Built-in scenario

aws/sample_aws_lambda_deploy_role_plan.json

Lambda Deploy Role Demo

Analyzed sample_aws_lambda_deploy_role_plan.json with 13 normalized resources and 4 trust boundaries.

Analyze another plan

Active findings

6

Trust boundaries

4

Resources

13

Observations

0
High 0
Medium 6
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 13
Unsupported 0
Enabled rules 83
Unresolved refs 0

Resource coverage

Provider resources considered
13
Normalized resources
13

No unsupported AWS resource types were encountered.

Rule coverage

Registered rules
83
Disabled rules
0
  • aws-workload-s3-vpc-endpoint-missing1
  • aws-vpc-flow-logs-not-configured1
  • aws-iam-privileged-role-assignment1
  • aws-workload-role-sensitive-permissions1
  • aws-role-trust-expansion1
  • aws-role-trust-missing-narrowing1

Findings

Severity bands

High

0

No high findings.

Medium

6

Cross-account or broad role trust lacks narrowing conditions

aws-role-trust-missing-narrowing

aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.

Category
Elevation of Privilege
Boundary
cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer
Resources
aws_iam_role.deployer
Evidence
  • trust principals: arn:aws:iam::777788889999:role/ci-deployer
  • trust scope: principal belongs to foreign account 777788889999
  • trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none

IAM role has privileged assignment posture

aws-iam-privileged-role-assignment

aws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.

Category
Elevation of Privilege
Boundary
not-applicable
Resources
aws_iam_role.deployer
Evidence
  • iam role: address=aws_iam_role.deployer; type=aws_iam_role; arn=arn:aws:iam::333344445555:role/lambda-deployer-role; identifier=lambda-deployer-role
  • privileged access: grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium
  • privilege categories: privilege-escalation
  • permission patterns: iam:PassRole
  • grant scopes: scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*
  • grant confidence: medium
  • inline policy sources: inline_policy_name=lambda-deployer-inline

Role trust relationship expands blast radius

aws-role-trust-expansion

aws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.

Category
Elevation of Privilege
Boundary
cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer
Resources
aws_iam_role.deployer
Evidence
  • trust principals: arn:aws:iam::777788889999:role/ci-deployer
  • trust path: trust principal belongs to foreign account 777788889999

VPC Flow Logs are not configured for a modeled VPC

aws-vpc-flow-logs-not-configured

aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.

Category
Repudiation
Boundary
not-applicable
Resources
aws_vpc.main
Evidence
  • target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-lambda-001; cidr_block=10.30.0.0/16
  • flow log coverage: target_vpc_id=vpc-lambda-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

Workload role carries sensitive permissions

aws-workload-role-sensitive-permissions

aws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.

Category
Elevation of Privilege
Boundary
admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer
Resources
aws_lambda_function.deployer, aws_iam_role.deployer
Evidence
  • iam actions: iam:PassRole
  • policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]

Workload uses S3 without a VPC endpoint

aws-workload-s3-vpc-endpoint-missing

aws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.

Category
Information Disclosure
Boundary
not-applicable
Resources
aws_lambda_function.deployer, aws_iam_role.deployer
Evidence
  • target workload: address=aws_lambda_function.deployer; type=aws_lambda_function; vpc_id=vpc-lambda-001; subnet_ids=[subnet-lambda-private-app-001]; security_group_ids=[sg-lambda-app-001]
  • sensitive service dependency: service=s3; role=aws_iam_role.deployer; actions=[s3:GetObject]; resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
  • vpc endpoint coverage: vpc_id=vpc-lambda-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
  • policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

admin-to-workload-plane

aws_iam_role.deployer -> aws_lambda_function.deployer

IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

cross-account-or-role-access

arn:aws:iam::777788889999:role/ci-deployer -> aws_iam_role.deployer

A foreign AWS account can cross into this role's trust boundary.

