CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
import json
import os
import time
from typing import Dict, List

import boto3
import openai
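# Read the OpenAI key from the environment so it never has to be committed to
# source; the original placeholder stays as the fallback so a missing variable
# behaves exactly as before (the placeholder is not a valid key).
openai.api_key = os.environ.get('OPENAI_API_KEY', '### SET YOUR OPENAPI API KEY HERE ###')
# One boto3 session and one IAM client are created at import time and shared
# by every helper below (get_role_names, get_policies_for_roles, retrieve_policy).
session = boto3.session.Session()
client = session.client('iam')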
def get_role_names() -> List[str]:
    """Return the name of every IAM role, walking all pages of list_roles()."""
    paginator = client.get_paginator('list_roles')
    names: List[str] = []
    for page in paginator.paginate():
        # Each page carries its roles under 'Roles'; only the name is kept.
        names += [role.get('RoleName') for role in page['Roles']]
    return names
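def get_policies_for_roles(role_names: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Map each role name to the managed policies attached to it.

    Walks every page of list_attached_role_policies() for each role. Each
    attached-policy entry is the dict the API returns (PolicyName and PolicyArn).
    Only *attached* managed policies are collected; inline role policies
    (list_role_policies) are not part of this mapping and so are never reviewed
    by the script.

    Args:
        role_names: IAM role names, e.g. the result of get_role_names().

    Returns:
        Dict of role name -> list of attached-policy dicts; a role with no
        managed policies attached maps to an empty list.
    """
    policy_map: Dict[str, List[Dict[str, str]]] = {}
    policy_paginator = client.get_paginator('list_attached_role_policies')
    for name in role_names:
        role_policies: List[Dict[str, str]] = []
        for response in policy_paginator.paginate(RoleName=name):
            # Default to [] so a page without the key cannot make extend()
            # raise on None.
            role_policies.extend(response.get('AttachedPolicies', []))
        policy_map[name] = role_policies
    return policy_map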
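def check_policy(policy) -> str:
    """Ask the model whether *policy* has security weaknesses and return its answer.

    Args:
        policy: Policy material to review. It is interpolated verbatim into the
            prompt, so any text inside it (including instruction-like text
            embedded in a policy) reaches the model as part of the question.

    Returns:
        The model's free-text answer. Printing is left to the caller.

    NOTE: the policy content is sent to OpenAI's API, i.e. it leaves the AWS
    account; factor that in before pointing this at sensitive policies.
    """
    prompt = f'Does this AWS policy have any security vulnerabilities: \n{policy}'
    response = openai.Completion.create(
        model="text-davinci-003",
        prompt=prompt,
        temperature=0.5,
        max_tokens=500,
        top_p=1,
        frequency_penalty=0.0,
        presence_penalty=0.0,
        stream=False,
    )
    # The answer is returned instead of only printed: previously the function
    # returned None, so the caller's `print(f'{answer}')` emitted "None".
    return response.choices[0]['text']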
def retrieve_policy(arn):
    """Fetch a managed policy and its default version.

    Args:
        arn: ARN of the managed policy.

    Returns:
        A tuple ``(policy, policy_version)``: the get_policy() response and the
        get_policy_version() response for that policy's DefaultVersionId (the
        second element is what the script hands to check_policy).
    """
    policy = client.get_policy(PolicyArn=arn)
    default_version = policy['Policy']['DefaultVersionId']
    policy_version = client.get_policy_version(PolicyArn=arn, VersionId=default_version)
    return policy, policy_version
# Script body: enumerate every role, then review each attached managed policy.
role_names = get_role_names()
attached_role_policies = get_policies_for_roles(role_names)
for role_name, attached in attached_role_policies.items():
    for attached_policy in attached:
        arn = attached_policy['PolicyArn']
        # retrieve_policy() returns (policy metadata, default policy version);
        # the version response is the one reviewed and printed below.
        _policy_meta, policy_version = retrieve_policy(arn)
        print('###################')
        print(f'{role_name} -> {arn}\n{policy_version}')
        answer = check_policy(policy_version)
        print(f'{answer}')
        print('###################')
boto3 | |
openai |
I understand this is more for learning and POC purposes. However, if we were to actually use it on a daily basis, how different would this be compared to validating AWS IAM policies with AWS IAM Access Analyzer?