xvnpw / fabric-agent-action-examples

Example of fabric-agent-action usage

Threat model using fabric and react agent #6

Closed xvnpw closed 5 days ago

xvnpw commented 1 week ago

Architecture

This document outlines the architecture of the AI Nutrition-Pro application, including system context, containers, and deployment views. The architecture is depicted using C4 diagrams for enhanced clarity.

System Context diagram

C4Context
  title System Context diagram for AI Nutrition-Pro
  Enterprise_Boundary(b0, "AI Nutrition-Pro boundary") {
    System(anps1, "AI Nutrition-Pro API Service")
  }
  Enterprise_Boundary(b1, "OpenAI") {
    System_Ext(ChatGPT, "ChatGPT", "LLM")
  }
  Enterprise_Boundary(b2, "Meal Planner A") {
    Person_Ext(n1, "Dietitian A")
    System_Ext(apa, "Meal Planner A System")
  }
  Rel(anps1, ChatGPT, "Uses for LLM featured content creation", "REST")
  Rel(n1, apa, "Uses for diet creation")
  Rel(apa, anps1, "Uses for AI content generation", "REST")

Containers Context diagram

C4Container
    title Container diagram for AI Nutrition-Pro

    Container_Boundary(c0, "AI Nutrition-Pro") {
        Container(api_gateway, "API Gateway", "Kong", "Authentication of clients, filtering of input, rate limiting")
        Container(app_control_plane, "Web Control Plane", "Golang, AWS Elastic Container Service", "Provides control plane to onboard and manage clients, configuration and check billing data")
        ContainerDb(control_plan_db, "Control Plane Database", "Amazon RDS", "Stores all data related to control plan, tenants, billing")
        Container(backend_api, "API Application", "Golang, AWS Elastic Container Service", "Provides AI Nutrition-Pro functionality via API")
        ContainerDb(api_db, "API database", "Amazon RDS", "Stores dietitian' content samples, request and responses to LLM.")
        Person(admin, "Administrator", "Administrator of AI Nutrition-Pro application")
        Person(onboard_manager, "App Onboarding Manager", "Employee that is onboarding new Meal Planner applications to AI Nutrition-Pro application")
    }

    Person(ce1, "Meal Planner application manager", "Meal Planner employee designated to manage AI Nutrition-Pro integration")

    System_Ext(mealApp, "Meal Planner", "Application to create diets by dietitians")
    Person_Ext(n1, "Dietitian")

    System_Ext(chatgpt, "ChatGPT-3.5", "LLM")

    Rel(n1, mealApp, "Uses for diet creation")
    Rel(mealApp, api_gateway, "Uses for AI content generation", "HTTPS/REST")
    Rel(api_gateway, backend_api, "Uses for AI content generation", "HTTPS/REST")
    Rel(ce1, app_control_plane, "Manage billings, onboard new dietitians")
    Rel(admin, app_control_plane, "Configure system properties")
    Rel(onboard_manager, app_control_plane, "Creates new tenant. Onboarding new meal planner applications")
    Rel(backend_api, chatgpt, "Utilizes ChatGPT for LLM-featured content creation", "HTTPS/REST")

    Rel(app_control_plane, control_plan_db, "read/write data", "TLS")
    Rel(backend_api, api_db, "read/write data", "TLS")

External systems and persons

| Name | Type | Description | Responsibilities |
| --- | --- | --- | --- |
| Meal Planner application | External system, web application | One of many Meal Planner applications that can be integrated with AI Nutrition-Pro. It connects to AI Nutrition-Pro using REST and HTTPS. | - uploads samples of dietitians' content to AI Nutrition-Pro<br>- fetches AI generated results, e.g. diet introduction, from AI Nutrition-Pro |
| Dietitian | External person | It's a customer of Meal Planner application. It's using Meal Planner to create diets for patients. It will see AI generated content directly in Meal Planner. | - creates diets<br>- consents to AI processing of data |
| ChatGPT-3.5 | External system, API | It's OpenAI product, an LLM solution | It will be used to generate content based on provided samples. |

AI Nutrition-Pro container context systems and persons

| Name | Type | Description | Responsibilities |
| --- | --- | --- | --- |
| Web Control Plane | Internal system, Web application | It's written using Golang and deployed as Docker container into AWS Elastic Container Service. It uses Control Plane Database to store data. It's used in 3 roles: Administrator, App Onboarding Manager, and Meal Planner application manager. | Provide control plane to onboard and manage clients, configuration and check billing data |
| Control Plane Database | Internal database, Amazon RDS instance | Database storing data for Web Control Plane | |
| API Gateway | Internal system, API Gateway | Kong API Gateway | - authentication<br>- rate limiting<br>- filtering of input |
| API Application | Internal system, API application | It's written using Golang and deployed as Docker container into AWS Elastic Container Service | Provides AI Nutrition-Pro functionality via API. |
| API database | Internal database, Amazon RDS instance | Stored data: samples of dietitians' content, requests, and responses to LLM. | Storing data for API Application |
| Administrator | Internal Person | Administrator of AI Nutrition-Pro application. | - manage server configuration<br>- resolve problems |
| App Onboarding Manager | Internal Person | Employee that is onboarding new Meal Planner applications to AI Nutrition-Pro application. | - manage configuration of integrated Meal Planner application |
| Meal Planner application manager | Internal Person | Employee of Meal Planner | Manages AI Nutrition-Pro integration, e.g. configuration, api keys, billings. |

Deployment diagram

For deployment, we will use Amazon AWS Cloud.

C4Deployment
  title AI Nutrition-Pro deployment to AWS Cloud diagram
  Deployment_Node(aws, "AWS account") {
    Deployment_Node(vpc, "VPC", "App VPC") {
      Deployment_Node(ecs, "AWS ECS", "App ECS") {
        Container(api_gateway, "API Gateway", "Kong")
        Container(api_app, "API Application", "Golang")
        Container(web_control_plane, "Web Control Plane", "Golang")
      }
    }
    ContainerDb(api_db, "API Database", "AWS RDS")
    ContainerDb(control_plane_db, "Control Plane Database", "AWS RDS")
  }

  Rel(api_gateway, api_app, "REST/HTTPS")
  Rel(api_app, api_db, "Native/TLS")
  Rel(web_control_plane, control_plane_db, "Native/TLS")

xvnpw commented 1 week ago

/fabric create stride threat model. Create summary of output

github-actions[bot] commented 1 week ago
(🤖 AI Generated)

The STRIDE threat model for the AI Nutrition-Pro application identifies potential threats across various components, such as the API Gateway, API Application, Control Plane Database, API Database, Web Control Plane, and ChatGPT-3.5. Key threats include spoofing, tampering, unauthorized data access, data exfiltration, elevation of privilege, and data leakage. Mitigations involve authentication, encryption, access control, and regular audits. The model also raises questions about additional security measures and assumptions regarding IAM policies and data encryption.

The summary of the architecture highlights that AI Nutrition-Pro integrates with OpenAI's ChatGPT for diet content creation, using AWS for deployment. Key components include the API Gateway for secure API management, Web Control Plane for client onboarding and billing, and AWS ECS and RDS for container and database management. The architecture supports integration with Meal Planner applications, enhancing usability for dietitians.
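
Added example, not part of the issue thread or of fabric-agent-action's output: a STRIDE review usually starts from the data flows that cross a trust boundary, and those can be read off the `Rel()` lines of the container diagram in the first comment. It assumes the `Container_Boundary` is the trust boundary; `review_flows` is a hypothetical helper name.

```python
import re
# Constructed input: abridged copy of the container diagram above (descriptions dropped).
DIAGRAM = """
Container_Boundary(c0, "AI Nutrition-Pro") {
    Container(api_gateway, "API Gateway", "Kong")
    Container(app_control_plane, "Web Control Plane", "Golang")
    ContainerDb(control_plan_db, "Control Plane Database", "Amazon RDS")
    Container(backend_api, "API Application", "Golang")
    ContainerDb(api_db, "API database", "Amazon RDS")
    Person(admin, "Administrator")
    Person(onboard_manager, "App Onboarding Manager")
}
Person(ce1, "Meal Planner application manager")
System_Ext(mealApp, "Meal Planner")
Person_Ext(n1, "Dietitian")
System_Ext(chatgpt, "ChatGPT-3.5", "LLM")
Rel(n1, mealApp, "Uses for diet creation")
Rel(mealApp, api_gateway, "Uses for AI content generation", "HTTPS/REST")
Rel(api_gateway, backend_api, "Uses for AI content generation", "HTTPS/REST")
Rel(ce1, app_control_plane, "Manage billings, onboard new dietitians")
Rel(admin, app_control_plane, "Configure system properties")
Rel(onboard_manager, app_control_plane, "Creates new tenant. Onboarding new meal planner applications")
Rel(backend_api, chatgpt, "Utilizes ChatGPT for LLM-featured content creation", "HTTPS/REST")
Rel(app_control_plane, control_plan_db, "read/write data", "TLS")
Rel(backend_api, api_db, "read/write data", "TLS")
"""

ELEMENT = re.compile(r'^(?:Container|ContainerDb|Person|Person_Ext|System_Ext)\((\w+)')
REL = re.compile(r'^Rel\((\w+),\s*(\w+),\s*"[^"]*"(?:,\s*"([^"]*)")?\)')

def review_flows(diagram):
    """Return (src, dst, protocol, crosses_boundary) for every Rel() line."""
    inside, in_boundary, flows = set(), False, []
    for line in map(str.strip, diagram.splitlines()):
        if line.startswith("Container_Boundary("):
            in_boundary = True
        elif line == "}":
            in_boundary = False
        elif (m := ELEMENT.match(line)) and in_boundary:
            inside.add(m.group(1))  # element declared inside the boundary
        elif m := REL.match(line):
            src, dst, proto = m.groups()  # proto is None when the Rel has no 4th argument
            flows.append((src, dst, proto, (src in inside) != (dst in inside)))
    return flows

if __name__ == "__main__":
    for src, dst, proto, crosses in review_flows(DIAGRAM):
        if crosses:
            print(f"{src} -> {dst}: {proto or 'no protocol stated'}")
```

On this diagram it reports three boundary-crossing flows, and the `ce1` to `app_control_plane` flow carries no protocol label, which is a question to take back to the architecture's author.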