Built-in scenario

aws/sample_aws_cross_account_trust_unconstrained_plan.json

Cross-Account Trust Demo

Analyzed sample_aws_cross_account_trust_unconstrained_plan.json with 2 normalized resources and 2 trust boundaries.

Analyze another plan

Active findings

2

Trust boundaries

2

Resources

2

Observations

0
High 0
Medium 2
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 2
Unsupported 0
Enabled rules 83
Unresolved refs 0

Resource coverage

Provider resources considered
2
Normalized resources
2

No unsupported AWS resource types were encountered.

Rule coverage

Registered rules
83
Disabled rules
0
  • aws-role-trust-expansion1
  • aws-role-trust-missing-narrowing1

Findings

Severity bands

High

0

No high findings.

Medium

2

Cross-account or broad role trust lacks narrowing conditions

aws-role-trust-missing-narrowing

aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.

Category
Elevation of Privilege
Boundary
cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer
Resources
aws_iam_role.deployer
Evidence
  • trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
  • trust scope: principal belongs to foreign account 444455556666
  • trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none

Role trust relationship expands blast radius

aws-role-trust-expansion

aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.

Category
Elevation of Privilege
Boundary
cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer
Resources
aws_iam_role.deployer
Evidence
  • trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
  • trust path: trust principal belongs to foreign account 444455556666

