Scan customer managed AWS policies for vulnerabilities using ChatGPT.
This tool automatically redacts the customer account number by replacing them with a randomly generated account number before sending the policies to ChatGPT. Knowledge of a vulnerable policy without knowledge of the account that has the policy provisioned, is useless to OpenAI. Additionally, the internal prompt has continually returned responses starting with Yes or No, therefore, we are just parsing this portion of the response to determine vulnerability. Those using the tool should manually review the responses in the output to determine context of the response. It's not perfect but it's absolutely helpful.
Follow me on Twitter (Mike Felch - @ustayready)
usage: scan.py [-h] --key KEY [--profile PROFILE] [--redact]
Retrieve all customer managed policies and check the default policy version for vulnerabilities
optional arguments:
-h, --help show this help message and exit
--key KEY OpenAI API key
--profile PROFILE AWS profile name to use (default: default)
--redact Redact sensitive information in the policy document (default: True)
CloudGPT the AWS vulnerability scanner
python scan.py --key ABC --profile AWSPROFILE
You can install and run with the following command:
$ git clone https://github.com/ustayready/cloudgpt
$ cd cloudgpt
~/cloudgpt $ virtualenv -p python3 .
~/cloudgpt $ source bin/activate
(cloudgpt) ~/cloudgpt $ python scan.py