Active findings
0
Built-in scenario
sample_aws_cross_account_trust_constrained_plan.json
Constrained Trust Demo
Analyzed sample_aws_cross_account_trust_constrained_plan.json with 2 normalized resources and 2 trust boundaries.
Trust boundaries
2
Resources
2
Observations
1
Analysis coverage
Audit trail for this run
Resource coverage
- Provider resources considered
- 2
- Normalized resources
- 2
No unsupported AWS resource types were encountered.
Rule coverage
- Registered rules
- 29
- Disabled rules
- 0
No enabled rules produced findings.
Findings
Severity bands
High
0
No high findings.
Medium
0
No medium findings.
Low
0
No low findings.
Observations
Controls and mitigating signals
Cross-account or broad role trust is narrowed by assume-role conditions
aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.deployer -> aws_lambda_function.deployer
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
cross-account-or-role-access
arn:aws:iam::444455556666:role/github-actions-deployer -> aws_iam_role.deployer
A foreign AWS account can cross into this role's trust boundary.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.2.8"
},
"title": "Constrained Trust Demo",
"analyzed_file": "sample_aws_cross_account_trust_constrained_plan.json",
"analyzed_path": "sample_aws_cross_account_trust_constrained_plan.json",
"summary": {
"normalized_resources": 2,
"unsupported_resources": 0,
"trust_boundaries": 2,
"active_findings": 0,
"total_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 0,
"low": 0
}
},
"filtering": {
"total_findings": 0,
"active_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 2,
"provider_resources": 2,
"normalized_resources": 2,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 29,
"enabled_rules": [
"aws-public-compute-broad-ingress",
"aws-database-permissive-ingress",
"aws-rds-storage-encryption-disabled",
"aws-s3-public-access",
"aws-sensitive-resource-policy-external-access",
"aws-service-resource-policy-external-access",
"aws-iam-wildcard-permissions",
"aws-workload-role-sensitive-permissions",
"aws-missing-tier-segmentation",
"aws-private-data-transitive-exposure",
"aws-control-plane-sensitive-workload-chain",
"aws-role-trust-expansion",
"aws-role-trust-missing-narrowing",
"gcp-sensitive-resource-iam-external-access",
"gcp-public-workload-sensitive-data-access",
"gcp-cloud-sql-public-authorized-network",
"gcp-cloud-sql-backup-disabled",
"gcp-cloud-sql-public-ip-without-private-network",
"gcp-cloud-sql-ssl-not-required",
"gcp-cloud-sql-point-in-time-recovery-disabled",
"gcp-cloud-sql-deletion-protection-disabled",
"gcp-gcs-public-access",
"gcp-gcs-uniform-bucket-level-access-disabled",
"gcp-gcs-public-access-prevention-not-enforced",
"gcp-gcs-versioning-disabled",
"gcp-gcs-customer-managed-encryption-missing",
"gcp-public-compute-broad-ingress",
"gcp-project-iam-broad-principal",
"gcp-project-iam-privileged-role"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"aws-public-compute-broad-ingress": 0,
"aws-database-permissive-ingress": 0,
"aws-rds-storage-encryption-disabled": 0,
"aws-s3-public-access": 0,
"aws-sensitive-resource-policy-external-access": 0,
"aws-service-resource-policy-external-access": 0,
"aws-iam-wildcard-permissions": 0,
"aws-workload-role-sensitive-permissions": 0,
"aws-missing-tier-segmentation": 0,
"aws-private-data-transitive-exposure": 0,
"aws-control-plane-sensitive-workload-chain": 0,
"aws-role-trust-expansion": 0,
"aws-role-trust-missing-narrowing": 0,
"gcp-sensitive-resource-iam-external-access": 0,
"gcp-public-workload-sensitive-data-access": 0,
"gcp-cloud-sql-public-authorized-network": 0,
"gcp-cloud-sql-backup-disabled": 0,
"gcp-cloud-sql-public-ip-without-private-network": 0,
"gcp-cloud-sql-ssl-not-required": 0,
"gcp-cloud-sql-point-in-time-recovery-disabled": 0,
"gcp-cloud-sql-deletion-protection-disabled": 0,
"gcp-gcs-public-access": 0,
"gcp-gcs-uniform-bucket-level-access-disabled": 0,
"gcp-gcs-public-access-prevention-not-enforced": 0,
"gcp-gcs-versioning-disabled": 0,
"gcp-gcs-customer-managed-encryption-missing": 0,
"gcp-public-compute-broad-ingress": 0,
"gcp-project-iam-broad-principal": 0,
"gcp-project-iam-privileged-role": 0
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "111122223333",
"supported_resource_types": [
"aws_db_instance",
"aws_ecs_cluster",
"aws_ecs_service",
"aws_ecs_task_definition",
"aws_iam_instance_profile",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_permission",
"aws_lb",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_security_group",
"aws_security_group_rule",
"aws_sns_topic",