public-subnet-to-private-subnet

aws_subnet.public_edge -> aws_subnet.private_app

The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

workload-to-data-store

aws_lambda_function.deployer -> aws_s3_bucket.artifacts

Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "Lambda Deploy Role Demo",
  "analyzed_file": "sample_aws_lambda_deploy_role_plan.json",
  "analyzed_path": "sample_aws_lambda_deploy_role_plan.json",
  "summary": {
    "normalized_resources": 13,
    "unsupported_resources": 0,
    "trust_boundaries": 4,
    "active_findings": 6,
    "total_findings": 6,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 6,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 6,
    "active_findings": 6,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 13,
      "provider_resources": 13,
      "normalized_resources": 13,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 83,
      "enabled_rules": [
        "aws-public-compute-broad-ingress",
        "aws-lambda-public-invocation",
        "aws-load-balancer-http-public-listener",
        "aws-load-balancer-listener-tls-certificate-missing",
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown",
        "aws-public-alb-waf-missing",
        "aws-cloudfront-viewer-http-allowed",
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown",
        "aws-cloudfront-access-logging-not-configured",
        "aws-public-cloudfront-waf-missing",
        "aws-api-gateway-cors-permissive",
        "aws-public-api-gateway-waf-missing",
        "aws-api-gateway-public-route-authorization-none",
        "aws-api-gateway-stage-access-logs-missing",
        "aws-cloudtrail-multi-region-disabled",
        "aws-cloudtrail-log-file-validation-disabled",
        "aws-cloudtrail-management-events-disabled",
        "aws-cloudtrail-data-events-not-modeled",
        "aws-cloudtrail-insight-selectors-missing",
        "aws-guardduty-detector-disabled-or-missing",
        "aws-securityhub-account-missing",
        "aws-config-recorder-disabled-or-missing",
        "aws-config-delivery-channel-missing",
        "aws-access-analyzer-not-configured",
        "aws-macie-not-enabled-for-sensitive-storage",
        "aws-rds-storage-encryption-disabled",
        "aws-rds-public-endpoint-enabled",
        "aws-rds-backup-retention-insufficient",
        "aws-rds-deletion-protection-disabled",
        "aws-rds-customer-managed-kms-key-missing",
        "aws-rds-multi-az-disabled",
        "aws-rds-performance-insights-disabled",
        "aws-rds-cloudwatch-log-exports-missing",
        "aws-rds-iam-auth-disabled",
        "aws-s3-public-access",
        "aws-s3-customer-managed-encryption-missing",
        "aws-s3-versioning-disabled",
        "aws-s3-object-lock-retention-missing",
        "aws-s3-lifecycle-noncurrent-retention-insufficient",
        "aws-ecr-image-tag-mutability-enabled",
        "aws-ecr-customer-managed-encryption-missing",
        "aws-ecr-repository-scanning-disabled",
        "aws-workload-image-not-digest-pinned",
        "aws-workload-ecr-mutable-tag",
        "aws-workload-can-modify-image-repository",
        "aws-ecs-sensitive-environment-value-inline",
        "aws-ecs-secret-access-blast-radius",
        "aws-public-ecs-secret-access",
        "aws-public-ecs-s3-mutation-access",
        "aws-public-ecs-messaging-mutation-access",
        "aws-sns-customer-managed-encryption-missing",
        "aws-sqs-customer-managed-encryption-missing",
        "aws-sqs-message-retention-insufficient",
        "aws-sqs-dead-letter-queue-not-configured",
        "aws-secretsmanager-customer-managed-kms-key-missing",
        "aws-secretsmanager-recovery-window-too-short",
        "aws-secretsmanager-rotation-not-configured-or-too-long",
        "aws-kms-key-rotation-disabled-or-unknown",
        "aws-kms-key-deletion-window-too-short",
        "aws-workload-secretsmanager-vpc-endpoint-missing",
        "aws-workload-kms-vpc-endpoint-missing",
        "aws-workload-s3-vpc-endpoint-missing",
        "aws-vpc-endpoint-policy-broad-access",
        "aws-vpc-flow-logs-not-configured",
        "aws-vpc-flow-log-traffic-type-incomplete",
        "aws-vpc-flow-log-destination-missing",
        "aws-eks-api-endpoint-public-unrestricted",
        "aws-eks-private-endpoint-not-enabled",
        "aws-eks-secrets-encryption-not-configured",
        "aws-eks-control-plane-logging-incomplete",
        "aws-eks-authentication-mode-weak-or-unknown",
        "aws-eks-vpc-cni-network-policy-not-enabled",
        "aws-database-permissive-ingress",
        "aws-missing-tier-segmentation",
        "aws-sensitive-resource-policy-external-access",
        "aws-service-resource-policy-external-access",
        "aws-iam-wildcard-permissions",
        "aws-iam-privileged-role-assignment",
        "aws-workload-role-sensitive-permissions",
        "aws-private-data-transitive-exposure",
        "aws-control-plane-sensitive-workload-chain",
        "aws-role-trust-expansion",
        "aws-role-trust-missing-narrowing"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "aws-public-compute-broad-ingress": 0,
