missing-narrowing1
Findings
Severity bands
High
0No high findings.
Medium
6Cross-account or broad role trust lacks narrowing conditions
aws-role-trust-missing-narrowingaws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.
- Category
- Elevation of Privilege
- Boundary
- cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer
- Resources
- aws_iam_role.deployer
Evidence
- trust principals: arn:aws:iam::777788889999:role/ci-deployer
- trust scope: principal belongs to foreign account 777788889999
- trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none
IAM role has privileged assignment posture
aws-iam-privileged-role-assignmentaws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.
- Category
- Elevation of Privilege
- Boundary
- not-applicable
- Resources
- aws_iam_role.deployer
Evidence
- iam role: address=aws_iam_role.deployer; type=aws_iam_role; arn=arn:aws:iam::333344445555:role/lambda-deployer-role; identifier=lambda-deployer-role
- privileged access: grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium
- privilege categories: privilege-escalation
- permission patterns: iam:PassRole
- grant scopes: scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*
- grant confidence: medium
- inline policy sources: inline_policy_name=lambda-deployer-inline
Role trust relationship expands blast radius
aws-role-trust-expansionaws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Category
- Elevation of Privilege
- Boundary
- cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer
- Resources
- aws_iam_role.deployer
Evidence
- trust principals: arn:aws:iam::777788889999:role/ci-deployer
- trust path: trust principal belongs to foreign account 777788889999
VPC Flow Logs are not configured for a modeled VPC
aws-vpc-flow-logs-not-configuredaws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.
- Category
- Repudiation
- Boundary
- not-applicable
- Resources
- aws_vpc.main
Evidence
- target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-lambda-001; cidr_block=10.30.0.0/16
- flow log coverage: target_vpc_id=vpc-lambda-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled
Workload role carries sensitive permissions
aws-workload-role-sensitive-permissionsaws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.
- Category
- Elevation of Privilege
- Boundary
- admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer
- Resources
- aws_lambda_function.deployer, aws_iam_role.deployer
Evidence
- iam actions: iam:PassRole
- policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
Workload uses S3 without a VPC endpoint
aws-workload-s3-vpc-endpoint-missingaws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.
- Category
- Information Disclosure
- Boundary
- not-applicable
- Resources
- aws_lambda_function.deployer, aws_iam_role.deployer
Evidence
- target workload: address=aws_lambda_function.deployer; type=aws_lambda_function; vpc_id=vpc-lambda-001; subnet_ids=[subnet-lambda-private-app-001]; security_group_ids=[sg-lambda-app-001]
- sensitive service dependency: service=s3; role=aws_iam_role.deployer; actions=[s3:GetObject]; resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
- vpc endpoint coverage: vpc_id=vpc-lambda-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
- policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.deployer -> aws_lambda_function.deployer
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
cross-account-or-role-access
arn:aws:iam::777788889999:role/ci-deployer -> aws_iam_role.deployer
A foreign AWS account can cross into this role's trust boundary.
public-subnet-to-private-subnet
aws_subnet.public_edge -> aws_subnet.private_app
The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
workload-to-data-store
aws_lambda_function.deployer -> aws_s3_bucket.artifacts
Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "Lambda Deploy Role Demo",
"analyzed_file": "sample_aws_lambda_deploy_role_plan.json",
"analyzed_path": "sample_aws_lambda_deploy_role_plan.json",
"summary": {
"normalized_resources": 13,
"unsupported_resources": 0,
"trust_boundaries": 4,
"active_findings": 6,
"total_findings": 6,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 6,
"low": 0
}
},
"filtering": {
"total_findings": 6,