"aws_sqs_queue",
"aws_subnet",
"aws_vpc"
],
"total_input_resources": 2,
"provider_resource_count": 2,
"normalized_resource_count": 2,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "aws_iam_role.deployer",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "deployer",
"category": "iam",
"identifier": "release-deployer-role",
"arn": "arn:aws:iam::111122223333:role/release-deployer-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::444455556666:role/github-actions-deployer"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "github-actions-release",
"aws:SourceAccount": "444455556666"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:codebuild:us-east-1:444455556666:project/release-*"
}
}
}
]
},
"trust_principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer",
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"principal_entries": [
{
"kind": "Service",
"value": "lambda.amazonaws.com"
}
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
},
{
"principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
],
"principal_entries": [
{
"kind": "AWS",
"value": "arn:aws:iam::444455556666:role/github-actions-deployer"
}
],
"narrowing_condition_keys": [
"aws:SourceAccount",
"aws:SourceArn",
"sts:ExternalId"
],
"narrowing_conditions": [
{
"operator": "ArnLike",
"key": "aws:SourceArn",
"values": [
"arn:aws:codebuild:us-east-1:444455556666:project/release-*"
]
},
{
"operator": "StringEquals",
"key": "aws:SourceAccount",
"values": [
"444455556666"
]
},
{
"operator": "StringEquals",
"key": "sts:ExternalId",
"values": [
"github-actions-release"
]
}
],
"has_narrowing_conditions": true
}
],
"inline_policy_names": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.deployer",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "deployer",
"category": "compute",
"identifier": "release-deployer",
"arn": "arn:aws:lambda:us-east-1:111122223333:function:release-deployer",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [
"arn:aws:iam::111122223333:role/release-deployer-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.deployer",
"target": "aws_lambda_function.deployer",
"description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"boundary_type": "cross-account-or-role-access",
"source": "arn:aws:iam::444455556666:role/github-actions-deployer",
"target": "aws_iam_role.deployer",
"description": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.",
"rationale": "A foreign AWS account can cross into this role's trust boundary."
}
],
"findings": [],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [
{
"title": "Cross-account or broad role trust is narrowed by assume-role conditions",
"observation_id": "aws-role-trust-narrowed",
"affected_resources": [
"aws_iam_role.deployer"
],
"rationale": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.",
"category": "iam",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
]
},
{
"key": "trust_scope",
"values": [
"principal belongs to foreign account 444455556666"
]
},
{
"key": "trust_narrowing",
"values": [
"supported narrowing conditions present: true",
"supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId"
]
}
]
}
],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Constrained Trust Demo
- Analyzed file: `sample_aws_cross_account_trust_constrained_plan.json`
- Provider: `aws`
- Normalized resources: `2`
- Unsupported resources: `0`
## Summary
This run identified **2 trust boundaries** and **0 findings** across **2 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `2`
- Provider resources considered: `2`
- Normalized resources: `2`
- Unsupported resources: `0`
- Registered rules: `29`
- Enabled rules: `29`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
## Discovered Trust Boundaries
### `admin-to-workload-plane`
- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
### `cross-account-or-role-access`
- Source: `arn:aws:iam::444455556666:role/github-actions-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.
## Findings
### High
No findings in this severity band.
### Medium
No findings in this severity band.
### Low
No findings in this severity band.
## Controls Observed
### Cross-account or broad role trust is narrowed by assume-role conditions
- Category: `iam`
- Affected resources: `aws_iam_role.deployer`
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
- Evidence:
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust scope: principal belongs to foreign account 444455556666
- trust narrowing: supported narrowing conditions present: true; supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.