AWS Security MCP

A Model Context Protocol (MCP) server that enables AI assistants to perform comprehensive AWS security analysis through natural language queries.

Overview

AWS Security MCP bridges AI assistants like Claude with AWS security services, enabling real-time infrastructure analysis through conversational queries. The system automatically discovers and analyzes resources across multiple AWS accounts, providing security insights without requiring deep AWS CLI knowledge.

Key Capabilities

• Cross-Account Discovery: Automatic detection and access to AWS Organization accounts
• Natural Language Interface: Query AWS resources using plain English
• Security Analysis: Integrated findings from GuardDuty, SecurityHub, and Access Analyzer
• Infrastructure Mapping: Network topology, threat modelling, security review and blast radius analysis
• Log Analytics: Athena-powered analysis of CloudTrail, VPC Flow Logs, and security events

Prerequisites

• Python: 3.11 or higher
• Package Manager: uv
• AWS Account: With appropriate IAM permissions
• MCP Client: Claude Desktop, Cline, or compatible client

AWS Requirements

MCP Server's AWS credentials must have the following permissions:

Core MCP Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountAccess",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-security-mcp-cross-account-access"
    },
    {
      "Sid": "OrganizationDiscovery",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}

Athena Integration Permissions

For advanced log analysis capabilities, additional permissions are required:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueryExecution",
      "Effect": "Allow",
      "Action": [
        "athena:BatchGetQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetWorkGroup",
        "athena:GetTableMetadata",
        "athena:ListQueryExecutions",
        "athena:StartQueryExecution",
        "athena:GetQueryResultsStream",
        "athena:GetDataCatalog",
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueCatalogAccess",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3LogDataAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-cloudtrail-bucket/*",
        "arn:aws:s3:::your-cloudtrail-bucket",
        "arn:aws:s3:::your-vpc-flow-logs-bucket/*",
        "arn:aws:s3:::your-vpc-flow-logs-bucket",
        "arn:aws:s3:::your-security-logs-bucket/*",
        "arn:aws:s3:::your-security-logs-bucket"
      ]
    },
    {
      "Sid": "AthenaResultsAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-athena-results-bucket/*",
        "arn:aws:s3:::your-athena-results-bucket"
      ]
    }
  ]
}

Required AWS Managed Policies

SecurityAudit Policy (Required)

Attach the AWS managed SecurityAudit policy to your MCP Server's IAM user or IAM role:

Policy ARN: arn:aws:

... [View full README on GitHub](https://github.com/groovyBugify/aws-security-mcp#readme)