AWS Security MCP
A Model Context Protocol server that connects AI assistants like Claude to AWS security services, allowing them to autonomously query, inspect, and analyze AWS infrastructure for security issues and misconfigurations.
Tools
list_s3_buckets
List S3 buckets with metadata and optional public access check. Args: search_term: Optional search term to filter buckets by name check_public: Whether to check each bucket for public access Returns: JSON object with bucket information and public access details if requested
check_s3_bucket
Check an individual S3 bucket for security issues. Args: bucket_name: Name of the S3 bucket to check Returns: JSON object with detailed security assessment for the specified bucket
get_s3_bucket_details
Get detailed information about an S3 bucket. Args: bucket_name: Name of the S3 bucket Returns: JSON object with detailed bucket information
check_s3_bucket_security
Perform a comprehensive security audit of an S3 bucket. Args: bucket_name: Name of the S3 bucket Returns: JSON object with security assessment results
get_s3_bucket_policy
Get the policy of an S3 bucket. Args: bucket_name: Name of the S3 bucket Returns: JSON object with bucket policy information
scan_s3_buckets_for_public_access
Scan S3 buckets for public access permissions. Args: search_term: Optional text to filter buckets by name (ignored if bucket_names is provided) bucket_names: Optional list of specific bucket names to scan Returns: JSON object with security assessment results for public buckets
list_iam_resources
List IAM resources of the specified type, filtered for security audit relevance. Returns only the most security-relevant fields: - Name and ARN - AWS Managed Policies - Customer Managed Policies - Inline Policies - Last Usage Information - Trust Relationship (for roles) Args: resource_type: Type of IAM resource to list (roles, users, policies, access_keys, or all) limit: Maximum number of resources to return search_term: Optional search term to filter resources by name next_token: Pagination token for fetching the next set of resources (optional) Returns: JSON string with security-relevant IAM resource information
get_role_security_audit
Get comprehensive security audit information for an IAM role. Returns only the most security-relevant fields: - Name and ARN - AWS Managed Policies - Customer Managed Policies - Inline Policies with documents - Last Usage Information - Trust Relationship document Args: role_name: Name of the IAM role Returns: JSON string with security audit information
get_user_security_audit
Get comprehensive security audit information for an IAM user. Returns only the most security-relevant fields: - Name and ARN - AWS Managed Policies - Customer Managed Policies - Inline Policies with documents - Access Keys with last used information - MFA status - Console access status Args: user_name: Name of the IAM user Returns: JSON string with security audit information
list_user_policies
List all policies (both inline and attached managed policies) associated with an IAM user. Args: user_name: Name of the IAM user include_documents: Whether to include the full policy documents (default: True) Returns: JSON string with user policy information
get_user_permissions
Get permissions associated with an IAM user. Args: user_name: Name of the IAM user Returns: JSON string with user permission information
list_role_policies
List all policies (both inline and attached managed policies) associated with an IAM role. Args: role_name: Name of the IAM role include_documents: Whether to include the full policy documents (default: True) Returns: JSON string with role policy information
get_role_permissions
Get permissions associated with an IAM role. Args: role_name: Name of the IAM role Returns: JSON string with role permission information
get_iam_policy_content
Get the full content of an IAM policy by its ARN. Args: policy_arn: ARN of the IAM policy to retrieve Returns: JSON string with the policy document and metadata
find_roles_by_trust_relationship
Find IAM roles based on their trust relationship criteria. This tool has two main use cases: 1. Identifying roles that can be assumed by a specific principal (role/user/service) 2. Identifying roles that a specific IAM role can assume (by checking permissions) Args: principal_type: Type of principal to search for ('role', 'user', 'service', 'account', 'role_arn') principal_value: Value of the principal (role name, user name, service name, account ID, or complete role ARN) limit: Maximum number of roles to analyze Returns: JSON string with roles matching the trust relationship criteria
get_access_key_details
