jnewton03/robosonda

RoboSonda 🔍🛡️

Privacy-first AWS security analysis powered by local AI

RoboSonda analyzes your AWS security logs using a local LLM (via Ollama) to generate AI-powered insights without sending any data externally. Get real-time security health scores and actionable recommendations while keeping your sensitive data 100% private.

Features

  • 🔒 100% Local Analysis - All AI processing happens on your machine
  • 📊 Security Health Score - Quantitative 0-100 score for your AWS security posture
  • 🚀 Real-time Analysis - Analyze CloudTrail, GuardDuty, and Security Hub logs
  • 🎯 Smart Filtering - Automatic noise reduction for actionable insights
  • 🌈 Beautiful Output - Color-coded terminal UI with clear severity indicators
  • 📦 Single Binary - No dependencies, works on Mac, Linux, and Windows

Quick Start

Prerequisites

  1. Install Ollama:
# macOS
brew install ollama

# Linux
curl -fsSL https://ollama.ai/install.sh | sh
  2. Start Ollama and pull the required model:
ollama serve
ollama pull llama3.2:1b
  3. Configure AWS credentials (uses standard AWS credential chain):
# Option 1: Environment variables
export AWS_ACCESS_KEY_ID=your_key
export AWS_SECRET_ACCESS_KEY=your_secret

# Option 2: AWS CLI profile
aws configure --profile production

Installation

# Download the latest release
curl -L https://github.com/jnewton03/robosonda/releases/latest/download/robosonda-$(uname -s)-$(uname -m) -o robosonda
chmod +x robosonda
sudo mv robosonda /usr/local/bin/

# Or build from source
git clone https://github.com/jnewton03/robosonda.git
cd robosonda
go build -o robosonda

Usage

Basic analysis (last 24 hours):

robosonda analyze

With specific AWS profile:

robosonda analyze --profile production

Custom time range and region:

robosonda analyze --hours 48 --region us-west-2

JSON output for automation:

robosonda analyze --output json > security-report.json

Example Output

🔍 RoboSonda Security Analysis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📊 Security Health Score: 82/100 (Good)

🚨 Critical Findings (0)
None detected

⚠️  High Severity (2)
• Unusual API activity from IP 203.0.113.45
• Failed authentication attempts on production resources

🔔 Medium Severity (5)
• S3 bucket policy changes detected
• New IAM role created with broad permissions
• Security group modified to allow 0.0.0.0/0
• Root account activity detected
• CloudTrail logging disabled temporarily

✅ Recommendations
1. Review and restrict the new IAM role permissions
2. Investigate the source of failed authentication attempts
3. Enable MFA for all users, especially root account
4. Review S3 bucket policies for public access

🔒 Analysis performed 100% locally - no data sent externally

How It Works

  1. Data Collection: RoboSonda connects to AWS APIs to fetch:

    • CloudTrail management and data events
    • GuardDuty findings (if enabled)
    • Security Hub alerts (if enabled)
  2. Smart Filtering: Removes noise from:

    • AWS health checks
    • Monitoring service calls
    • Duplicate events
  3. Local AI Analysis: Uses Ollama with the llama3.2:1b model to:

    • Identify security patterns
    • Assess severity levels
    • Generate recommendations
  4. Health Score Calculation:

    • 100-90: Excellent (no issues)
    • 89-70: Good (minor issues)
    • 69-50: Fair (attention needed)
    • 49-30: Poor (immediate action required)
    • 29-0: Critical (severe security issues)
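
The filtering in step 2, sketched in Go as an added example that is not taken from RoboSonda's source: it removes duplicate deliveries by event ID and drops calls made by monitoring or health services, but never drops an event that switches logging off. The `Event` struct, the `noisyCallers` and `alwaysKeep` lists, and the sample records are assumptions constructed for illustration.

```go
package main

import "fmt"

// Event holds the CloudTrail record fields this sketch inspects (assumed shape).
type Event struct {
	EventID, EventName, InvokedBy string
}

// noisyCallers: AWS services treated as health-check/monitoring noise (assumed list).
var noisyCallers = map[string]bool{
	"health.amazonaws.com":     true,
	"monitoring.amazonaws.com": true,
}

// alwaysKeep: event names that survive filtering whoever made the call,
// so a noise rule can never hide logging being switched off.
var alwaysKeep = map[string]bool{"StopLogging": true, "DeleteTrail": true}

// FilterEvents drops duplicate event IDs and noisy service calls, keeping input order.
func FilterEvents(in []Event) []Event {
	seen := make(map[string]bool)
	var out []Event
	for _, e := range in {
		if seen[e.EventID] {
			continue // duplicate delivery of the same record
		}
		seen[e.EventID] = true
		if noisyCallers[e.InvokedBy] && !alwaysKeep[e.EventName] {
			continue // routine call made by a monitoring or health service
		}
		out = append(out, e)
	}
	return out
}

func main() {
	events := []Event{ // constructed sample records
		{"e1", "DescribeAlarms", "monitoring.amazonaws.com"},
		{"e2", "StopLogging", "monitoring.amazonaws.com"},
		{"e3", "CreateRole", ""},
		{"e3", "CreateRole", ""},
	}
	for _, e := range FilterEvents(events) {
		fmt.Println(e.EventID, e.EventName)
	}
}
```

Checking the keep-list before discarding anything is the part worth copying: a noise filter that matches only on the caller would otherwise suppress the events an analyst most needs to see.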

Privacy & Security

  • No external API calls except to AWS services
  • No telemetry or usage tracking
  • No data leaves your machine
  • Open source and auditable
  • Uses AWS SDK credential chain

Configuration

RoboSonda uses standard flags for configuration:

Flags:
  -h, --help            Show help
  -p, --profile string  AWS profile to use
  -r, --region string   AWS region (default: us-east-1)
  -t, --hours int       Hours to analyze (default: 24)
  -o, --output string   Output format: terminal or json (default: terminal)
  -v, --verbose         Enable verbose logging

Building from Source

# Clone repository
git clone https://github.com/jnewton03/robosonda.git
cd robosonda

# Install dependencies
go mod download

# Build
go build -o robosonda

# Run tests
go test ./...

# Build for all platforms
goreleaser build --snapshot --clean

Troubleshooting

"Ollama not running"

Ensure Ollama is running:

ollama serve

"Model not found"

Pull the required model:

ollama pull llama3.2:1b

"AWS credentials not found"

Configure AWS credentials using one of:

  • Environment variables
  • AWS CLI profile
  • IAM role (for EC2/ECS)

Performance Issues

  • Reduce time range: --hours 12
  • Check Ollama is using GPU (if available)
  • Ensure sufficient RAM (4GB minimum)

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Add tests for new functionality
  4. Ensure all tests pass
  5. Submit a pull request

License

MIT License - see LICENSE file for details

Acknowledgments


Built with ❤️ for the security-conscious AWS community
