Cross-Account Trust Demo
Built-in scenario: sample_aws_cross_account_trust_unconstrained_plan.json
Analyzed sample_aws_cross_account_trust_unconstrained_plan.json with 2 normalized resources and 2 trust boundaries.
Active findings: 2
Trust boundaries: 2
Resources: 2
Observations: 0
Findings
Severity bands
High (0)
No high findings.
Medium (2)
Cross-account or broad role trust lacks narrowing conditions
Rule: aws-role-trust-missing-narrowing
aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on a broad or external principal match alone.
- Category: Elevation of Privilege
- Boundary: cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer
- Resources: aws_iam_role.deployer
Evidence
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust scope: principal belongs to foreign account 444455556666
- trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none
Role trust relationship expands blast radius
Rule: aws-role-trust-expansion
aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Category: Elevation of Privilege
- Boundary: cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer
- Resources: aws_iam_role.deployer
Evidence
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust path: trust principal belongs to foreign account 444455556666
Low (0)
No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.deployer -> aws_lambda_function.deployer
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
cross-account-or-role-access
arn:aws:iam::444455556666:role/github-actions-deployer -> aws_iam_role.deployer
A foreign AWS account can cross into this role's trust boundary.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "cloud-threat-model-report",
"version": "1.1",
"tool": {
"name": "cloud-threat-modeler",
"version": "0.1.0"
},
"title": "Cross-Account Trust Demo",
"analyzed_file": "sample_aws_cross_account_trust_unconstrained_plan.json",
"analyzed_path": "/home/fleet/cloud-threat-modeler/fixtures/sample_aws_cross_account_trust_unconstrained_plan.json",
"summary": {
"normalized_resources": 2,
"unsupported_resources": 0,
"trust_boundaries": 2,
"active_findings": 2,
"total_findings": 2,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 2,
"low": 0
}
},
"filtering": {
"total_findings": 2,
"active_findings": 2,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "111122223333",
"supported_resource_types": [
"aws_db_instance",
"aws_iam_instance_profile",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_permission",
"aws_lb",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_security_group",
"aws_security_group_rule",
"aws_sns_topic",
"aws_sqs_queue",
"aws_subnet",
"aws_vpc"
]
},
"resources": [
{
"address": "aws_iam_role.deployer",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "deployer",
"category": "iam",
"identifier": "release-deployer-role",
"arn": "arn:aws:iam::111122223333:role/release-deployer-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::444455556666:role/github-actions-deployer"
}
}
]
},
"trust_principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer",
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
},
{
"principals": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
}
],
"inline_policy_names": [],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.deployer",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "deployer",
"category": "compute",
"identifier": "release-deployer",
"arn": "arn:aws:lambda:us-east-1:111122223333:function:release-deployer",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [
"arn:aws:iam::111122223333:role/release-deployer-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.deployer->aws_lambda_function.deployer",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.deployer",
"target": "aws_lambda_function.deployer",
"description": "aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"boundary_type": "cross-account-or-role-access",
"source": "arn:aws:iam::444455556666:role/github-actions-deployer",
"target": "aws_iam_role.deployer",
"description": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.",
"rationale": "A foreign AWS account can cross into this role's trust boundary."
}
],
"findings": [
{
"fingerprint": "sha256:60299a231fe096b74b8babb729e994789afdee7376e066dedeae2ea15198e399",
"title": "Cross-account or broad role trust lacks narrowing conditions",
"rule_id": "aws-role-trust-missing-narrowing",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_iam_role.deployer"
],
"trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"rationale": "aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on a broad or external principal match alone.",
"recommended_mitigation": "Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, or `SourceAccount` when crossing accounts or trusting broad principals.",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
]
},
{
"key": "trust_scope",
"values": [
"principal belongs to foreign account 444455556666"
]
},
{
"key": "trust_narrowing",
"values": [
"supported narrowing conditions present: false",
"supported narrowing condition keys: none"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 1,
"blast_radius": 2,
"final_score": 4,
"severity": "medium",
"computed_severity": null
}
},
{
"fingerprint": "sha256:3c81458a2802d71611ccf7a1c27a31662a31f0698aa3d7bf1583f1c85d6896fd",
"title": "Role trust relationship expands blast radius",
"rule_id": "aws-role-trust-expansion",
"category": "Elevation of Privilege",
"severity": "medium",
"affected_resources": [
"aws_iam_role.deployer"
],
"trust_boundary_id": "cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer",
"rationale": "aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.",
"recommended_mitigation": "Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId` or source ARN checks.",
"evidence": [
{
"key": "trust_principals",
"values": [
"arn:aws:iam::444455556666:role/github-actions-deployer"
]
},
{
"key": "trust_path",
"values": [
"trust principal belongs to foreign account 444455556666"
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 1,
"data_sensitivity": 0,
"lateral_movement": 2,
"blast_radius": 2,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Cross-Account Trust Demo
- Analyzed file: `sample_aws_cross_account_trust_unconstrained_plan.json`
- Provider: `aws`
- Normalized resources: `2`
- Unsupported resources: `0`
## Summary
This run identified **2 trust boundaries** and **2 findings** across **2 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `2`
- Low severity findings: `0`
## Discovered Trust Boundaries
### `admin-to-workload-plane`
- Source: `aws_iam_role.deployer`
- Target: `aws_lambda_function.deployer`
- Description: aws_iam_role.deployer governs actions performed by aws_lambda_function.deployer.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
### `cross-account-or-role-access`
- Source: `arn:aws:iam::444455556666:role/github-actions-deployer`
- Target: `aws_iam_role.deployer`
- Description: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer.
- Rationale: A foreign AWS account can cross into this role's trust boundary.
## Findings
### High
No findings in this severity band.
### Medium
#### Cross-account or broad role trust lacks narrowing conditions
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +1, blast_radius +2, final_score 4 => medium
- Rationale: aws_iam_role.deployer trusts arn:aws:iam::444455556666:role/github-actions-deployer without supported narrowing conditions such as `sts:ExternalId`, `aws:SourceArn`, or `aws:SourceAccount`. That leaves the assume-role path dependent on a broad or external principal match alone.
- Recommended mitigation: Keep the trusted principal as specific as possible and add supported assume-role conditions such as `ExternalId`, `SourceArn`, or `SourceAccount` when crossing accounts or trusting broad principals.
- Evidence:
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust scope: principal belongs to foreign account 444455556666
- trust narrowing: supported narrowing conditions present: false; supported narrowing condition keys: none
#### Role trust relationship expands blast radius
- STRIDE category: Elevation of Privilege
- Affected resources: `aws_iam_role.deployer`
- Trust boundary: `cross-account-or-role-access:arn:aws:iam::444455556666:role/github-actions-deployer->aws_iam_role.deployer`
- Severity reasoning: internet_exposure +0, privilege_breadth +1, data_sensitivity +0, lateral_movement +2, blast_radius +2, final_score 5 => medium
- Rationale: aws_iam_role.deployer can be assumed by arn:aws:iam::444455556666:role/github-actions-deployer. Broad or foreign-account trust relationships increase the chance that compromise in one identity domain spills into another.
- Recommended mitigation: Limit trust policies to the exact service principals or roles required, prefer role ARNs over account root where possible, and add conditions such as `ExternalId` or source ARN checks.
- Evidence:
- trust principals: arn:aws:iam::444455556666:role/github-actions-deployer
- trust path: trust principal belongs to foreign account 444455556666
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.