Active findings: 1
Built-in scenario: sample_aws_alb_ec2_rds_plan.json (ALB / EC2 / RDS Demo)
Analyzed sample_aws_alb_ec2_rds_plan.json with 19 normalized resources and 4 trust boundaries.
Trust boundaries: 4
Resources: 19
Observations: 1
Findings
Severity bands
High: 0 (no high findings)
Medium: 1
Sensitive data tier is transitively reachable from an internet-exposed path
Rule: aws-private-data-transitive-exposure
aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move from aws_lb.web to aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.
- Category: Information Disclosure
- Boundary: workload-to-data-store:aws_instance.app->aws_db_instance.app
- Resources: aws_lb.web, aws_instance.app, aws_db_instance.app, aws_security_group.app
Evidence
- network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
- security group rules: aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)
- subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
- data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
- boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
Low: 0 (no low findings)
Observations
Controls and mitigating signals
RDS instance is private and storage encrypted
aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
Trust boundaries
Crossings that drive the model
internet-to-service
internet -> aws_lb.web
The resource is directly reachable or intentionally exposed to unauthenticated network clients.
public-subnet-to-private-subnet
aws_subnet.public_edge -> aws_subnet.private_app
The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
public-subnet-to-private-subnet
aws_subnet.public_edge -> aws_subnet.private_data
The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
workload-to-data-store
aws_instance.app -> aws_db_instance.app
Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "cloud-threat-model-report",
"version": "1.0",
"tool": {
"name": "cloud-threat-modeler",
"version": "0.2.0"
},
"title": "ALB / EC2 / RDS Demo",
"analyzed_file": "sample_aws_alb_ec2_rds_plan.json",
"analyzed_path": "/home/fleet/cloud-threat-modeler/fixtures/sample_aws_alb_ec2_rds_plan.json",
"summary": {
"normalized_resources": 19,
"unsupported_resources": 0,
"trust_boundaries": 4,
"active_findings": 1,
"total_findings": 1,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 1,
"low": 0
}
},
"filtering": {
"total_findings": 1,
"active_findings": 1,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "333344445555",
"supported_resource_types": [
"aws_db_instance",
"aws_ecs_cluster",
"aws_ecs_service",
"aws_ecs_task_definition",
"aws_iam_instance_profile",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_permission",
"aws_lb",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_security_group",
"aws_security_group_rule",
"aws_sns_topic",
"aws_sqs_queue",
"aws_subnet",
"aws_vpc"
]
},
"resources": [
{
"address": "aws_db_instance.app",
"provider": "aws",
"resource_type": "aws_db_instance",
"name": "app",
"category": "data",
"identifier": "db-web-001",
"arn": "arn:aws:rds:us-east-1:333344445555:db:web-prod-db",
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [
"sg-web-db-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"engine": "postgres",
"publicly_accessible": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"storage_encrypted": true,
"db_subnet_group_name": "web-private-data",
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_instance.app",
"provider": "aws",
"resource_type": "aws_instance",
"name": "app",
"category": "compute",
"identifier": "i-web-app-001",
"arn": "arn:aws:ec2:us-east-1:333344445555:instance/i-web-app-001",
"vpc_id": "vpc-web-001",
"subnet_ids": [
"subnet-web-private-app-001"
],
"security_group_ids": [
"sg-web-app-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"ami": "ami-web-123456",
"instance_type": "t3.medium",
"associate_public_ip_address": false,
"iam_instance_profile": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"tags": {
"Tier": "app"
},
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": true,
"direct_internet_reachable": false
}
},
{
"address": "aws_internet_gateway.main",
"provider": "aws",
"resource_type": "aws_internet_gateway",
"name": "main",
"category": "network",
"identifier": "igw-web-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lb.web",
"provider": "aws",
"resource_type": "aws_lb",
"name": "web",
"category": "edge",
"identifier": "alb-web-001",
"arn": "arn:aws:elasticloadbalancing:us-east-1:333344445555:loadbalancer/app/web-prod/123456",
"vpc_id": "vpc-web-001",
"subnet_ids": [
"subnet-web-public-001"
],
"security_group_ids": [
"sg-web-lb-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": true,
"public_exposure": true,
"data_sensitivity": "standard",
"metadata": {
"internal": false,
"load_balancer_type": "application",
"public_access_reasons": [
"load balancer is configured as internet-facing"
],
"public_exposure_reasons": [
"load balancer is internet-facing and attached security groups allow internet ingress"
],
"public_access_configured": true,
"internet_ingress": true,
"internet_ingress_capable": true,
"internet_ingress_reasons": [
"aws_security_group.lb ingress tcp 443 from 0.0.0.0/0 (HTTPS from internet)"
],
"in_public_subnet": true,
"has_nat_gateway_egress": false,
"direct_internet_reachable": true
}
},
{
"address": "aws_nat_gateway.main",
"provider": "aws",
"resource_type": "aws_nat_gateway",
"name": "main",
"category": "network",
"identifier": "nat-web-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [
"subnet-web-public-001"
],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"allocation_id": "eipalloc-web-001",
"connectivity_type": "public",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": true,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.private",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "private",
"category": "network",
"identifier": "rtb-web-private-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"nat_gateway_id": "nat-web-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.public",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "public",
"category": "network",
"identifier": "rtb-web-public-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"gateway_id": "igw-web-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.private_app",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "private_app",
"category": "network",
"identifier": "rtassoc-web-private-app-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-web-private-001",
"subnet_id": "subnet-web-private-app-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.private_data",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "private_data",
"category": "network",
"identifier": "rtassoc-web-private-data-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-web-private-001",
"subnet_id": "subnet-web-private-data-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.public_edge",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "public_edge",
"category": "network",
"identifier": "rtassoc-web-public-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-web-public-001",
"subnet_id": "subnet-web-public-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.app",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "app",
"category": "network",
"identifier": "sg-web-app-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
},
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 8080,
"to_port": 8080,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-web-lb-001"
],
"description": "Application traffic from the ALB"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Private app tier reachable only from the ALB",
"group_name": "web-app-sg",
"standalone_rule_addresses": [
"aws_security_group_rule.app_from_lb"
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.db",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "db",
"category": "network",
"identifier": "sg-web-db-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
},
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 5432,
"to_port": 5432,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-web-app-001"
],
"description": "Postgres from the app tier"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Database tier reachable only from the app tier",
"group_name": "web-db-sg",
"standalone_rule_addresses": [
"aws_security_group_rule.db_from_app"
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.lb",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "lb",
"category": "network",
"identifier": "sg-web-lb-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 443,
"to_port": 443,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": "HTTPS from internet"
},
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Public ALB ingress only",
"group_name": "web-lb-sg",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group_rule.app_from_lb",
"provider": "aws",
"resource_type": "aws_security_group_rule",
"name": "app_from_lb",
"category": "network",
"identifier": "sgrule-web-app-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 8080,
"to_port": 8080,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-web-lb-001"
],
"description": "Application traffic from the ALB"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"security_group_id": "sg-web-app-001",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group_rule.db_from_app",
"provider": "aws",
"resource_type": "aws_security_group_rule",
"name": "db_from_app",
"category": "network",
"identifier": "sgrule-web-db-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 5432,
"to_port": 5432,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-web-app-001"
],
"description": "Postgres from the app tier"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"security_group_id": "sg-web-db-001",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.private_app",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "private_app",
"category": "network",
"identifier": "subnet-web-private-app-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.20.2.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": false,
"tags": {
"Tier": "app"
},
"is_public_subnet": false,
"route_table_ids": [
"rtb-web-private-001"
],
"has_public_route": false,
"has_nat_gateway_egress": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.private_data",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "private_data",
"category": "network",
"identifier": "subnet-web-private-data-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.20.3.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": false,
"tags": {
"Tier": "data"
},
"is_public_subnet": false,
"route_table_ids": [
"rtb-web-private-001"
],
"has_public_route": false,
"has_nat_gateway_egress": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.public_edge",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "public_edge",
"category": "network",
"identifier": "subnet-web-public-001",
"arn": null,
"vpc_id": "vpc-web-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.20.1.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": true,
"tags": {
"Tier": "edge"
},
"is_public_subnet": true,
"route_table_ids": [
"rtb-web-public-001"
],
"has_public_route": true,
"has_nat_gateway_egress": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_vpc.main",
"provider": "aws",
"resource_type": "aws_vpc",
"name": "main",
"category": "network",
"identifier": "vpc-web-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.20.0.0/16",
"tags": {
"Name": "web-main"
},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "internet-to-service:internet->aws_lb.web",
"boundary_type": "internet-to-service",
"source": "internet",
"target": "aws_lb.web",
"description": "Traffic can cross from the public internet to aws_lb.web.",
"rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
},
{
"identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
"boundary_type": "public-subnet-to-private-subnet",
"source": "aws_subnet.public_edge",
"target": "aws_subnet.private_app",
