Threat Designer is an AI-driven agent designed to automate and streamline the threat modeling process for secure system design.
Harnessing the power of large language models (LLMs), it analyzes system architectures, identifies potential security threats, and generates detailed threat models. By automating this complex and time-intensive task, Threat Designer empowers developers and security professionals to seamlessly incorporate security considerations from the earliest stages of development, enhancing both efficiency and system resilience.
The project deploys resources running on the following AWS services:
- AWS Amplify
- Amazon API Gateway
- Amazon Cognito
- AWS Lambda
- Amazon DynamodB Tables
- Amazon S3 Bucket
.
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── assets
├── backend
│ ├── app
│ ├── authorizer
│ ├── dependencies
│ └── threat_designer
├── deployment.sh
├── destroy.sh
├── index.html
├── infra
├── package.json
├── public
├── src
└── vite.config.js
- Submit architecture diagrams and analyze for threats.
- Update threat modeling results via the user interface.
- Replay threat modeling based on your edits and additional input.
- Export results in pdf/docx format.
- Explore past threat models via the
Threat Catalogpage.
The following tools must be installed on your local machine:
- Node.js (v18 or later) and npm
- curl
- jq
- Python (v3.12 or later) and pip
- Terraform CLI
- AWS CLI configured with appropriate credentials
You must enable access to the following model in your AWS region:
- Claude 3.7 Sonnet
To enable Claude, follow the instructions here.
- Clone the Repository
git clone https://github.com/awslabs/threat-designer.git
cd threat-designer- Make the deployment script executable:
chmod +x deployment.sh- Export AWS credentials
# Option I: Export AWS temporary credentials
export AWS_ACCESS_KEY_ID="your_temp_access_key"
export AWS_SECRET_ACCESS_KEY="your_temp_secret_key"
export AWS_SESSION_TOKEN="your_temp_session_token"
export AWS_DEFAULT_REGION="your_region"
# Option II: Export AWS Profile
export AWS_PROFILE="your_profile_name"- Deploy with required parameters:
Note: Make sure to provide a valid email address during the deployment wizard. A user in Amazon Cognito User Pool will be created and the temporary credentials will be sent to the configured email address.
./deployment.shAfter successful deployment, you can find the Login URL in the output of ./deployment:
Application Login page: https://dev.xxxxxxxxxxxxxxxx.amplifyapp.comIf you want to use a different model than "Claude 3.7 Sonnet", update the variables model_main and model_struct in ./infra/variables.tf with the correct model ID and max_token configuration:
variable "model_main" {
type = object({
id = string
max_tokens = number
})
default = {
id = "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
max_tokens = 64000
}
}
variable "model_struct" {
type = object({
id = string
max_tokens = number
})
default = {
id = "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
max_tokens = 16000
}
}Note: This application has been primarily tested with "Claude 3.7 Sonnet". While other Bedrock models may work, using different models might lead to unexpected results. The default model is set to us.anthropic.claude-3-7-sonnet-20250219-v1:0.
Reasoning boost will only work with us.anthropic.claude-3-7-sonnet-20250219-v1:0
-
Empty the Architecture Bucket, following instructions here
-
Make the destroy script executable:
chmod +x destroy.sh- Export AWS credentials
# Option I: Export AWS temporary credentials
export AWS_ACCESS_KEY_ID="your_temp_access_key"
export AWS_SECRET_ACCESS_KEY="your_temp_secret_key"
export AWS_SESSION_TOKEN="your_temp_session_token"
export AWS_DEFAULT_REGION="your_region"
# Option II: Export AWS Profile
export AWS_PROFILE="your_profile_name"
- Execute the script:
./destroy.shSee CONTRIBUTING for more information.
This library is licensed under the Apache License. See the LICENSE file.