        "aws-lambda-public-invocation": 0,
        "aws-load-balancer-http-public-listener": 0,
        "aws-load-balancer-listener-tls-certificate-missing": 0,
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
        "aws-public-alb-waf-missing": 0,
        "aws-cloudfront-viewer-http-allowed": 0,
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
        "aws-cloudfront-access-logging-not-configured": 0,
        "aws-public-cloudfront-waf-missing": 0,
        "aws-api-gateway-cors-permissive": 0,
        "aws-public-api-gateway-waf-missing": 0,
        "aws-api-gateway-public-route-authorization-none": 0,
        "aws-api-gateway-stage-access-logs-missing": 0,
        "aws-cloudtrail-multi-region-disabled": 0,
        "aws-cloudtrail-log-file-validation-disabled": 0,
        "aws-cloudtrail-management-events-disabled": 0,
        "aws-cloudtrail-data-events-not-modeled": 0,
        "aws-cloudtrail-insight-selectors-missing": 0,
        "aws-guardduty-detector-disabled-or-missing": 0,
        "aws-securityhub-account-missing": 0,
        "aws-config-recorder-disabled-or-missing": 0,
        "aws-config-delivery-channel-missing": 0,
        "aws-access-analyzer-not-configured": 0,
        "aws-macie-not-enabled-for-sensitive-storage": 0,
        "aws-rds-storage-encryption-disabled": 0,
        "aws-rds-public-endpoint-enabled": 0,
        "aws-rds-backup-retention-insufficient": 0,
        "aws-rds-deletion-protection-disabled": 0,
        "aws-rds-customer-managed-kms-key-missing": 0,
        "aws-rds-multi-az-disabled": 0,
        "aws-rds-performance-insights-disabled": 0,
        "aws-rds-cloudwatch-log-exports-missing": 0,
        "aws-rds-iam-auth-disabled": 0,
        "aws-s3-public-access": 0,
        "aws-s3-customer-managed-encryption-missing": 0,
        "aws-s3-versioning-disabled": 0,
        "aws-s3-object-lock-retention-missing": 0,
        "aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
        "aws-ecr-image-tag-mutability-enabled": 0,
        "aws-ecr-customer-managed-encryption-missing": 0,
        "aws-ecr-repository-scanning-disabled": 0,
        "aws-workload-image-not-digest-pinned": 0,
        "aws-workload-ecr-mutable-tag": 0,
        "aws-workload-can-modify-image-repository": 0,
        "aws-ecs-sensitive-environment-value-inline": 0,
        "aws-ecs-secret-access-blast-radius": 0,
        "aws-public-ecs-secret-access": 0,
        "aws-public-ecs-s3-mutation-access": 0,
        "aws-public-ecs-messaging-mutation-access": 0,
        "aws-sns-customer-managed-encryption-missing": 0,
        "aws-sqs-customer-managed-encryption-missing": 0,
        "aws-sqs-message-retention-insufficient": 0,
        "aws-sqs-dead-letter-queue-not-configured": 0,
        "aws-secretsmanager-customer-managed-kms-key-missing": 0,
        "aws-secretsmanager-recovery-window-too-short": 0,
        "aws-secretsmanager-rotation-not-configured-or-too-long": 0,
        "aws-kms-key-rotation-disabled-or-unknown": 0,
        "aws-kms-key-deletion-window-too-short": 0,
        "aws-workload-secretsmanager-vpc-endpoint-missing": 0,
        "aws-workload-kms-vpc-endpoint-missing": 0,
        "aws-workload-s3-vpc-endpoint-missing": 1,
        "aws-vpc-endpoint-policy-broad-access": 0,
        "aws-vpc-flow-logs-not-configured": 1,
        "aws-vpc-flow-log-traffic-type-incomplete": 0,
        "aws-vpc-flow-log-destination-missing": 0,
        "aws-eks-api-endpoint-public-unrestricted": 0,
        "aws-eks-private-endpoint-not-enabled": 0,
        "aws-eks-secrets-encryption-not-configured": 0,
        "aws-eks-control-plane-logging-incomplete": 0,
        "aws-eks-authentication-mode-weak-or-unknown": 0,
        "aws-eks-vpc-cni-network-policy-not-enabled": 0,
        "aws-database-permissive-ingress": 0,
        "aws-missing-tier-segmentation": 0,
        "aws-sensitive-resource-policy-external-access": 0,
        "aws-service-resource-policy-external-access": 0,
        "aws-iam-wildcard-permissions": 0,
        "aws-iam-privileged-role-assignment": 1,
        "aws-workload-role-sensitive-permissions": 1,
        "aws-private-data-transitive-exposure": 0,
        "aws-control-plane-sensitive-workload-chain": 0,
        "aws-role-trust-expansion": 1,
        "aws-role-trust-missing-narrowing": 1
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "aws",
    "unsupported_resources": [],
    "metadata": {
      "primary_account_id": "333344445555",
      "supported_resource_types": [
        "aws_accessanalyzer_analyzer",
        "aws_api_gateway_authorizer",
        "aws_api_gateway_method",
        "aws_api_gateway_rest_api",
        "aws_api_gateway_stage",
        "aws_apigatewayv2_api",
        "aws_apigatewayv2_route",
        "aws_apigatewayv2_stage",
        "aws_cloudfront_distribution",
        "aws_cloudtrail",
        "aws_config_configuration_recorder",
        "aws_config_configuration_recorder_status",
        "aws_config_delivery_channel",
        "aws_db_instance",
