Unlocking the Potential: Generative AI and Cloud Security Possibilities

This article shares thoughts about possibilities in CyberSecurity now that Generative AI is on the scene.

AWS Admin
Amazon Employee
Published Sep 27, 2023
Last Modified Jun 21, 2024

title: "Unlocking the Potential: Generative AI and Cloud Security Possibilities"
description: This article shares thoughts about possibilities in CyberSecurity now that Generative AI is on the scene.
  • generative-ai
  • cybersecurity
  • security
  • it-pros
  • security
  • generative-ai
  • generative-ai
    authorGithubAlias: 8carroll
    authorName: Brandon Carroll
    date: 2023-09-27

Generative AI, at its core, refers to algorithms that can generate new data instances that resemble a given set of data. In the realm of cloud computing, this technology is being used for many practical applications, from creating realistic training datasets for machine learning models to simulating network traffic for testing and validation purposes. For instance, developers are using Generative AI to create synthetic datasets that help train models where real data is scarce or sensitive. In the domain of cloud infrastructure, it can aid in optimizing resource allocation by predicting and simulating workloads.
But why is Generative AI crucial when we talk about cloud security on platforms like AWS? The answer lies in its ability to anticipate, simulate, and counteract potential threats. By generating potential security scenarios, Generative AI can help organizations anticipate vulnerabilities, test their systems against simulated breaches, and develop more resilient security postures. It's not just about responding to threats, but proactively preparing for them.
In the sections that follow, we will explore how Generative AI can bolster your cloud security posture on AWS, provide a hands-on example of querying Amazon Bedrock for Security Group rule reviews using Python, and conclude with thoughts into the future of Generative AI in cloud security.

Harnessing Generative AI to Fortify AWS Cloud Security

You probably already recognize that we are now living in a time in which businesses are increasingly reliant on cloud platforms. As organizations scale their operations on the cloud, the complexity of managing security postures grows exponentially. Traditional security measures are still essential, however at time, they fall short in addressing the dynamic nature of threats in a cloud environment. This is where Generative AI has the potential to enhance our security, offering an innovative, fresh perspective.

Understanding Generative AI in the Context of Cloud Security

Generative AI can make new data from existing patterns. For cloud security, this means it has the potential to:
  1. Simulate Threat Scenarios: Generative AI can create realistic threat scenarios, allowing security teams to test and validate their Cloud infrastructure's resilience. By simulating potential attack vectors, organizations can proactively identify vulnerabilities and take steps to ensure they are protected against them before they are exploited.
  2. Optimize Security Configurations: AWS offers a number of services, each with its own set of security configurations. With Generative AI, we can analyze existing configurations, simulate various combinations, and ask Generative AI to provide recommendations based on our specific needs.
  3. Enhance Monitoring and Alerts: By training on historical security logs and events, Generative AI can predict potential security breaches or anomalies. The key word here is "potential." Knowing what "could" happen allows security teams time to prepare and allows for more rapid action to be taken.

Generative AI and AWS Services

How might AWS services benefit from integration with Generative AI? Here are a few possibilities to consider.
Note that these are simply possibilities based on what I have experienced with Generative AI. In no way does this reflect the actual plans or roadmap for these services. I am not a member of these service teams.
  • AWS WAF (Web Application Firewall): Generative AI could simulate web traffic patterns based on your historical log data and compare that to your existing WAF rules, ensuring that malicious requests are blocked while legitimate traffic flows seamlessly.
  • Amazon GuardDuty: By analyzing findings from GuardDuty, Generative AI could predict emerging threat patterns and suggest refinements to other areas of your cloud security posture.
  • VPC Flow Logs: Analyzing flow logs with Generative AI can provide insights into network traffic patterns, highlighting potential security risks and optimizing network access controls. To take this a step further, this could be compared against existing WAF rules, AWS Network Firewall Rules, Security Groups, Network ACLs, and so on, and provide recommendations for optimizing and enhancing our rule sets. You'll see an example of this below.

The Bigger Picture: A Proactive Approach to Security

The true power of Generative AI lies in its ability to shift the security paradigm from a reactive to a proactive stance. Instead of waiting for threats to manifest, organizations can use Generative AI to anticipate and prepare for them. This forward-thinking approach paves the way for a future where cloud security is not just about defense but about foresight through innovation.

A Practical Example: Leveraging Generative AI to Review AWS Security Group Rules

In this section, we'll examine a practical example of how Generative AI can be used to review and optimize firewall rules. Specifically, we'll focus on AWS Security Groups, which act as virtual firewalls to control inbound and outbound traffic to AWS resources.


Our goal is to use Generative AI to:
  1. Examine VPC Flow Log data.
  2. Compare each entry in the flow log to each entry of the Security Group.
  3. Recommend optimizations to enhance security and allow necessary traffic.

Setting Up

Before we dive into the code, we will need to:
  1. Obtain VPC flow log data to feed into the LLM.
  2. Obtain our current security groups rules configuration to feed into the LLM.
In taking these two data sources and providing it to the LLM we are doing what is known as in-context learning. The LLM will learn what our traffic looks like as well as what our Security Groups look like and from there it can perform a zero-shot inference to provide us with a response. To learn more about the terminology and methods used with generative AI and Large-Language Models, see the course, Generative AI with Large Language Models on Coursera.
Let's begin by getting the flow log data that we will use to train our model.