Get detailed information about a specific AWS access key ID. This tool searches across all IAM users to find which user owns the specified access key ID and returns detailed information about the key and its owner. Args: access_key_id: The AWS access key ID to look up (e.g., AKIAIOSFODNN7EXAMPLE) Returns: JSON string with detailed information about the access key and its owner
list_ec2_instances
List EC2 instances with details. Args: limit: Maximum number of instances to return (None for all) search_term: Optional search term to filter instances by name, ID, or type state: Instance state to filter by (default is "running"). Set to empty string to show all states. next_token: Pagination token from a previous request (optional) Returns: JSON formatted string with EC2 instance information
count_ec2_instances
Count EC2 instances, optionally filtering by state and security group rules. Args: state: Optional instance state to filter by (e.g., running, stopped, terminated) has_public_access: If set, only count instances with (True) or without (False) public internet access port: Optional specific port to check for access (e.g., 22 for SSH) Returns: JSON formatted string with instance count information
list_security_groups
List EC2 security groups with details. Args: limit: Maximum number of security groups to return (None for all) search_term: Optional search term to filter security groups. Supports special syntax: - Standard text search by name, ID, description, or VPC ID - port:XX - Find security groups with specific port open (e.g., port:22 for SSH) - protocol:XX - Find security groups allowing specific protocol (e.g., protocol:http) - public:true - Find security groups open to the internet (0.0.0.0/0) - cidr:X.X.X.X/X - Find security groups allowing specific CIDR range next_token: Pagination token from a previous request (optional) Returns: JSON formatted string with security group information
list_vpcs
List VPCs with details. Args: limit: Maximum number of VPCs to return (None for all) search_term: Optional search term to filter VPCs by ID or CIDR next_token: Optional pagination token for fetching next page of results Returns: JSON formatted string with VPC information
list_route_tables
List route tables with details. Args: limit: Maximum number of route tables to return (None for all) search_term: Optional search term to filter route tables by ID or VPC ID next_token: Optional pagination token for fetching next page of results Returns: JSON formatted string with route table information
list_subnets
List all subnets in a VPC or across all VPCs. Args: vpc_id: Optional VPC ID to list subnets for. If None, lists subnets across all VPCs. include_details: Whether to include detailed subnet information (route tables, ACLs) limit: Maximum number of subnets to return (None for all) search_term: Optional text to filter subnets by ID, VPC ID, CIDR, or tags next_token: Optional pagination token for fetching next page of results Returns: JSON formatted string with subnet information
list_ec2_resources
List EC2 resources of the specified type. Args: resource_type: Type of EC2 resource to list (instances, security_groups, vpcs, route_tables, subnets, or all) limit: Maximum number of resources to return (None for all) search_term: Optional search term to filter resources state: Instance state to filter by (default is "running"). Only applies to instances. next_token: Optional pagination token for fetching next page of results Returns: JSON formatted string with EC2 resource information
find_public_security_groups
Find security groups with public internet access (0.0.0.0/0). Args: port: Optional specific port to check for public access (e.g., 22 for SSH) Returns: JSON formatted string with security groups that allow public access
find_instances_with_public_access
Find EC2 instances that have public internet access through their security groups. Args: port: Optional specific port to check for public access (e.g., 22 for SSH) state: Instance state to filter by (default is "running") Returns: JSON formatted string with publicly accessible instances
find_resource_by_ip
Find AWS resources associated with a specific IP address. Args: ip_address: IP address to search for (public or private) Returns: JSON formatted string with information about resources using the IP address
find_instances_by_port
Find EC2 instances with security groups allowing access on a specific port. Args: port: The port number to check for state: Instance state to filter by (default is "running") Returns: JSON formatted string with instances that have the specified port open
find_security_groups_by_port
Find security groups with a specific port open. Args: port: Port number to check for (e.g., 22 for SSH, 3389 for RDP) Returns: JSON formatted string with security groups that have the specified port open
