Threat Designer: AI-powered threat modeling for secure system design

Check the blogpost: Accelerate threat modeling with generative AI for an in-depth overview of the solution.

Architecture diagram

Agent logic

Description

Threat Designer is an AI-driven agent designed to automate and streamline the threat modeling process for secure system design.

Harnessing the power of large language models (LLMs), it analyzes system architectures, identifies potential security threats, and generates detailed threat models. By automating this complex and time-intensive task, Threat Designer empowers developers and security professionals to seamlessly incorporate security considerations from the earliest stages of development, enhancing both efficiency and system resilience.

The project deploys resources running on the following AWS services:

• AWS Amplify
• Amazon API Gateway
• Amazon Cognito
• AWS Lambda
• Amazon DynamodB Tables
• Amazon S3 Bucket

Repository Structure

. ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── assets ├── backend │ ├── app │ ├── authorizer │ ├── dependencies │ └── threat_designer ├── deployment.sh ├── destroy.sh ├── index.html ├── infra ├── package.json ├── public ├── src └── vite.config.js

Features

• Submit architecture diagrams and analyze for threats.
• Update threat modeling results via the user interface.
• Replay threat modeling based on your edits and additional input.
• Export results in pdf/docx format.
• Explore past threat models via the Threat Catalog page.

Prerequisites

The following tools must be installed on your local machine:

• Node.js (v18 or later) and npm
• curl
• jq
• Python (v3.12 or later) and pip
• Terraform CLI
• AWS CLI configured with appropriate credentials

AWS Bedrock Model Access

You must enable access to the following model in your AWS region:

• Claude 4 Sonnet

To enable Claude, follow the instructions here.

Installation and Deployment

1. Clone the Repository

bash git clone https://github.com/awslabs/threat-designer.git cd threat-designer

1. Make the deployment script executable:

bash chmod +x deployment.sh

1. Export AWS credentials

```bash

Option I: Export AWS temporary credentials

export AWSACCESSKEYID="yourtempaccesskey" export AWSSECRETACCESSKEY="yourtempsecretkey" export AWSSESSIONTOKEN="yourtempsessiontoken" export AWSDEFAULTREGION="yourregion"

Option II: Export AWS Profile

export AWSPROFILE="yourprofile_name" ```

1. Deploy with required parameters:

Note: Make sure to provide a valid email address during the deployment wizard. A user in Amazon Cognito User Pool will be created and the temporary credentials will be sent to the configured email address.

bash ./deployment.sh

Accessing the Application

After successful deployment, you can find the Login URL in the output of ./deployment:

sh Application Login page: https://dev.xxxxxxxxxxxxxxxx.amplifyapp.com

Configuration Options

Model Selection

If you want to use a different model than "Claude 4 Sonnet", update the variables model_main and model_struct in ./infra/variables.tf with the correct model ID and max_token configuration:

```hcl variable "modelmain" { type = object({ id = string maxtokens = number }) default = { id = "us.anthropic.claude-sonnet-4-20250514-v1:0" max_tokens = 64000 } }

variable "modelstruct" { type = object({ id = string maxtokens = number }) default = { id = "us.anthropic.claude-sonnet-4-20250514-v1:0" max_tokens = 16000 } } ```

Note: This application has been primarily tested with "Claude 4 Sonnet". While other Bedrock models may work, using different models might lead to unexpected results. The default model is set to us.anthropic.claude-sonnet-4-20250514-v1:0.

Reasoning boost will only work with us.anthropic.claude-sonnet-4-20250514-v1:0

Clean up

1. Empty the Architecture Bucket, following instructions here

2. Make the destroy script executable:

bash chmod +x destroy.sh

1. Export AWS credentials

```bash

Option I: Export AWS temporary credentials

export AWSACCESSKEYID="yourtempaccesskey" export AWSSECRETACCESSKEY="yourtempsecretkey" export AWSSESSIONTOKEN="yourtempsessiontoken" export AWSDEFAULTREGION="yourregion"

Option II: Export AWS Profile

export AWSPROFILE="yourprofile_name"

```

1. Execute the script:

bash ./destroy.sh

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the Apache License. See the LICENSE file.