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

admin-to-workload-plane

aws_iam_role.deployer -> aws_lambda_function.deployer

IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

cross-account-or-role-access

arn:aws:iam::444455556666:role/github-actions-deployer -> aws_iam_role.deployer

A foreign AWS account can cross into this role's trust boundary.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "Cross-Account Trust Demo",
  "analyzed_file": "sample_aws_cross_account_trust_unconstrained_plan.json",
  "analyzed_path": "sample_aws_cross_account_trust_unconstrained_plan.json",
  "summary": {
    "normalized_resources": 2,
    "unsupported_resources": 0,
    "trust_boundaries": 2,
    "active_findings": 2,
    "total_findings": 2,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 2,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 2,
    "active_findings": 2,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 2,
      "provider_resources": 2,
      "normalized_resources": 2,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 83,
      "enabled_rules": [
        "aws-public-compute-broad-ingress",
        "aws-lambda-public-invocation",
        "aws-load-balancer-http-public-listener",
        "aws-load-balancer-listener-tls-certificate-missing",
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown",
        "aws-public-alb-waf-missing",
        "aws-cloudfront-viewer-http-allowed",
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown",
        "aws-cloudfront-access-logging-not-configured",
        "aws-public-cloudfront-waf-missing",
        "aws-api-gateway-cors-permissive",
        "aws-public-api-gateway-waf-missing",
        "aws-api-gateway-public-route-authorization-none",
        "aws-api-gateway-stage-access-logs-missing",
        "aws-cloudtrail-multi-region-disabled",
        "aws-cloudtrail-log-file-validation-disabled",
        "aws-cloudtrail-management-events-disabled",
        "aws-cloudtrail-data-events-not-modeled",
        "aws-cloudtrail-insight-selectors-missing",
        "aws-guardduty-detector-disabled-or-missing",
        "aws-securityhub-account-missing",
        "aws-config-recorder-disabled-or-missing",
        "aws-config-delivery-channel-missing",
        "aws-access-analyzer-not-configured",
        "aws-macie-not-enabled-for-sensitive-storage",
        "aws-rds-storage-encryption-disabled",
        "aws-rds-public-endpoint-enabled",
        "aws-rds-backup-retention-insufficient",
        "aws-rds-deletion-protection-disabled",
        "aws-rds-customer-managed-kms-key-missing",
        "aws-rds-multi-az-disabled",
        "aws-rds-performance-insights-disabled",
        "aws-rds-cloudwatch-log-exports-missing",
        "aws-rds-iam-auth-disabled",
        "aws-s3-public-access",
        "aws-s3-customer-managed-encryption-missing",
        "aws-s3-versioning-disabled",
        "aws-s3-object-lock-retention-missing",
        "aws-s3-lifecycle-noncurrent-retention-insufficient",
        "aws-ecr-image-tag-mutability-enabled",
        "aws-ecr-customer-managed-encryption-missing",
        "aws-ecr-repository-scanning-disabled",
        "aws-workload-image-not-digest-pinned",
        "aws-workload-ecr-mutable-tag",
        "aws-workload-can-modify-image-repository",
        "aws-ecs-sensitive-environment-value-inline",
        "aws-ecs-secret-access-blast-radius",
        "aws-public-ecs-secret-access",
        "aws-public-ecs-s3-mutation-access",
        "aws-public-ecs-messaging-mutation-access",
        "aws-sns-customer-managed-encryption-missing",
        "aws-sqs-customer-managed-encryption-missing",
        "aws-sqs-message-retention-insufficient",
        "aws-sqs-dead-letter-queue-not-configured",
        "aws-secretsmanager-customer-managed-kms-key-missing",
        "aws-secretsmanager-recovery-window-too-short",
        "aws-secretsmanager-rotation-not-configured-or-too-long",
        "aws-kms-key-rotation-disabled-or-unknown",
        "aws-kms-key-deletion-window-too-short",
        "aws-workload-secretsmanager-vpc-endpoint-missing",
        "aws-workload-kms-vpc-endpoint-missing",
        "aws-workload-s3-vpc-endpoint-missing",
        "aws-vpc-endpoint-policy-broad-access",
        "aws-vpc-flow-logs-not-configured",
        "aws-vpc-flow-log-traffic-type-incomplete",
        "aws-vpc-flow-log-destination-missing",
        "aws-eks-api-endpoint-public-unrestricted",
        "aws-eks-private-endpoint-not-enabled",
        "aws-eks-secrets-encryption-not-configured",
        "aws-eks-control-plane-logging-incomplete",
        "aws-eks-authentication-mode-weak-or-unknown",
        "aws-eks-vpc-cni-network-policy-not-enabled",
        "aws-database-permissive-ingress",
        "aws-missing-tier-segmentation",
        "aws-sensitive-resource-policy-external-access",
        "aws-service-resource-policy-external-access",
        "aws-iam-wildcard-permissions",
        "aws-iam-privileged-role-assignment",
        "aws-workload-role-sensitive-permissions",
        "aws-private-data-transitive-exposure",
        "aws-control-plane-sensitive-workload-chain",
        "aws-role-trust-expansion",
        "aws-role-trust-missing-narrowing"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "aws-public-compute-broad-ingress": 0,
        "aws-lambda-public-invocation": 0,
        "aws-load-balancer-http-public-listener": 0,
        "aws-load-balancer-listener-tls-certificate-missing": 0,
        "aws-load-balancer-listener-ssl-policy-weak-or-unknown": 0,
        "aws-public-alb-waf-missing": 0,
        "aws-cloudfront-viewer-http-allowed": 0,
        "aws-cloudfront-viewer-tls-policy-weak-or-unknown": 0,
        "aws-cloudfront-access-logging-not-configured": 0,
        "aws-public-cloudfront-waf-missing": 0,
        "aws-api-gateway-cors-permissive": 0,
        "aws-public-api-gateway-waf-missing": 0,
        "aws-api-gateway-public-route-authorization-none": 0,
        "aws-api-gateway-stage-access-logs-missing": 0,
        "aws-cloudtrail-multi-region-disabled": 0,
