Active findings
0
Built-in scenario
sample_aws_cross_account_trust_constrained_plan.json
Constrained Trust Demo
Analyzed sample_aws_cross_account_trust_constrained_plan.json with 2 normalized resources and 2 trust boundaries.
Trust boundaries
2
Resources
2
Observations
1
Findings
Severity bands
High
0
No high findings.
Medium
0
No medium findings.
Low
0
No low findings.
Observations
Controls and mitigating signals
Cross-account or broad role trust is narrowed by assume-role conditions
aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.deployer -> aws_lambda_function.deployer
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
cross-account-or-role-access
arn:aws:iam::444455556666:role/github-actions-deployer -> aws_iam_role.deployer
A foreign AWS account can cross into this role's trust boundary.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "cloud-threat-model-report",
"version": "1.1",
"tool": {
"name": "cloud-threat-modeler",
"version": "0.1.0"
},
"title": "Constrained Trust Demo",
"analyzed_file": "sample_aws_cross_account_trust_constrained_plan.json",
"analyzed_path": "/home/fleet/cloud-threat-modeler/fixtures/sample_aws_cross_account_trust_constrained_plan.json",
"summary": {
"normalized_resources": 2,
"unsupported_resources": 0,
"trust_boundaries": 2,
"active_findings": 0,
"total_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 0,
"low": 0
}
},
"filtering": {
"total_findings": 0,
"active_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "111122223333",
"supported_resource_types": [
"aws_db_instance",
"aws_iam_instance_profile",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_permission",
"aws_lb",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_security_group",
"aws_security_group_rule",
"aws_sns_topic",
"aws_sqs_queue",
"aws_subnet",
"aws_vpc"
]
},
"resources": [
{
"address": "aws_iam_role.deployer",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "deployer",
"category": "iam",
"identifier": "release-deployer-role",
"arn": "arn:aws:iam::111122223333:role/release-deployer-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::444455556666:role/github-actions-deployer"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "github-actions-release",
"aws:SourceAccount": "444455556666"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:codebuild:us-east-1:444455556666:project/release-*"
}
}
}
]
},
"trust_principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer",
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
},
{
"principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
],
"narrowing_condition_keys": [
"aws:SourceAccount",
"aws:SourceArn",
"sts:ExternalId"
],
"narrowing_conditions": [
{
"operator": "ArnLike",
"key": "aws:SourceArn",
"values": [
"arn:aws:codebuild:us-east-1:444455556666:project/release-*"
]
},
{
"operator": "StringEquals",
"key": "aws:SourceAccount",
"values": [
"444455556666"
]
},
{
"operator": "StringEquals",
"key": "sts:ExternalId",
"values": [
"github-actions-release"
]
}
],
"has_narrowing_conditions": true
}
],
"inline_policy_names": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.deployer",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "deployer",
"category": "compute",
"identifier": "release-deployer",
"arn": "arn:aws:lambda:us-east-1:111122223333:function:release-deployer",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [
"arn:aws:iam::111122223333:role/release-deployer-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.deployer",
"target": "aws_lambda_function.deployer",
"description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"boundary_type": "cross-account-or-role-access",
"source": "arn:aws:iam::444455556666:role/github-actions-deployer",
"target": "aws_iam_role.deployer",
"description": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.",
"rationale": "A foreign AWS account can cross into this role's trust boundary."
}
],
"findings": [],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [
{
"title": "Cross-account or broad role trust is narrowed by assume-role conditions",
"observation_id": "aws-role-trust-narrowed",
"affected_resources": [
"aws_iam_role.deployer"
],
"rationale": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.",
"category": "iam",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
]
},
{
"key": "trust_scope",
"values": [
"principal belongs to foreign account 444455556666"
]
},
{
"key": "trust_narrowing",
"values": [
"supported narrowing conditions present: true",
"supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId"
]
}
]
}
],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Constrained Trust Demo
- Analyzed file: `sample_aws_cross_account_trust_constrained_plan.json`
- Provider: `aws`
- Normalized resources: `2`
- Unsupported resources: `0`
## Summary
This run identified **2 trust boundaries** and **0 findings** across **2 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`
## Discovered Trust Boundaries
### `admin-to-workload-plane`
- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
### `cross-account-or-role-access`
- Source: `arn:aws:iam::444455556666:role/github-actions-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.
## Findings
### High
No findings in this severity band.
### Medium
No findings in this severity band.
### Low
No findings in this severity band.
## Controls Observed
### Cross-account or broad role trust is narrowed by assume-role conditions
- Category: `iam`
- Affected resources: `aws_iam_role.deployer`
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer, but supported assume-role conditions narrow when that trust can be exercised.
- Evidence:
  - trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
  - trust scope: principal belongs to foreign account 444455556666
  - trust narrowing: supported narrowing conditions present: true; supported narrowing condition keys: aws:SourceAccount, aws:SourceArn, sts:ExternalId
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.