        "aws_ecr_registry_scanning_configuration",
        "aws_ecr_repository",
        "aws_ecs_cluster",
        "aws_ecs_service",
        "aws_ecs_task_definition",
        "aws_eks_addon",
        "aws_eks_cluster",
        "aws_flow_log",
        "aws_guardduty_detector",
        "aws_iam_instance_profile",
        "aws_iam_openid_connect_provider",
        "aws_iam_policy",
        "aws_iam_role",
        "aws_iam_role_policy",
        "aws_iam_role_policy_attachment",
        "aws_instance",
        "aws_internet_gateway",
        "aws_kms_key",
        "aws_lambda_function",
        "aws_lambda_function_url",
        "aws_lambda_permission",
        "aws_lb",
        "aws_lb_listener",
        "aws_lb_listener_rule",
        "aws_lb_target_group",
        "aws_macie2_account",
        "aws_nat_gateway",
        "aws_route_table",
        "aws_route_table_association",
        "aws_s3_bucket",
        "aws_s3_bucket_lifecycle_configuration",
        "aws_s3_bucket_object_lock_configuration",
        "aws_s3_bucket_policy",
        "aws_s3_bucket_public_access_block",
        "aws_s3_bucket_server_side_encryption_configuration",
        "aws_s3_bucket_versioning",
        "aws_secretsmanager_secret",
        "aws_secretsmanager_secret_policy",
        "aws_secretsmanager_secret_rotation",
        "aws_security_group",
        "aws_security_group_rule",
        "aws_securityhub_account",
        "aws_sns_topic",
        "aws_sqs_queue",
        "aws_sqs_queue_redrive_policy",
        "aws_subnet",
        "aws_vpc",
        "aws_vpc_endpoint",
        "aws_wafv2_web_acl",
        "aws_wafv2_web_acl_association"
      ],
      "total_input_resources": 13,
      "provider_resource_count": 13,
      "normalized_resource_count": 13,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "aws_iam_role.deployer",
        "provider": "aws",
        "resource_type": "aws_iam_role",
        "name": "deployer",
        "category": "iam",
        "identifier": "lambda-deployer-role",
        "arn": "arn:aws:iam::333344445555:role/lambda-deployer-role",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [
          {
            "effect": "Allow",
            "actions": [
              "lambda:UpdateFunctionCode",
              "lambda:UpdateAlias",
              "iam:PassRole",
              "s3:GetObject"
            ],
            "resources": [
              "arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
              "arn:aws:iam::333344445555:role/lambda-runtime-role",
              "arn:aws:s3:::lambda-deploy-artifacts/*"
            ],
            "principals": [],
            "principal_entries": [],
            "conditions": []
          }
        ],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "assume_role_policy": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                  "Service": "lambda.amazonaws.com"
                }
              },
              {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                  "AWS": "arn:aws:iam::777788889999:role/ci-deployer"
                }
              }
            ]
          },
          "trust_principals": [
            "arn:aws:iam::777788889999:role/ci-deployer",
            "lambda.amazonaws.com"
          ],
          "trust_statements": [
            {
              "principals": [
                "lambda.amazonaws.com"
              ],
              "principal_entries": [
                {
                  "kind": "Service",
                  "value": "lambda.amazonaws.com"
                }
              ],
              "narrowing_condition_keys": [],
              "narrowing_conditions": [],
              "has_narrowing_conditions": false
            },
            {
              "principals": [
                "arn:aws:iam::777788889999:role/ci-deployer"
              ],
              "principal_entries": [
                {
                  "kind": "AWS",
                  "value": "arn:aws:iam::777788889999:role/ci-deployer"
                }
              ],
              "narrowing_condition_keys": [],
              "narrowing_conditions": [],
              "has_narrowing_conditions": false
            }
          ],
          "inline_policy_names": [
            "lambda-deployer-inline"
          ],
          "privileged_access_grants": [
            {
              "provider": "aws",
              "principal_type": "role",
              "principal_identifier": "arn:aws:iam::333344445555:role/lambda-deployer-role",
              "principal_display_name": "aws_iam_role.deployer",
              "principal_source_address": "aws_iam_role.deployer",
              "scope_kind": "resource",
              "scope_value": "arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*",
              "scope_source_address": null,
              "privilege_categories": [
                "privilege-escalation"
              ],
              "confidence": "medium",
              "assignment_source_address": "aws_iam_role.deployer",
              "role_name": "lambda-deployer-role",
