Active findings
0Built-in scenario
aws/sample_aws_cross_account_trust_constrained_plan.jsonConstrained Trust Demo
Analyzed sample_aws_cross_account_trust_constrained_plan.json with 2 normalized resources and 2 trust boundaries.
Trust boundaries
2Resources
2Observations
1Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 2
- Normalized resources
- 2
No unsupported AWS resource types were encountered.
Rule coverage
- Registered rules
- 83
- Disabled rules
- 0
No enabled rules produced findings.
Findings
Severity bands
High
0No high findings.
Medium
0No medium findings.
Low
0No low findings.
Observations
Controls and mitigating signals
Cross-account or broad role trust is narrowed by assume-role conditions
aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.deployer -> aws_lambda_function.deployer
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
cross-account-or-role-access
arn:aws:iam::444455556666:role/github-actions-deployer -> aws_iam_role.deployer
A foreign AWS account can cross into this role's trust boundary.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "Constrained Trust Demo",
"analyzed_file": "sample_aws_cross_account_trust_constrained_plan.json",
"analyzed_path": "sample_aws_cross_account_trust_constrained_plan.json",
"summary": {
"normalized_resources": 2,
"unsupported_resources": 0,
"trust_boundaries": 2,
"active_findings": 0,
"total_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 0,
"low": 0
}
},
"filtering": {
"total_findings": 0,
"active_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 2,
"provider_resources": 2,
"normalized_resources": 2,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 83,
"enabled_rules": [
"aws-public-compute-broad-ingress",
"aws-lambda-public-invocation",
"aws-load-balancer-http-public-listener",
"aws-load-balancer-listener-tls-certificate-missing",
"aws-load-balancer-listener-ssl-policy-weak-or-unknown",
"aws-public-alb-waf-missing",
"aws-cloudfront-viewer-http-allowed",
"aws-cloudfront-viewer-tls-policy-weak-or-unknown",
"aws-cloudfront-access-logging-not-configured",
"aws-public-cloudfront-waf-missing",
"aws-api-gateway-cors-permissive",
"aws-public-api-gateway-waf-missing",
"aws-api-gateway-public-route-authorization-none",
"aws-api-gateway-stage-access-logs-missing",
"aws-cloudtrail-multi-region-disabled",
"aws-cloudtrail-log-file-validation-disabled",
"aws-cloudtrail-management-events-disabled",
"aws-cloudtrail-data-events-not-modeled",
"aws-cloudtrail-insight-selectors-missing",
"aws-guardduty-detector-disabled-or-missing",
"aws-securityhub-account-missing",
"aws-config-recorder-disabled-or-missing",
"aws-config-delivery-channel-missing",
"aws-access-analyzer-not-configured",
"aws-macie-not-enabled-for-sensitive-storage",
"aws-rds-storage-encryption-disabled",
"aws-rds-public-endpoint-enabled",
"aws-rds-backup-retention-insufficient",
"aws-rds-deletion-protection-disabled",
"aws-rds-customer-managed-kms-key-missing",
"aws-rds-multi-az-disabled",
"aws-rds-performance-insights-disabled",
"aws-rds-cloudwatch-log-exports-missing",
"aws-rds-iam-auth-disabled",
"aws-s3-public-access",
"aws-s3-customer-managed-encryption-missing",
"aws-s3-versioning-disabled",
"aws-s3-object-lock-retention-missing",
"aws-s3-lifecycle-noncurrent-retention-insufficient",
"aws-ecr-image-tag-mutability-enabled",
"aws-ecr-customer-managed-encryption-missing",
"aws-ecr-repository-scanning-disabled",
"aws-workload-image-not-digest-pinned",
"aws-workload-ecr-mutable-tag",
"aws-workload-can-modify-image-repository",
"aws-ecs-sensitive-environment-value-inline",
"aws-ecs-secret-access-blast-radius",
"aws-public-ecs-secret-access",
"aws-public-ecs-s3-mutation-access",
"aws-public-ecs-messaging-mutation-access",
"aws-sns-customer-managed-encryption-missing",