"active_findings": 6,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 13,
"provider_resources": 13,
"normalized_resources": 13,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 83,
"enabled_rules": [
"aws-public-compute-broad-ingress",
"aws-lambda-public-invocation",
"aws-load-balancer-http-public-listener",
"aws-load-balancer-listener-tls-certificate-missing",
"aws-load-balancer-listener-ssl-policy-weak-or-unknown",
"aws-public-alb-waf-missing",
"aws-cloudfront-viewer-http-allowed",
"aws-cloudfront-viewer-tls-policy-weak-or-unknown",
"aws-cloudfront-access-logging-not-configured",
"aws-public-cloudfront-waf-missing",
"aws-api-gateway-cors-permissive",
"aws-public-api-gateway-waf-missing",
"aws-api-gateway-public-route-authorization-none",
"aws-api-gateway-stage-access-logs-missing",
"aws-cloudtrail-multi-region-disabled",
"aws-cloudtrail-log-file-validation-disabled",
"aws-cloudtrail-management-events-disabled",
"aws-cloudtrail-data-events-not-modeled",
"aws-cloudtrail-insight-selectors-missing",
"aws-guardduty-detector-disabled-or-missing",
"aws-securityhub-account-missing",
"aws-config-recorder-disabled-or-missing",
"aws-config-delivery-channel-missing",
"aws-access-analyzer-not-configured",
"aws-macie-not-enabled-for-sensitive-storage",
"aws-rds-storage-encryption-disabled",
"aws-rds-public-endpoint-enabled",
"aws-rds-backup-retention-insufficient",
"aws-rds-deletion-protection-disabled",
"aws-rds-customer-managed-kms-key-missing",
"aws-rds-multi-az-disabled",
"aws-rds-performance-insights-disabled",
"aws-rds-cloudwatch-log-exports-missing",
"aws-rds-iam-auth-disabled",
"aws-s3-public-access",
"aws-s3-customer-managed-encryption-missing",
"aws-s3-versioning-disabled",
"aws-s3-object-lock-retention-missing",
"aws-s3-lifecycle-noncurrent-retention-insufficient",
"aws-ecr-image-tag-mutability-enabled",
"aws-ecr-customer-managed-encryption-missing",
"aws-ecr-repository-scanning-disabled",
"aws-workload-image-not-digest-pinned",
"aws-workload-ecr-mutable-tag",
"aws-workload-can-modify-image-repository",
"aws-ecs-sensitive-environment-value-inline",
"aws-ecs-secret-access-blast-radius",
"aws-public-ecs-secret-access",
"aws-public-ecs-s3-mutation-access",
"aws-public-ecs-messaging-mutation-access",
"aws-sns-customer-managed-encryption-missing",
"aws-sqs-customer-managed-encryption-missing",
"aws-sqs-message-retention-insufficient",
"aws-sqs-dead-letter-queue-not-configured",
"aws-secretsmanager-customer-managed-kms-key-missing",
"aws-secretsmanager-recovery-window-too-short",
"aws-secretsmanager-rotation-not-configured-or-too-long",
"aws-kms-key-rotation-disabled-or-unknown",
"aws-kms-key-deletion-window-too-short",
"aws-workload-secretsmanager-vpc-endpoint-missing",
"aws-workload-kms-vpc-endpoint-missing",
"aws-workload-s3-vpc-endpoint-missing",
"aws-vpc-endpoint-policy-broad-access",
"aws-vpc-flow-logs-not-configured",
"aws-vpc-flow-log-traffic-type-incomplete",
"aws-vpc-flow-log-destination-missing",
"aws-eks-api-endpoint-public-unrestricted",
"aws-eks-private-endpoint-not-enabled",
"aws-eks-secrets-encryption-not-configured",
"aws-eks-control-plane-logging-incomplete",
"aws-eks-authentication-mode-weak-or-unknown",
"aws-eks-vpc-cni-network-policy-not-enabled",
"aws-database-permissive-ingress",
"aws-missing-tier-segmentation",
"aws-sensitive-resource-policy-external-access",
"aws-service-resource-policy-external-access",
"aws-iam-wildcard-permissions",
"aws-iam-privileged-role-assignment",
"aws-workload-role-sensitive-permissions",
"aws-private-data-transitive-exposure",
"aws-control-plane-sensitive-workload-chain",
"aws-role-trust-expansion",
"aws-role-trust-missing-narrowing"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"aws-public-compute-broad-ingress": 0,
"aws-lambda-public-invocation": 0,
"aws-load-balancer-http-public-listener": 0,
"aws-load-balancer-listener-tls-certificate-missing": 0,
"aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
"aws-public-alb-waf-missing": 0,
"aws-cloudfront-viewer-http-allowed": 0,
"aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
"aws-cloudfront-access-logging-not-configured": 0,
"aws-public-cloudfront-waf-missing": 0,
"aws-api-gateway-cors-permissive": 0,