              "role_id": "arn:aws:iam::333344445555:role/lambda-deployer-role",
              "permission_patterns": [
                "iam:PassRole"
              ],
              "evidence": [
                "action=lambda:UpdateFunctionCode",
                "action=lambda:UpdateAlias",
                "action=iam:PassRole",
                "action=s3:GetObject",
                "resource=arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
                "resource=arn:aws:iam::333344445555:role/lambda-runtime-role",
                "resource=arn:aws:s3:::lambda-deploy-artifacts/*"
              ],
              "uncertainties": []
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_internet_gateway.main",
        "provider": "aws",
        "resource_type": "aws_internet_gateway",
        "name": "main",
        "category": "network",
        "identifier": "igw-lambda-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_lambda_function.deployer",
        "provider": "aws",
        "resource_type": "aws_lambda_function",
        "name": "deployer",
        "category": "compute",
        "identifier": "release-deployer",
        "arn": "arn:aws:lambda:us-east-1:333344445555:function:release-deployer",
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [
          "subnet-lambda-private-app-001"
        ],
        "security_group_ids": [
          "sg-lambda-app-001"
        ],
        "attached_role_arns": [
          "arn:aws:iam::333344445555:role/lambda-deployer-role"
        ],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "runtime": "python3.12",
          "handler": "handler.main",
          "vpc_enabled": true,
          "container_image_references": [],
          "container_image_posture_uncertainties": [],
          "ecr_write_paths": [],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_nat_gateway.main",
        "provider": "aws",
        "resource_type": "aws_nat_gateway",
        "name": "main",
        "category": "network",
        "identifier": "nat-lambda-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [
          "subnet-lambda-public-001"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "allocation_id": "eipalloc-lambda-001",
          "connectivity_type": "public",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": true,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.private",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "private",
        "category": "network",
        "identifier": "rtb-lambda-private-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "nat_gateway_id": "nat-lambda-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table.public",
        "provider": "aws",
        "resource_type": "aws_route_table",
        "name": "public",
        "category": "network",
        "identifier": "rtb-lambda-public-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "routes": [
            {
              "cidr_block": "0.0.0.0/0",
              "gateway_id": "igw-lambda-001"
            }
          ],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.private_app",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "private_app",
        "category": "network",
        "identifier": "rtassoc-lambda-private-app-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-lambda-private-001",
          "subnet_id": "subnet-lambda-private-app-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_route_table_association.public_edge",
        "provider": "aws",
        "resource_type": "aws_route_table_association",
        "name": "public_edge",
        "category": "network",
        "identifier": "rtassoc-lambda-public-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "route_table_id": "rtb-lambda-public-001",
          "subnet_id": "subnet-lambda-public-001",
          "gateway_id": null,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_s3_bucket.artifacts",
        "provider": "aws",
        "resource_type": "aws_s3_bucket",
        "name": "artifacts",
        "category": "data",
        "identifier": "lambda-deploy-artifacts",
        "arn": "arn:aws:s3:::lambda-deploy-artifacts",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "bucket": "lambda-deploy-artifacts",
          "acl": "private",
          "policy_document": {},
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_security_group.lambda",
        "provider": "aws",
        "resource_type": "aws_security_group",
        "name": "lambda",
        "category": "network",
        "identifier": "sg-lambda-app-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "egress",
            "protocol": "-1",
            "from_port": 0,
            "to_port": 0,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "description": "Private Lambda egress only",
          "group_name": "lambda-app-sg",
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.private_app",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "private_app",
        "category": "network",