"aws-sqs-customer-managed-encryption-missing",
"aws-sqs-message-retention-insufficient",
"aws-sqs-dead-letter-queue-not-configured",
"aws-secretsmanager-customer-managed-kms-key-missing",
"aws-secretsmanager-recovery-window-too-short",
"aws-secretsmanager-rotation-not-configured-or-too-long",
"aws-kms-key-rotation-disabled-or-unknown",
"aws-kms-key-deletion-window-too-short",
"aws-workload-secretsmanager-vpc-endpoint-missing",
"aws-workload-kms-vpc-endpoint-missing",
"aws-workload-s3-vpc-endpoint-missing",
"aws-vpc-endpoint-policy-broad-access",
"aws-vpc-flow-logs-not-configured",
"aws-vpc-flow-log-traffic-type-incomplete",
"aws-vpc-flow-log-destination-missing",
"aws-eks-api-endpoint-public-unrestricted",
"aws-eks-private-endpoint-not-enabled",
"aws-eks-secrets-encryption-not-configured",
"aws-eks-control-plane-logging-incomplete",
"aws-eks-authentication-mode-weak-or-unknown",
"aws-eks-vpc-cni-network-policy-not-enabled",
"aws-database-permissive-ingress",
"aws-missing-tier-segmentation",
"aws-sensitive-resource-policy-external-access",
"aws-service-resource-policy-external-access",
"aws-iam-wildcard-permissions",
"aws-iam-privileged-role-assignment",
"aws-workload-role-sensitive-permissions",
"aws-private-data-transitive-exposure",
"aws-control-plane-sensitive-workload-chain",
"aws-role-trust-expansion",
"aws-role-trust-missing-narrowing"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"aws-public-compute-broad-ingress": 0,
"aws-lambda-public-invocation": 0,
"aws-load-balancer-http-public-listener": 0,
"aws-load-balancer-listener-tls-certificate-missing": 0,
"aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
"aws-public-alb-waf-missing": 0,
"aws-cloudfront-viewer-http-allowed": 0,
"aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
"aws-cloudfront-access-logging-not-configured": 0,
"aws-public-cloudfront-waf-missing": 0,
"aws-api-gateway-cors-permissive": 0,
"aws-public-api-gateway-waf-missing": 0,
"aws-api-gateway-public-route-authorization-none": 0,
"aws-api-gateway-stage-access-logs-missing": 0,
"aws-cloudtrail-multi-region-disabled": 0,
"aws-cloudtrail-log-file-validation-disabled": 0,
"aws-cloudtrail-management-events-disabled": 0,
"aws-cloudtrail-data-events-not-modeled": 0,
"aws-cloudtrail-insight-selectors-missing": 0,
"aws-guardduty-detector-disabled-or-missing": 0,
"aws-securityhub-account-missing": 0,
"aws-config-recorder-disabled-or-missing": 0,
"aws-config-delivery-channel-missing": 0,
"aws-access-analyzer-not-configured": 0,
"aws-macie-not-enabled-for-sensitive-storage": 0,
"aws-rds-storage-encryption-disabled": 0,
"aws-rds-public-endpoint-enabled": 0,
"aws-rds-backup-retention-insufficient": 0,
"aws-rds-deletion-protection-disabled": 0,
"aws-rds-customer-managed-kms-key-missing": 0,
"aws-rds-multi-az-disabled": 0,
"aws-rds-performance-insights-disabled": 0,
"aws-rds-cloudwatch-log-exports-missing": 0,
"aws-rds-iam-auth-disabled": 0,
"aws-s3-public-access": 0,
"aws-s3-customer-managed-encryption-missing": 0,
"aws-s3-versioning-disabled": 0,
"aws-s3-object-lock-retention-missing": 0,
"aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
"aws-ecr-image-tag-mutability-enabled": 0,
"aws-ecr-customer-managed-encryption-missing": 0,
"aws-ecr-repository-scanning-disabled": 0,
"aws-workload-image-not-digest-pinned": 0,
"aws-workload-ecr-mutable-tag": 0,
"aws-workload-can-modify-image-repository": 0,
"aws-ecs-sensitive-environment-value-inline": 0,
"aws-ecs-secret-access-blast-radius": 0,
"aws-public-ecs-secret-access": 0,
"aws-public-ecs-s3-mutation-access": 0,
"aws-public-ecs-messaging-mutation-access": 0,
"aws-sns-customer-managed-encryption-missing": 0,
"aws-sqs-customer-managed-encryption-missing": 0,
"aws-sqs-message-retention-insufficient": 0,