batch_describe_security_groups
Batch describe multiple security groups by ID. Args: security_group_ids: List of security group IDs to describe Returns: JSON formatted string with detailed information about multiple security groups
batch_describe_instances
Batch describe multiple EC2 instances by ID. Args: instance_ids: List of EC2 instance IDs to describe Returns: JSON formatted string with detailed information about multiple EC2 instances
get_securityhub_findings
Get findings from AWS SecurityHub. Args: limit: Maximum number of findings to return severity: Severity level to filter by (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, or ALL) search_term: Optional search term to filter findings Returns: JSON formatted string with SecurityHub findings
list_failed_security_standards
List failed security standards from SecurityHub. Args: limit: Maximum number of failed standards to return Returns: JSON formatted string with failed security standards
list_function_layers
List layers used by a Lambda function. Args: function_name: Name or ARN of the Lambda function Returns: Formatted string with Lambda function layers
list_threat_intel_sets
List threat intelligence sets for a GuardDuty detector. Args: detector_id: GuardDuty detector ID max_results: Maximum number of results to return Returns: JSON formatted string with GuardDuty threat intel sets
get_analyzer
Get detailed information about a specific Access Analyzer. Args: analyzer_name: Name of the Access Analyzer Returns: JSON string with analyzer details
get_finding
Get detailed information about a specific Access Analyzer finding. Args: analyzerArn: ARN of the Access Analyzer finding_id: ID of the finding Returns: JSON string with finding details
list_findings_by_category
Get findings filtered by resource type category. Args: analyzerArn: ARN of the Access Analyzer resource_type: Resource type to filter by (e.g., AWS::S3::Bucket, AWS::SQS::Queue) status: Finding status filter (ACTIVE, ARCHIVED, RESOLVED) next_token: Pagination token for fetching the next set of results limit: Maximum number of findings to return Returns: JSON string with findings for the specified category
get_load_balancers
Get load balancers with optional filtering. Searches ELBv2 first (ALB, NLB, GWLB), then falls back to classic ELB if needed. Returns ARNs as the primary identifier. Args: load_balancer_type: Filter by type ('classic', 'application', 'network', 'gateway') arns: Filter by load balancer ARNs (preferred method) names: Filter by load balancer names (fallback method) next_token: Token for pagination max_items: Maximum items to return Returns: JSON string with load balancer information and pagination details
describe_load_balancer
Get detailed information about a specific load balancer. Args: load_balancer_arn: ARN of the load balancer Returns: JSON string with load balancer information
describe_instance_health
Describe the health of instances for a Classic Load Balancer. Args: load_balancer_name: Name of the Classic Load Balancer instance_ids: Optional list of instance IDs to filter by Returns: JSON string with instance health information
get_target_groups
Get target groups with optional filtering by load balancer ARN. Args: load_balancer_arn: Optional load balancer ARN to filter by next_token: Token for pagination max_items: Maximum items to return Returns: JSON string with target group information and pagination details
describe_target_health
Describe the health of targets in a target group. Args: target_group_arn: ARN of the target group targets: Optional list of targets to describe Returns: JSON string with target health information
describe_listeners
Describe listeners for a load balancer. Args: load_balancer_arn: ARN of the load balancer next_token: Token for pagination max_items: Maximum items to return Returns: JSON string with listener information
describe_load_balancer_listeners
Describe listeners for a load balancer using its ARN. Args: load_balancer_arn: The ARN of the load balancer next_token: Token for pagination max_items: Maximum items to return Returns: JSON string with listener information
describe_rules
Describe rules for a listener. Args: listener_arn: ARN of the listener next_token: Token for pagination max_items: Maximum items to return Returns: JSON string with rule information
search_load_balancer
Search for a load balancer by ARN, name, or DNS name. Searches ELBv2 first, then falls back to classic ELB if needed. Args: identifier: Load balancer ARN, name, or DNS name Returns: JSON string with load balancer information
describe_listeners_by_arns
Describe listeners by their ARNs. Args: listener_arns: List of listener ARNs Returns: JSON string with listener information
get_load_balancer_by_arn