        "identifier": "subnet-lambda-private-app-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.30.2.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": false,
          "tags": {
            "Tier": "app"
          },
          "is_public_subnet": false,
          "route_table_ids": [
            "rtb-lambda-private-001"
          ],
          "has_public_route": false,
          "has_nat_gateway_egress": true,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_subnet.public_edge",
        "provider": "aws",
        "resource_type": "aws_subnet",
        "name": "public_edge",
        "category": "network",
        "identifier": "subnet-lambda-public-001",
        "arn": null,
        "vpc_id": "vpc-lambda-001",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.30.1.0/24",
          "availability_zone": "us-east-1a",
          "map_public_ip_on_launch": true,
          "tags": {
            "Tier": "edge"
          },
          "is_public_subnet": true,
          "route_table_ids": [
            "rtb-lambda-public-001"
          ],
          "has_public_route": true,
          "has_nat_gateway_egress": false,
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_vpc.main",
        "provider": "aws",
        "resource_type": "aws_vpc",
        "name": "main",
        "category": "network",
        "identifier": "vpc-lambda-001",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cidr_block": "10.30.0.0/16",
          "tags": {
            "Name": "lambda-main"
          },
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
      "boundary_type": "admin-to-workload-plane",
      "source": "aws_iam_role.deployer",
      "target": "aws_lambda_function.deployer",
      "description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
      "rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
    },
    {
      "identifier": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
      "boundary_type": "cross-account-or-role-access",
      "source": "arn:aws:iam::777788889999:role/ci-deployer",
      "target": "aws_iam_role.deployer",
      "description": "aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer.",
      "rationale": "A foreign AWS account can cross into this role's trust boundary."
    },
    {
      "identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
      "boundary_type": "public-subnet-to-private-subnet",
      "source": "aws_subnet.public_edge",
      "target": "aws_subnet.private_app",
      "description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
      "rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
    },
    {
      "identifier": "workload-to-data-store:aws_lambda_function.deployer->aws_s3_bucket.artifacts",
      "boundary_type": "workload-to-data-store",
      "source": "aws_lambda_function.deployer",
      "target": "aws_s3_bucket.artifacts",
      "description": "aws_lambda_function.deployer can interact with aws_s3_bucket.artifacts.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:779d6edce767dff9f916fcc604a983e2422f5cbec06afa1ee3628e7c7f333836",
      "title": "Cross-account or broad role trust lacks narrowing conditions",
      "rule_id": "aws-role-trust-missing-narrowing",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
      "rationale": "aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.",
      "recommended_mitigation": "Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.",
      "evidence": [
        {
          "key": "trust_principals",
          "values": [
            "arn:aws:iam::777788889999:role/ci-deployer"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "principal belongs to foreign account 777788889999"
          ]
        },
        {
          "key": "trust_narrowing",
          "values": [
            "supported narrowing conditions present: false",
            "supported narrowing condition keys: none"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:af1071c3ecb319ef54ec290d8cb30dcfcc3a056506c390371aa24a8ca58d0b13",
      "title": "IAM role has privileged assignment posture",
      "rule_id": "aws-iam-privileged-role-assignment",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.",
      "recommended_mitigation": "Review high-impact IAM role permissions, split administrative and runtime duties, scope resources to named ARNs, and avoid attaching broad IAM, role-passing, secrets, KMS, data, network, or audit administration permissions to general workload roles.",
      "evidence": [
        {
          "key": "iam_role",
          "values": [
            "address=aws_iam_role.deployer",
            "type=aws_iam_role",
            "arn=arn:aws:iam::333344445555:role/lambda-deployer-role",
            "identifier=lambda-deployer-role"
          ]
        },
        {
          "key": "privileged_access",
          "values": [
            "grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium"
          ]
        },
        {
          "key": "privilege_categories",
          "values": [
            "privilege-escalation"
          ]
        },
        {
          "key": "permission_patterns",
          "values": [