"aws-public-api-gateway-waf-missing": 0,
"aws-api-gateway-public-route-authorization-none": 0,
"aws-api-gateway-stage-access-logs-missing": 0,
"aws-cloudtrail-multi-region-disabled": 0,
"aws-cloudtrail-log-file-validation-disabled": 0,
"aws-cloudtrail-management-events-disabled": 0,
"aws-cloudtrail-data-events-not-modeled": 0,
"aws-cloudtrail-insight-selectors-missing": 0,
"aws-guardduty-detector-disabled-or-missing": 0,
"aws-securityhub-account-missing": 0,
"aws-config-recorder-disabled-or-missing": 0,
"aws-config-delivery-channel-missing": 0,
"aws-access-analyzer-not-configured": 0,
"aws-macie-not-enabled-for-sensitive-storage": 0,
"aws-rds-storage-encryption-disabled": 0,
"aws-rds-public-endpoint-enabled": 0,
"aws-rds-backup-retention-insufficient": 0,
"aws-rds-deletion-protection-disabled": 0,
"aws-rds-customer-managed-kms-key-missing": 0,
"aws-rds-multi-az-disabled": 0,
"aws-rds-performance-insights-disabled": 0,
"aws-rds-cloudwatch-log-exports-missing": 0,
"aws-rds-iam-auth-disabled": 0,
"aws-s3-public-access": 0,
"aws-s3-customer-managed-encryption-missing": 0,
"aws-s3-versioning-disabled": 0,
"aws-s3-object-lock-retention-missing": 0,
"aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
"aws-ecr-image-tag-mutability-enabled": 0,
"aws-ecr-customer-managed-encryption-missing": 0,
"aws-ecr-repository-scanning-disabled": 0,
"aws-workload-image-not-digest-pinned": 0,
"aws-workload-ecr-mutable-tag": 0,
"aws-workload-can-modify-image-repository": 0,
"aws-ecs-sensitive-environment-value-inline": 0,
"aws-ecs-secret-access-blast-radius": 0,
"aws-public-ecs-secret-access": 0,
"aws-public-ecs-s3-mutation-access": 0,
"aws-public-ecs-messaging-mutation-access": 0,
"aws-sns-customer-managed-encryption-missing": 0,
"aws-sqs-customer-managed-encryption-missing": 0,
"aws-sqs-message-retention-insufficient": 0,
"aws-sqs-dead-letter-queue-not-configured": 0,
"aws-secretsmanager-customer-managed-kms-key-missing": 0,
"aws-secretsmanager-recovery-window-too-short": 0,
"aws-secretsmanager-rotation-not-configured-or-too-long": 0,
"aws-kms-key-rotation-disabled-or-unknown": 0,
"aws-kms-key-deletion-window-too-short": 0,
"aws-workload-secretsmanager-vpc-endpoint-missing": 0,
"aws-workload-kms-vpc-endpoint-missing": 0,
"aws-workload-s3-vpc-endpoint-missing": 1,
"aws-vpc-endpoint-policy-broad-access": 0,
"aws-vpc-flow-logs-not-configured": 1,
"aws-vpc-flow-log-traffic-type-incomplete": 0,
"aws-vpc-flow-log-destination-missing": 0,
"aws-eks-api-endpoint-public-unrestricted": 0,
"aws-eks-private-endpoint-not-enabled": 0,
"aws-eks-secrets-encryption-not-configured": 0,
"aws-eks-control-plane-logging-incomplete": 0,
"aws-eks-authentication-mode-weak-or-unknown": 0,
"aws-eks-vpc-cni-network-policy-not-enabled": 0,
"aws-database-permissive-ingress": 0,
"aws-missing-tier-segmentation": 0,
"aws-sensitive-resource-policy-external-access": 0,
"aws-service-resource-policy-external-access": 0,
"aws-iam-wildcard-permissions": 0,
"aws-iam-privileged-role-assignment": 1,
"aws-workload-role-sensitive-permissions": 1,
"aws-private-data-transitive-exposure": 0,
"aws-control-plane-sensitive-workload-chain": 0,
"aws-role-trust-expansion": 1,
"aws-role-trust-missing-narrowing": 1
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "333344445555",
"supported_resource_types": [
"aws_accessanalyzer_analyzer",
"aws_api_gateway_authorizer",
"aws_api_gateway_method",
"aws_api_gateway_rest_api",
"aws_api_gateway_stage",
"aws_apigatewayv2_api",
"aws_apigatewayv2_route",
"aws_apigatewayv2_stage",
"aws_cloudfront_distribution",
"aws_cloudtrail",
"aws_config_configuration_recorder",
"aws_config_configuration_recorder_status",
"aws_config_delivery_channel",
"aws_db_instance",
"aws_ecr_registry_scanning_configuration",
"aws_ecr_repository",
"aws_ecs_cluster",
"aws_ecs_service",
"aws_ecs_task_definition",
"aws_eks_addon",
"aws_eks_cluster",
"aws_flow_log",
"aws_guardduty_detector",
"aws_iam_instance_profile",
"aws_iam_openid_connect_provider",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_function_url",
"aws_lambda_permission",
"aws_lb",
"aws_lb_listener",
"aws_lb_listener_rule",
"aws_lb_target_group",
"aws_macie2_account",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_lifecycle_configuration",
