AWS‑IReveal‑MCP

Tools

accessanalyzer_get_finding

Retrieve detailed information about a single finding.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  analyzer_arn (str): The ARN of the analyzer.
  finding_id (str): The ID of the finding to retrieve.

Returns:
  str: JSON-formatted details of the finding.

cloudtrail_describe_trails

Describe all CloudTrail trails configured in the AWS account.

cloudtrail_lookup_events

Lookup CloudTrail events using filters. If the user request falls into one of these scenarios, use the Athena tools instead:
  - EventName is a data event (e.g. GetObject, DeleteObject, PutObject);
  - the user wants to filter by role name;
  - the user wants to filter by principal ID;
  - the user wants to filter by IP address;
  - the user wants to filter by bucket name;
  - the user wants to filter by file object in buckets;
  - the user wants to filter using regex.

When filtering for EventName, note that the event name is case-sensitive and must match the exact name of the event. If you want to use operators like 'equals', 'not equals', 'contains', etc., you must use the Athena tools instead.

<IMPORTANT> Call datetime.datetime.now() to get the current date and time before providing the start and end times. If the user asks for events that happened in the last 7 days, run 'datetime.datetime.now() - datetime.timedelta(days=7)' to get the start date. Print out the start and end times to the user. </IMPORTANT>

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  attribute_key (str): The name of the attribute to search on. Valid attribute keys: EventId | EventName | ReadOnly | Username | ResourceType | ResourceName | EventSource | AccessKeyId
  attribute_value (str): The value of the attribute to search for. If no key-value pair is provided, use 'ReadOnly'='false'.
  start_time (str): Start timestamp with format 'YYYY-MM-DD HH:MM:SS' (e.g. '2025-04-10 12:45:50'). If not provided, use 'datetime.datetime.now() - datetime.timedelta(days=7)' to get the start date.
  end_time (str): End timestamp with format 'YYYY-MM-DD HH:MM:SS' (e.g. '2025-04-11 12:45:50'). If not provided, use 'datetime.datetime.now()' to get the end date.
  max_results (int): Maximum number of events to return.

Returns:
  list: A list of CloudTrail events matching the specified criteria.

athena_create_cloudtrail_table

Create an Athena table for CloudTrail logs with partition projection.

<IMPORTANT> Before using this tool, ask the user for the OUTPUT bucket unless it is provided. This is necessary to create the table correctly. If the API fails, interrupt the process and ask the user for the OUTPUT BUCKET. </IMPORTANT>

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  cloudtrail_bucket (str): The S3 bucket for CloudTrail logs - you can retrieve it using the 'cloudtrail_describe_trails' tool.
  is_org_trail (bool): Indicates if the trail is an organization trail.
  account_id (str): Your AWS account ID - you can retrieve it.
  database (str): Athena database name to be used.
  output_bucket (str): S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket. Ask the user if not specified.

Returns:
  str: An empty result if successful, or an error message if there was an issue.

athena_query_events

Query Athena for granular searches on CloudTrail logs.

<IMPORTANT> Before calling this tool, you must call the athena_create_cloudtrail_table tool to create the table. If the user asks for a different region, you must call the athena_create_cloudtrail_table tool to create the table in that region. </IMPORTANT>

Parameters:
  aws_region: The AWS region - use 'us-east-1' if not specified.
  start_time: ISO string of the start time.
  end_time: ISO string of the end time.
  database: Athena database name to be used - use 'default' if not specified.
  output_bucket: S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket.
  event_names: List of event names to filter on (e.g. ["GetObject", "DeleteObject"]).
  principal_id: Optional principal ID to filter on. Use the percent sign (%) as a wildcard character.
  user_arn: Optional user ARN to filter on. Use the percent sign (%) as a wildcard character.
  user_name: Optional user name to filter on.
  role_name: Optional role name to filter on.
  ip_address: Optional IP address to filter on. Use the percent sign (%) as a wildcard character.
  bucket_name: Optional bucket name to filter on. Use the percent sign (%) as a wildcard character.
  limit: Maximum number of results to return (default is 50).

Returns:
  str: JSON-formatted result of the Athena query.
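The filters above are text that an LLM client hands to the server and that end up inside an Athena SQL statement, so the way they are quoted matters. The following is an added example, not code from the AWS-IReveal-MCP project: it builds the kind of filtered CloudTrail query this tool runs while escaping every value and whitelisting identifiers. It assumes the standard CloudTrail Athena column layout, a hypothetical `default.cloudtrail_logs` table, that the role name is read from `useridentity.sessioncontext.sessionissuer.username`, and leaves the table's projected partition columns unconstrained.

```python
"""Added example (not the project's own code): build the filtered Athena
SQL that a tool like athena_query_events runs over a CloudTrail table,
treating every filter value, including those an LLM client passes
through, as untrusted text.  Column names follow the standard CloudTrail
Athena table; database/table names are assumed, partition columns are not."""
import re
from datetime import datetime

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # bare SQL identifiers only

def sql_literal(value) -> str:
    """Single-quoted Athena literal; doubling embedded quotes keeps a value from
    closing the literal and appending SQL of its own."""
    return "'" + str(value).replace("'", "''") + "'"

def event_timestamp(ts: str) -> str:
    """Accept either timestamp form the tools document and return the
    'YYYY-MM-DDTHH:MM:SSZ' form stored in CloudTrail's eventtime column."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt).strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")

def build_cloudtrail_query(database, table, start_time, end_time,
                           event_names=None, principal_id=None, user_arn=None,
                           role_name=None, ip_address=None, bucket_name=None,
                           limit=50):
    """Return the SELECT for the given filters; '%' in LIKE filters is the
    wildcard the tool documents.  Identifiers are whitelisted, never quoted."""
    for ident in (database, table):
        if not IDENT_RE.fullmatch(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    limit = int(limit)
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    start, end = event_timestamp(start_time), event_timestamp(end_time)
    if start >= end:
        raise ValueError("start_time must be before end_time")
    where = [f"eventtime BETWEEN {sql_literal(start)} AND {sql_literal(end)}"]
    if event_names:  # exact, case-sensitive match, as the CloudTrail tool notes
        where.append("eventname IN (" + ", ".join(map(sql_literal, event_names)) + ")")
    like_filters = [("useridentity.principalid", principal_id),
                    ("useridentity.arn", user_arn),
                    ("sourceipaddress", ip_address),
                    # bucketName lives inside the requestparameters JSON string
                    ("json_extract_scalar(requestparameters, '$.bucketName')", bucket_name)]
    where += [f"{col} LIKE {sql_literal(val)}" for col, val in like_filters if val]
    if role_name:  # the role behind an assumed-role session (assumed column)
        where.append("useridentity.sessioncontext.sessionissuer.username = "
                     + sql_literal(role_name))
    return ("SELECT eventtime, eventname, useridentity.arn AS actor, sourceipaddress, "
            f"requestparameters FROM {database}.{table} WHERE {' AND '.join(where)} "
            f"ORDER BY eventtime DESC LIMIT {limit}")
```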

cloudwatch_describe_log_groups

Describes available CloudWatch log groups in the specified region.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  log_group_name_pattern (str): The pattern to filter log group names. Pattern: [\.\-_/#A-Za-z0-9]*
    If you specify a string for this parameter, the operation returns only log groups whose names match the string based on a case-sensitive substring search. For example, if you specify Foo, log groups named FooBar, aws/Foo, and GroupFoo would match, but foo, F/o/o and Froo would not match.

Returns:
  str: JSON-formatted list of log groups.

cloudwatch_list_log_streams

Lists log streams in a specified CloudWatch log group.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  log_group (str): The name of the log group.
  limit (int): Maximum number of log streams to return.

Returns:
  str: JSON-formatted list of log streams.

cloudwatch_filter_log_events

Filters log events in a specified CloudWatch log group using the FilterLogEvents API.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  log_group (str): The name of the log group.
  start_time (str): ISO formatted start timestamp (e.g. '2025-04-10T00:00:00Z').
  end_time (str): ISO formatted end timestamp (e.g. '2025-04-11T00:00:00Z').
  filter_pattern (str): A filter pattern to match events.
  limit (int): Maximum number of log events to return.

Supported regex syntax:
  - When using regex to search and filter log data, you must surround your expressions with %.
  - Filter patterns with regex can only include the following:
    - Alphanumeric characters - a letter (from A to Z or a to z) or a digit (from 0 to 9).
    - Supported symbol characters - '_', '#', '=', '@', '/', ';', ',', and '-'. For example, %something!% would be rejected since '!' is not supported.
    - Supported operators - '^', '$', '?', '[', ']', '{', '}', '|', '\', '*', '+', and '.'.
  - The ( and ) operators are not supported. You cannot use parentheses to define a subpattern.
  - Multi-byte characters are not supported.

Returns:
  str: JSON-formatted list of matching log events.
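A pattern that breaks the rules above is rejected by CloudWatch at call time, which on an MCP server surfaces as an opaque tool error; the following added example (not the project's own code) applies those rules before the call and converts the tool's ISO timestamps into the epoch-millisecond startTime/endTime that boto3's logs.filter_log_events takes. The log group name used in the checks is a constructed sample.

```python
"""Added example (not the project's own code): the checks a defender would
run on a caller-supplied CloudWatch filter pattern before handing it to
FilterLogEvents, following the regex rules quoted above, plus the
epoch-millisecond conversion that API expects for startTime/endTime."""
from datetime import datetime, timezone

ALLOWED_SYMBOLS = set("_#=@/;,-")          # symbol characters CloudWatch accepts
ALLOWED_OPERATORS = set("^$?[]{}|\\*+.")   # regex operators it accepts; no ( )

def regex_pattern_problems(pattern: str) -> list:
    """Return the reasons CloudWatch would reject this regex filter pattern
    (an empty list means it passes the documented rules)."""
    problems = []
    if len(pattern) < 2 or pattern[0] != "%" or pattern[-1] != "%":
        problems.append("regex must be surrounded by %")
    body = pattern.strip("%")
    if not body:
        problems.append("empty expression")
    for ch in body:
        if ch in "()":
            problems.append("parentheses (subpatterns) are not supported")
        elif not ch.isascii():
            problems.append(f"multi-byte character {ch!r} is not supported")
        elif not (ch.isalnum() or ch in ALLOWED_SYMBOLS or ch in ALLOWED_OPERATORS):
            problems.append(f"unsupported character {ch!r}")
    return list(dict.fromkeys(problems))  # de-duplicate, keep first-seen order

def to_epoch_ms(ts: str) -> int:
    """Convert the tool's 'YYYY-MM-DDTHH:MM:SSZ' timestamps to the integer
    milliseconds since the epoch that FilterLogEvents takes."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def filter_log_events_kwargs(log_group, start_time, end_time, filter_pattern, limit=100):
    """Keyword arguments for boto3's logs.filter_log_events, refusing patterns
    CloudWatch would reject and time windows that are empty or inverted."""
    if "%" in filter_pattern:  # '%' marks a regex pattern, so apply the regex rules
        problems = regex_pattern_problems(filter_pattern)
        if problems:
            raise ValueError("; ".join(problems))
    start_ms, end_ms = to_epoch_ms(start_time), to_epoch_ms(end_time)
    if start_ms >= end_ms:
        raise ValueError("start_time must be before end_time")
    return {"logGroupName": log_group, "startTime": start_ms, "endTime": end_ms,
            "filterPattern": filter_pattern, "limit": int(limit)}
```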

ec2_describe_flow_logs

Describe one or more VPC Flow Logs. If no filter is provided, returns all Flow Logs in the region.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  flow_log_ids (list[str], optional): List of Flow Log IDs to describe.
  resource_ids (list[str], optional): List of resource IDs to filter by.
  resource_type (str, optional): Type of resource to filter by (e.g. 'VPC', 'NetworkInterface', 'Subnet').
  max_results (int, optional): Maximum number of results to return.

Returns:
  str: JSON-formatted list of Flow Logs.

guardduty_list_detectors

List all GuardDuty detector IDs in the specified AWS region.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.

Returns:
  str: JSON-formatted list of detector IDs.

guardduty_list_findings

List GuardDuty finding IDs for a given detector. Optionally, you can supply a list of finding IDs to retrieve specific findings or a minimum severity threshold to filter findings.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  detector_id (str): The GuardDuty detector ID.
  finding_ids (list, optional): Specific finding IDs to query.
  severity_threshold (float, optional): If provided, returns only findings with severity greater than this value.

<IMPORTANT> After calling this tool, you should call guardduty_get_findings multiple times with the finding_ids returned by this tool. </IMPORTANT>

Returns:
  str: JSON-formatted list of finding IDs.

guardduty_get_findings

Get detailed information for the specified GuardDuty findings.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  detector_id (str): The GuardDuty detector ID.
  finding_ids (list): A list of finding IDs for which to retrieve details.

<IMPORTANT> The server may crash when the response is too large. To avoid this, pass at most 2 finding IDs at a time: the finding_ids list should contain a maximum of 2 IDs. If guardduty_list_findings returns more than 2 IDs, call this tool at most 5 times. Then proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved. </IMPORTANT>

Returns:
  str: JSON-formatted details of the findings.

guardduty_get_finding_statistics

Get summary statistics for GuardDuty findings for a given detector.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  detector_id (str): The GuardDuty detector ID.

Returns:
  str: JSON-formatted statistics about the findings.

config_describe_recorder_status

Describe the status of AWS Config recorder(s).

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.

Returns:
  JSON list of ConfigurationRecorderStatus objects.

config_list_discovered_resources

List resource identifiers that AWS Config has discovered.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  resource_type (str): e.g. 'AWS::EC2::Instance'.

Returns:
  JSON list of resourceIdentifier objects.

config_get_resource_config_history

Fetch configuration snapshots for a resource between two ISO timestamps.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  resource_type (str): e.g. 'AWS::S3::Bucket'.
  resource_id (str): The resource's ARN or ID.
  start_time (str): ISO timestamp, e.g. '2025-04-01T00:00:00Z'.
  end_time (str): ISO timestamp.
  limit (int): Maximum number of configuration items to return.

Returns:
  JSON list of ConfigurationItem objects.

config_describe_compliance_by_resource

List compliance summaries for resources, optionally filtered by type.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  resource_type (str): Optional AWS resource type filter.

Returns:
  JSON list of ComplianceByResource objects.

config_describe_config_rules

Describe one or more AWS Config rules, or all rules if none are specified.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  rule_names (list): Optional list of Config rule names.

Returns:
  JSON list of ConfigRule objects.

networkinsights_list_scopes

Describe all Network Access Scopes in the region.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.

Returns:
  JSON list of NetworkInsightsAccessScope objects.

networkinsights_list_analyses

Describe analyses for one or more scopes.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  scope_id (str): The ID of the access scope to filter by.
  analysis_ids (list[str]): List of analysis IDs to filter by.

Returns:
  JSON list of NetworkInsightsAccessScopeAnalysis objects.

networkinsights_get_findings

Retrieve all findings for a given analysis.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  analysis_id (str): The ID of the analysis to retrieve findings for.
  max_results (int): Maximum number of findings to return.

Returns:
  JSON list of NetworkInsightsAccessScopeAnalysisFinding objects.

networkinsights_start_analysis

Start a Network Access Scope analysis.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  scope_id (str): The NetworkInsightsAccessScopeId to analyze.
  dry_run (bool): If True, checks permissions without starting the analysis.
  tag_specifications (list): TagSpecification dicts for annotating the analysis.
  client_token (str): Idempotency token for the request.

Returns:
  str: JSON representation of the NetworkInsightsAccessScopeAnalysis object.

accessanalyzer_list_analyzers

List all IAM Access Analyzer analyzers in the specified region.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.

Returns:
  str: JSON-formatted list of analyzers.

accessanalyzer_get_analyzer

Retrieve details of a specific analyzer by name.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  analyzer_name (str): The name of the analyzer to retrieve.

Returns:
  str: JSON-formatted details of the analyzer.

accessanalyzer_list_findings

List findings for an analyzer, with an optional filter.

Parameters:
  aws_region (str): The AWS region - use 'us-east-1' if not specified.
  analyzer_arn (str): The ARN of the analyzer to list findings for.
  filter (dict, optional): Filter criteria for findings, e.g. {'resourceType': {'eq': ['AWS::S3::Bucket']}, ...}
  max_results (int): Maximum number of findings to return.

Returns:
  str: JSON-formatted list of findings.

README

AWS‑IReveal‑MCP

AWS‑IReveal‑MCP is a Model Context Protocol (MCP) server designed to give security teams and incident responders a unified interface to AWS services useful for investigation. By connecting AWS‑IReveal‑MCP to any MCP client (such as Claude Desktop or Cline), you can invoke queries and analyses across multiple AWS services without leaving your LLM‑driven workspace.

Features

AWS‑IReveal‑MCP integrates with the following AWS services and functionalities:

  • CloudTrail — Management event logs for API activity
  • Amazon Athena — SQL queries over CloudTrail logs
  • CloudWatch — Operational logs and ad hoc analysis
  • Amazon GuardDuty — Threat detection and finding investigation
  • AWS Config — Resource configuration history and compliance status
  • VPC Flow Logs — Network traffic metadata for forensic analysis
  • Network Access Analyzer — Reachability checks across SG/NACL/VPC
  • IAM Access Analyzer — Policy and resource‑based access findings

Together, these services let you:

  • Trace “who did what, when, and where” (CloudTrail, Config)
  • Examine detailed data events (Athena)
  • Search and visualize logs (CloudWatch, VPC Flow Logs)
  • Surface security alerts (GuardDuty, IAM Access Analyzer)
  • Verify network reachability and configuration (Network Access Analyzer)

Example Prompts

  • analyze activity by IP x.x.x.x in the last 5 days
  • analyze activity by role 'sysadmin' in the last 24 hours
  • investigate suspicious activity on cloudtrail in the last 7 days on us-west-2
  • is there any data event on buckets with name containing 'customers' in the last 7 days?
  • investigate cloudwatch logs related to Bedrock
  • propose remediations for GuardDuty findings with high risk that happened in the last 2 days
  • identify non-compliant resources, explain violated rules, and suggest remediation

Installation

Prerequisites

  • Python 3
  • MCP Python SDK (mcp[cli])
  • boto3 (AWS SDK for Python)
  • AWS credentials configured

Configuration

Add the following configuration to your MCP client's settings file:

{
  "mcpServers": {
    "aws-ireveal": {
      "command": "uv",
      "args": [
        "run",
        "/path/to/aws-ireveal-mcp/server.py"
      ],
      "env": {
        "AWS_PROFILE": "<YOUR_PROFILE>"
      }
    }
  }
}