            "iam:PassRole"
          ]
        },
        {
          "key": "grant_scopes",
          "values": [
            "scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*"
          ]
        },
        {
          "key": "grant_confidence",
          "values": [
            "medium"
          ]
        },
        {
          "key": "inline_policy_sources",
          "values": [
            "inline_policy_name=lambda-deployer-inline"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 2,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:cb6a7038bd28599e007499cbe69c1732053517b65bebb50ece21368f29197124",
      "title": "Role trust relationship expands blast radius",
      "rule_id": "aws-role-trust-expansion",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer",
      "rationale": "aws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.",
      "recommended_mitigation": "Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.",
      "evidence": [
        {
          "key": "trust_principals",
          "values": [
            "arn:aws:iam::777788889999:role/ci-deployer"
          ]
        },
        {
          "key": "trust_path",
          "values": [
            "trust principal belongs to foreign account 777788889999"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 2,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:c2dad77f15c57ff9b288847015b64eb1504039f1eeae0aa0312b748ec4410f40",
      "title": "VPC Flow Logs are not configured for a modeled VPC",
      "rule_id": "aws-vpc-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "aws_vpc.main"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.",
      "recommended_mitigation": "Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.",
      "evidence": [
        {
          "key": "target_vpc",
          "values": [
            "address=aws_vpc.main",
            "type=aws_vpc",
            "identifier=vpc-lambda-001",
            "cidr_block=10.30.0.0/16"
          ]
        },
        {
          "key": "flow_log_coverage",
          "values": [
            "target_vpc_id=vpc-lambda-001",
            "resolved_vpc_flow_log_count=0",
            "aws_flow_log resources are not modeled"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:2c115ec74630511b2ca95853b6925217b80aacdf2b1aeeeb17b5311ee39408d5",
      "title": "Workload role carries sensitive permissions",
      "rule_id": "aws-workload-role-sensitive-permissions",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_lambda_function.deployer",
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
      "rationale": "aws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.",
      "recommended_mitigation": "Split high-privilege actions into separate roles, scope permissions to named resources, and remove role-passing or cross-role permissions from general application identities.",
      "evidence": [
        {
          "key": "iam_actions",
          "values": [
            "iam:PassRole"
          ]
        },
        {
          "key": "policy_statements",
          "values": [
            "Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 1,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:cb4e2d35e543a498f0aebfc022638b85e104158165d342d46e8c7f39664a7a57",
      "title": "Workload uses S3 without a VPC endpoint",
      "rule_id": "aws-workload-s3-vpc-endpoint-missing",
      "category": "Information Disclosure",
      "severity": "medium",
      "affected_resources": [
        "aws_lambda_function.deployer",
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": null,
      "rationale": "aws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.",
      "recommended_mitigation": "Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.",
      "evidence": [
        {
          "key": "target_workload",
          "values": [
            "address=aws_lambda_function.deployer",
            "type=aws_lambda_function",
            "vpc_id=vpc-lambda-001",
            "subnet_ids=[subnet-lambda-private-app-001]",
            "security_group_ids=[sg-lambda-app-001]"
          ]
        },
        {
          "key": "sensitive_service_dependency",
          "values": [
            "service=s3",
            "role=aws_iam_role.deployer",
            "actions=[s3:GetObject]",
            "resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
          ]
        },
        {
          "key": "vpc_endpoint_coverage",
          "values": [
            "vpc_id=vpc-lambda-001",
            "service=s3",
            "expected_endpoint_type=gateway_or_interface",
            "vpc_endpoint_coverage=missing"
          ]
        },
        {
          "key": "policy_statements",
          "values": [
            "Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 1,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
    "Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
    "IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
    "Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# Lambda Deploy Role Demo

