Active findings: 0
Built-in scenario: sample_aws_safe_plan.json
Safe Plan Demo
Analyzed sample_aws_safe_plan.json with 26 normalized resources and 6 trust boundaries.
Trust boundaries: 6
Resources: 26
Observations: 2
Findings
Severity bands
High: 0 (no high findings)
Medium: 0 (no medium findings)
Low: 0 (no low findings)
Observations
Controls and mitigating signals
RDS instance is private and storage encrypted
aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
S3 public access is reduced by a public access block
aws_s3_bucket.artifacts carries a public-read ACL and a bucket policy that allows s3:GetObject to Principal "*", but the attached public access block, with all four settings enabled, materially reduces that exposure. The public-looking ACL and policy remain in the configuration, so the durable fix is to remove them rather than rely on the block alone, which is a separate setting that can later be relaxed by anyone allowed to change it.
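The observation above credits the public access block as a mitigating control. Which of its four settings actually neutralise configuration that already exists is the detail a reviewer wants, so here is an added example (not cloud-threat-modeler's own code) that splits the bucket's public-looking signals into mitigated and residual ones. BUCKET is constructed from the aws_s3_bucket.artifacts entry in this report; the per-setting semantics follow the S3 Block Public Access documentation, and a conditioned policy statement is deliberately left for manual review rather than classified.

```python
"""Check whether public-looking S3 signals are neutralised by the bucket's
public access block.

Added example, not code from cloud-threat-modeler. BUCKET is constructed from
the report's aws_s3_bucket.artifacts resource.
"""
from typing import Any

# ACLs that grant to the AllUsers or AuthenticatedUsers groups count as public.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Constructed from the aws_s3_bucket.artifacts entry in the report above.
BUCKET = {
    "address": "aws_s3_bucket.artifacts",
    "acl": "public-read",
    "policy_statements": [
        {
            "effect": "Allow",
            "actions": ["s3:GetObject"],
            "resources": ["arn:aws:s3:::safe-artifacts/*"],
            "principals": ["*"],
            "conditions": [],
        }
    ],
    "public_access_block": {
        "block_public_acls": True,
        "block_public_policy": True,
        "ignore_public_acls": True,
        "restrict_public_buckets": True,
    },
}


def anonymous_allow_statements(statements: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Allow statements that name everyone as principal with no narrowing condition.

    A conditioned statement is not treated as public here; it needs manual
    review against the condition keys AWS accepts as non-public.
    """
    return [
        s for s in statements
        if s.get("effect") == "Allow"
        and "*" in s.get("principals", [])
        and not s.get("conditions")
    ]


def assess_public_access(bucket: dict[str, Any]) -> dict[str, Any]:
    """Split public-access signals into mitigated and residual ones.

    Only two of the four block settings neutralise configuration that already
    exists: ignore_public_acls switches off existing public ACLs, and
    restrict_public_buckets limits a bucket with a public policy to the owning
    account and AWS service principals. block_public_acls and
    block_public_policy only reject *new* public ACLs / policies at write time,
    so on their own they leave an existing public ACL or policy effective.
    """
    pab = bucket.get("public_access_block") or {}
    signals = {
        "acl": bucket.get("acl") in PUBLIC_ACLS,
        "policy": bool(anonymous_allow_statements(bucket.get("policy_statements", []))),
    }
    neutralised_by = {"acl": "ignore_public_acls", "policy": "restrict_public_buckets"}

    mitigated, residual = [], []
    for signal, present in signals.items():
        if not present:
            continue
        (mitigated if pab.get(neutralised_by[signal]) else residual).append(signal)

    return {
        "address": bucket.get("address"),
        "public_access_configured": any(signals.values()),
        "public_exposure": bool(residual),
        "mitigated_signals": mitigated,
        "residual_signals": residual,
    }


if __name__ == "__main__":
    print(assess_public_access(BUCKET))
```

Two caveats the report cannot express on its own: an account-level block (aws_s3_account_public_access_block) would mitigate the same signals but is not among the supported resource types listed in the report, so it would not be credited; and because block_public_policy makes S3 reject a PutBucketPolicy that would grant public access, a plan that declares both the public policy and the block only applies cleanly if the policy is created before the block, which is one more reason to delete the public ACL and policy instead of leaving them inert.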
Trust boundaries
Crossings that drive the model
admin-to-workload-plane
aws_iam_role.workload -> aws_lambda_function.processor
IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
public-subnet-to-private-subnet
aws_subnet.public_edge -> aws_subnet.private_app
The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
public-subnet-to-private-subnet
aws_subnet.public_edge -> aws_subnet.private_data
The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
workload-to-data-store
aws_instance.app -> aws_db_instance.app
Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
workload-to-data-store
aws_lambda_function.processor -> aws_db_instance.app
Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
workload-to-data-store
aws_lambda_function.processor -> aws_s3_bucket.artifacts
Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.
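The three workload-to-data-store crossings above come from two different kinds of evidence: a security-group ingress rule on the data store that references the workload's security group, and an attached role whose Allow statements reach an S3 bucket. The added example below (not cloud-threat-modeler's own implementation) derives exactly those three identifiers from a constructed subset of this report's inventory, carrying only the fields the derivation needs; the ARN matching is a deliberate simplification (wildcards only, no Deny or NotResource evaluation), so a real implementation needs a fuller IAM evaluator.

```python
"""Derive workload-to-data-store trust-boundary crossings from normalized
resources: a network path when a data store's security group explicitly
trusts the workload's security group, and an identity path when the
workload's role allows S3 actions on a bucket.

Added example, not cloud-threat-modeler's own code. RESOURCES is a
constructed subset of the report's inventory.
"""
from fnmatch import fnmatchcase

RESOURCES = [
    {"address": "aws_instance.app", "resource_type": "aws_instance", "category": "compute",
     "security_group_ids": ["sg-safe-app-001"], "attached_role_arns": []},
    {"address": "aws_lambda_function.processor", "resource_type": "aws_lambda_function",
     "category": "compute", "security_group_ids": ["sg-safe-app-001"],
     "attached_role_arns": ["arn:aws:iam::222233334444:role/safe-workload-role"]},
    {"address": "aws_db_instance.app", "resource_type": "aws_db_instance", "category": "data",
     "arn": "arn:aws:rds:us-east-1:222233334444:db:safe-customer-db",
     "security_group_ids": ["sg-safe-db-001"]},
    {"address": "aws_s3_bucket.artifacts", "resource_type": "aws_s3_bucket", "category": "data",
     "arn": "arn:aws:s3:::safe-artifacts", "security_group_ids": []},
    {"address": "aws_iam_role.workload", "resource_type": "aws_iam_role", "category": "iam",
     "arn": "arn:aws:iam::222233334444:role/safe-workload-role",
     "policy_statements": [{"effect": "Allow", "actions": ["s3:GetObject"],
                            "resources": ["arn:aws:s3:::safe-artifacts/*"]}]},
    {"address": "aws_security_group.db", "resource_type": "aws_security_group",
     "category": "network", "identifier": "sg-safe-db-001",
     "network_rules": [{"direction": "ingress", "protocol": "tcp", "from_port": 5432,
                        "to_port": 5432, "cidr_blocks": [],
                        "referenced_security_group_ids": ["sg-safe-app-001"]}]},
]


def ingress_trust(resources):
    """Map each security group id to the set of group ids its ingress rules reference."""
    trust = {}
    for r in resources:
        if r["resource_type"] != "aws_security_group":
            continue
        refs = trust.setdefault(r["identifier"], set())
        for rule in r.get("network_rules", []):
            if rule.get("direction") == "ingress":
                refs.update(rule.get("referenced_security_group_ids", []))
    return trust


def s3_arn_covered(pattern, bucket_arn):
    """True if an IAM Resource pattern covers the bucket itself or objects inside it."""
    return fnmatchcase(bucket_arn, pattern) or fnmatchcase(bucket_arn + "/object", pattern)


def role_allows_s3(role, bucket_arn):
    """True if any Allow statement on the role grants an s3:* action on the bucket."""
    for stmt in role.get("policy_statements", []):
        if stmt.get("effect") != "Allow":
            continue
        actions = [a.lower() for a in stmt.get("actions", [])]
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue
        if any(s3_arn_covered(res, bucket_arn) for res in stmt.get("resources", [])):
            return True
    return False


def workload_to_data_store(resources):
    """Return boundary identifiers in the report's TYPE:SOURCE->TARGET format, sorted."""
    by_arn = {r["arn"]: r for r in resources if r.get("arn")}
    trust = ingress_trust(resources)
    compute = [r for r in resources if r["category"] == "compute"]
    data = [r for r in resources if r["category"] == "data"]
    crossings = set()
    for workload in compute:
        workload_sgs = set(workload.get("security_group_ids", []))
        roles = [by_arn[a] for a in workload.get("attached_role_arns", []) if a in by_arn]
        for store in data:
            # Network path: a security group on the store trusts a workload group.
            store_trusts = set()
            for sg in store.get("security_group_ids", []):
                store_trusts |= trust.get(sg, set())
            network_path = bool(workload_sgs & store_trusts)
            # Identity path: an attached role can call S3 against this bucket.
            identity_path = store["resource_type"] == "aws_s3_bucket" and any(
                role_allows_s3(role, store["arn"]) for role in roles
            )
            if network_path or identity_path:
                crossings.add(f"workload-to-data-store:{workload['address']}->{store['address']}")
    return sorted(crossings)


if __name__ == "__main__":
    for identifier in workload_to_data_store(RESOURCES):
        print(identifier)
```

Note that aws_instance.app reaches the database only through the network path: it has no instance profile, so it never appears against the bucket, which matches the report. Dropping the database security group from the input removes both database crossings and leaves only the identity-based one.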
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "cloud-threat-model-report",
"version": "1.0",
"tool": {
"name": "cloud-threat-modeler",
"version": "0.2.0"
},
"title": "Safe Plan Demo",
"analyzed_file": "sample_aws_safe_plan.json",
"analyzed_path": "/home/fleet/cloud-threat-modeler/fixtures/sample_aws_safe_plan.json",
"summary": {
"normalized_resources": 26,
"unsupported_resources": 0,
"trust_boundaries": 6,
"active_findings": 0,
"total_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 0,
"low": 0
}
},
"filtering": {
"total_findings": 0,
"active_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"inventory": {
"provider": "aws",
"unsupported_resources": [],
"metadata": {
"primary_account_id": "222233334444",
"supported_resource_types": [
"aws_db_instance",
"aws_ecs_cluster",
"aws_ecs_service",
"aws_ecs_task_definition",
"aws_iam_instance_profile",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_role_policy_attachment",
"aws_instance",
"aws_internet_gateway",
"aws_kms_key",
"aws_lambda_function",
"aws_lambda_permission",
"aws_lb",
"aws_nat_gateway",
"aws_route_table",
"aws_route_table_association",
"aws_s3_bucket",
"aws_s3_bucket_policy",
"aws_s3_bucket_public_access_block",
"aws_secretsmanager_secret",
"aws_secretsmanager_secret_policy",
"aws_security_group",
"aws_security_group_rule",
"aws_sns_topic",
"aws_sqs_queue",
"aws_subnet",
"aws_vpc"
]
},
"resources": [
{
"address": "aws_db_instance.app",
"provider": "aws",
"resource_type": "aws_db_instance",
"name": "app",
"category": "data",
"identifier": "db-safe-001",
"arn": "arn:aws:rds:us-east-1:222233334444:db:safe-customer-db",
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [
"sg-safe-db-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"engine": "postgres",
"publicly_accessible": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"storage_encrypted": true,
"db_subnet_group_name": "safe-private-data",
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_iam_policy.artifact_read",
"provider": "aws",
"resource_type": "aws_iam_policy",
"name": "artifact_read",
"category": "iam",
"identifier": "safe-artifact-read",
"arn": "arn:aws:iam::222233334444:policy/safe-artifact-read",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [
{
"effect": "Allow",
"actions": [
"s3:GetObject"
],
"resources": [
"arn:aws:s3:::safe-artifacts/*"
],
"principals": [],
"conditions": []
}
],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"policy_document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::safe-artifacts/*"
]
}
]
},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_iam_policy.observability",
"provider": "aws",
"resource_type": "aws_iam_policy",
"name": "observability",
"category": "iam",
"identifier": "safe-observability",
"arn": "arn:aws:iam::222233334444:policy/safe-observability",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [
{
"effect": "Allow",
"actions": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"resources": [
"arn:aws:logs:us-east-1:222233334444:log-group:/aws/lambda/safe-processor:*",
"arn:aws:logs:us-east-1:222233334444:log-group:/aws/ec2/safe-app:*"
],
"principals": [],
"conditions": []
}
],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"policy_document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:222233334444:log-group:/aws/lambda/safe-processor:*",
"arn:aws:logs:us-east-1:222233334444:log-group:/aws/ec2/safe-app:*"
]
}
]
},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_iam_role.workload",
"provider": "aws",
"resource_type": "aws_iam_role",
"name": "workload",
"category": "iam",
"identifier": "safe-workload-role",
"arn": "arn:aws:iam::222233334444:role/safe-workload-role",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [
{
"effect": "Allow",
"actions": [
"s3:GetObject"
],
"resources": [
"arn:aws:s3:::safe-artifacts/*"
],
"principals": [],
"conditions": []
}
],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"assume_role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"trust_principals": [
"lambda.amazonaws.com"
],
"trust_statements": [
{
"principals": [
"lambda.amazonaws.com"
],
"narrowing_condition_keys": [],
"narrowing_conditions": [],
"has_narrowing_conditions": false
}
],
"inline_policy_names": [],
"attached_policy_arns": [
"arn:aws:iam::222233334444:policy/safe-artifact-read"
],
"attached_policy_addresses": [
"aws_iam_policy.artifact_read"
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_iam_role_policy_attachment.workload_artifact_read",
"provider": "aws",
"resource_type": "aws_iam_role_policy_attachment",
"name": "workload_artifact_read",
"category": "iam",
"identifier": "safe-workload-artifact-read",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"role": "safe-workload-role",
"policy_arn": "arn:aws:iam::222233334444:policy/safe-artifact-read",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_instance.app",
"provider": "aws",
"resource_type": "aws_instance",
"name": "app",
"category": "compute",
"identifier": "i-safe-001",
"arn": "arn:aws:ec2:us-east-1:222233334444:instance/i-safe-001",
"vpc_id": "vpc-safe-001",
"subnet_ids": [
"subnet-safe-private-app-001"
],
"security_group_ids": [
"sg-safe-app-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"ami": "ami-safe-123456",
"instance_type": "t3.small",
"associate_public_ip_address": false,
"iam_instance_profile": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"tags": {
"Tier": "app"
},
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": true,
"direct_internet_reachable": false
}
},
{
"address": "aws_internet_gateway.main",
"provider": "aws",
"resource_type": "aws_internet_gateway",
"name": "main",
"category": "network",
"identifier": "igw-safe-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_lambda_function.processor",
"provider": "aws",
"resource_type": "aws_lambda_function",
"name": "processor",
"category": "compute",
"identifier": "safe-processor",
"arn": "arn:aws:lambda:us-east-1:222233334444:function:safe-processor",
"vpc_id": "vpc-safe-001",
"subnet_ids": [
"subnet-safe-private-app-001"
],
"security_group_ids": [
"sg-safe-app-001"
],
"attached_role_arns": [
"arn:aws:iam::222233334444:role/safe-workload-role"
],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"runtime": "python3.12",
"handler": "handler.main",
"vpc_enabled": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": true,
"direct_internet_reachable": false
}
},
{
"address": "aws_lb.web",
"provider": "aws",
"resource_type": "aws_lb",
"name": "web",
"category": "edge",
"identifier": "alb-safe-001",
"arn": "arn:aws:elasticloadbalancing:us-east-1:222233334444:loadbalancer/app/safe-web/123456",
"vpc_id": "vpc-safe-001",
"subnet_ids": [
"subnet-safe-private-app-001"
],
"security_group_ids": [
"sg-safe-lb-001"
],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"internal": true,
"load_balancer_type": "application",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": true,
"direct_internet_reachable": false
}
},
{
"address": "aws_nat_gateway.main",
"provider": "aws",
"resource_type": "aws_nat_gateway",
"name": "main",
"category": "network",
"identifier": "nat-safe-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [
"subnet-safe-public-001"
],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"allocation_id": "eipalloc-safe-001",
"connectivity_type": "public",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": true,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.private",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "private",
"category": "network",
"identifier": "rtb-safe-private-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"nat_gateway_id": "nat-safe-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table.public",
"provider": "aws",
"resource_type": "aws_route_table",
"name": "public",
"category": "network",
"identifier": "rtb-safe-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"routes": [
{
"cidr_block": "0.0.0.0/0",
"gateway_id": "igw-safe-001"
}
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.private_app",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "private_app",
"category": "network",
"identifier": "rtassoc-safe-private-app-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-safe-private-001",
"subnet_id": "subnet-safe-private-app-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.private_data",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "private_data",
"category": "network",
"identifier": "rtassoc-safe-private-data-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-safe-private-001",
"subnet_id": "subnet-safe-private-data-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_route_table_association.public_edge",
"provider": "aws",
"resource_type": "aws_route_table_association",
"name": "public_edge",
"category": "network",
"identifier": "rtassoc-safe-public-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"route_table_id": "rtb-safe-001",
"subnet_id": "subnet-safe-public-001",
"gateway_id": null,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_s3_bucket.artifacts",
"provider": "aws",
"resource_type": "aws_s3_bucket",
"name": "artifacts",
"category": "data",
"identifier": "safe-artifacts",
"arn": "arn:aws:s3:::safe-artifacts",
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [
{
"effect": "Allow",
"actions": [
"s3:GetObject"
],
"resources": [
"arn:aws:s3:::safe-artifacts/*"
],
"principals": [
"*"
],
"conditions": []
}
],
"public_access_configured": true,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"bucket": "safe-artifacts",
"acl": "public-read",
"policy_document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::safe-artifacts/*"
}
]
},
"public_access_reasons": [
"bucket ACL `public-read` grants public access",
"bucket policy allows anonymous access"
],
"public_exposure_reasons": [],
"public_access_block": {
"block_public_acls": true,
"block_public_policy": true,
"ignore_public_acls": true,
"restrict_public_buckets": true
},
"public_access_configured": true,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_s3_bucket_public_access_block.artifacts",
"provider": "aws",
"resource_type": "aws_s3_bucket_public_access_block",
"name": "artifacts",
"category": "data",
"identifier": "safe-artifacts-public-block",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"bucket": "safe-artifacts",
"block_public_acls": true,
"block_public_policy": true,
"ignore_public_acls": true,
"restrict_public_buckets": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.app",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "app",
"category": "network",
"identifier": "sg-safe-app-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
},
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 8080,
"to_port": 8080,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-safe-lb-001"
],
"description": "App traffic from ALB"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Application tier only reachable from the load balancer",
"group_name": "safe-app-sg",
"standalone_rule_addresses": [
"aws_security_group_rule.app_from_lb"
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.db",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "db",
"category": "network",
"identifier": "sg-safe-db-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
},
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 5432,
"to_port": 5432,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-safe-app-001"
],
"description": "Postgres from app tier"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Database ingress only from the app tier",
"group_name": "safe-db-sg",
"standalone_rule_addresses": [
"aws_security_group_rule.db_from_app"
],
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group.lb",
"provider": "aws",
"resource_type": "aws_security_group",
"name": "lb",
"category": "network",
"identifier": "sg-safe-lb-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 443,
"to_port": 443,
"cidr_blocks": [
"10.10.0.0/16"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": "HTTPS from internal clients"
},
{
"direction": "egress",
"protocol": "-1",
"from_port": 0,
"to_port": 0,
"cidr_blocks": [
"0.0.0.0/0"
],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [],
"description": null
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"description": "Internal load balancer ingress only",
"group_name": "safe-lb-sg",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group_rule.app_from_lb",
"provider": "aws",
"resource_type": "aws_security_group_rule",
"name": "app_from_lb",
"category": "network",
"identifier": "sgrule-safe-app-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 8080,
"to_port": 8080,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-safe-lb-001"
],
"description": "App traffic from ALB"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"security_group_id": "sg-safe-app-001",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_security_group_rule.db_from_app",
"provider": "aws",
"resource_type": "aws_security_group_rule",
"name": "db_from_app",
"category": "network",
"identifier": "sgrule-safe-db-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [
{
"direction": "ingress",
"protocol": "tcp",
"from_port": 5432,
"to_port": 5432,
"cidr_blocks": [],
"ipv6_cidr_blocks": [],
"referenced_security_group_ids": [
"sg-safe-app-001"
],
"description": "Postgres from app tier"
}
],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"security_group_id": "sg-safe-db-001",
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.private_app",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "private_app",
"category": "network",
"identifier": "subnet-safe-private-app-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.10.2.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": false,
"tags": {
"Tier": "app"
},
"is_public_subnet": false,
"route_table_ids": [
"rtb-safe-private-001"
],
"has_public_route": false,
"has_nat_gateway_egress": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.private_data",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "private_data",
"category": "network",
"identifier": "subnet-safe-private-data-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.10.3.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": false,
"tags": {
"Tier": "data"
},
"is_public_subnet": false,
"route_table_ids": [
"rtb-safe-private-001"
],
"has_public_route": false,
"has_nat_gateway_egress": true,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_subnet.public_edge",
"provider": "aws",
"resource_type": "aws_subnet",
"name": "public_edge",
"category": "network",
"identifier": "subnet-safe-public-001",
"arn": null,
"vpc_id": "vpc-safe-001",
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.10.1.0/24",
"availability_zone": "us-east-1a",
"map_public_ip_on_launch": true,
"tags": {
"Tier": "edge"
},
"is_public_subnet": true,
"route_table_ids": [
"rtb-safe-001"
],
"has_public_route": true,
"has_nat_gateway_egress": false,
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"direct_internet_reachable": false
}
},
{
"address": "aws_vpc.main",
"provider": "aws",
"resource_type": "aws_vpc",
"name": "main",
"category": "network",
"identifier": "vpc-safe-001",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"cidr_block": "10.10.0.0/16",
"tags": {
"Name": "safe-main"
},
"public_access_reasons": [],
"public_exposure_reasons": [],
"public_access_configured": false,
"internet_ingress": false,
"internet_ingress_capable": false,
"internet_ingress_reasons": [],
"in_public_subnet": false,
"has_nat_gateway_egress": false,
"direct_internet_reachable": false
}
}
]
},
"trust_boundaries": [
{
"identifier": "admin-to-workload-plane:aws_iam_role.workload->aws_lambda_function.processor",
"boundary_type": "admin-to-workload-plane",
"source": "aws_iam_role.workload",
"target": "aws_lambda_function.processor",
"description": "aws_iam_role.workload governs actions performed by aws_lambda_function.processor.",
"rationale": "IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries."
},
{
"identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_app",
"boundary_type": "public-subnet-to-private-subnet",
"source": "aws_subnet.public_edge",
"target": "aws_subnet.private_app",
"description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.",
"rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
},
{
"identifier": "public-subnet-to-private-subnet:aws_subnet.public_edge->aws_subnet.private_data",
"boundary_type": "public-subnet-to-private-subnet",
"source": "aws_subnet.public_edge",
"target": "aws_subnet.private_data",
"description": "Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.",
"rationale": "The VPC contains both publicly routable and private network segments that should be treated as separate trust zones."
},
{
"identifier": "workload-to-data-store:aws_instance.app->aws_db_instance.app",
"boundary_type": "workload-to-data-store",
"source": "aws_instance.app",
"target": "aws_db_instance.app",
"description": "aws_instance.app can interact with aws_db_instance.app.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
},
{
"identifier": "workload-to-data-store:aws_lambda_function.processor->aws_db_instance.app",
"boundary_type": "workload-to-data-store",
"source": "aws_lambda_function.processor",
"target": "aws_db_instance.app",
"description": "aws_lambda_function.processor can interact with aws_db_instance.app.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group."
},
{
"identifier": "workload-to-data-store:aws_lambda_function.processor->aws_s3_bucket.artifacts",
"boundary_type": "workload-to-data-store",
"source": "aws_lambda_function.processor",
"target": "aws_s3_bucket.artifacts",
"description": "aws_lambda_function.processor can interact with aws_s3_bucket.artifacts.",
"rationale": "Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject."
}
],
"findings": [],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [
{
"title": "RDS instance is private and storage encrypted",
"observation_id": "aws-rds-private-encrypted",
"affected_resources": [
"aws_db_instance.app"
],
"rationale": "aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.",
"category": "data-protection",
"evidence": [
{
"key": "database_posture",
"values": [
"publicly_accessible is false",
"storage_encrypted is true",
"no attached security group allows internet ingress",
"engine is postgres"
]
}
]
},
{
"title": "S3 public access is reduced by a public access block",
"observation_id": "aws-s3-public-access-block-observed",
"affected_resources": [
"aws_s3_bucket.artifacts",
"aws_s3_bucket_public_access_block.artifacts"
],
"rationale": "aws_s3_bucket.artifacts includes public-looking ACL or policy signals, but an attached public access block materially reduces that exposure.",
"category": "data-protection",
"evidence": [
{
"key": "mitigated_public_access",
"values": [
"bucket ACL `public-read` would otherwise grant public access",
"bucket policy would otherwise allow anonymous access"
]
},
{
"key": "control_posture",
"values": [
"block_public_acls is true",
"block_public_policy is true",
"ignore_public_acls is true",
"restrict_public_buckets is true"
]
}
]
}
],
"limitations": [
"AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.",
"Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.",
"IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.",
"Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Safe Plan Demo
- Analyzed file: `sample_aws_safe_plan.json`
- Provider: `aws`
- Normalized resources: `26`
- Unsupported resources: `0`
## Summary
This run identified **6 trust boundaries** and **0 findings** across **26 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`
## Discovered Trust Boundaries
### `public-subnet-to-private-subnet`
- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_app`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_app.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
### `public-subnet-to-private-subnet`
- Source: `aws_subnet.public_edge`
- Target: `aws_subnet.private_data`
- Description: Traffic can move from aws_subnet.public_edge toward aws_subnet.private_data.
- Rationale: The VPC contains both publicly routable and private network segments that should be treated as separate trust zones.
### `workload-to-data-store`
- Source: `aws_instance.app`
- Target: `aws_db_instance.app`
- Description: aws_instance.app can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
### `workload-to-data-store`
- Source: `aws_lambda_function.processor`
- Target: `aws_db_instance.app`
- Description: aws_lambda_function.processor can interact with aws_db_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when database ingress security groups explicitly trust the workload security group.
### `workload-to-data-store`
- Source: `aws_lambda_function.processor`
- Target: `aws_s3_bucket.artifacts`
- Description: aws_lambda_function.processor can interact with aws_s3_bucket.artifacts.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when their attached role allows S3 actions such as s3:GetObject.
### `admin-to-workload-plane`
- Source: `aws_iam_role.workload`
- Target: `aws_lambda_function.processor`
- Description: aws_iam_role.workload governs actions performed by aws_lambda_function.processor.
- Rationale: IAM configuration acts as a control-plane boundary because the workload inherits whatever privileges the role carries.
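The two IAM-driven boundaries above (`admin-to-workload-plane` and the Lambda's `workload-to-data-store` crossing into S3) come from following the function's role to the policy documents in the plan. The Python below is an added example, not the analyzer's own code: it resolves `aws_lambda_function.role` to the role, collects inline `aws_iam_role_policy` documents and `aws_iam_role_policy_attachment` targets that are `aws_iam_policy` resources in the plan, and checks whether any Allow statement covers an S3 data-plane action on a bucket in the plan. An attachment whose document is not in the plan (an AWS-managed policy ARN here) is reported as unexpanded, which is the gap the IAM limitation describes. The plan fragment is constructed for this example and writes cross-resource references as Terraform addresses; in a real `terraform show -json` plan those ids are computed and the references sit in the `configuration` section.

```python
"""Derive a Lambda function's IAM-driven trust boundaries from Terraform planned values.

Added example, not the analyzer's code. The PLAN below is constructed; it links
resources by Terraform address, a simplification of real plans (see lead-in).
"""
import fnmatch
import json

# Actions taken as evidence that a workload crosses into the S3 data plane (assumption).
DATA_STORE_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.artifacts", "type": "aws_s3_bucket",
     "values": {"bucket": "artifacts-demo"}},
    {"address": "aws_iam_role.workload", "type": "aws_iam_role", "values": {"name": "workload"}},
    {"address": "aws_iam_role_policy.workload_inline", "type": "aws_iam_role_policy", "values": {
        "role": "aws_iam_role.workload",
        "policy": policy({"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                          "Resource": "arn:aws:s3:::artifacts-demo/*"})}},
    {"address": "aws_iam_policy.logs", "type": "aws_iam_policy", "values": {
        "policy": policy({"Effect": "Allow", "Action": "logs:*", "Resource": "*"})}},
    {"address": "aws_iam_role_policy_attachment.logs", "type": "aws_iam_role_policy_attachment",
     "values": {"role": "aws_iam_role.workload", "policy_arn": "aws_iam_policy.logs"}},
    # AWS-managed policy: its document is not in the plan, so it cannot be expanded.
    {"address": "aws_iam_role_policy_attachment.managed", "type": "aws_iam_role_policy_attachment",
     "values": {"role": "aws_iam_role.workload",
                "policy_arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"address": "aws_lambda_function.processor", "type": "aws_lambda_function",
     "values": {"function_name": "processor", "role": "aws_iam_role.workload"}},
]}}}


def resources(plan, rtype=None):
    res = plan["planned_values"]["root_module"]["resources"]
    return [r for r in res if rtype is None or r["type"] == rtype]


def by_address(plan):
    return {r["address"]: r for r in resources(plan)}


def as_list(v):
    return v if isinstance(v, list) else [v]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def s3_grants(policy_json):
    """(action, resource pattern) pairs for Allow statements that cover a data-store action."""
    grants = []
    for s in as_list(json.loads(policy_json).get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        if "NotAction" in s:  # Allow + NotAction permits everything outside the list: expand conservatively
            hits = [p for p in DATA_STORE_ACTIONS
                    if not any(action_matches(n, p) for n in as_list(s["NotAction"]))]
        else:
            hits = [p for p in DATA_STORE_ACTIONS
                    if any(action_matches(a, p) for a in as_list(s.get("Action", [])))]
        grants.extend((p, res) for p in hits for res in as_list(s.get("Resource", [])))
    return grants


def bucket_matches(bucket_name, resource_pattern):
    """True if the Resource pattern covers the bucket itself or any object key in it."""
    arn = f"arn:aws:s3:::{bucket_name}"
    return any(fnmatch.fnmatchcase(c, resource_pattern) for c in (arn, arn + "/any-key"))


def resolve_role_policies(plan, role_address):
    """Policy documents reachable from the role, plus attachments the plan cannot expand."""
    addr = by_address(plan)
    docs, unresolved = [], []
    for r in resources(plan, "aws_iam_role_policy"):
        if r["values"].get("role") == role_address:
            docs.append((r["address"], r["values"]["policy"]))
    for r in resources(plan, "aws_iam_role_policy_attachment"):
        if r["values"].get("role") != role_address:
            continue
        target = r["values"].get("policy_arn")
        if addr.get(target, {}).get("type") == "aws_iam_policy":
            docs.append((target, addr[target]["values"]["policy"]))
        else:
            unresolved.append(target)
    return docs, unresolved


def lambda_boundaries(plan, fn_address):
    """Boundaries the report would emit for one function, and attachments left unexpanded."""
    role = by_address(plan)[fn_address]["values"].get("role")
    if not role:
        return [], []
    boundaries = [{"boundary_type": "admin-to-workload-plane", "source": role, "target": fn_address}]
    docs, unresolved = resolve_role_policies(plan, role)
    for bucket in resources(plan, "aws_s3_bucket"):
        name = bucket["values"].get("bucket")
        actions = sorted({a for _, doc in docs for a, res in s3_grants(doc) if bucket_matches(name, res)})
        if actions:
            boundaries.append({"boundary_type": "workload-to-data-store", "source": fn_address,
                               "target": bucket["address"], "actions": actions})
    return boundaries, unresolved


if __name__ == "__main__":
    found, unexpanded = lambda_boundaries(PLAN, "aws_lambda_function.processor")
    print(json.dumps(found, indent=2))
    print("attachments not expanded:", unexpanded)
```

Two choices worth noting: a `Deny` statement is ignored rather than subtracted, so the result is an over-approximation of what the role can do (a trust boundary, not a proof of access), and the unexpanded managed-policy ARN is surfaced explicitly so a reviewer knows the S3 read grant may be broader than the inline policy shows.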
## Findings
### High
No findings in this severity band.
### Medium
No findings in this severity band.
### Low
No findings in this severity band.
## Controls Observed
### RDS instance is private and storage encrypted
- Category: `data-protection`
- Affected resources: `aws_db_instance.app`
- Rationale: aws_db_instance.app is kept off direct internet paths and has storage encryption enabled, which reduces straightforward data exposure risk.
- Evidence:
- database posture: publicly_accessible is false; storage_encrypted is true; no attached security group allows internet ingress; engine is postgres
### S3 public access is reduced by a public access block
- Category: `data-protection`
- Affected resources: `aws_s3_bucket.artifacts`, `aws_s3_bucket_public_access_block.artifacts`
- Rationale: aws_s3_bucket.artifacts includes public-looking ACL or policy signals, but an attached public access block materially reduces that exposure.
- Evidence:
- mitigated public access: bucket ACL `public-read` would otherwise grant public access; bucket policy would otherwise allow anonymous access
- control posture: block_public_acls is true; block_public_policy is true; ignore_public_acls is true; restrict_public_buckets is true
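Both controls above are derived from planned values alone: the RDS entry from `publicly_accessible`, `storage_encrypted` and the ingress rules of the attached security groups, the S3 entry from the bucket's ACL and policy weighed against the four public-access-block flags. The Python below is an added example of that derivation, not the analyzer's own code. It also shows the check a reviewer would want that the report's wording glosses over: `block_public_acls` and `block_public_policy` only reject future public grants, so it is `ignore_public_acls` and `restrict_public_buckets` that neutralise the `public-read` ACL and anonymous policy already in this plan, and the example reports a signal as unmitigated when the relevant flag is off. The plan fragment is constructed and links the RDS instance to its security groups by Terraform address, a simplification of real plans where those ids are computed.

```python
"""Derive the report's two 'Controls Observed' entries from Terraform planned values.

Added example, not the analyzer's code. PLAN is constructed; cross-resource
links are written as Terraform addresses (a simplification, see lead-in).
"""
import copy
import json

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.db", "type": "aws_security_group", "values": {
        "ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                     "cidr_blocks": [], "security_groups": ["aws_security_group.app"]}]}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "values": {
        "engine": "postgres", "publicly_accessible": False, "storage_encrypted": True,
        "vpc_security_group_ids": ["aws_security_group.db"]}},
    {"address": "aws_s3_bucket.artifacts", "type": "aws_s3_bucket", "values": {
        "bucket": "artifacts-demo", "acl": "public-read"}},
    {"address": "aws_s3_bucket_policy.artifacts", "type": "aws_s3_bucket_policy", "values": {
        "bucket": "artifacts-demo", "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::artifacts-demo/*"}]})}},
    {"address": "aws_s3_bucket_public_access_block.artifacts",
     "type": "aws_s3_bucket_public_access_block", "values": {
        "bucket": "artifacts-demo", "block_public_acls": True, "block_public_policy": True,
        "ignore_public_acls": True, "restrict_public_buckets": True}},
]}}}


def resources(plan, rtype=None):
    res = plan["planned_values"]["root_module"]["resources"]
    return [r for r in res if rtype is None or r["type"] == rtype]


def by_address(plan):
    return {r["address"]: r for r in resources(plan)}


def override(plan, address, **values):
    """Deep copy of the plan with some planned values of one resource changed (to probe weaker postures)."""
    new = copy.deepcopy(plan)
    by_address(new)[address]["values"].update(values)
    return new


def sg_allows_internet_ingress(sg):
    for rule in sg["values"].get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if cidrs & INTERNET_CIDRS:
            return True
    return False


def rds_posture(plan, address):
    """Evidence list in the report's wording plus the overall 'private and encrypted' verdict."""
    addr = by_address(plan)
    db = addr[address]["values"]
    sgs = [addr[a] for a in db.get("vpc_security_group_ids") or [] if a in addr]
    public = bool(db.get("publicly_accessible"))
    encrypted = bool(db.get("storage_encrypted"))
    internet = any(sg_allows_internet_ingress(sg) for sg in sgs)
    evidence = [
        f"publicly_accessible is {str(public).lower()}",
        f"storage_encrypted is {str(encrypted).lower()}",
        "an attached security group allows internet ingress" if internet
        else "no attached security group allows internet ingress",
        f"engine is {db.get('engine')}",
    ]
    return {"private_and_encrypted": not public and encrypted and not internet, "evidence": evidence}


def principal_is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_allows_anonymous(policy_json):
    # Condition blocks are not evaluated, matching the analyzer's stated limitation.
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return any(s.get("Effect") == "Allow" and principal_is_anonymous(s.get("Principal")) for s in stmts)


def s3_public_access(plan, bucket_address):
    """Split the bucket's public-looking signals into mitigated / unmitigated by its public access block."""
    bucket = by_address(plan)[bucket_address]["values"]
    name = bucket.get("bucket")
    pab = next((r["values"] for r in resources(plan, "aws_s3_bucket_public_access_block")
                if r["values"].get("bucket") == name), {})
    mitigated, unmitigated = [], []
    if bucket.get("acl") in PUBLIC_ACLS:
        # block_public_acls only rejects future public ACL puts; ignore_public_acls neutralises the one set here.
        signal = f"bucket ACL `{bucket['acl']}` would otherwise grant public access"
        (mitigated if pab.get("ignore_public_acls") else unmitigated).append(signal)
    for pol in resources(plan, "aws_s3_bucket_policy"):
        if pol["values"].get("bucket") == name and policy_allows_anonymous(pol["values"]["policy"]):
            # Likewise restrict_public_buckets, not block_public_policy, limits a policy already in place.
            signal = "bucket policy would otherwise allow anonymous access"
            (mitigated if pab.get("restrict_public_buckets") else unmitigated).append(signal)
    control = ([f"{k} is {str(bool(pab.get(k))).lower()}" for k in PAB_FLAGS]
               if pab else ["no public access block attached"])
    return {"mitigated": mitigated, "unmitigated": unmitigated, "control_posture": control}


if __name__ == "__main__":
    print(json.dumps(rds_posture(PLAN, "aws_db_instance.app"), indent=2))
    print(json.dumps(s3_public_access(PLAN, "aws_s3_bucket.artifacts"), indent=2))
    weaker = override(PLAN, "aws_s3_bucket_public_access_block.artifacts", restrict_public_buckets=False)
    print(json.dumps(s3_public_access(weaker, "aws_s3_bucket.artifacts"), indent=2))
```

With all four flags true the output reproduces the report's two evidence groups; flipping `restrict_public_buckets` off moves the anonymous-policy signal into `unmitigated`, which is the case where an observation should become a finding.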
## Limitations / Unsupported Resources
- AWS support is intentionally limited to a curated v1 resource set rather than the full Terraform AWS provider.
- Subnet public/private classification prefers explicit route table associations and NAT or internet routes when present, but it does not model main-route-table inheritance or every routing edge case.
- IAM analysis resolves inline role policies, customer-managed role-policy attachments, and EC2 instance profiles present in the plan, but it does not expand AWS-managed policy documents that are not materialized in Terraform state.
- Resource-policy analysis focuses on explicit policy documents and Lambda permission resources present in the plan; it does not model every service-specific condition key or every downstream runtime authorization path.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
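The second limitation is the one most likely to mislabel a subnet: a subnet with no explicit `aws_route_table_association` uses the VPC's main route table, and if the analyzer does not follow that inheritance a private subnet can be classified by the wrong table or not at all. The Python below is an added example, not the analyzer's code, of the classification in the order the limitation describes: an explicit association wins, a subnet without one is resolved through an `aws_main_route_table_association` when the plan declares it, and otherwise the subnet is reported as `unknown` rather than guessed. It reads both inline `route` blocks on `aws_route_table` and standalone `aws_route` resources, treats a `gateway_id` as public only when it resolves to an `aws_internet_gateway` (a virtual private gateway also lands in `gateway_id`), and then emits the `public-subnet-to-private-subnet` pairs the report lists. The plan fragment is constructed and writes references as Terraform addresses, a simplification of real plans where those ids are computed.

```python
"""Classify subnets as public/private from Terraform planned values, resolving the
VPC main route table for subnets without an explicit association.

Added example, not the analyzer's code. PLAN is constructed; references are
written as Terraform addresses (a simplification, see lead-in).
"""

INTERNET = {"0.0.0.0/0", "::/0"}

PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_internet_gateway.igw", "type": "aws_internet_gateway",
     "values": {"vpc_id": "aws_vpc.main"}},
    # Inline route block on the public table; planned values use "" for unset fields.
    {"address": "aws_route_table.public", "type": "aws_route_table", "values": {
        "vpc_id": "aws_vpc.main",
        "route": [{"cidr_block": "0.0.0.0/0", "gateway_id": "aws_internet_gateway.igw",
                   "nat_gateway_id": ""}]}},
    {"address": "aws_route_table.private", "type": "aws_route_table",
     "values": {"vpc_id": "aws_vpc.main", "route": []}},
    # Standalone aws_route resource giving the private table its default route via NAT.
    {"address": "aws_route.private_default", "type": "aws_route", "values": {
        "route_table_id": "aws_route_table.private", "destination_cidr_block": "0.0.0.0/0",
        "nat_gateway_id": "aws_nat_gateway.nat", "gateway_id": ""}},
    {"address": "aws_subnet.public_edge", "type": "aws_subnet", "values": {"vpc_id": "aws_vpc.main"}},
    {"address": "aws_subnet.private_app", "type": "aws_subnet", "values": {"vpc_id": "aws_vpc.main"}},
    {"address": "aws_subnet.private_data", "type": "aws_subnet", "values": {"vpc_id": "aws_vpc.main"}},
    {"address": "aws_subnet.orphan", "type": "aws_subnet", "values": {"vpc_id": "aws_vpc.other"}},
    {"address": "aws_route_table_association.public_edge", "type": "aws_route_table_association",
     "values": {"subnet_id": "aws_subnet.public_edge", "route_table_id": "aws_route_table.public"}},
    {"address": "aws_route_table_association.private_app", "type": "aws_route_table_association",
     "values": {"subnet_id": "aws_subnet.private_app", "route_table_id": "aws_route_table.private"}},
    # private_data has no explicit association: it inherits the VPC main table declared here.
    {"address": "aws_main_route_table_association.main", "type": "aws_main_route_table_association",
     "values": {"vpc_id": "aws_vpc.main", "route_table_id": "aws_route_table.private"}},
]}}}


def resources(plan, rtype=None):
    res = plan["planned_values"]["root_module"]["resources"]
    return [r for r in res if rtype is None or r["type"] == rtype]


def by_address(plan):
    return {r["address"]: r for r in resources(plan)}


def routes_for(plan, rt_address):
    """Inline `route` blocks on the table plus standalone aws_route resources attached to it."""
    routes = list(by_address(plan)[rt_address]["values"].get("route") or [])
    routes += [r["values"] for r in resources(plan, "aws_route")
               if r["values"].get("route_table_id") == rt_address]
    return routes


def default_route_target(plan, rt_address):
    """'igw', 'nat' or None, depending on where the table sends 0.0.0.0/0 or ::/0."""
    addr = by_address(plan)
    for r in routes_for(plan, rt_address):
        dest = (r.get("cidr_block") or r.get("destination_cidr_block")
                or r.get("ipv6_cidr_block") or r.get("destination_ipv6_cidr_block"))
        if dest not in INTERNET:
            continue
        gw = r.get("gateway_id") or ""
        # gateway_id also carries virtual private gateways (vgw-...), so require an internet gateway.
        if gw.startswith("igw-") or addr.get(gw, {}).get("type") == "aws_internet_gateway":
            return "igw"
        if r.get("nat_gateway_id"):
            return "nat"
    return None


def route_table_for(plan, subnet_address):
    """(route table address, how it was resolved): explicit association, VPC main table, or unresolved."""
    for a in resources(plan, "aws_route_table_association"):
        if a["values"].get("subnet_id") == subnet_address:
            return a["values"].get("route_table_id"), "explicit"
    vpc = by_address(plan)[subnet_address]["values"].get("vpc_id")
    for m in resources(plan, "aws_main_route_table_association"):
        if m["values"].get("vpc_id") == vpc:
            return m["values"].get("route_table_id"), "main"
    return None, "unresolved"


def classify_subnets(plan):
    """subnet address -> ('public' | 'private' | 'unknown', how the route table was resolved)."""
    result = {}
    for s in resources(plan, "aws_subnet"):
        rt, how = route_table_for(plan, s["address"])
        if rt is None:
            result[s["address"]] = ("unknown", how)  # no table in the plan: report the gap, do not guess
        else:
            zone = "public" if default_route_target(plan, rt) == "igw" else "private"
            result[s["address"]] = (zone, how)
    return result


def public_to_private_boundaries(plan):
    """The public-subnet-to-private-subnet crossings the report lists, one per public/private pair."""
    zones = classify_subnets(plan)
    return sorted((src, dst) for src, (zs, _) in zones.items() if zs == "public"
                  for dst, (zd, _) in zones.items() if zd == "private")


if __name__ == "__main__":
    for subnet, (zone, how) in classify_subnets(PLAN).items():
        print(f"{subnet}: {zone} (via {how} route table)")
    for src, dst in public_to_private_boundaries(PLAN):
        print(f"public-subnet-to-private-subnet: {src} -> {dst}")
```

`aws_subnet.private_data` comes out private only because the main-table association is followed; `aws_subnet.orphan`, whose VPC declares no main table in the plan, is left `unknown` and excluded from the boundary list, which is the honest answer when the plan does not carry enough routing information.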