Shadow AI Discovery Tool for AWS
GhostWeights hunts for unauthorized AI/ML workloads running in your AWS environment. It finds Shadow AI before attackers do - exposed APIs, forgotten GPU instances, and vulnerable endpoints.
Detects:
- Exposed Ollama, vLLM, Streamlit, Ray, Jupyter endpoints
- Running LLMs (Llama, Mistral) on EC2 instances
- AI model files on disk (.safetensors, .gguf, .bin)
- Exposed API keys in environment variables
- IMDSv1 vulnerable instances
- Public/unencrypted S3 buckets with models
- GPU instances without proper security
```bash
# Clone and build
git clone https://github.com/K0NGR3SS/ghostweights.git
cd ghostweights
go mod tidy
go build -o ghostweights ./cmd/ghostweights

# Basic scan
./ghostweights scan --region us-east-1

# Deep scan (uses SSM to inspect processes)
./ghostweights scan --region us-east-1 --deep

# Scan all regions
./ghostweights scan --all-regions --deep
```

Checks security groups for exposed AI ports:
- 11434 - Ollama API
- 8501 - Streamlit
- 8265 - Ray Dashboard
- 7860 - Gradio/HuggingFace
- 8000 - vLLM/FastChat
- 8888 - Jupyter Notebook
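The port check described above, as an added Go example (not GhostWeights' own code): it evaluates ingress rules against the listed ports and handles port ranges, the all-traffic protocol `-1`, and the IPv6 `::/0` prefix. `Rule` is a hypothetical simplified type rather than an AWS SDK type, and the sample rules are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// aiPorts is the port list from the README above.
var aiPorts = map[int]string{
	11434: "Ollama API", 8501: "Streamlit", 8265: "Ray Dashboard",
	7860: "Gradio/HuggingFace", 8000: "vLLM/FastChat", 8888: "Jupyter Notebook",
}

// Rule is a hypothetical, simplified ingress rule (not an AWS SDK type).
type Rule struct {
	Protocol         string // "tcp", "udp" or "-1" for all traffic
	FromPort, ToPort int
	CIDR             string
}

// worldOpen reports whether the CIDR covers every address (0.0.0.0/0 or ::/0).
func worldOpen(cidr string) bool {
	p, err := netip.ParsePrefix(cidr)
	return err == nil && p.Bits() == 0
}

// ExposedAIPorts returns the AI services a rule set exposes to the internet.
// A rule matches when it is world-open and either allows all traffic ("-1",
// where the port range is ignored) or is TCP with a range containing the port.
func ExposedAIPorts(rules []Rule) map[int]string {
	out := map[int]string{}
	for _, r := range rules {
		if !worldOpen(r.CIDR) || (r.Protocol != "tcp" && r.Protocol != "-1") {
			continue
		}
		for port, svc := range aiPorts {
			if r.Protocol == "-1" || (r.FromPort <= port && port <= r.ToPort) {
				out[port] = svc
			}
		}
	}
	return out
}

func main() {
	rules := []Rule{ // constructed sample rules
		{"tcp", 11434, 11434, "0.0.0.0/0"}, {"tcp", 8000, 9000, "::/0"}, // flagged
		{"tcp", 7860, 7860, "10.0.0.0/8"}, {"udp", 8888, 8888, "0.0.0.0/0"}, // not flagged
	}
	fmt.Println(ExposedAIPorts(rules))
}
```

A wide range such as 8000-9000 exposes four of the listed services at once, which a check that only compares exact port numbers would miss.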
Inspects running instances to find:
- AI model files on disk
- Running LLM processes (Llama, Mistral, etc.)
- Exposed API keys (OpenAI, Anthropic, HuggingFace)
- GPU presence (NVIDIA)
- Python AI packages (torch, transformers, vllm)
- Jupyter notebooks without authentication
Scans buckets for:
- AI-related bucket names (model, dataset, rag, etc.)
- Public access misconfiguration
- Missing encryption
- Model files (.safetensors, .gguf, .pt, .h5)
```bash
./ghostweights scan --region us-east-1 --format json --output findings.json
./ghostweights scan --region us-east-1 --format csv --output findings.csv
./ghostweights scan --region us-east-1 --min-risk CRITICAL
./ghostweights scan --region us-east-1 --exclude-ids i-abc123,i-def456
./ghostweights scan --region us-east-1 --s3 --deep
./ghostweights scan --all-regions --deep --s3 --format json --output report.json
```

```bash
# Show help
./ghostweights --help
./ghostweights scan --help

# Print version
./ghostweights version

# Shell completion
./ghostweights completion bash
./ghostweights completion zsh
```

```
--region, -r     AWS region to scan (e.g., us-east-1)
--all-regions    Scan all AWS regions
--deep           Enable SSM deep scanning
--s3             Scan S3 buckets for AI models
--format         Output format: table, json, csv (default: table)
--output, -o     Write results to file
--min-risk       Minimum risk level: LOW, MEDIUM, HIGH, CRITICAL
--exclude-ids    Comma-separated instance IDs to skip
```
```
Phase 1: Initialization
Connected to AWS (us-east-1)

Phase 2: Discovery & Analysis
Found 157 running instances across 2 pages
Scan Complete

Phase 3: Final Report
🚨 Found 8 potential issues:

Risk      Service                Instance ID          Description                       Evidence
CRITICAL  Exposed API Key        i-0a1b2c3d4e5f6g7h8  API key in environment            OPENAI_***_KEY=sk-***abc
CRITICAL  Ollama API             i-abc123def456       Active Ollama API                 Port 11434 open to 0.0.0.0/0
HIGH      vLLM Inference Server  i-11223344556677889  Serving model: Llama-3-8b on GPU  Cmd: python -m vllm...
HIGH      AI Model Files         i-0a1b2c3d4e5f6g7h8  Found 12 model files              Files: model.safetensors...
HIGH      S3 Bucket              my-models-bucket     Contains 25 model files (PUBLIC)  Bucket: my-models-bucket
MEDIUM    GPU Detected           i-99887766554433221  NVIDIA A100 GPU present           Potential AI workload
MEDIUM    IMDSv1 Enabled         i-xyz789             SSRF vulnerable                   HttpTokens=optional
LOW       AI Python Packages     i-0a1b2c3d4e5f6g7h8  Found 5 AI/ML packages            torch, transformers...
```
Minimum policy for basic scanning:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
```

For deep scanning, add:

```json
{
  "Effect": "Allow",
  "Action": [
    "ssm:SendCommand",
    "ssm:GetCommandInvocation"
  ],
  "Resource": "*"
}
```

For S3 scanning, add:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:ListAllMyBuckets",
    "s3:GetBucketLocation",
    "s3:GetBucketAcl",
    "s3:GetBucketPolicy",
    "s3:GetBucketEncryption",
    "s3:ListBucket"
  ],
  "Resource": "*"
}
```

For SSM deep scan: instances need the SSM Agent installed and an IAM role with the AmazonSSMManagedInstanceCore policy attached. Because `ssm:SendCommand` on `"Resource": "*"` allows running commands on any SSM-managed instance, grant the deep-scan statement only to the identity that runs the scan.
```bash
# Fail build if critical findings exist
./ghostweights scan --region us-east-1 --format json --output findings.json

# Check for critical issues (quoted so an empty jq result fails cleanly)
if [ "$(jq '[.[] | select(.risk=="CRITICAL")] | length' findings.json)" -gt 0 ]; then
  echo "CRITICAL Shadow AI findings detected!"
  exit 1
fi
```

```bash
# Add to crontab for weekly scans
0 2 * * 1 /usr/local/bin/ghostweights scan --all-regions --deep --format json --output /var/log/ghostweights/$(date +\%Y\%m\%d).json
```

- Fixed pagination (now handles unlimited instances)
- Added security group caching (10x faster scans)
- Better error handling and logging
- IMDSv1 vulnerable instances
- Model files on disk (.safetensors, .gguf, .bin)
- Exposed API keys in environment
- Python AI packages (torch, transformers, etc.)
- Jupyter notebooks without authentication
- S3 buckets with AI models
- GPU detection
- JSON and CSV output formats
- Multi-region scanning (--all-regions)
- Risk-based filtering (--min-risk)
- Instance exclusion lists
- S3 bucket analysis
- Security Auditing: Find unauthorized AI deployments
- Compliance: Ensure AI workloads meet security standards
- Cost Optimization: Find forgotten GPU instances
- Incident Response: Quick assessment of Shadow AI exposure
- Red Team: Enumerate AI attack surface
This tool is intended only for authorized security testing on systems you own or have explicit permission to assess. Unauthorized scanning may be illegal. You are responsible for complying with all applicable laws and cloud provider policies.
The software is provided "as is", without warranty.