"aws-sqs-dead-letter-queue-not-configured": 0,
"aws-secretsmanager-customer-managed-kms-key-missing": 0,
"aws-secretsmanager-recovery-window-too-short": 0,
"aws-secretsmanager-rotation-not-configured-or-too-long": 0,
"aws-kms-key-rotation-disabled-or-unknown": 0,
"aws-kms-key-deletion-window-too-short": 0,
"aws-workload-secretsmanager-vpc-endpoint-missing": 0,
"aws-workload-kms-vpc-endpoint-missing": 0,
"aws-workload-s3-vpc-endpoint-missing": 0,
"aws-vpc-endpoint-policy-broad-access": 0,
"aws-vpc-flow-logs-not-configured": 0,
"aws-vpc-flow-log-traffic-type-incomplete": 0,
"aws-vpc-flow-log-destination-missing": 0,
"aws-eks-api-endpoint-public-unrestricted": 0,
"aws-eks-private-endpoint-not-enabled": 0,
"aws-eks-secrets-encryption-not-configured": 0,
"aws-eks-control-plane-logging-incomplete": 0,
"aws-eks-authentication-mode-weak-or-unknown": 0,
"aws-eks-vpc-cni-network-policy-not-enabled": 0,
"aws-database-permissive-ingress": 0,
"aws-missing-tier-segmentation": 0,
"aws-sensitive-resource-policy-external-access": 0,
"aws-service-resource-policy-external-access": 0,
"aws-iam-wildcard-permissions": 0,
"aws-iam-privileged-role-assignment": 0,
"aws-workload-role-sensitive-permissions": 0,
"aws-private-data-transitive-exposure": 0,
"aws-control-plane-sensitive-workload-chain": 0,
"aws-role-trust-expansion": 0,
"aws-role-trust-missing-narrowing": 0
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "111122223333",
"supported_resource_types": [
"aws_accessanalyzer_analyzer",
"aws_api_gateway_authorizer",
"aws_api_gateway_method",
"aws_api_gateway_rest_api",
"aws_api_gateway_stage",
"aws_apigatewayv2_api",
"aws_apigatewayv2_route",
"aws_apigatewayv2_stage",
"aws_cloudfront_distribution",
"aws_cloudtrail",
"aws_config_configuration_recorder",
"aws_config_configuration_recorder_status",
"aws_config_delivery_channel",
"aws_db_instance",
"aws_ecr_registry_scanning_configuration",
"aws_ecr_repository",
"aws_ecs_cluster",
"aws_ecs_service",
"aws_ecs_task_definition",
"aws_eks_addon",
"aws_eks_cluster",
"aws_flow_log",
"aws_guardduty_detector",
"aws_iam_instance_profile",
"aws_iam_openid_connect_provider",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_function_url",
"aws_lambda_permission",
"aws_lb",
"aws_lb_listener",
"aws_lb_listener_rule",
"aws_lb_target_group",
"aws_macie2_account",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_lifecycle_configuration",
"aws_s3_bucket_object_lock_configuration",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_s3_bucket_server_side_encryption_configuration",
"aws_s3_bucket_versioning",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_secretsmanager_secret_rotation",
"aws_security_group",
"aws_security_group_rule",
"aws_securityhub_account",
"aws_sns_topic",
"aws_sqs_queue",
"aws_sqs_queue_redrive_policy",
"aws_subnet",
"aws_vpc",
"aws_vpc_endpoint",
"aws_wafv2_web_acl",
"aws_wafv2_web_acl_association"
],
"total_input_resources": 2,
"provider_resource_count": 2,
"normalized_resource_count": 2,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "aws_iam_role.deployer",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "deployer",
"category": "iam",
"identifier": "release-deployer-role",
"arn": "arn:aws:iam::111122223333:role/release-deployer-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::444455556666:role/github-actions-deployer"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "github-actions-release",
"aws:SourceAccount": "444455556666"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:codebuild:us-east-1:444455556666:project/release-*"
}
}
}
]
},
"trust_principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer",
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"principal_entries": [
{
"kind": "Service",
"value": "lambda.amazonaws.com"
}