Get load balancer by its ARN. Args: load_balancer_arn: ARN of the load balancer Returns: JSON string with load balancer information
list_distributions
List CloudFront distributions in the AWS account. Args: limit: Maximum number of distributions to return (default: 1000) next_token: Token for pagination (from previous request) Returns: JSON string with CloudFront distributions
get_distribution_details
Get detailed information about a specific CloudFront distribution. Args: distribution_id: ID of the CloudFront distribution or domain name Returns: JSON string with distribution details
list_cache_policies
List CloudFront cache policies. Args: limit: Maximum number of policies to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with cache policies
list_traffic_policies
List Route53 traffic policies in the AWS account. Args: limit: Maximum number of traffic policies to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with Route53 traffic policies
list_origin_request_policies
List CloudFront origin request policies. Args: limit: Maximum number of policies to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with origin request policies
list_response_headers_policies
List CloudFront response headers policies. Args: limit: Maximum number of policies to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with response headers policies
get_distribution_invalidations
Get invalidations for a specific CloudFront distribution. Args: distribution_id: ID of the CloudFront distribution limit: Maximum number of invalidations to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with invalidation details
search_distribution
Search for a CloudFront distribution by domain name, distribution ID, or alias. This tool searches for CloudFront distributions using the provided identifier, which can be a CloudFront domain name (e.g., d1234abcdef8ghi.cloudfront.net), a distribution ID (e.g., E1A2B3C4D5E6F7), or a custom domain alias. Args: identifier: CloudFront domain name, distribution ID, or alias Returns: JSON string with distribution details if found
list_hosted_zones
List Route53 hosted zones in the AWS account. Args: limit: Maximum number of hosted zones to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with Route53 hosted zones information
get_hosted_zone_details
Get detailed information about a specific Route53 hosted zone. Args: zone_id: ID of the Route53 hosted zone (can include or exclude '/hostedzone/' prefix) Returns: JSON string with hosted zone details
list_resource_record_sets
List resource record sets in a specific Route53 hosted zone. Args: zone_id: ID of the Route53 hosted zone (can include or exclude '/hostedzone/' prefix) limit: Maximum number of record sets to return per page (default: 100) next_token: Pagination token from a previous request (optional) Returns: JSON string with resource record sets and pagination information
list_health_checks
List Route53 health checks in the AWS account. Args: limit: Maximum number of health checks to return (default: 100) next_token: Token for pagination (from previous request) Returns: JSON string with Route53 health checks
check_subdomain_takeover_vulnerability
Check if a specific domain or subdomain is vulnerable to subdomain takeover attacks. This function performs a DNS-based analysis for subdomain takeover vulnerabilities: 1. Identifies all DNS records for the domain 2. For CNAME records, checks if they point to services that could be vulnerable 3. Analyzes DNS configurations for signs of abandoned or unclaimed resources Args: domain_name: The domain or subdomain name to check (e.g., xyz.dreamplug.in) Returns: JSON string with vulnerability assessment results
find_ip_address_details
Find details about an IP address, including associated EC2 resources and DNS records pointing to it. This function: 1. Identifies EC2 instances with this IP (public or private) 2. Finds network interfaces using this IP 3. Searches Route53 records pointing to this IP Args: ip_address: The IP address to lookup (e.g., 43.205.186.36) Returns: JSON string with IP address details and associated resources
analyze_domain_security
Analyze the security posture of a domain, including its DNS configuration and associated resources. This function: 1. Checks the domain's DNS records 2. For A records, analyzes the security of the associated IP addresses 3. For CNAME records, checks for subdomain takeover vulnerabilities 4. Provides security recommendations based on the findings Args: domain_name: The domain name to analyze Returns: JSON string with security analysis results
list_waf_web_acls
List AWS WAF Web ACLs. Args: scope: The scope of the Web ACLs to retrieve ('REGIONAL' or 'CLOUDFRONT') limit: Maximum number of Web ACLs to return next_token: Pagination token for fetching the next set of Web ACLs Returns: JSON object with Web ACL information
