Labsco
groovyBugify logo

AWS Security MCP

β˜… 83

from groovyBugify

An MCP server that enables AI assistants to interact with AWS security services.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeQuick setup

AWS Security MCP

License: MIT Python 3.11+

A Model Context Protocol (MCP) server that enables AI assistants to perform comprehensive AWS security analysis through natural language queries.

Overview

AWS Security MCP bridges AI assistants like Claude with AWS security services, enabling real-time infrastructure analysis through conversational queries. The system automatically discovers and analyzes resources across multiple AWS accounts, providing security insights without requiring deep AWS CLI knowledge.

Key Capabilities

  • Cross-Account Discovery: Automatic detection and access to AWS Organization accounts
  • Natural Language Interface: Query AWS resources using plain English
  • Security Analysis: Integrated findings from GuardDuty, SecurityHub, and Access Analyzer
  • Infrastructure Mapping: Network topology, threat modelling, security review and blast radius analysis
  • Log Analytics: Athena-powered analysis of CloudTrail, VPC Flow Logs, and security events

Architecture

Cross-Account Access

AWS Security MCP implements a hub-and-spoke model for multi-account access:

  1. Discovery: Uses organizations:ListAccounts to identify target accounts
  2. Role Assumption: Assumes aws-security-mcp-cross-account-access role in each account
  3. Session Management: Maintains temporary credentials with automatic refresh
  4. Fallback: Uses default credential chain for non-organization accounts

Required IAM Role Setup

Create this role in each target AWS account:

Role Name: aws-security-mcp-cross-account-access

Trust Policy:

Copy & paste β€” that's it
{
"Version": "2012-10-17",
"Statement": [
 {
   "Effect": "Allow",
   "Principal": {
     "AWS": "arn:aws:iam::YOUR-MASTER-ACCOUNT-ID:root"
   },
   "Action": "sts:AssumeRole"
    }
]
}

Permissions: Attach AWS managed policy arn:aws:iam::aws:policy/SecurityAudit

Athena Integration

Overview

AWS Security MCP integrates with Amazon Athena to provide advanced log analysis capabilities. This feature requires pre-existing Athena tables containing your security-relevant logs.

Supported Log Types

While the MCP server can analyze any log source through Athena, the following sources are recommended to provide comprehensive security metadata to your MCP client. For optimal security coverage, we recommend implementing at least CloudTrail and VPC Flow Logs:

Recommended Log Sources:

  • AWS CloudTrail: API call auditing and user activity tracking
  • VPC Flow Logs: Network traffic pattern analysis
  • CloudFront Logs: CDN request and response analysis
  • ALB Access Logs: Application load balancer traffic insights
  • WAF Logs: Web application firewall events and blocks(Cloudflare/AWS WAF/Akamai)
  • AWS Shield Logs: DDoS protection and mitigation events

Flexibility for Custom Log Sources

The MCP server supports querying any log type stored in S3, giving you complete flexibility to analyze custom or additional log sources. To enable analysis of any log source, ensure:

  1. S3 Storage: Your logs are stored in an S3 bucket
  2. Athena Table: A properly configured Athena table exists for the log format
  3. IAM Permissions: The MCP server has s3:GetObject and s3:ListBucket permissions for the target bucket

This architecture allows you to extend security analysis beyond standard AWS logs to include application logs, custom security events, or third-party security tool outputs.

Query Capabilities

Once tables are configured, you can perform advanced queries:

Copy & paste β€” that's it
Query: "Show all failed login attempts from external IPs in the last 24 hours"

Query: "Can you share what did 'saransh.rana@company.com' did in past 24 hours on my aws account? and share a timeline report?"

Query: "Can you check for all the 'Access Denied/Error/Forbidden' on my PCI(123456789012) aws account and share the username and userIP of the principal, and do a reverse IP checkup if this IP is coming from my own AWS Org or external party."

Query: "Correlate GuardDuty findings with CloudTrail and VPC Flow logs events"

Setup Prerequisites

  1. S3 Buckets: CloudTrail and VPC Flow Logs must be stored in S3
  2. Athena Workgroup: Configure appropriate workgroup with result location
  3. Partitioning: Enable partition projection for performance
  4. IAM Permissions: Grant Athena query permissions to the MCP execution role

Supported AWS Services

Currently Available

ServiceCapabilities
IAMUsers, roles, policies, access keys, permission analysis
EC2Instances, security groups, VPCs, subnets, network interfaces
S3Buckets, permissions, public access analysis
GuardDutyFindings, detectors, threat intelligence
SecurityHubFindings, compliance standards, security scores
LambdaFunctions, permissions, configurations, triggers
CloudFrontDistributions, origins, behaviors, security policies
ELB/ALB/NLBLoad balancers, target groups, listeners, health checks
Route53Hosted zones, DNS records, health checks
WAFWeb ACLs, rules, rate limiting
ShieldDDoS protection status and metrics
Access AnalyzerIAM access analysis and findings
ECS/ECRContainer services, repositories, image scanning
OrganizationsAccount structure, SCPs, organizational units
AthenaLog analysis, security event correlation

Planned Additions

  • Oauth Authentication
  • AWS Config compliance analysis
  • AWS Security Hub CSPM integration
  • External CSPM integration

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support