ADR-007 Accepted 2026-07-03

ADR-007: Threat Model and Trust Boundaries

Trust boundaries, least-privilege IAM, and the custom remediation role.

ADR-007: Threat model and trust boundaries

Context

A detection and response pipeline is an attractive target: if an attacker can influence what the pipeline sees or how it acts, they can hide evidence or amplify damage. The architecture must therefore define clear trust boundaries, enforce least privilege at each boundary, and limit blast radius if any single identity is compromised.

Decision

Adopt the following trust-boundary design:

  1. SCC control plane → Pub/Sub: Only the SCC notification service account may publish to scc-findings.
  2. Pub/Sub → Cloud Function: The function runs under a dedicated service account (scc-processor) with no project-level Editor/Owner roles.
  3. Function → GCP APIs: The function uses a custom IAM role (securevault.remediator) scoped to remediation-adjacent permissions. Only two are currently exercised (PUBLIC_BUCKET_ACL, OPEN_FIREWALL); permissions for a third, excluded handler remain provisioned as documented technical debt (see ADR-004, context/THREAT_MODEL.md).
  4. Function → secrets: The function may access only the single Secret Manager secret for the Brevo API key.
  5. Function → alerting: External alerting uses HTTPS to Brevo; failures are logged locally.

Consequences

Positive:

Negative:

Threat model diagram

flowchart LR
    subgraph GCP_Control["GCP Control Plane"]
        SCC[Security Command Center]
    end

    subgraph SecureVault["SecureVault Project"]
        PS[Pub/Sub: scc-findings]
        subgraph Function_Runtime["Cloud Function Runtime"]
            FN[process_finding]
        end
        SM[Secret Manager]
        FS[Firestore]
        BQ[BigQuery]
        MON[Cloud Monitoring]
    end

    subgraph External["External"]
        BV[Brevo]
    end

    SCC -->|SCC SA only| PS
    PS -->|function SA| FN
    FN -->|custom role| API[GCP APIs]
    FN -->|secretAccessor| SM
    FN -->|datastore.user| FS
    FN -->|bigquery.dataEditor| BQ
    FN -->|TLS| BV
    FN -->|metricWriter| MON

Alternatives considered

AlternativeProsConsVerdict
Default compute service accountSimpler IAM setupOverly broad permissions; classic escalation pathRejected.
Project Editor role for functionEasy to get startedViolates least privilege; compromise = full project accessRejected.
No Pub/Sub IAM restrictionEasier to testAny publisher can inject findingsRejected.
Secrets in environment variablesSimpler codeExposes secrets in logs and process listingsRejected.

References