
Threat Modeling exercise

  • carocsteads
  • Sep 17, 2025
  • 8 min read

Updated: Dec 9, 2025



1. Objective

The objective of this document is to present, step by step, the threat modeling exercise conducted for the Power Utility Awareness application. It aims to identify, evaluate, and prioritize potential security threats by analyzing the system, its data flows, and its trust boundaries. The goal is to uncover risks and recommend mitigation strategies by following the guidance of the AWS Threat Modeling for builders workshop.

This workshop introduces the background of threat modeling and why to do it, as well as some of the tools and techniques for modeling systems, identifying threats, and selecting mitigations. The workshop guides you through the process of creating a system model and a corresponding threat model.


2. Description of the Power Utility Awareness app

Amazon is committed to driving down energy usage. We have partnered with our utility providers to increase awareness of our energy usage at fulfillment centers among the site administrators. The utility companies upload a report of weekly energy usage to an S3 bucket. A Lambda function is triggered to process the report, pull out usage metrics, and email a summary to the site administrators using the AWS Simple Email Service. The site admins can see trends and take action to reduce energy usage. What threats should we be worried about in this system?

 

3. Threat modeling methodology: STRIDE

3.1 Definition

STRIDE is an acronym comprising six threat categories. It groups similar threats together by the security property they violate.

| Letter | Name | Description | Violates | Mitigation |
| --- | --- | --- | --- | --- |
| S | spoofing | maliciously impersonating a user or system | authenticity | authentication |
| T | tampering | maliciously modifying data when not supposed to | integrity | minimizing human access to prod data and cryptographic signature verification |
| R | repudiation | ability to claim someone did or did not perform an action | non-repudiation | generating audit log entries that cannot be modified or deleted |
| I | information disclosure | unauthorized access to confidential data | confidentiality | least privilege access control and encryption |
| D | denial of service (DoS) | overloading the system, preventing legitimate users from using the system | availability | throttling, least privilege access controls |
| E | elevation of privilege | elevating access privileges of non-users | authorization | access controls and authorization checks |


3.2 Why use a threat model?

A threat model helps to understand what you are building, what can go wrong and what to do about it. It is structured by answering the following questions:

·      What are we working on?

·      What can go wrong?

·      What are we going to do about it?

·      Did we do a good enough job?


3.3 What are we working on?

Creating a diagram of the Power Utility Awareness app helps to visualize it and define its scope.


State the assumptions

·      There is a single S3 bucket and it uses encryption.

·      There is a single Lambda function.

·      All users can upload a report of weekly energy use to the S3 bucket.

·      The users' GUI is a web browser that is patched and up to date.

·      AWS services are in the same AWS account.

·      AWS Simple Email Service uses encryption.

·      Only admins can see trends and take action to reduce energy usage.

Identifying user stories, elements and trust boundaries.

Elements:

·      web portal

·      email recipients

·      weekly report uploads. Format of reports: forms, text, text + image?, text and numbers.

·      S3 buckets

·      AWS Simple Email Service; the Lambda processes the report, pulls out the metrics and emails a summary to admins

·      admin

·      database

·      billing


3.4 What can go wrong?

a. Identifying each element with the STRIDE framework will help to know what to do next.

[Table: each element (email recipients, reports, S3, email service, billing information, admin, web portal) checked against the STRIDE categories S, T, R, I, D and E; the checkmark images did not survive extraction.]

| Story | Asset | STRIDE vulnerability |
| --- | --- | --- |
| The utility company logs in to access the S3 buckets | Email/password | Spoofing, enumeration, plain text, stealing information and takeover |
| The utility company receives the measurements from the fulfillment centers | Devices or measurements | Can be tampered with |
| The utility company uploads reports to S3 buckets | Extension of reports, format, unlimited number of uploads, including payloads with the reports, overflowing the system with reports | DoS, tampering with the DB, disclosing information |
| The Lambda processes the report, pulls out the metrics and emails a summary to admins | Admin email list | Enumeration, spoofing, takeover, tampering |
| Admins take action to reduce the use of energy | Billing, payment | Financial loss, tampering, information disclosure |
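The upload story above lists report extension, format, unbounded uploads and payloads embedded in reports as the exposed surface. The following is an added example, not code from the original exercise, of a validation step the Lambda could run on a report before extracting metrics. It assumes reports are CSV files with the columns site_id, week_start and kwh; the size cap, site ID format and kWh ceiling are constructed values for the demo, as is the sample data.

```python
# Added example (not from the original post): defensive validation of an uploaded
# weekly energy report before the Lambda extracts metrics from it.
# Assumptions (not stated in the post): reports are CSV with the columns
# site_id,week_start,kwh; the object key and size come from the S3 event.
import csv
import io
import re
from dataclasses import dataclass

MAX_REPORT_BYTES = 1_000_000                     # assumed upper bound for a weekly report
ALLOWED_EXTENSIONS = {".csv"}                    # assumed: only CSV reports are accepted
SITE_ID_RE = re.compile(r"^[A-Z]{3}\d{1,3}$")    # assumed site id format, e.g. SEA12
WEEK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")     # ISO date of the week start
MAX_KWH = 10_000_000.0                           # sanity cap on a single weekly reading


@dataclass
class UsageRecord:
    site_id: str
    week_start: str
    kwh: float


class ReportRejected(ValueError):
    """Raised when an uploaded report fails validation; the Lambda logs it and stops."""


def check_object_metadata(key: str, size_bytes: int) -> None:
    """Reject by extension and size before reading any of the content."""
    ext = key[key.rfind("."):].lower() if "." in key else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ReportRejected(f"unexpected extension {ext!r} on {key}")
    if size_bytes > MAX_REPORT_BYTES:
        raise ReportRejected(f"report too large: {size_bytes} bytes")


def parse_report(body: bytes) -> list[UsageRecord]:
    """Parse and validate the CSV body; every field is checked, nothing is evaluated."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ReportRejected("report is not valid UTF-8 text") from exc
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ["site_id", "week_start", "kwh"]:
        raise ReportRejected(f"unexpected header {reader.fieldnames}")
    records: list[UsageRecord] = []
    for line_no, row in enumerate(reader, start=2):
        site = row.get("site_id") or ""
        week = row.get("week_start") or ""
        raw_kwh = row.get("kwh") or ""
        if not SITE_ID_RE.fullmatch(site):
            raise ReportRejected(f"line {line_no}: bad site id {site!r}")
        if not WEEK_RE.fullmatch(week):
            raise ReportRejected(f"line {line_no}: bad week {week!r}")
        # Formula-like or otherwise non-numeric values never reach the summary or a spreadsheet.
        try:
            kwh = float(raw_kwh)
        except ValueError as exc:
            raise ReportRejected(f"line {line_no}: kwh is not numeric") from exc
        if not (0.0 <= kwh <= MAX_KWH):   # also rejects NaN, whose comparisons are False
            raise ReportRejected(f"line {line_no}: kwh {kwh} out of range")
        records.append(UsageRecord(site, week, kwh))
    if not records:
        raise ReportRejected("report contains no data rows")
    return records


def summarize(records: list[UsageRecord]) -> dict[str, float]:
    """Total kWh per site, the metric the summary email would carry."""
    totals: dict[str, float] = {}
    for r in records:
        totals[r.site_id] = totals.get(r.site_id, 0.0) + r.kwh
    return totals


# Constructed sample input (not real utility data).
GOOD_REPORT = (b"site_id,week_start,kwh\n"
               b"SEA12,2025-09-08,18250.5\n"
               b"SEA12,2025-09-08,120.0\n"
               b"PDX3,2025-09-08,9900\n")
BAD_REPORT = b"site_id,week_start,kwh\nSEA12,2025-09-08,=1+1\n"

if __name__ == "__main__":
    check_object_metadata("utility/week-37.csv", len(GOOD_REPORT))
    print(summarize(parse_report(GOOD_REPORT)))
    try:
        parse_report(BAD_REPORT)
    except ReportRejected as e:
        print("rejected:", e)
```

The metadata check runs before the body is fetched, so an oversized or wrongly named object costs no processing time, and the parser never interprets a cell as anything but a string or a number, which is what keeps an embedded payload from doing anything downstream.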

b. Trust boundaries

Within a zone of trust, all elements are considered to be similarly trusted.


c. Identify threats

| Threat ID | Threat statement | Element | STRIDE |
| --- | --- | --- | --- |
| T01 | A threat actor who can spoof the identity of the AWS Lambda function can set up their own API endpoint, which leads to exfiltration of user-supplied data to an attacker-controlled endpoint, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app. | Actor ↔ AWS Lambda | S, T |
| T02 | A threat actor who can spoof the identity of a legitimate developer can tamper with the function code running in the AWS Lambda function, which leads to the modification of the reported energy usage, resulting in reduced integrity of the PowerUtilityAwareness app. | AWS Lambda ↔ Web portal | T |
| T03 | A threat actor with access to another user's token can spoof that user, which leads to viewing detailed information on energy usage, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app. | Actor ↔ web portal | S, I |
| T04 | A threat actor with user permissions can make thousands of concurrent upload requests, which leads to blocking user access to the application, resulting in reduced availability of the web application and service disruption of the PowerUtilityAwareness app. | Actor ↔ web portal | D |
| T05 | A threat actor who has access to an insecure internal endpoint can execute malicious code, which leads to ransomware and lateral movement to compromise other systems, resulting in reduced access control and authorization of the PowerUtilityAwareness app. | Actor ↔ web portal | E |
| T06 | A threat actor with access to logs can alter or fabricate log entries and claim they did not delete a report when they did, making it difficult to link actions to the individual who performed them, which leads to a compromised incident investigation, resulting in reduced non-repudiation of the PowerUtilityAwareness app. | Actor ↔ tables | R |

d. Identify risk

| Priority | Threat ID | Threat statement | Element | STRIDE |
| --- | --- | --- | --- | --- |
| High | T01 | A threat actor who can spoof the identity of the AWS Lambda function can set up their own API endpoint, which leads to exfiltration of user-supplied data to an attacker-controlled endpoint, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app. | Actor ↔ AWS Lambda | S, T |
| High | T02 | A threat actor who can spoof the identity of a legitimate developer can tamper with the function code running in the AWS Lambda function, which leads to the modification of the reported energy usage, resulting in reduced integrity of the PowerUtilityAwareness app. | AWS Lambda ↔ Web portal | T |
| High | T03 | A threat actor with access to another user's token can spoof that user, which leads to viewing detailed information on energy usage, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app. | Actor ↔ web portal | S, I |
| High | T04 | A threat actor with user permissions can make thousands of concurrent upload requests, which leads to blocking user access to the application, resulting in reduced availability of the web application and service disruption of the PowerUtilityAwareness app. | Actor ↔ web portal | D |
| High | T05 | A threat actor who has access to an insecure internal endpoint can execute malicious code, which leads to ransomware and lateral movement to compromise other systems, resulting in reduced access control and authorization of the PowerUtilityAwareness app. | Actor ↔ web portal | E |
| High | T06 | A threat actor with access to logs can alter or fabricate log entries and claim they did not delete a report when they did, making it difficult to link actions to the individual who performed them, which leads to a compromised incident investigation, resulting in reduced non-repudiation of the PowerUtilityAwareness app. | Actor ↔ tables | R |


3.5 What are we going to do about it?

Risk response strategies: avoid, mitigate, transfer or accept.

Prioritizing threats to select the mitigations.

T01 (Priority: High; Element: Actor ↔ AWS Lambda; STRIDE: S, T)

A threat actor who can spoof the identity of the AWS Lambda function can set up their own API endpoint, which leads to exfiltration of user-supplied data to an attacker-controlled endpoint, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app.

Mitigation:

·      Use strict IAM policies to ensure only trusted services can assume the Lambda's role.

·      Restrict the Lambda's egress using Virtual Private Cloud (VPC) endpoints, security groups, or allowlists to prevent access to attacker-controlled endpoints.

·      Require AWS SigV4 signing or mutual TLS to verify that API requests come from the trusted Lambda function.

·      Enable CloudTrail, VPC Flow Logs, and Lambda Insights to detect unusual API calls or outbound traffic.

·      Sanitize and validate all user inputs to avoid data leakage or reflective attacks.

T02 (Priority: High; Element: AWS Lambda ↔ Web portal; STRIDE: S, T)

A threat actor who can spoof the identity of a legitimate developer can tamper with the function code running in the AWS Lambda function, which leads to the modification of the reported energy usage, resulting in reduced integrity of the PowerUtilityAwareness app.

Mitigation:

·      Use multi-factor authentication (MFA) for all IAM users.

·      Use IAM roles with least privilege, avoiding long-lived credentials.

·      Enable AWS Lambda Code Signing to ensure only verified and trusted code is deployed, and reject unsigned or modified code automatically.

·      Enforce code review, approval workflows, and change history tracking.

·      Enable AWS CloudTrail to log all API activity, especially code updates.

T03 (Priority: High; Element: Actor ↔ web portal; STRIDE: S, I)

A threat actor with access to another user's token can spoof that user, which leads to viewing detailed information on energy usage, resulting in reduced authenticity and confidentiality of the PowerUtilityAwareness app.

Mitigation:

·      Implement OAuth 2.0 with JWTs that are signed and expire quickly to reduce the impact of token theft.

·      Tie tokens to the specific device or session, making them unusable if stolen and used elsewhere.

·      On the client side, store tokens in secure, non-accessible storage (e.g., Keychain, Secure Storage).

·      Never expose tokens in URLs or logs.

·      Use MFA and device-based risk signals to detect suspicious logins.

·      Allow users to revoke sessions or tokens from a dashboard.

·      Use behavioral analytics to detect duplicate sessions or sudden access spikes.

T04 (Priority: High; Element: Actor ↔ web portal; STRIDE: D)

A threat actor with user permissions can make thousands of concurrent upload requests, which leads to blocking user access to the application, resulting in reduced availability of the web application and service disruption of the PowerUtilityAwareness app.

Mitigation:

·      Implement rate limiting and throttling: use API Gateway to limit the number of requests per user or IP over time; apply per-user quotas for upload endpoints; apply stricter rate limits for lower-trust users or anonymous sessions.

·      Require higher-trust verification (e.g., CAPTCHA, MFA) for high-volume actions.

·      Use CloudWatch, GuardDuty, or WAF logging to detect spikes in upload traffic, and set alerts for excessive requests from a single user or IP.

·      Route uploads to smooth out spikes and protect backend systems.

·      Apply Web Application Firewall (WAF) rules to detect and block abusive patterns, like repeated large POST requests.

T05 (Priority: High; Element: Actor ↔ web portal; STRIDE: E)

A threat actor who has access to an insecure internal endpoint can execute malicious code, which leads to ransomware and lateral movement to compromise other systems, resulting in reduced access control and authorization of the PowerUtilityAwareness app.

Mitigation:

·      Enforce network segmentation: isolate internal services using VPCs, subnets, and security groups; apply Zero Trust principles and never trust internal traffic by default.

·      Harden internal endpoints: require authentication and authorization even for internal APIs; disable or tightly restrict debug, admin, or maintenance interfaces.

·      Validate inputs and sanitize execution paths: perform strict input validation to prevent code injection; avoid executing user-supplied code or commands.

·      Implement runtime protection to detect malicious behavior like ransomware activity or unauthorized script execution.

·      Monitor and restrict lateral movement: enable network monitoring to detect unusual lateral access; apply least privilege to IAM roles, EC2 instances, and Lambda functions.

T06 (Priority: High; Element: Actor ↔ tables; STRIDE: T, R)

A threat actor with access to logs can alter or fabricate log entries and claim they did not delete a report when they did, making it difficult to link actions to the individual who performed them, which leads to a compromised incident investigation, resulting in reduced non-repudiation of the PowerUtilityAwareness app.

Mitigation:

·      Enable immutable logging: use write-once storage for logs to prevent alteration.

·      Digitally sign or hash logs: apply cryptographic signing or hashing to logs at creation time to detect tampering.

·      Restrict log access: enforce least privilege on log access using IAM policies; store sensitive logs in separate, secured log accounts or buckets.

·      Centralize and monitor logs: aggregate logs using centralized logging systems and set alerts on suspicious log access or modifications.

·      Maintain audit trails and timestamps: ensure logs include accurate timestamps, user IDs, and source IPs; use NTP for synchronized time across systems.
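As an added example for the rate limiting and throttling control listed against T04 (not code from the original post, and a complement to API Gateway's own throttling rather than a replacement for it), the block below keeps a token bucket per principal, applies a stricter quota to a lower-trust tier, and counts rejections so an alert can fire on a single abusive source. The tier names, quotas and alert threshold are assumptions for the demo, and the clock is injected so the behaviour is deterministic offline.

```python
# Added example (not from the original post): per-principal rate limiting for the
# upload endpoint (T04). One token bucket per principal; the lower-trust tier gets a
# smaller bucket and slower refill; rejections are counted for alerting.
# Tier names, quotas and the threshold are assumptions, not values from the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    capacity: int          # burst allowance, in requests
    refill_per_sec: float  # sustained request rate


TIERS = {
    "utility": Tier(capacity=20, refill_per_sec=0.5),    # assumed quota for known utility accounts
    "anonymous": Tier(capacity=3, refill_per_sec=0.05),  # assumed stricter quota for low-trust sessions
}


@dataclass
class Bucket:
    tokens: float
    updated_at: float
    rejected: int = 0


class FakeClock:
    """Deterministic clock for the demo; use time.monotonic in production."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class UploadRateLimiter:
    def __init__(self, clock) -> None:
        self._clock = clock
        self._buckets: dict[str, Bucket] = {}

    def allow(self, principal: str, tier: str) -> bool:
        """True if the upload may proceed, False if it must be throttled (HTTP 429)."""
        t = TIERS[tier]
        now = self._clock()
        b = self._buckets.get(principal)
        if b is None:
            b = Bucket(tokens=float(t.capacity), updated_at=now)
            self._buckets[principal] = b
        # Refill in proportion to elapsed time, never above the burst capacity.
        b.tokens = min(float(t.capacity), b.tokens + (now - b.updated_at) * t.refill_per_sec)
        b.updated_at = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        b.rejected += 1
        return False

    def principals_over_threshold(self, max_rejections: int) -> list[str]:
        """Principals whose rejected-request count exceeds the alert threshold."""
        return sorted(p for p, b in self._buckets.items() if b.rejected > max_rejections)


def simulate_burst(limiter: UploadRateLimiter, principal: str, tier: str, n: int) -> tuple[int, int]:
    """Fire n back-to-back upload requests and return (allowed, rejected)."""
    allowed = sum(1 for _ in range(n) if limiter.allow(principal, tier))
    return allowed, n - allowed


if __name__ == "__main__":
    clock = FakeClock()
    limiter = UploadRateLimiter(clock)
    print("burst from one account:", simulate_burst(limiter, "utility-A", "utility", 1000))
    print("other account still served:", limiter.allow("utility-B", "utility"))
    print("alert on:", limiter.principals_over_threshold(100))
    clock.advance(10)  # ten seconds later, 0.5 tokens per second have refilled
    print("after 10 s:", simulate_burst(limiter, "utility-A", "utility", 10))
```

Because each principal has its own bucket, the thousand-request burst from one account exhausts only that account's allowance while other uploaders are still served, and the rejection counter is the signal the CloudWatch alert item above would be built on.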
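As an added example for the "digitally sign or hash logs" control against T06 (not code from the original post), the block below chains audit records with an HMAC so that altering an entry or removing one from the middle of the log is detected at a specific position, and each record carries the timestamp, user ID and source IP fields the mitigation calls for. The signing key, field names and sample events are constructed for the demo.

```python
# Added example (not from the original post): a tamper-evident audit log for T06.
# Each record is linked to its predecessor by HMAC(key, prev_hash || canonical entry),
# so altering, reordering or removing an interior record breaks the chain.
# The key, field names and events are assumptions; in production the key comes from a
# secrets manager and the latest hash is anchored in write-once storage.
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumed: from a secrets store in practice
GENESIS = "0" * 64  # previous-hash value for the first record
AUDIT_FIELDS = ("seq", "ts", "actor", "action", "target", "source_ip")


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _link(prev_hash: str, entry: dict) -> str:
    return hmac.new(SIGNING_KEY, prev_hash.encode("ascii") + _canonical(entry), hashlib.sha256).hexdigest()


def append_event(chain: list, ts: str, actor: str, action: str, target: str, source_ip: str) -> dict:
    """Append one record (timestamp, user ID, source IP) linked to its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "ts": ts, "actor": actor, "action": action,
             "target": target, "source_ip": source_ip}
    record = dict(entry, prev=prev, hash=_link(prev, entry))
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple[bool, Optional[int]]:
    """(True, None) if intact, else (False, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        entry = {k: rec.get(k) for k in AUDIT_FIELDS}
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(rec.get("hash", ""), _link(prev, entry)):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample events (not real data) for the demo."""
    chain: list = []
    append_event(chain, "2025-09-15T08:00:00Z", "utility-uploader", "PutObject",
                 "reports/week-37.csv", "203.0.113.10")
    append_event(chain, "2025-09-15T08:00:05Z", "lambda-processor", "GetObject",
                 "reports/week-37.csv", "10.0.1.20")
    append_event(chain, "2025-09-16T14:30:00Z", "admin-jdoe", "DeleteObject",
                 "reports/week-37.csv", "198.51.100.7")
    return chain


def tampered_actor(chain: list) -> list:
    """T06 scenario: the delete record is rewritten to attribute it to someone else."""
    c = deepcopy(chain)
    c[2]["actor"] = "someone-else"
    return c


def deleted_entry(chain: list) -> list:
    """T06 scenario: a record is removed from the middle of the log."""
    c = deepcopy(chain)
    del c[1]
    return c


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log))
    print("actor rewritten:", verify_chain(tampered_actor(log)))
    print("record removed:", verify_chain(deleted_entry(log)))
```

The chain alone cannot notice that the most recent record was dropped, since nothing yet depends on it; that is why this control is paired with the write-once storage item above, which anchors the latest hash where the log writer cannot overwrite it.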


3.6 Did we do a good enough job?

The threat model is a living document; the process should drive improvement so that we do better incrementally over time.

 

© 2023 by Carolina Steadham. All rights reserved.
