Integrating ChatGPT API with AWS Config

ChatGPT helps resolve reported non-compliance rules

Alejandro Castañeda Ocampo
Globant
6 min read · Apr 24, 2023

Source: ChatGPT with AWS Config

As companies increasingly move towards cloud-based solutions, security remains a top concern. Amazon Web Services (AWS) provides many tools to secure your applications and data, including AWS Config. But did you know you can further enhance your security by integrating AWS Config with ChatGPT API?

This post shows you how to set up a security solution that leverages AWS Config and ChatGPT API to remediate non-compliant rules. Note that this approach implements one of many possibilities for using AI on the cloud.

Before starting, I recommend using this implementation as a starting point for your custom security solution, rather than directly implementing it in production environments. As with any security solution, it is significant to thoroughly test and validate the implementation with numerous rules to ensure it meets your specific requirements and does not introduce any new vulnerabilities or risks.

Implementation review

Now we will review the proposed architecture for this solution and describe its execution workflow. This is the architecture diagram:

Workflow diagram of the solution.

  1. AWS Config managed rules are configured; when a rule is evaluated as non-compliant, Config publishes the event to an SNS topic.
  2. The SNS topic has a subscription that delivers the event to a specific Lambda function.
  3. The Lambda function uses the SDK to look up the related event in CloudTrail.
  4. CloudTrail returns the event associated with the non-compliant Config rule.
  5. The Lambda function sends a request to the ChatGPT API asking how to fix the issue with an AWS CLI command.
  6. The ChatGPT API returns the suggested AWS CLI command.
  7. The Lambda function uses the Slack API to post a message to a specific Slack channel.
  8. The user reviews the suggestion in the channel and decides whether to apply the suggested command.
  9. Slack invokes the webhook configured for API Gateway and sends the data.
  10. API Gateway receives the request and dispatches it to a specific Lambda function.
  11. That Lambda function uses the SDK to enqueue the command in a specific SQS queue and returns a success message.
  12. Another Lambda function reads the pending messages from the SQS queue, uses the AWS CLI to execute the operation, and posts the status to the Slack channel.

It is important to clarify that ChatGPT, as an artificial intelligence system, is not always precise in its output. In this solution, it is the user’s responsibility to make the final decision on whether or not to apply the command suggested by the AI.
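The Lambda-side logic for steps 1, 5 and 11 above, as an added example that is not code from this post or its repository: it parses the SNS-wrapped Config notification, builds the prompt sent to the chat API, and gates the suggested command behind an allow-list before anything reaches the executor queue. The payload follows the AWS Config ComplianceChangeNotification shape; the rule name, resource id and the allow-listed subcommands are assumed sample values.

```python
import json
import shlex

# Constructed sample: an SNS-wrapped AWS Config ComplianceChangeNotification.
# Field layout follows the documented notification format; values are made up.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "messageType": "ComplianceChangeNotification",
    "configRuleName": "DetectInsecureChangesInSecurityGroups",
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "awsRegion": "us-east-1",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    "oldEvaluationResult": {"complianceType": "COMPLIANT"},
})}}]}

# Assumed allow-list: only these service/subcommand pairs may be queued for execution.
ALLOWED_COMMANDS = {
    ("ec2", "revoke-security-group-ingress"),
    ("s3api", "put-public-access-block"),
}
SHELL_METACHARS = set(";&|`$<>\n")


def parse_config_notification(sns_event):
    """Return (rule, resource_type, resource_id) for a NON_COMPLIANT change, else None."""
    msg = json.loads(sns_event["Records"][0]["Sns"]["Message"])
    if msg.get("messageType") != "ComplianceChangeNotification":
        return None
    if msg["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        return None
    return msg["configRuleName"], msg["resourceType"], msg["resourceId"]


def build_prompt(rule, resource_type, resource_id, region):
    """Prompt for the chat API: ask for exactly one CLI command and nothing else."""
    return (f"AWS Config rule {rule} reports resource {resource_id} "
            f"({resource_type}) in {region} as NON_COMPLIANT. Reply with exactly one "
            "AWS CLI command that remediates it and no explanation.")


def validate_suggested_command(cmd, expected_resource_id):
    """Gate a model-suggested command before it is enqueued for the executor Lambda."""
    if SHELL_METACHARS & set(cmd):
        return False                       # reject anything that could chain commands
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False                       # unbalanced quotes etc.
    if len(argv) < 3 or argv[0] != "aws" or (argv[1], argv[2]) not in ALLOWED_COMMANDS:
        return False
    return expected_resource_id in argv    # must target the flagged resource only
```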

Deploying the solution

The following GitHub repository has the resources to deploy the AWS components mentioned in the previous diagram. Before lifting and setting up our AWS infrastructure, we need two important prerequisites:

  1. Get an API key from OpenAI: follow the instructions in this Medium post to obtain your key.
  2. Build a Slack bot and get an OAuth token: I recommend reviewing the following Medium post to do this.

Once the prerequisites are ready, we can proceed with the following steps to deploy the AWS infrastructure shown in the diagram above.

Once we have the API URL of the API Gateway, we need to configure it in our Slack application with these steps:

  • Set up the webhook URL: go to the Slack apps page and select the desired application.
Select the application.
  • Expand the Add features and functionality section and select the Interactive Components box:
Select the Interactive Components box.
  • Set the Request URL input to the stage URL of the API Gateway:
https://<your_api_identifier>.execute-api.us-east-1.amazonaws.com/prod/webhook

Before saving the changes, verify that the switch is set to On.

Configuring the webhook URL.

Testing the functionality

Now that all our components are working, we can review the AWS Console inside the AWS Config module; let’s see the rules that we have configured:

AWS Config rules deployed by CloudFormation stack.

The rules configured in the solution were taken from the official AWS Config managed rules:

  • The “DetectInsecureChangesInSecurityGroups” rule checks whether incoming SSH traffic is accessible for the security groups. The rule is COMPLIANT when the source IP addresses of incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0). This rule applies only to IPv4.
  • The “DetectOpenS3Buckets” rule checks whether Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. This rule is NON_COMPLIANT if an Amazon S3 bucket is not listed in the rule’s exclusion parameter and its bucket-level settings are public.

To test the rules, we will force the creation of a non-compliant event:

  • To test the first rule, go to the EC2 module and update an inbound rule of any security group to allow All Traffic from the internet:
All traffic is allowed from the internet.
  • To test the second rule, about public permissions in S3, turn off Block public access (bucket settings):
Setting up public access to the bucket.

If all is OK, AWS Config will detect the non-compliant rules, and we will receive a message in the Slack channel:

Example of notifications on the Slack channel.

When the user clicks the “Apply suggested command” button, the reply actions become available. The webhook fires, and the process described in the implementation diagram starts. The user then receives a message indicating the status of the applied command:

Response after reply actions.

If the bot reports that the command was applied, the AWS Config rule will move to “COMPLIANT” status within a few minutes. The user did not have to touch the console, because the fix was provided by ChatGPT, which makes the resolution of the security issue faster and more efficient.

Conclusions

The integration of AWS Config with ChatGPT’s API could become a potent means of enhancing the security of your AWS infrastructure. By automating security tasks and leveraging natural language processing to identify and remediate non-compliant resources, you can enhance your security posture and reduce the risk of security breaches.

I encourage you to explore further how you can leverage these tools to improve your security posture. I recommend this post as a good example of an AI implementation on AWS. Keep an eye on the OpenAI page for new features, such as new releases of GPT-4.

Thanks for reading, I hope this post has provided valuable insights and resources for enhancing your AWS security.