        "aws-cloudtrail-log-file-validation-disabled": 0,
        "aws-cloudtrail-management-events-disabled": 0,
        "aws-cloudtrail-data-events-not-modeled": 0,
        "aws-cloudtrail-insight-selectors-missing": 0,
        "aws-guardduty-detector-disabled-or-missing": 0,
        "aws-securityhub-account-missing": 0,
        "aws-config-recorder-disabled-or-missing": 0,
        "aws-config-delivery-channel-missing": 0,
        "aws-access-analyzer-not-configured": 0,
        "aws-macie-not-enabled-for-sensitive-storage": 0,
        "aws-rds-storage-encryption-disabled": 0,
        "aws-rds-public-endpoint-enabled": 0,
        "aws-rds-backup-retention-insufficient": 0,
        "aws-rds-deletion-protection-disabled": 0,
        "aws-rds-customer-managed-kms-key-missing": 0,
        "aws-rds-multi-az-disabled": 0,
        "aws-rds-performance-insights-disabled": 0,
        "aws-rds-cloudwatch-log-exports-missing": 0,
        "aws-rds-iam-auth-disabled": 0,
        "aws-s3-public-access": 0,
        "aws-s3-customer-managed-encryption-missing": 0,
        "aws-s3-versioning-disabled": 0,
        "aws-s3-object-lock-retention-missing": 0,
        "aws-s3-lifecycle-noncurrent-retention-insufficient": 0,
        "aws-ecr-image-tag-mutability-enabled": 0,
        "aws-ecr-customer-managed-encryption-missing": 0,
        "aws-ecr-repository-scanning-disabled": 0,
        "aws-workload-image-not-digest-pinned": 0,
        "aws-workload-ecr-mutable-tag": 0,
        "aws-workload-can-modify-image-repository": 0,
        "aws-ecs-sensitive-environment-value-inline": 0,
        "aws-ecs-secret-access-blast-radius": 0,
        "aws-public-ecs-secret-access": 0,
        "aws-public-ecs-s3-mutation-access": 0,
        "aws-public-ecs-messaging-mutation-access": 0,
        "aws-sns-customer-managed-encryption-missing": 0,
        "aws-sqs-customer-managed-encryption-missing": 0,
        "aws-sqs-message-retention-insufficient": 0,
        "aws-sqs-dead-letter-queue-not-configured": 0,
        "aws-secretsmanager-customer-managed-kms-key-missing": 0,
        "aws-secretsmanager-recovery-window-too-short": 0,
        "aws-secretsmanager-rotation-not-configured-or-too-long": 0,
        "aws-kms-key-rotation-disabled-or-unknown": 0,
        "aws-kms-key-deletion-window-too-short": 0,
        "aws-workload-secretsmanager-vpc-endpoint-missing": 0,
        "aws-workload-kms-vpc-endpoint-missing": 0,
        "aws-workload-s3-vpc-endpoint-missing": 0,
        "aws-vpc-endpoint-policy-broad-access": 0,
        "aws-vpc-flow-logs-not-configured": 0,
        "aws-vpc-flow-log-traffic-type-incomplete": 0,
        "aws-vpc-flow-log-destination-missing": 0,
        "aws-eks-api-endpoint-public-unrestricted": 0,
        "aws-eks-private-endpoint-not-enabled": 0,
        "aws-eks-secrets-encryption-not-configured": 0,
        "aws-eks-control-plane-logging-incomplete": 0,
        "aws-eks-authentication-mode-weak-or-unknown": 0,
        "aws-eks-vpc-cni-network-policy-not-enabled": 0,
        "aws-database-permissive-ingress": 0,
        "aws-missing-tier-segmentation": 0,
        "aws-sensitive-resource-policy-external-access": 0,
        "aws-service-resource-policy-external-access": 0,
        "aws-iam-wildcard-permissions": 0,
        "aws-iam-privileged-role-assignment": 0,
        "aws-workload-role-sensitive-permissions": 0,
        "aws-private-data-transitive-exposure": 0,
        "aws-control-plane-sensitive-workload-chain": 0,
        "aws-role-trust-expansion": 1,
        "aws-role-trust-missing-narrowing": 1
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "aws",
    "unsupported_resources": [],
    "metadata": {
      "primary_account_id": "111122223333",
      "supported_resource_types": [
        "aws_accessanalyzer_analyzer",
        "aws_api_gateway_authorizer",
        "aws_api_gateway_method",
        "aws_api_gateway_rest_api",
        "aws_api_gateway_stage",
        "aws_apigatewayv2_api",
        "aws_apigatewayv2_route",
        "aws_apigatewayv2_stage",
        "aws_cloudfront_distribution",
        "aws_cloudtrail",
        "aws_config_configuration_recorder",
        "aws_config_configuration_recorder_status",
        "aws_config_delivery_channel",
        "aws_db_instance",
        "aws_ecr_registry_scanning_configuration",
        "aws_ecr_repository",
        "aws_ecs_cluster",
        "aws_ecs_service",
        "aws_ecs_task_definition",
        "aws_eks_addon",
        "aws_eks_cluster",
        "aws_flow_log",
        "aws_guardduty_detector",
        "aws_iam_instance_profile",
        "aws_iam_openid_connect_provider",
        "aws_iam_policy",
        "aws_iam_role",
        "aws_iam_role_policy",
        "aws_iam_role_policy_attachment",
        "aws_instance",
        "aws_internet_gateway",
        "aws_kms_key",
        "aws_lambda_function",
        "aws_lambda_function_url",
        "aws_lambda_permission",
        "aws_lb",
        "aws_lb_listener",
        "aws_lb_listener_rule",
        "aws_lb_target_group",
        "aws_macie2_account",
        "aws_nat_gateway",
        "aws_route_table",
        "aws_route_table_association",
        "aws_s3_bucket",
        "aws_s3_bucket_lifecycle_configuration",
        "aws_s3_bucket_object_lock_configuration",
        "aws_s3_bucket_policy",
        "aws_s3_bucket_public_access_block",
        "aws_s3_bucket_server_side_encryption_configuration",
        "aws_s3_bucket_versioning",
        "aws_secretsmanager_secret",
        "aws_secretsmanager_secret_policy",
        "aws_secretsmanager_secret_rotation",
        "aws_security_group",
        "aws_security_group_rule",
        "aws_securityhub_account",
        "aws_sns_topic",
        "aws_sqs_queue",
        "aws_sqs_queue_redrive_policy",
        "aws_subnet",
        "aws_vpc",
        "aws_vpc_endpoint",
        "aws_wafv2_web_acl",
        "aws_wafv2_web_acl_association"
      ],
      "total_input_resources": 2,
      "provider_resource_count": 2,
      "normalized_resource_count": 2,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "aws_iam_role.deployer",
        "provider": "aws",
        "resource_type": "aws_iam_role",
        "name": "deployer",
        "category": "iam",
        "identifier": "release-deployer-role",
        "arn": "arn:aws:iam::111122223333:role/release-deployer-role",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "assume_role_policy": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                  "Service": "lambda.amazonaws.com"
                }
              },
              {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                  "AWS": "arn:aws:iam::444455556666:role/github-actions-deployer"
                }
              }
            ]
          },
          "trust_principals": [
            "arn:aws:iam::444455556666:role/github-actions-deployer",
            "lambda.amazonaws.com"
          ],
          "trust_statements": [
            {
              "principals": [
                "lambda.amazonaws.com"
              ],
              "principal_entries": [
                {
                  "kind": "Service",
                  "value": "lambda.amazonaws.com"
                }
              ],
              "narrowing_condition_keys": [],
              "narrowing_conditions": [],
              "has_narrowing_conditions": false
            },
            {
              "principals": [
                "arn:aws:iam::444455556666:role/github-actions-deployer"
              ],
              "principal_entries": [
                {
                  "kind": "AWS",
                  "value": "arn:aws:iam::444455556666:role/github-actions-deployer"
                }
              ],
              "narrowing_condition_keys": [],
              "narrowing_conditions": [],
              "has_narrowing_conditions": false
            }
          ],
          "inline_policy_names": [],
          "privileged_access_grants": [],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      },
      {
        "address": "aws_lambda_function.deployer",
        "provider": "aws",
        "resource_type": "aws_lambda_function",
        "name": "deployer",
        "category": "compute",
        "identifier": "release-deployer",
        "arn": "arn:aws:lambda:us-east-1:111122223333:function:release-deployer",
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [
          "arn:aws:iam::111122223333:role/release-deployer-role"
        ],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "runtime": "python3.12",
          "handler": "handler.main",
          "vpc_enabled": false,
          "container_image_references": [],
          "container_image_posture_uncertainties": [],
          "ecr_write_paths": [],
          "public_access_reasons": [],
          "public_exposure_reasons": [],
          "public_access_configured": false,
          "internet_ingress": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": false,
          "direct_internet_reachable": false
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
      "boundary_type": "admin-to-workload-plane",
      "source": "aws_iam_role.deployer",
      "target": "aws_lambda_function.deployer",
      "description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
      "rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
    },
    {
      "identifier": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
      "boundary_type": "cross-account-or-role-access",
      "source": "arn:aws:iam::444455556666:role/github-actions-deployer",
      "target": "aws_iam_role.deployer",
      "description": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.",
      "rationale": "A foreign AWS account can cross into this role's trust boundary."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:60299a231fe096b74b8babb729e994789afdee7376e066dedeae2ea15198e399",
      "title": "Cross-account or broad role trust lacks narrowing conditions",
      "rule_id": "aws-role-trust-missing-narrowing",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
      "rationale": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.",
      "recommended_mitigation": "Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.",
      "evidence": [
        {
          "key": "trust_principals",
          "values": [
            "arn:aws:iam::444455556666:role/github-actions-deployer"
          ]
        },
        {
          "key": "trust_scope",
          "values": [
            "principal belongs to foreign account 444455556666"
          ]
        },
        {
          "key": "trust_narrowing",
          "values": [
            "supported narrowing conditions present: false",
            "supported narrowing condition keys: none"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 1,
        "blast_radius": 2,
        "final_score": 4,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:3c81458a2802d71611ccf7a1c27a31662a31f0698aa3d7bf1583f1c85d6896fd",
      "title": "Role trust relationship expands blast radius",
      "rule_id": "aws-role-trust-expansion",
      "category": "Elevation of Privilege",
      "severity": "medium",
      "affected_resources": [
        "aws_iam_role.deployer"
      ],
      "trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
      "rationale": "aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.",
      "recommended_mitigation": "Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.",
      "evidence": [
        {
          "key": "trust_principals",
          "values": [
            "arn:aws:iam::444455556666:role/github-actions-deployer"
          ]
        },
        {
          "key": "trust_path",
          "values": [
            "trust principal belongs to foreign account 444455556666"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 1,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 2,
        "final_score": 5,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
    "Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
    "IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
    "Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# Cross-Account Trust Demo

