
AI Provider Setup (BYOK)

Configure your AI provider for intelligent drift analysis using the Bring Your Own Key (BYOK) model.

Overview

Controlinfra uses AI to analyze detected drift and provide:

  • Root Cause Analysis: Why the drift occurred
  • Impact Assessment: What systems are affected
  • Severity Classification: How urgent is the fix
  • Fix Recommendations: Code to resolve the drift
  • Prevention Tips: How to avoid future drift

Supported Providers

Anthropic Claude (Recommended)

Controlinfra uses Claude Sonnet 4 by default for drift analysis:

  • Excellent at understanding infrastructure context
  • Strong code generation capabilities
  • Detailed, actionable recommendations

OpenAI GPT-4

Alternatively, use GPT-4o:

  • Reliable analysis results
  • Good code generation
  • Wide language support

Getting API Keys

Anthropic API Key

  1. Go to console.anthropic.com
  2. Sign up or log in
  3. Navigate to API Keys
  4. Click Create Key
  5. Copy the key (starts with sk-ant-api03-)

WARNING

Store your API key securely. The console shows it only once, so put it straight into a secrets manager or password manager rather than a file, ticket or chat message. If the key is lost, create a new one and revoke the old one in the console.

OpenAI API Key

  1. Go to platform.openai.com
  2. Sign up or log in
  3. Navigate to API Keys
  4. Click Create new secret key
  5. Copy the key (starts with sk-, for example sk-proj-)

Configuration Steps

Step 1: Navigate to Settings

  1. Log in to Controlinfra
  2. Click Settings in the bottom navigation
  3. Find the AI Provider section

Step 2: Select Provider

Choose your preferred provider:

○ Anthropic Claude (Recommended)
○ OpenAI GPT-4

Step 3: Enter API Key

Paste your API key:

API Key: sk-ant-api03-xxxxxxxxxxxxx...

Step 4: Save and Verify

Click Save. Controlinfra verifies that the selected provider accepts the key; if the check fails, see Troubleshooting below.

TIP

You can test your configuration by running a scan on a repository with known drift.

How BYOK Works

With Bring Your Own Key:

  1. You control costs: AI usage is billed directly to your API account
  2. Direct relationship: Controlinfra sends analysis requests to the AI provider with your key; there is no intermediary or shared pooled account
  3. No markup: Controlinfra doesn't charge for AI usage
  4. Your data: analysis requests run under your own API account, so they appear in that account's usage dashboard and logs

Cost Estimation

Typical costs per drift analysis:

Provider     Model              ~Cost per Analysis
Anthropic    Claude Sonnet 4    ~$0.01-0.03
OpenAI       GPT-4o             ~$0.02-0.05

A scan that finds 10 drifts therefore costs roughly $0.10-0.50 in provider usage; scans that find no drift make no AI requests.

Security

Key Storage

Your API key is:

  • Encrypted: Using AES-256 encryption at rest
  • Isolated: Stored separately from other user data
  • Access-controlled: Only decrypted during analysis
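The three storage properties above, as an added Go example that is not Controlinfra's code: a provider key is sealed with AES-256-GCM under a master key assumed to be held in a KMS or HSM, the account ID and provider name are bound in as associated data so a ciphertext opens only in its owner's context, and a wrapper decrypts for the duration of a single analysis call and wipes the buffer afterwards. The names SealedKey, Seal, Open and WithAPIKey, the AAD label string and the sample key are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedKey is the only form in which a user's provider key is persisted:
// a random nonce plus AES-256-GCM ciphertext. The 32-byte master key is
// assumed to come from a KMS or HSM, never from the same database row.
type SealedKey struct {
	Nonce      []byte
	Ciphertext []byte
}

// aad is the GCM associated data. Binding the ciphertext to the owning
// account and provider means a row copied into another tenant, or relabelled
// as a different provider, fails authentication instead of decrypting.
func aad(accountID, provider string) []byte {
	return []byte("controlinfra/ai-provider-key/v1\x00" + accountID + "\x00" + provider)
}

func newAEAD(masterKey []byte) (cipher.AEAD, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts apiKey under a fresh random 96-bit nonce. Reusing a nonce
// breaks GCM, so one is drawn per write and stored beside the ciphertext.
func Seal(masterKey []byte, accountID, provider, apiKey string) (SealedKey, error) {
	aead, err := newAEAD(masterKey)
	if err != nil {
		return SealedKey{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedKey{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(apiKey), aad(accountID, provider))
	return SealedKey{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a sealed key. Any change to nonce, ciphertext, account or
// provider label is caught by the GCM tag and reported as an error.
func Open(masterKey []byte, accountID, provider string, s SealedKey) ([]byte, error) {
	aead, err := newAEAD(masterKey)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, aad(accountID, provider))
	if err != nil {
		return nil, fmt.Errorf("sealed key for %s/%s: %w", accountID, provider, err)
	}
	return pt, nil
}

// WithAPIKey is the "only decrypted during analysis" pattern: the plaintext
// lives for one callback and the buffer is zeroed afterwards (best effort;
// Go cannot stop the callback from copying the bytes).
func WithAPIKey(masterKey []byte, accountID, provider string, s SealedKey,
	analyze func(apiKey []byte) error) error {
	pt, err := Open(masterKey, accountID, provider, s)
	if err != nil {
		return err
	}
	defer func() {
		for i := range pt {
			pt[i] = 0
		}
	}()
	return analyze(pt)
}

func main() {
	master := make([]byte, 32) // demo only; in production fetch from a KMS
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	sealed, err := Seal(master, "acct-42", "anthropic", "sk-ant-api03-example") // constructed key
	if err != nil {
		panic(err)
	}
	// Decrypt for exactly one analysis call, in the owning account's context.
	_ = WithAPIKey(master, "acct-42", "anthropic", sealed, func(k []byte) error {
		fmt.Printf("analysis call sees a %d-byte key\n", len(k))
		return nil
	})
	// The same row presented under another account does not decrypt.
	if _, err := Open(master, "acct-7", "anthropic", sealed); err != nil {
		fmt.Println("cross-tenant open refused:", err)
	}
}
```

The point of the associated data is that "isolated" becomes a cryptographic property rather than a database convention: even with read access to every sealed row and to the decryption path, a request made in the wrong account's context cannot open another tenant's key.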

Key Usage

Your key is used only for:

  • Drift analysis during scans
  • Fix code generation

It is not used for any other purpose.

Key Rotation

We recommend rotating API keys periodically:

  1. Generate a new key in your provider console
  2. Update the key in Controlinfra Settings and confirm that Save verifies it
  3. Revoke the old key in the provider console

Keeping the old key until the new one has verified avoids a window in which scans run without AI analysis. If a key may have been exposed (for example, committed to a repository), revoke it immediately and issue a replacement rather than waiting for the next scheduled rotation.

Analysis Features

When AI is configured, each drift includes:

Root Cause Analysis

Root Cause: The security group was modified directly in the AWS
console to add SSH access (port 22) from 0.0.0.0/0. This change
was likely made for debugging purposes and was not reflected in
the Terraform configuration.

Impact Assessment

Impact: This change exposes the instance to potential SSH brute
force attacks from anywhere on the internet. All instances in
this security group are affected.

Blast Radius: 3 EC2 instances

Severity Classification

Severity    Description
Critical    Security vulnerability, immediate action needed
High        Significant risk, fix soon
Medium      Should be addressed, not urgent
Low         Minor inconsistency, fix when convenient

Fix Code

```hcl
# Add this to your security group configuration:
ingress {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["10.0.0.0/8"]  # Restrict to internal network
  description = "SSH access from internal network"
}
```

Because inline ingress blocks on an aws_security_group make Terraform manage the full rule set, applying this removes the console-added 0.0.0.0/0 rule as well as adding the internal one; review the plan before applying.

Prevention Recommendations

Prevention:
1. Implement AWS Config rules (for example the managed restricted-ssh rule) to flag security groups that allow unrestricted SSH
2. Use IAM policies to restrict direct security group modifications to your CI/CD role
3. Set up alerts (for example on CloudTrail events) for infrastructure changes made outside of CI/CD
4. Consider using Controlinfra scheduled scans to catch drift early

Switching Providers

To switch between Anthropic and OpenAI:

  1. Go to Settings > AI Provider
  2. Select the new provider
  3. Enter the new API key
  4. Click Save

Previous analysis results are preserved regardless of provider changes.

Disabling AI Analysis

To disable AI analysis:

  1. Go to Settings > AI Provider
  2. Remove the API key or select None
  3. Click Save

Scans will still detect drift but without AI-powered analysis.

Troubleshooting

"Invalid API Key" Error

  • Verify the key was copied correctly (no extra spaces or line breaks)
  • Check the key hasn't been revoked in the provider console
  • Ensure you're using the right provider's key (an OpenAI key under the Anthropic provider, or vice versa, is rejected)

"Rate Limit Exceeded"

  • Your API account may have hit rate limits
  • Check your provider's usage dashboard
  • Consider upgrading your API plan

"Insufficient Credits"

  • Add credits to your AI provider account
  • Check usage limits in provider settings
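How the Save-and-Verify step (Step 4 above) and the "Invalid API Key", "Rate Limit Exceeded" and "Insufficient Credits" checks can be implemented, as an added Go example that is not Controlinfra's code: it trims the whitespace a paste can introduce, checks the key prefix against the selected provider before any network call, builds a token-free list-models probe for each provider, and maps the probe's HTTP status to the headings used in this section. The provider endpoints and headers are the public ones; that Controlinfra verifies keys this way, and the names NormalizeKey, ProbeRequest and ClassifyResponse, are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Provider is the option selected under Settings > AI Provider.
type Provider string

const (
	Anthropic Provider = "anthropic"
	OpenAI    Provider = "openai"
)

var ErrBadFormat = errors.New("key is empty or contains whitespace")
var ErrWrongProvider = errors.New("key prefix does not match the selected provider")

// NormalizeKey trims the whitespace a paste can add and checks the prefix for
// the selected provider: Anthropic keys start with "sk-ant-" (sk-ant-api03-...),
// OpenAI keys with "sk-" (for example sk-proj-...) but never with "sk-ant-".
func NormalizeKey(p Provider, raw string) (string, error) {
	key := strings.TrimSpace(raw)
	if key == "" || strings.ContainsAny(key, " \t\r\n") {
		return "", ErrBadFormat
	}
	switch p {
	case Anthropic:
		if !strings.HasPrefix(key, "sk-ant-") {
			return "", ErrWrongProvider
		}
	case OpenAI:
		if !strings.HasPrefix(key, "sk-") || strings.HasPrefix(key, "sk-ant-") {
			return "", ErrWrongProvider
		}
	default:
		return "", fmt.Errorf("unknown provider %q", p)
	}
	return key, nil
}

// ProbeRequest builds the cheapest authenticated call per provider: listing
// models consumes no tokens, and a revoked or mistyped key is answered with 401.
// Endpoints and headers are the providers' public ones; that Controlinfra
// verifies keys this way is an assumption of this example.
func ProbeRequest(p Provider, key string) (*http.Request, error) {
	urls := map[Provider]string{
		Anthropic: "https://api.anthropic.com/v1/models",
		OpenAI:    "https://api.openai.com/v1/models",
	}
	url, ok := urls[p]
	if !ok {
		return nil, fmt.Errorf("unknown provider %q", p)
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	if p == Anthropic {
		req.Header.Set("x-api-key", key)
		req.Header.Set("anthropic-version", "2023-06-01")
	} else {
		req.Header.Set("Authorization", "Bearer "+key)
	}
	return req, nil
}

// Result is what the Settings page shows after Save.
type Result struct {
	OK      bool
	Message string
}

// ClassifyResponse maps the probe's status to this page's troubleshooting
// headings. OpenAI also reports exhausted quota as 429 (insufficient_quota).
func ClassifyResponse(status int) Result {
	switch status {
	case http.StatusOK:
		return Result{true, "Key verified"}
	case http.StatusUnauthorized, http.StatusForbidden:
		return Result{false, "Invalid API Key: rejected by the provider (revoked, or another account's key?)"}
	case http.StatusTooManyRequests:
		return Result{false, "Rate Limit Exceeded (at OpenAI this can also mean Insufficient Credits)"}
	}
	return Result{false, fmt.Sprintf("Unexpected status %d from provider", status)}
}

func main() {
	// Offline demo of the local checks. To probe live: build ProbeRequest,
	// send it with http.DefaultClient.Do, and pass resp.StatusCode to ClassifyResponse.
	for _, raw := range []string{" sk-ant-api03-abc\n", "sk-proj-abc", "sk-ant abc"} {
		_, err := NormalizeKey(Anthropic, raw)
		fmt.Printf("anthropic %q -> %v\n", raw, err)
	}
}
```

Doing the prefix and whitespace checks locally gives the user a specific reason instead of the provider's generic 401, and the list-models probe means verification never spends tokens from the account being checked.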

Analysis Not Appearing

  • Verify AI provider is configured
  • Check the scan completed successfully
  • Ensure drift was detected (no drift = no analysis)

Best Practices

1. Monitor Usage

Track your AI API usage:

  • Set up billing alerts
  • Monitor cost per scan
  • Adjust scan frequency if needed

2. Use Appropriate Models

  • Claude Sonnet 4 / GPT-4o are recommended for accuracy
  • Smaller models may be less expensive but less accurate

3. Review Analysis Results

  • AI analysis is a recommendation, not a mandate
  • Always review suggested fixes before applying
  • Use your judgment for critical infrastructure