"aws_s3_bucket_object_lock_configuration",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_s3_bucket_server_side_encryption_configuration",
"aws_s3_bucket_versioning",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_secretsmanager_secret_rotation",
"aws_security_group",
"aws_security_group_rule",
"aws_securityhub_account",
"aws_sns_topic",
"aws_sqs_queue",
"aws_sqs_queue_redrive_policy",
"aws_subnet",
"aws_vpc",
"aws_vpc_endpoint",
"aws_wafv2_web_acl",
"aws_wafv2_web_acl_association"
],
"total_input_resources": 13,
"provider_resource_count": 13,
"normalized_resource_count": 13,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "aws_iam_role.deployer",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "deployer",
"category": "iam",
"identifier": "lambda-deployer-role",
"arn": "arn:aws:iam::333344445555:role/lambda-deployer-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [
{
"effect": "Allow",
"actions": [
"lambda:UpdateFunctionCode",
"lambda:UpdateAlias",
"iam:PassRole",
"s3:GetObject"
],
"resources": [
"arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
"arn:aws:iam::333344445555:role/lambda-runtime-role",
"arn:aws:s3:::lambda-deploy-artifacts/*"
],
"principals": [],
"principal_entries": [],
"conditions": []
}
],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::777788889999:role/ci-deployer"
}
}
]
},
"trust_principals": [
"arn:aws:iam::777788889999:role/ci-deployer",
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"principal_entries": [
{
"kind": "Service",
"value": "lambda.amazonaws.com"
}
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
},
{
"principals": [
"arn:aws:iam::777788889999:role/ci-deployer"
],
"principal_entries": [
{
"kind": "AWS",
"value": "arn:aws:iam::777788889999:role/ci-deployer"
}
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
}
],
"inline_policy_names": [
"lambda-deployer-inline"
],
"privileged_access_grants": [
{
"provider": "aws",
"principal_type": "role",
"principal_identifier": "arn:aws:iam::333344445555:role/lambda-deployer-role",
"principal_display_name": "aws_iam_role.deployer",
"principal_source_address": "aws_iam_role.deployer",
"scope_kind": "resource",
"scope_value": "arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*",
"scope_source_address": null,
"privilege_categories": [
"privilege-escalation"
],
"confidence": "medium",
"assignment_source_address": "aws_iam_role.deployer",
"role_name": "lambda-deployer-role",
"role_id": "arn:aws:iam::333344445555:role/lambda-deployer-role",
"permission_patterns": [
"iam:PassRole"
],
"evidence": [
"action=lambda:UpdateFunctionCode",
"action=lambda:UpdateAlias",
"action=iam:PassRole",
"action=s3:GetObject",
"resource=arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
"resource=arn:aws:iam::333344445555:role/lambda-runtime-role",
"resource=arn:aws:s3:::lambda-deploy-artifacts/*"
],
"uncertainties": []
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_internet_gateway.main",
"provider": "aws",
"resource_type": "aws_internet_gateway",
"name": "main",
"category": "network",
"identifier": "igw-lambda-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.deployer",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "deployer",
"category": "compute",
"identifier": "release-deployer",
"arn": "arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
"vpc_id": "vpc-lambda-001",
"subnet_ids": [
"subnet-lambda-private-app-001"
],
"security_group_ids": [
"sg-lambda-app-001"
],
"attached_role_arns": [
"arn:aws:iam::333344445555:role/lambda-deployer-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": true,
"container_image_references": [],
"container_image_posture_uncertainties": [],
"ecr_write_paths": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": true,
"direct_internet_reachable": false
}
},
{
"address": "aws_nat_gateway.main",
"provider": "aws",
"resource_type": "aws_nat_gateway",
"name": "main",
"category": "network",
"identifier": "nat-lambda-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [
"subnet-lambda-public-001"
],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"allocation_id": "eipalloc-lambda-001",