- Analyzed file: `sample_aws_cross_account_trust_unconstrained_plan.json`
- Provider: `aws`
- Normalized resources: `2`
- Unsupported resources: `0`

## Summary

This run identified **2 trust boundaries** and **2 findings** across **2 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `2`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `2`
- Provider resources considered: `2`
- Normalized resources: `2`
- Unsupported resources: `0`
- Registered provider rules (AWS): `83`
- Enabled provider rules (AWS): `83`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `aws-role-trust-expansion`: `1`
  - `aws-role-trust-missing-narrowing`: `1`

## Discovered Trust Boundaries

### `admin-to-workload-plane`

- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.

### `cross-account-or-role-access`

- Source: `arn:aws:iam::444455556666:role/github-actions-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.

## Findings

### High

No findings in this severity band.

### Medium

#### Cross-account or broad role trust lacks narrowing conditions

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on the trusted principal match alone.
- Recommended mitigation: Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, `SourceAccount`, `SAML:aud`, or provider-specific OIDC `aud` and `sub` checks when crossing accounts or trusting broad or federated principals.
- Evidence:
  - trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
  - trust scope: principal belongs to foreign account 444455556666
  - trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none

#### Role trust relationship expands blast radius

- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +2, blast_radius +2, final_score 5 => medium
- Rationale: aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Recommended mitigation: Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId`, source ARN, SAML audience, or OIDC audience and subject checks.
- Evidence:
  - trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
  - trust path: trust principal belongs to foreign account 444455556666

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
  • Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
  • IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
  • Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.