Skip to content

Instantly share code, notes, and snippets.

@ustayready
Created January 16, 2023 23:49
Show Gist options
  • Save ustayready/c29e9f9dca0a0b8170fbdfec11afc349 to your computer and use it in GitHub Desktop.
Save ustayready/c29e9f9dca0a0b8170fbdfec11afc349 to your computer and use it in GitHub Desktop.
CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
import openai
import boto3
import json
import time
from typing import Dict, List
openai.api_key = '### SET YOUR OPENAPI API KEY HERE ###'
session = boto3.session.Session()
client = session.client('iam')
def get_role_names() -> List[str]:
""" Retrieve a list of role names by paginating over list_roles() calls """
roles = []
role_paginator = client.get_paginator('list_roles')
for response in role_paginator.paginate():
response_role_names = [r.get('RoleName') for r in response['Roles']]
roles.extend(response_role_names)
return roles
def get_policies_for_roles(role_names: List[str]) -> Dict[str, List[Dict[str, str]]]:
""" Create a mapping of role names and any policies they have attached to them by
paginating over list_attached_role_policies() calls for each role name.
Attached policies will include policy name and ARN.
"""
policy_map = {}
policy_paginator = client.get_paginator('list_attached_role_policies')
for name in role_names:
role_policies = []
for response in policy_paginator.paginate(RoleName=name):
role_policies.extend(response.get('AttachedPolicies'))
policy_map.update({name: role_policies})
return policy_map
def check_policy(policy):
prompt = f'Does this AWS policy have any security vulnerabilities: \n{policy}'
response = openai.Completion.create(
model="text-davinci-003",
prompt=prompt,
temperature=0.5,
max_tokens=500,
top_p=1,
frequency_penalty=0.0,
presence_penalty=0.0,
stream=False,
)
answer = response.choices[0]['text']
print(answer)
def retrieve_policy(arn):
policy = client.get_policy(
PolicyArn = arn
)
policy_version = client.get_policy_version(
PolicyArn = arn,
VersionId = policy['Policy']['DefaultVersionId']
)
return (policy, policy_version)
role_names = get_role_names()
attached_role_policies = get_policies_for_roles(role_names)
for k, v in attached_role_policies.items():
for x in v:
name = k
arn = x['PolicyArn']
version, policy = retrieve_policy(arn)
print('###################')
print(f'{name} -> {arn}\n{policy}')
answer = check_policy(policy)
print(f'{answer}')
print('###################')
@Tha581
Copy link

Tha581 commented Feb 3, 2023

@Tha581
Copy link

Tha581 commented Feb 3, 2023

@raajheshkannaa
Copy link

I understand this is more for learning and POC purposes. However if we were to actually use on a daily basis, how different would this be compared to validating AWS IAM Policies against AWS IAM Access Analyzer

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment