One of the ways that Amazon Web Services (AWS) helps customers maintain the security of their cloud environments is with AWS Security Hub, which aggregates, organizes, and prioritizes security alerts from AWS services and third-party tools. These alerts are based on security controls — rules that help ensure that services are configured securely and in compliance with best practices.
Traditionally, the development and implementation of these security controls has been a complex, time-consuming, and labor-intensive process. As cloud environments have grown more sophisticated, the demand for efficient and scalable security solutions has only intensified.
In a paper we presented at the Workshop on GenAI and RAG Systems for Enterprise at this year’s International Conference on Information and Knowledge Management (CIKM), we describe a new model that harnesses advanced AI capabilities to automate the creation of security controls, enabling faster, more efficient, and highly accurate generation of the rules that help users safeguard their cloud infrastructures.
The current challenge
Developing security controls for AWS services involves analyzing service documentation, writing detailed specifications (often in Gherkin format), and, ultimately, developing the code to ensure secure configurations. On average, it can take 24 days to produce a single security control. The complexity of this process will grow as AWS continues to expand its portfolio of services, each of which includes numerous resources that must be protected. Manually writing and reviewing controls can cause delays in deployment.
Enter generative AI
The new model uses large language models (LLMs) to generate Gherkin specifications automatically. This reduces the time taken from days to mere seconds. When prompted with model service documentation and descriptions of the security requirements, LLMs can output accurate control specifications ready for implementation.
For instance, LLMs can generate Gherkin specifications — known as gherkins — for basic security requirements such as encryption of data at rest or logging. This process helps ensure that jobs using AWS services like Amazon SageMaker AutoML are properly configured to meet security standards, without engineers having to dive into documentation every time.
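What a gherkin for the encryption-at-rest requirement might look like, and how a generated one can be structurally validated and evaluated before implementation, as an added example (not code from the paper or from Security Hub). The spec wording, function names, and sample job configurations are constructed; the field path `OutputDataConfig.KmsKeyId` is assumed to follow the shape of the Boto3 `describe_auto_ml_job` response.

```python
import re

# Constructed Gherkin spec for illustration; not an actual Security Hub control.
SPEC = """\
Feature: SageMaker AutoML job output is encrypted at rest
  Scenario: Output data is encrypted with a KMS key
    Given a SageMaker AutoML job
    When the field "OutputDataConfig.KmsKeyId" is read from its configuration
    Then the field must be set
"""
STEP = re.compile(r"^\s*(Given|When|Then|And)\s+(.*\S)\s*$")

def parse_steps(spec):
    """Return [(keyword, text)], resolving 'And' to the keyword it continues."""
    steps, last = [], None
    for line in spec.splitlines():
        m = STEP.match(line)
        if not m:
            continue  # Feature/Scenario headers and blank lines
        kw = last if m.group(1) == "And" else m.group(1)
        if kw is None:
            raise ValueError("'And' appears before any Given/When/Then step")
        steps.append((kw, m.group(2)))
        last = kw
    return steps

def field_paths(spec):
    """Reject specs without Given -> When -> Then order; return quoted When fields."""
    steps = parse_steps(spec)
    order = [kw for i, (kw, _) in enumerate(steps) if i == 0 or kw != steps[i - 1][0]]
    if order != ["Given", "When", "Then"]:
        raise ValueError(f"expected Given/When/Then, got {order}")
    paths = [p for kw, text in steps if kw == "When" for p in re.findall(r'"([^"]+)"', text)]
    if not paths:
        raise ValueError("no quoted field path in a When step")
    return paths

def evaluate(spec, config):
    """COMPLIANT only if every referenced field exists and is non-empty."""
    for path in field_paths(spec):
        node = config
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if not node:  # missing key, None, or empty string all fail the control
            return "NON_COMPLIANT"
    return "COMPLIANT"

# Constructed job configurations (placeholder bucket and key ARN).
UNENCRYPTED = {"OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out"}}
ENCRYPTED = {"OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out",
                                  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}
```

Running `field_paths` on every generated specification before it reaches an engineer catches structurally incomplete output, such as a scenario with no `When` step, without anyone reading it by hand.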
Domain-specialized AI for security
Prompt engineering is the process of designing precise input prompts to guide the behavior of a language model toward the desired outputs. The goal of prompt engineering is to ensure that the model understands the context and purpose of the task, leading to more accurate and relevant responses.
In the new model, we combined a few prompt-engineering techniques to improve the performance of the LLM and increase the transparency of its output. First, we used chain-of-thought reasoning to break down the complex task of generating gherkins into a sequence of simpler steps. In each step, the LLM was instructed to create an intermediate result, which was used as the input for the next step.
We also used retrieval-augmented generation (RAG) to allow the LLM to retrieve relevant information from external sources. In our case, the source was the Boto3 API specifications, and the information was the configuration of services and resources, expressed in the Boto3 syntax, which was added to the prompt as well.
The last technique we used was in-context learning, where we added positive examples of gherkins developed by security engineers to the prompt. This has the effect of nudging the LLM in the right direction, forcing it to imitate the positive examples and generate similar gherkins for the input query.
By combining these techniques, the new model is able to deliver highly accurate and domain-specific security controls, which should significantly speed up the development process and enhance overall security efficiency. In future work, we will refine the system further, potentially using agent-based architectures to handle even more-complex control generation scenarios.
Acknowledgments: Felix Candelario