get_waf_web_acl_details
Get detailed information about a specific AWS WAF Web ACL. Args: web_acl_id: The ID of the Web ACL web_acl_name: The name of the Web ACL scope: The scope of the Web ACL ('REGIONAL' or 'CLOUDFRONT') Returns: JSON object with detailed Web ACL information
list_waf_ip_sets
List AWS WAF IP sets. Args: scope: The scope of the IP sets to retrieve ('REGIONAL' or 'CLOUDFRONT') limit: Maximum number of IP sets to return next_token: Pagination token for fetching the next set of IP sets Returns: JSON object with IP set information
get_waf_ip_set_details
Get detailed information about a specific AWS WAF IP set. Args: ip_set_id: The ID of the IP set ip_set_name: The name of the IP set scope: The scope of the IP set ('REGIONAL' or 'CLOUDFRONT') Returns: JSON object with detailed IP set information
list_waf_rule_groups
List AWS WAF rule groups. Args: scope: The scope of the rule groups to retrieve ('REGIONAL' or 'CLOUDFRONT') limit: Maximum number of rule groups to return next_token: Pagination token for fetching the next set of rule groups Returns: JSON object with rule group information
get_waf_rule_group_details
Get detailed information about a specific AWS WAF rule group. Args: rule_group_id: The ID of the rule group rule_group_name: The name of the rule group scope: The scope of the rule group ('REGIONAL' or 'CLOUDFRONT') Returns: JSON object with detailed rule group information
list_waf_resources_for_web_acl
List resources protected by a specific AWS WAF Web ACL. Args: web_acl_arn: The ARN of the Web ACL resource_type: The type of resource (e.g., 'APPLICATION_LOAD_BALANCER', 'API_GATEWAY') Returns: JSON object with resources protected by the Web ACL
list_all_waf_components
List all AWS WAF components (Web ACLs, IP sets, and rule groups). Args: scope: The scope of the components to retrieve ('REGIONAL' or 'CLOUDFRONT') limit: Maximum number of each component type to return Returns: JSON object with comprehensive WAF component information
count_active_access_keys
Count all active access keys across all IAM users in the AWS account. Returns: JSON string with counts and details of active access keys
get_inline_policy_content
Get the full content of an inline IAM policy. Args: entity_type: Type of entity the policy is attached to ('user' or 'role') entity_name: Name of the user or role policy_name: Name of the inline policy Returns: JSON string with the policy document and metadata
search_instance_profiles
Search for IAM instance profiles with optional filtering. Args: search_term: Optional text to filter instance profiles by name limit: Maximum number of instance profiles to return next_token: Pagination token for fetching the next set of results Returns: JSON string with instance profile information
analyze_trusted_relationships
Analyze the trusted relationships (assume role policies) for IAM roles. Args: role_name: Optional specific role name to analyze all_roles: Set to True to analyze all roles in the account limit: Maximum number of roles to analyze when all_roles is True Returns: JSON string with trusted relationship information
check_console_access
Check IAM users for console sign-in capability. Args: user_name: Specific IAM user to check check_all_users: Set to True to check all users in the account limit: Maximum number of users to check when check_all_users is True Returns: JSON string with console access information
check_confused_deputy_vulnerabilities
Identify IAM roles that might be vulnerable to confused deputy attacks. Confused deputy vulnerabilities occur when a role can be assumed by external entities without proper safeguards such as external IDs or source ARN restrictions. Args: all_roles: Set to True to check all roles in the account role_name: Specific IAM role to check (ignored if all_roles is True) limit: Maximum number of roles to check when all_roles is True include_aws_service_roles: Whether to include AWS service roles in the analysis Returns: JSON string with vulnerability analysis results
get_account_security_score
Get the overall security score for the AWS account. Returns: JSON formatted string with account security score
list_functions
List Lambda functions in the AWS account. Args: region: Optional region to filter functions limit: Maximum number of functions to return search_term: Optional search term to filter functions by name next_token: Pagination token for fetching the next set of functions (optional) Returns: JSON formatted string with Lambda functions
get_function_details
Get detailed information about a specific Lambda function. Args: function_name: Name or ARN of the Lambda function Returns: JSON formatted string with Lambda function details