Fetching Historical Traffic Data

The historical data set in the context of our example would ideally come from VPC Flow Logs. VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. This data can provide a wealth of information about traffic patterns, sources of traffic, destinations, ports used, and more. By using VPC Flow Logs as your historical data set, you can gain valuable insights into your network traffic patterns and behaviors, making it an excellent source for training generative AI models for AWS security purposes. If you don't have VPC Flow Logs enabled you will need to do so before moving on, and you will need to allow some time to pass for data to be collected. For more information on how to set up VPC Flow Logs see the user guide article Publish flow logs to CloudWatch Logs.
  1. Let's get a list of our flow logs using the aws ec2 describe-flow-logs --region us-west-2 --output json command. From here take note of the Log Group Name.
Getting Log Group Name
Note that the Log Group Name is gen-ai-example.
  1. Next, let's get the log stream name using the aws logs describe-log-streams --log-group-name "gen-ai-example" --region us-west-2 command.
Getting the Log Stream Name
Here we note that the Log Stream Name is eni-026f791613cca9e4a-accept.
  1. Now we want to copy the log data to a file that we will feed it into our prompt. We do this using the aws logs get-log-events --log-group-name gen-ai-example --log-stream-name eni-026f791613cca9e4a-accept --region us-west-2 | > log_data.json command.
This creates a file named log_data.json in your current directory. Below is a sample output of the log data used in this post should you want to recreate this on your own.
  1. Next let's list our security groups and get their IDs. We do this with the command aws ec2 describe-security-groups --query 'SecurityGroups[*].[GroupName,GroupId]' --output table --region us-west-2.
Alt text
The security group we want to work with is called secure-server-sg.
  1. Now let's copy the rules from that security group out to a file using the command aws ec2 describe-security-groups --group-ids sg-0e4072046461dd467 --region us-west-2 | > security_groups.json.
This creates a file named security_groups.json in your current directory. Below is a sample output of the security group data used in this post should you want to recreate this on your own.
Importance of understanding Tokens: A concept that's important to understand when working with LLMs is the use of Tokens. A token can be as short as one character or as long as one word. For example, "a" is one token, and "address" is also one token. In some languages or scripts, a token might represent a syllable or a word component. When working with an LLM a process called Tokenization takes place in which a sequence of text (your prompt in this case) is converted to tokens. LLMs have a maximum token limit for interactions with it. This is both for input and output. In our python code below you will see the max_tokens_to_sample value set to 4096. If a prompt is too long, it might need to be truncated or otherwise adapted to fit within this limit. This is important because the log data and the security groups will be tokenized, and longer formats can consume more tokens. Here we are using JSON, but you may prefer to convert to CSV. Either way, you need to be aware of how this will impact your prompt and the corresponding result.
Now that we have our data to provide to the model, let's interact with the LLM using Python.

Interacting with the Model

For this step we will take the data we have saved in the two files, include that in our prompt and ask the LLM to examine the VPC Flow Log data, compare each entry in the flow log to each entry of the Security Group, and then recommend optimizations to enhance security and allow necessary traffic.
Here's a look at what the python code looks like. For this example we are interacting with the Amazon Bedrock Service.
After sending the prompt we are returned the following response, as seen in the image below.
Getting a response from bedrock
As can be seen in the response, the LLM was able to take the VPC Flow Log data and Security Group data I provided to the LLM along with specific information in my prompt (CIDR range and inbound vs. outbound directionality) and provide a breakdown of what the rules would do when seeing the provided traffic as well as a list of recommendations.
As seen above, the LLM has learned what inbound vs. outbound is in the context of my environment. It's also determined based on the data I provided what would be allowed and what would be denied. This is not without error. The model did not take into consideration that outbound traffic from a Security Group is allowed by default and therefore return traffic would match a state table entry and be allowed. It made the assumption that all the traffic it saw in the flow log was not stateful. This is something that could be added to the prompt in the future, however the real purpose of this example is to give you an idea of what security could look like when working hand-in-hand with generative-ai tools, and how you might interact with an LLM using code rather than a Web UI. This also illustrates the importance of good prompt engineering and how it directly impacts the results you get in return.


At the start of this article, we talked about how Generative AI can do many things to help fortify our cloud security posture. It can help us guess future problems, give advice on security settings, and more. But, like all powerful tools, we need to use it wisely.
Generative AI has the potential to change the game for cloud security. Our practical example of using the LLM to review our security groups is just a simple example amongst a world of possibilities?
What's next for Generative AI in cloud security? Maybe it can help us find weak spots before they become big problems. Or maybe it can alert us right away if something suspicious happens. While there are products and services on the market today that do these things, we should be interested in how Generative AI can add to the functionality and benefit of these services.
So, as we finish up, let's remember this is just the beginning. There's a lot more to learn and do with Generative AI and cloud security and hopefully this helped you become more acquainted with it. If you haven't done so already, start thinking about Generative AI and cloud security. It's likely to become a regular part of our work in the near future. Until then, keep exploring, keep learning, and happy lab-ing.


Here are some relevant resources that discuss the use of generative AI in cloud security to get you started.
    • This article from TechRepublic discusses how generative AI is revolutionizing the way organizations address cloud security by providing realistic synthetic data for testing.
    • InfoWorld's piece discusses the implications of adding generative AI to cloud architectures, especially concerning data availability, security, and model selection.
    • The Cloud Security Alliance discusses the shared responsibility model in the context of generative AI applications built on the cloud.
    • Written by Ken Huang, this article delves into the challenges emerging around identity and access management (IAM) within cloud environments due to the rise of generative AI. It explores how IAM enables and secures GenAI deployments in the cloud and the new security considerations that arise when combining these technologies.
    • This article discusses the challenges of securing cloud resources and how generative AI can be a powerful tool in addressing these challenges. It touches upon the potential of generative AI in producing template-based infrastructure-as-code for secure cloud environments and the importance of scanning for misconfigurations.
    • This Amazon SageMaker Documentation explains what prompt engineering is, why it's important, and how a model can be trained with Zero-shot and Few-shot learning.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.