"description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
"rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
},
{
"identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_data",
"boundary_type": "public-subnet-to-private-subnet",
"source": "aws_subnet.public_edge",
"target": "aws_subnet.private_data",
"description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.",
"rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
},
{
"identifier": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
"boundary_type": "workload-to-data-store",
"source": "aws_instance.app",
"target": "aws_db_instance.app",
"description": "aws_instance.app can interact with aws_db_instance.app.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
}
],
"findings": [
{
"fingerprint": "sha256:878d7f51554b80571305b48b2d814a70df80e28ee3b2bf44a8feb9bd1d5c3e47",
"title": "Sensitive data tier is transitively reachable from an internet-exposed path",
"rule_id": "aws-private-data-transitive-exposure",
"category": "Information Disclosure",
"severity": "medium",
"affected_resources": [
"aws_lb.web",
"aws_instance.app",
"aws_db_instance.app",
"aws_security_group.app"
],
"trust_boundary_id": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
"rationale": "aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move through aws_lb.web can reach aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.",
"recommended_mitigation": "Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.",
"evidence": [
{
"key": "network_path",
"values": [
"internet reaches aws_lb.web",
"aws_lb.web reaches aws_instance.app",
"aws_instance.app reaches aws_db_instance.app"
]
},
{
"key": "security_group_rules",
"values": [
"aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)"
]
},
{
"key": "subnet_posture",
"values": [
"aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route",
"aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress"
]
},
{
"key": "data_tier_posture",
"values": [
"aws_db_instance.app is not directly public",
"database has no direct internet ingress path"
]
},
{
"key": "boundary_rationale",
"values": [
"Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
]
}
],
"severity_reasoning": {
"internet_exposure": 0,
"privilege_breadth": 0,
"data_sensitivity": 2,
"lateral_movement": 2,
"blast_radius": 1,
"final_score": 5,
"severity": "medium",
"computed_severity": null
}
}
],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [
{
"title": "RDS instance is private and storage encrypted",
"observation_id": "aws-rds-private-encrypted",
"affected_resources": [
"aws_db_instance.app"
],
"rationale": "aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.",
"category": "data-protection",
"evidence": [
{
"key": "database_posture",
"values": [
"publicly_accessible is false",
"storage_encrypted is true",
"no attached security group allows internet ingress",
"engine is postgres"
]
}
]
}
],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# ALB / EC2 / RDS Demo
- Analyzed file: `sample_aws_alb_ec2_rds_plan.json`
- Provider: `aws`
- Normalized resources: `19`
- Unsupported resources: `0`
## Summary
This run identified **4 trust boundaries** and **1 finding** across **19 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `1`
- Low severity findings: `0`
## Discovered Trust Boundaries
### `internet-to-service`
- Source: `internet`
- Target: `aws_lb.web`
- Description: Traffic can cross from the public internet to aws_lb.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.
### `public-subnet-to-private-subnet`
- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
### `public-subnet-to-private-subnet`
- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_data`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
### `workload-to-data-store`
- Source: `aws_instance.app`
- Target: `aws_db_instance.app`
- Description: aws_instance.app can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
## Findings
### High
No findings in this severity band.
### Medium
#### Sensitive data tier is transitively reachable from an internet-exposed path
- STRIDE category: Information Disclosure
- Affected resources: `aws_lb.web`, `aws_instance.app`, `aws_db_instance.app`, `aws_security_group.app`
- Trust boundary: `workload-to-data-store:aws_instance.app->aws_db_instance.app`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +2, blast_radius +1, final_score 5 => medium
- Rationale: aws_db_instance.app is not directly public, but internet traffic can first reach aws_lb.web, move from aws_lb.web to aws_instance.app, and then cross into the private data tier through aws_instance.app. That creates a quieter transitive exposure path than a directly public data store.
- Recommended mitigation: Keep internet-adjacent entry points from chaining into workloads that retain database or secret access, narrow edge-to-workload and workload-to-workload trust, and isolate sensitive data access behind more deliberate service boundaries.
- Evidence:
- network path: internet reaches aws_lb.web; aws_lb.web reaches aws_instance.app; aws_instance.app reaches aws_db_instance.app
- security group rules: aws_security_group.app ingress tcp 8080 from sg-web-lb-001 (Application traffic from the ALB)
- subnet posture: aws_lb.web sits in public subnet aws_subnet.public_edge with an internet route; aws_instance.app sits in private subnet aws_subnet.private_app with NAT-backed egress
- data tier posture: aws_db_instance.app is not directly public; database has no direct internet ingress path
- boundary rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
### Low
No findings in this severity band.
## Controls Observed
### RDS instance is private and storage encrypted
- Category: `data-protection`
- Affected resources: `aws_db_instance.app`
- Rationale: aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
- Evidence:
- database posture: publicly_accessible is false; storage_encrypted is true; no attached security group allows internet ingress; engine is postgres
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.