get_function_policy
Get the resource policy for a Lambda function. Args: function_name: Name or ARN of the Lambda function Returns: JSON formatted string with Lambda function policy
list_function_permissions
List permissions granted to invoke a Lambda function. Args: function_name: Name or ARN of the Lambda function Returns: JSON formatted string with Lambda function permissions
list_invocations
Get recent invocations of a Lambda function from CloudWatch logs. Args: function_name: Name or ARN of the Lambda function limit: Maximum number of invocations to return Returns: Formatted string with recent Lambda function invocations
list_detectors
List all GuardDuty detectors in the account. Args: max_results: Maximum number of detectors to return Returns: JSON formatted string with GuardDuty detectors
list_findings
List findings from a specific IAM Access Analyzer. Args: analyzerArn: ARN of the Access Analyzer status: Optional filter for finding status (ACTIVE, ARCHIVED, RESOLVED) next_token: Pagination token for fetching the next set of results limit: Maximum number of findings to return Returns: JSON string with findings
get_finding_details
Get detailed information about a specific GuardDuty finding. Args: detector_id: GuardDuty detector ID finding_id: ID of the finding to retrieve Returns: JSON formatted string with detailed finding information
list_ip_sets
List IP sets for a GuardDuty detector. Args: detector_id: GuardDuty detector ID max_results: Maximum number of results to return Returns: JSON formatted string with GuardDuty IP sets
list_analyzers
List all IAM Access Analyzers in the account. Returns: JSON string with Access Analyzers
get_shield_subscription_status
Get the status of AWS Shield Advanced subscription. Returns: JSON object with subscription information
list_shield_protected_resources
List resources protected by AWS Shield Advanced. Args: limit: Maximum number of protected resources to return next_token: Pagination token for fetching the next set of resources Returns: JSON object with protected resource information
list_shield_protections
List protections configured in AWS Shield Advanced. Args: limit: Maximum number of protections to return next_token: Pagination token for fetching the next set of protections Returns: JSON object with protection information
get_shield_protection_details
Get detailed protection information for a specific resource in AWS Shield Advanced. Args: resource_arn: ARN of the resource to get protection details for Returns: JSON object with detailed protection information
list_shield_attacks
List DDoS attacks detected by AWS Shield Advanced. Args: days: Number of days to look back for attacks limit: Maximum number of attacks to return next_token: Pagination token for fetching the next set of attacks Returns: JSON object with attack information
get_shield_attack_details
Get detailed information about a specific DDoS attack detected by AWS Shield Advanced. Args: attack_id: ID of the attack to get details for Returns: JSON object with detailed attack information
get_shield_drt_access_status
Get the status of DDoS Response Team (DRT) access in AWS Shield Advanced. Returns: JSON object with DRT access information
get_shield_emergency_contacts
Get the emergency contacts configured for AWS Shield Advanced. Returns: JSON object with emergency contact information
get_shield_summary
Get a comprehensive summary of AWS Shield Advanced status and configuration. Returns: JSON object with Shield Advanced summary information
search_resources_by_tag
Search AWS resources by tag key and optional value. Args: tag_key: The tag key to search for tag_value: Optional tag value to filter by resource_types: Optional list of resource types to filter by (e.g., ['ec2:instance', 's3:bucket']) next_token: Token for pagination max_items: Maximum number of items to return (no limit if None) group_by_type: If True, resources will be grouped by service/resource type Returns: JSON string with resources matching the specified tags and pagination details
get_all_tag_keys
Get all tag keys used in the AWS account. Args: next_token: Token for pagination max_items: Maximum number of items to return Returns: JSON string with tag keys and pagination details
get_tag_values_for_key
Get all values for a specific tag key in the AWS account. Args: tag_key: The tag key to get values for next_token: Token for pagination max_items: Maximum number of items to return Returns: JSON string with tag values and pagination details
README
AWS Security MCP
AWS Security MCP is a Model Context Protocol server that provides a MCP Client like Claude to interact to AWS security services, allowing AI assistants to autonomously inspect and analyze your AWS infrastructure for security issues.