"connectivity_type": "public",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": true,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.private",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "private",
"category": "network",
"identifier": "rtb-lambda-private-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"nat_gateway_id": "nat-lambda-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.public",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "public",
"category": "network",
"identifier": "rtb-lambda-public-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"gateway_id": "igw-lambda-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.private_app",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "private_app",
"category": "network",
"identifier": "rtassoc-lambda-private-app-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-lambda-private-001",
"subnet_id": "subnet-lambda-private-app-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.public_edge",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "public_edge",
"category": "network",
"identifier": "rtassoc-lambda-public-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-lambda-public-001",
"subnet_id": "subnet-lambda-public-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_s3_bucket.artifacts",
"provider": "aws",
"resource_type": "aws_s3_bucket",
"name": "artifacts",
"category": "data",
"identifier": "lambda-deploy-artifacts",
"arn": "arn:aws:s3:::lambda-deploy-artifacts",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"bucket": "lambda-deploy-artifacts",
"acl": "private",
"policy_document": {},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.lambda",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "lambda",
"category": "network",
"identifier": "sg-lambda-app-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Private Lambda egress only",
"group_name": "lambda-app-sg",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.private_app",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "private_app",
"category": "network",
"identifier": "subnet-lambda-private-app-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.30.2.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": false,
"tags": {
"Tier": "app"
},
"is_public_subnet": false,
"route_table_ids": [
"rtb-lambda-private-001"
],
"has_public_route": false,
"has_nat_gateway_egress": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.public_edge",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "public_edge",
"category": "network",
"identifier": "subnet-lambda-public-001",
"arn": null,
"vpc_id": "vpc-lambda-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.30.1.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": true,
"tags": {
"Tier": "edge"
},
"is_public_subnet": true,
"route_table_ids": [
"rtb-lambda-public-001"
],
"has_public_route": true,
"has_nat_gateway_egress": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_vpc.main",
"provider": "aws",
"resource_type": "aws_vpc",
"name": "main",
"category": "network",
"identifier": "vpc-lambda-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.30.0.0/16",
"tags": {
"Name": "lambda-main"
},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.deployer",
"target": "aws_lambda_function.deployer",
"description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
"boundary_type": "cross-account-or-role-access",
"source": "arn:aws:iam::777788889999:role/ci-deployer",
"target": "aws_iam_role.deployer",
"description": "aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer.",
"rationale": "A foreign AWS account can cross into this role's trust boundary."
},
{
"identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
"boundary_type": "public-subnet-to-private-subnet",
"source": "aws_subnet.public_edge",
"target": "aws_subnet.private_app",
"description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
"rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
},
{
"identifier": "workload-to-data-store:aws_lambda_function.deployer->aws_s3_bucket.artifacts",
"boundary_type": "workload-to-data-store",
"source": "aws_lambda_function.deployer",
"target": "aws_s3_bucket.artifacts",
"description": "aws_lambda_function.deployer can interact with aws_s3_bucket.artifacts.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject."