- Analyzed file: `sample_aws_lambda_deploy_role_plan.json`
- Provider: `aws`
- Normalized resources: `13`
- Unsupported resources: `0`

## Summary

This run identified **4 trust boundaries** and **6 findings** across **13 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `6`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `13`
- Provider resources considered: `13`
- Normalized resources: `13`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `aws-workload-s3-vpc-endpoint-missing`: `1`
  - `aws-vpc-flow-logs-not-configured`: `1`
  - `aws-iam-privileged-role-assignment`: `1`
  - `aws-workload-role-sensitive-permissions`: `1`
  - `aws-role-trust-expansion`: `1`
  - `aws-role-trust-missing-narrowing`: `1`

## Discovered Trust Boundaries

### `public-subnet-to-private-subnet`

- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.

### `workload-to-data-store`

- Source: `aws_lambda_function.deployer`
- Target: `aws_s3_bucket.artifacts`
- Description: aws_lambda_function.deployer can interact with aws_s3_bucket.artifacts.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.

### `admin-to-workload-plane`

- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

### `cross-account-or-role-access`

- Source: `arn:aws:iam::777788889999:role/ci-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.

## Findings

### High

No findings in this severity band.

### Medium

#### Cross-account or broad role trust lacks narrowing conditions

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::777788889999:role/ci-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.
- Recommended mitigation: Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.
- Evidence:
  - trust principals: arn:aws:iam::777788889999:role/ci-deployer
  - trust scope: principal belongs to foreign account 777788889999
  - trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none

#### IAM role has privileged assignment posture

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +2, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 5 => medium
- Rationale: aws_iam_role.deployer has deterministic privileged IAM assignment posture: privilege-escalation. If this role is attached to a workload or assumable by a control-plane principal, those privileges increase blast radius.
- Recommended mitigation: Review high-impact IAM role permissions, split administrative and runtime duties, scope resources to named ARNs, and avoid attaching broad IAM, role-passing, secrets, KMS, data, network, or audit administration permissions to general workload roles.
- Evidence:
  - iam role: address=aws_iam_role.deployer; type=aws_iam_role; arn=arn:aws:iam::333344445555:role/lambda-deployer-role; identifier=lambda-deployer-role
  - privileged access: grant_1=categories=[privilege-escalation]; scope=resource; confidence=medium
  - privilege categories: privilege-escalation
  - permission patterns: iam:PassRole
  - grant scopes: scope_kind=resource; scope_value=arn:aws:iam::333344445555:role/lambda-runtime-role,arn:aws:lambda:us-east-1:333344445555:function:release-deployer,arn:aws:s3:::lambda-deploy-artifacts/*
  - grant confidence: medium
  - inline policy sources: inline_policy_name=lambda-deployer-inline

#### Role trust relationship expands blast radius

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::777788889999:role/ci-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +2, blast_radius +2, final_score 5 => medium
- Rationale: aws_iam_role.deployer can be assumed by arn:aws:iam::777788889999:role/ci-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Recommended mitigation: Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.
- Evidence:
  - trust principals: arn:aws:iam::777788889999:role/ci-deployer
  - trust path: trust principal belongs to foreign account 777788889999

#### VPC Flow Logs are not configured for a modeled VPC

- STRIDE category: Repudiation
- Affected resources: `aws_vpc.main`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 3 => medium
- Rationale: aws_vpc.main does not have a resolved aws_flow_log targeting the VPC in this Terraform plan. Network traffic metadata for incident response, threat hunting, and segmentation review may be unavailable unless Flow Logs are configured elsewhere.
- Recommended mitigation: Enable VPC Flow Logs for production VPCs, route them to a retained CloudWatch Logs, S3, or Firehose destination, and manage Flow Log resources in Terraform so network telemetry posture is reviewable.
- Evidence:
  - target vpc: address=aws_vpc.main; type=aws_vpc; identifier=vpc-lambda-001; cidr_block=10.30.0.0/16
  - flow log coverage: target_vpc_id=vpc-lambda-001; resolved_vpc_flow_log_count=0; aws_flow_log resources are not modeled

#### Workload role carries sensitive permissions

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_lambda_function.deployer`, `aws_iam_role.deployer`
- Trust boundary: `admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +1, lateral_movement +1, blast_radius +2, final_score 5 => medium
- Rationale: aws_lambda_function.deployer inherits sensitive privileges from aws_iam_role.deployer, including iam:PassRole. If the workload is compromised, those credentials can be reused for privilege escalation, data access, or role chaining.
- Recommended mitigation: Split high-privilege actions into separate roles, scope permissions to named resources, and remove role-passing or cross-role permissions from general application identities.
- Evidence:
  - iam actions: iam:PassRole
  - policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]

#### Workload uses S3 without a VPC endpoint

- STRIDE category: Information Disclosure
- Affected resources: `aws_lambda_function.deployer`, `aws_iam_role.deployer`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +1, lateral_movement +1, blast_radius +1, final_score 4 => medium
- Rationale: aws_lambda_function.deployer runs in VPC `vpc-lambda-001` and inherits S3 data-plane permissions from aws_iam_role.deployer, but the Terraform plan does not show an S3 VPC endpoint for that VPC. S3 access may therefore depend on public AWS service endpoints, NAT, or another egress path; this does not imply the bucket itself is public.
- Recommended mitigation: Add an S3 gateway or interface VPC endpoint for VPC workloads that access S3, route expected private subnets through it, and use endpoint policies where possible.
- Evidence:
  - target workload: address=aws_lambda_function.deployer; type=aws_lambda_function; vpc_id=vpc-lambda-001; subnet_ids=[subnet-lambda-private-app-001]; security_group_ids=[sg-lambda-app-001]
  - sensitive service dependency: service=s3; role=aws_iam_role.deployer; actions=[s3:GetObject]; resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]
  - vpc endpoint coverage: vpc_id=vpc-lambda-001; service=s3; expected_endpoint_type=gateway_or_interface; vpc_endpoint_coverage=missing
  - policy statements: Allow actions=[lambda:UpdateFunctionCode, lambda:UpdateAlias, iam:PassRole, s3:GetObject] resources=[arn:aws:lambda:us-east-1:333344445555:function:release-deployer, arn:aws:iam::333344445555:role/lambda-runtime-role, arn:aws:s3:::lambda-deploy-artifacts/*]

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
  • Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
  • IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
  • Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.