Features
- Query AWS Infrastructure with Natural Lang query for example - "share a list of running ec2 instances that are of type t2.large"
- Query security findings from GuardDuty, SecurityHub, and IAM Access Analyzer
- List and inspect AWS resources for security misconfigurations
- Analyze IAM roles, policies, and permissions for security issues
- Examine EC2 instances, security groups, and networking components
- Scan for sensitive information in environment variables and configurations
- Generate Threat Modelling reports on the fly
- Generate Contextual Security Recommendations on the fly
- Generate network map on the fly to visualise how network map of you AWS Infrastructure Looks like
- Generate blast radius analysis of any service/resource or teams that are tagged.
- Search Seamlessly between you tagged resources
AWS Services Coverage
Currently Supported
- IAM: Roles, users, policies, access keys, and permission analysis
- EC2: Instances, security groups, Elastic Network Interfaces, VPCs, Subnets, and route tables
- S3: Buckets, permissions, and public access analysis
- GuardDuty: Findings and detectors
- SecurityHub: Findings and standards compliance
- Lambda: Functions, permissions, and configurations
- Cloudfront: Cloudfront Distributions, Origin Mapping, API Route Mapping
- LoadBalancer: ALB, ELB, NLB, Target Groups, Listeners,
- Route53: Hosted Zones, RecordSets
- WAF: WebACL, AWS WAF
- Shield: AWS DDOS Protection
- IAM Access Analyser: Security findings on IAM Access Analyser
Work In Progress
- ECS/ECR: Container security analysis
- CloudTrail: Audit logging analysis
- KMS: Key management and encryption
- Config: Configuration compliance
Installation
Prerequisites
- uv
- Python 3.11+
- AWS Account with proper credentials - Can work with either AWS Access Keys or AWS STS Credentials!
- MCP Client (Claude Desktop, Cline, 5ire, etc.)
Setup
-
Clone this repository:
git clone https://github.com/groovyBugify/aws-security-mcp.git cd aws-security-mcp -
Make the runner script executable:
chmod +x run_aws_security.sh -
Update
run_aws_security.shfile with valid AWS Credentialsexport AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
You can utilise AWS STS Credentials, AWS Profiles as well, you just need to export them before running the MCP Client.
MCP Client Setup
Theoretically, any MCP client should work with AWS Security MCP. Sharing Claude Desktop setup below.
To set up Claude Desktop as an AWS Security MCP client, go to Claude -> Settings -> Developer -> Edit Config -> claude_desktop_config.json and add the following:
{
"mcpServers": {
"aws-security": {
"command": "/path/to/aws-security-mcp/run_aws_security.sh"
}
}
}
Alternatively, edit this file directly:
/Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json
Running AWS Security MCP on steroids
Using any MCP Client we can couple multiple MCPs toghthere for example -
Troubleshooting
If at any point you face issues with running the MCP server, you can try checking the MCP Server logs that are usually stored on your system /Users/{userName}/Library/Logs/Claude
License
This project is licensed under the MIT License - see the LICENSE file for details.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.