}
],
"findings": [
{
"fingerprint": "sha256:779d6edce767dff9f916fcc604a983e2422f5cbec06afa1ee3628e7c7f333836",
"title": "Cross-account or broad role trust lacks narrowing conditions",
"rule_id": "aws-role-trust-missing-narrowing",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_iam_role.deployer"
],
"trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
"rationale": "aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.",
"recommended_mitigation": "Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::777788889999:role/ci-deployer"
]
},
{
"key": "trust_scope",
"values": [
"principal belongs to foreign account 777788889999"
]
},
{
"key": "trust_narrowing",
"values": [
"supported narrowing conditions present: false",
"supported narrowing condition keys: none"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:af1071c3ecb319ef54ec290d8cb30dcfcc3a056506c390371aa24a8ca58d0b13",
"title": "IAM role has privileged assignment posture",
"rule_id": "aws-iam-privileged-role-assignment",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_iam_role.deployer"
],
"trust_boundary_id": null,
"rationale": "aws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.",
"recommended_mitigation": "Review high-impact IAM role permissions, split administrative and runtime duties, scope resources to named ARNs, and avoid attaching broad IAM, role-passing, secrets, KMS, data, network, or audit administration permissions to general workload roles.",
"evidence": [
{
"key": "iam_role",
"values": [
"address=aws_iam_role.deployer",
"type=aws_iam_role",
"arn=arn:aws:iam::333344445555:role/lambda-deployer-role",
"identifier=lambda-deployer-role"
]
},
{
"key": "privileged_access",
"values": [
"grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium"
]
},
{
"key": "privilege_categories",
"values": [
"privilege-escalation"
]
},
{
"key": "permission_patterns",
"values": [
"iam:PassRole"
]
},
{
"key": "grant_scopes",
"values": [
"scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*"
]
},
{
"key": "grant_confidence",
"values": [
"medium"
]
},
{
"key": "inline_policy_sources",
"values": [
"inline_policy_name=lambda-deployer-inline"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 2,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:cb6a7038bd28599e007499cbe69c1732053517b65bebb50ece21368f29197124",
"title": "Role trust relationship expands blast radius",
"rule_id": "aws-role-trust-expansion",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_iam_role.deployer"
],
"trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
"rationale": "aws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.",
"recommended_mitigation": "Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::777788889999:role/ci-deployer"
]
},
{
"key": "trust_path",
"values": [
"trust principal belongs to foreign account 777788889999"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 2,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:c2dad77f15c57ff9b288847015b64eb1504039f1eeae0aa0312b748ec4410f40",
"title": "VPC Flow Logs are not configured for a modeled VPC",
"rule_id": "aws-vpc-flow-logs-not-configured",
"category": "Repudiation",
"severity": "medium",
"affected_resources": [
"aws_vpc.main"
],
"trust_boundary_id": null,
"rationale": "aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.",
"recommended_mitigation": "Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.",
"evidence": [
{
"key": "target_vpc",
"values": [
"address=aws_vpc.main",
"type=aws_vpc",
"identifier=vpc-lambda-001",
"cidr_block=10.30.0.0/16"
]
},
{
"key": "flow_log_coverage",
"values": [
"target_vpc_id=vpc-lambda-001",
"resolved_vpc_flow_log_count=0",
"aws_flow_log resources are not modeled"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 3,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:2c115ec74630511b2ca95853b6925217b80aacdf2b1aeeeb17b5311ee39408d5",
"title": "Workload role carries sensitive permissions",
"rule_id": "aws-workload-role-sensitive-permissions",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_lambda_function.deployer",
"aws_iam_role.deployer"
],
"trust_boundary_id": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"rationale": "aws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.",
"recommended_mitigation": "Split high-privilege actions into separate roles, scope permissions to named resources, and remove role-passing or cross-role permissions from general application identities.",
"evidence": [
{
"key": "iam_actions",
"values": [
"iam:PassRole"
]
},
{
"key": "policy_statements",
"values": [
"Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 1,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:cb4e2d35e543a498f0aebfc022638b85e104158165d342d46e8c7f39664a7a57",
"title": "Workload uses S3 without a VPC endpoint",
"rule_id": "aws-workload-s3-vpc-endpoint-missing",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"aws_lambda_function.deployer",
"aws_iam_role.deployer"
],
"trust_boundary_id": null,
"rationale": "aws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.",
"recommended_mitigation": "Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.",
"evidence": [
{
"key": "target_workload",
"values": [
"address=aws_lambda_function.deployer",
"type=aws_lambda_function",
"vpc_id=vpc-lambda-001",
"subnet_ids=[subnet-lambda-private-app-001]",
"security_group_ids=[sg-lambda-app-001]"
]
},
{
"key": "sensitive_service_dependency",
"values": [
"service=s3",
"role=aws_iam_role.deployer",
"actions=[s3:GetObject]",
"resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
]
},
{
"key": "vpc_endpoint_coverage",
"values": [
"vpc_id=vpc-lambda-001",
"service=s3",
"expected_endpoint_type=gateway_or_interface",
"vpc_endpoint_coverage=missing"
]
},
{
"key": "policy_statements",
"values": [
"Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 1,
"lateral_movement": 1,
"blast_radius": 1,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Lambda Deploy Role Demo
- Analyzed file: `sample_aws_lambda_deploy_role_plan.json`
- Provider: `aws`
- Normalized resources: `13`
- Unsupported resources: `0`
## Summary
This run identified **4 trust boundaries** and **6 findings** across **13 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `6`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `13`
- Provider resources considered: `13`
- Normalized resources: `13`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
- `aws-workload-s3-vpc-endpoint-missing`: `1`
- `aws-vpc-flow-logs-not-configured`: `1`
- `aws-iam-privileged-role-assignment`: `1`
- `aws-workload-role-sensitive-permissions`: `1`
- `aws-role-trust-expansion`: `1`
- `aws-role-trust-missing-narrowing`: `1`
## Discovered Trust Boundaries
### `public-subnet-to-private-subnet`
- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
### `workload-to-data-store`
- Source: `aws_lambda_function.deployer`
- Target: `aws_s3_bucket.artifacts`
- Description: aws_lambda_function.deployer can interact with aws_s3_bucket.artifacts.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.
