threat-modeling-with-aws-security-agent
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAWS Security Agent — Threat Model Review
AWS Security Agent — Threat Model Review
Analyze spec documents (, ) against the source code to identify security-posture changes using STRIDE methodology. No prior scan needed.
requirements.mddesign.md针对源代码分析规格文档(、),使用STRIDE方法论识别安全态势变化。无需预先扫描。
requirements.mddesign.mdLocal state
本地状态
Read for and . If missing, run the workflow inline first.
.security-agent/config.jsonagent_space_idregionsetup-security-agent读取获取和。如果缺失,请先内联运行工作流。
.security-agent/config.jsonagent_space_idregionsetup-security-agentResolving the values you need
获取所需值
| Placeholder | How to resolve |
|---|---|
| |
| |
| |
| |
| |
| 占位符 | 获取方式 |
|---|---|
| |
| |
| |
| |
| |
Workflow
工作流程
-
Pre-checks. Read config, verify agent space, resolve values.
-
Collect spec files. Identify theand/or
requirements.mdthe user is working on. Use absolute paths. Ask if unclear which files to review.design.md -
Zip the workspace (same exclusions as code scan):bash
cd <absolute-workspace-path> zip -r /tmp/source.zip . \ -x ".git/*" -x ".security-agent/*" -x "node_modules/*" \ -x "__pycache__/*" -x ".venv/*" -x "venv/*" \ -x "dist/*" -x "build/*" -x "target/*" \ -x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \ -x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc" -
Upload source zip:bash
SCAN_ID="tm-$(date +%s)-$(openssl rand -hex 3)" WORKSPACE_ID=$(printf '%s' "$(pwd)" | md5sum | cut -c1-12) aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip -
Upload spec files:bash
aws s3 cp /path/to/requirements.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/requirements.md aws s3 cp /path/to/design.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/design.md -
Create threat model:bash
aws securityagent create-threat-model --agent-space-id <id> --title <title> \ --service-role <role-arn> \ --assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip}] \ --scope-docs '[{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/requirements.md"},{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/design.md"}]'Capture.threatModelId -
Start threat model job:bash
aws securityagent start-threat-model-job --agent-space-id <id> --threat-model-id <tm-id>Capture.threatJobId -
Persist towith
scans.json.scan_type: "THREAT_MODEL" -
Tell user: "Threat model review started. Runtime varies with workspace size. I'll check every 2 minutes — say 'stop polling' to opt out."
-
Poll every 2 minutes:bash
aws securityagent batch-get-threat-model-jobs --agent-space-id <id> --threat-model-job-ids <tj-id>Only respond when status changes. -
On COMPLETED → fetch threats:bash
aws securityagent list-threats --agent-space-id <id> --threat-job-id <tj-id>If, paginate withnextToken.--next-token
-
预检查。读取配置,验证agent空间,解析所需值。
-
收集规格文件。确定用户正在处理的和/或
requirements.md。使用绝对路径。若不清楚要评审哪些文件,请询问用户。design.md -
压缩工作区(排除规则与代码扫描相同):bash
cd <absolute-workspace-path> zip -r /tmp/source.zip . \ -x ".git/*" -x ".security-agent/*" -x "node_modules/*" \ -x "__pycache__/*" -x ".venv/*" -x "venv/*" \ -x "dist/*" -x "build/*" -x "target/*" \ -x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \ -x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc" -
上传源代码压缩包:bash
SCAN_ID="tm-$(date +%s)-$(openssl rand -hex 3)" WORKSPACE_ID=$(printf '%s' "$(pwd)" | md5sum | cut -c1-12) aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip -
上传规格文件:bash
aws s3 cp /path/to/requirements.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/requirements.md aws s3 cp /path/to/design.md s3://<bucket>/security-scans/threat-models/${SCAN_ID}/specs/design.md -
创建威胁模型:bash
aws securityagent create-threat-model --agent-space-id <id> --title <title> \ --service-role <role-arn> \ --assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/${WORKSPACE_ID}/source.zip}] \ --scope-docs '[{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/requirements.md"},{"s3Location":"s3://<bucket>/security-scans/threat-models/'${SCAN_ID}'/specs/design.md"}]'记录。threatModelId -
启动威胁模型任务:bash
aws securityagent start-threat-model-job --agent-space-id <id> --threat-model-id <tm-id>记录。threatJobId -
将扫描信息以保存到
scan_type: "THREAT_MODEL"。scans.json -
告知用户:“威胁模型评审已启动。运行时间因工作区大小而异。我将每2分钟检查一次 — 输入‘停止轮询’即可退出。”
-
轮询:每2分钟执行一次:bash
aws securityagent batch-get-threat-model-jobs --agent-space-id <id> --threat-model-job-ids <tj-id>仅在状态变化时回复。 -
完成后 → 获取威胁信息:bash
aws securityagent list-threats --agent-space-id <id> --threat-job-id <tj-id>如果存在,使用nextToken进行分页查询。--next-token
Findings presentation
发现结果展示
Each threat includes: , , category, , , .
statementseveritystridethreatImpactrecommendationimpactedAssets🟣 CRITICAL: {statement}
STRIDE: {stride}
Impact: {threatImpact}
Assets: {impactedAssets}
Recommendation: {recommendation}
🔴 HIGH: {statement}
...Write full report to . Call out any threat that represents a regression from the prior design.
.security-agent/findings-{scan_id}.md每个威胁包含:(描述)、(严重程度)、(分类)、(威胁影响)、(建议)、(受影响资产)。
statementseveritystridethreatImpactrecommendationimpactedAssets🟣 CRITICAL: {statement}
STRIDE: {stride}
Impact: {threatImpact}
Assets: {impactedAssets}
Recommendation: {recommendation}
🔴 HIGH: {statement}
...将完整报告写入。特别指出任何代表与先前设计相比出现安全倒退的威胁。
.security-agent/findings-{scan_id}.mdRules
规则
- Threat model reviews are standalone — no prior scan needed
- Poll every 2 minutes, not faster
- At least one spec file is required
- Use absolute paths for workspace and spec files
- Title: (no spaces)
threat-model-<feature-name>
- 威胁模型评审可独立进行 — 无需预先扫描
- 每2分钟轮询一次,不可更频繁
- 至少需要一个规格文件
- 工作区和规格文件需使用绝对路径
- 标题格式:(无空格)
threat-model-<feature-name>