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
},
{
"principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
],
"principal_entries": [
{
"kind": "AWS",
"value": "arn:aws:iam::444455556666:role/github-actions-deployer"
}
],
"narrowing_condition_keys": [
"aws:SourceAccount",
"aws:SourceArn",
"sts:ExternalId"
],
"narrowing_conditions": [
{
"operator": "ArnLike",
"key": "aws:SourceArn",
"values": [
"arn:aws:codebuild:us-east-1:444455556666:project/release-*"
]
},
{
"operator": "StringEquals",
"key": "aws:SourceAccount",
"values": [
"444455556666"
]
},
{
"operator": "StringEquals",
"key": "sts:ExternalId",
"values": [
"github-actions-release"
]
}
],
"has_narrowing_conditions": true
}
],
"inline_policy_names": [],
"privileged_access_grants": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.deployer",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "deployer",
"category": "compute",
"identifier": "release-deployer",
"arn": "arn:aws:lambda:us-east-1:111122223333:function:release-deployer",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [
"arn:aws:iam::111122223333:role/release-deployer-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": false,
"container_image_references": [],
"container_image_posture_uncertainties": [],
"ecr_write_paths": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.deployer",
"target": "aws_lambda_function.deployer",
"description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"boundary_type": "cross-account-or-role-access",
"source": "arn:aws:iam::444455556666:role/github-actions-deployer",
"target": "aws_iam_role.deployer",
"description": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.",
"rationale": "A foreign AWS account can cross into this role's trust boundary."
}
],
"findings": [],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [
{
"title": "Cross-account or broad role trust is narrowed by assume-role conditions",
"observation_id": "aws-role-trust-narrowed",
"affected_resources": [
"aws_iam_role.deployer"
],
"rationale": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.",
"category": "iam",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
]
},
{
"key": "trust_scope",
"values": [
"principal belongs to foreign account 444455556666"
]
},
{
"key": "trust_narrowing",
"values": [
"supported narrowing conditions present: true",
"supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId"
]
}
]
}
],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Constrained Trust Demo
- Analyzed file: `sample_aws_cross_account_trust_constrained_plan.json`
- Provider: `aws`
- Normalized resources: `2`
- Unsupported resources: `0`
## Summary
This run identified **2 trust boundaries** and **0 findings** across **2 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `2`
- Provider resources considered: `2`
- Normalized resources: `2`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
## Discovered Trust Boundaries
### `admin-to-workload-plane`
- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
### `cross-account-or-role-access`
- Source: `arn:aws:iam::444455556666:role/github-actions-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.
## Findings
### High
No findings in this severity band.
### Medium
No findings in this severity band.
### Low
No findings in this severity band.
## Controls Observed
### Cross-account or broad role trust is narrowed by assume-role conditions
- Category: `iam`
- Affected resources: `aws_iam_role.deployer`
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
- Evidence:
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust scope: principal belongs to foreign account 444455556666
- trust narrowing: supported narrowing conditions present: true; supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.