### `admin-to-workload-plane`
- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
### `cross-account-or-role-access`
- Source: `arn:aws:iam::777788889999:role/ci-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.
## Findings
### High
No findings in this severity band.
### Medium
#### Cross-account or broad role trust lacks narrowing conditions
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.
- Recommended mitigation: Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.
- Evidence:
- trust principals: arn:aws:iam::777788889999:role/ci-deployer
- trust scope: principal belongs to foreign account 777788889999
- trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none
#### IAM role has privileged assignment posture
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +2, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 5 => medium
- Rationale: aws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.
- Recommended mitigation: Review high-impact IAM role permissions, split administrative and runtime duties, scope resources to named ARNs, and avoid attaching broad IAM, role-passing, secrets, KMS, data, network, or audit administration permissions to general workload roles.
- Evidence:
- iam role: address=aws_iam_role.deployer; type=aws_iam_role; arn=arn:aws:iam::333344445555:role/lambda-deployer-role; identifier=lambda-deployer-role
- privileged access: grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium
- privilege categories: privilege-escalation
- permission patterns: iam:PassRole
- grant scopes: scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*
- grant confidence: medium
- inline policy sources: inline_policy_name=lambda-deployer-inline
#### Role trust relationship expands blast radius
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +2, blast_radius +2, final_score 5 => medium
- Rationale: aws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Recommended mitigation: Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.
- Evidence:
- trust principals: arn:aws:iam::777788889999:role/ci-deployer
- trust path: trust principal belongs to foreign account 777788889999
#### VPC Flow Logs are not configured for a modeled VPC
- STRIDE category: Repudiation
- Affected resources: `aws_vpc.main`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 3 => medium
- Rationale: aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.
- Recommended mitigation: Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.
- Evidence:
- target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-lambda-001; cidr_block=10.30.0.0/16
- flow log coverage: target_vpc_id=vpc-lambda-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled
#### Workload role carries sensitive permissions
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_lambda_function.deployer`, `aws_iam_role.deployer`
- Trust boundary: `admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +1, lateral_movement +1, blast_radius +2, final_score 5 => medium
- Rationale: aws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.
- Recommended mitigation: Split high-privilege actions into separate roles, scope permissions to named resources, and remove role-passing or cross-role permissions from general application identities.
- Evidence:
- iam actions: iam:PassRole
- policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
#### Workload uses S3 without a VPC endpoint
- STRIDE category: Information Disclosure
- Affected resources: `aws_lambda_function.deployer`, `aws_iam_role.deployer`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +1, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: aws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.
- Recommended mitigation: Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.
- Evidence:
- target workload: address=aws_lambda_function.deployer; type=aws_lambda_function; vpc_id=vpc-lambda-001; subnet_ids=[subnet-lambda-private-app-001]; security_group_ids=[sg-lambda-app-001]
- sensitive service dependency: service=s3; role=aws_iam_role.deployer; actions=[s3:GetObject]; resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
- vpc endpoint coverage: vpc_id=vpc-lambda-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
- policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.